In recent months, Trustwave SpiderLabs—a LevelBlue company renowned for its threat intelligence and incident response services—has observed a marked uptick in phishing campaigns that leverage legitimate email marketing platforms to cloak malicious links.
By riding on established infrastructure and URL redirectors, attackers evade traditional defenses and dupe recipients into divulging sensitive information.
To combat these evolving tactics, Trustwave operates PageML, a hybrid URL-scanning system that combines machine learning and deep learning with a rules-based framework.
PageML analyzes URL structure and webpage content in real time, predicting whether a destination is malicious or benign.
Despite its sophistication, recent campaigns have tested PageML’s limits, as adversaries hide behind trusted domains and multiple redirections.
Email Marketing Platforms as Phishing Vectors
Klaviyo Click-Tracking Abuse
One standout example abuses Klaviyo's click-tracking domain, klclick3.com. Attackers craft phishing emails, often with subjects like "New Voicemail", that contain links beginning with https://ctrk.klclick3.com.
A sample URL, masked as a voicemail notification, ultimately redirects through klclick3.com to a bespoke phishing page. That final page dynamically fetches the victim's company logo via Clearbit and disables right-click functionality to hinder analysis.
Drip Global’s Tracking Domain Misuse
Similarly, phishing emails impersonating DocuSign embed links that use Drip Global's tracking domain, dripemail2.com.
Clicking the link passes through Drip's domain to a fake Microsoft Security page. Base64-encoded parameters in the URL conceal further redirections to credential-harvesting login forms.

At the time of discovery, Trustwave's scanner was the only engine on VirusTotal flagging these malicious redirects, underscoring PageML's value in early threat identification.
Cloud Infrastructure Co-Option
Amazon S3 Redirections
Beyond email marketing platforms, threat actors have turned to cloud hosting services to serve phishing pages.
In one campaign, malicious emails purporting to be payment remittances include image attachments linked to *.s3.us-east-1.amazonaws.com. The Reply-To header of these emails also carries an address unrelated to the company being impersonated.
These S3-hosted pages mimic Roundcube Webmail login forms, complete with embedded Cloudflare Turnstile challenges and AJAX-based credential capture.

Such abuse of Amazon Web Services not only lends credibility to the scam but also complicates takedown efforts.
Compromised Domains Combined with CAPTCHA
Attackers also continue compromising legitimate corporate domains. For instance, airswift.ae, a genuine freight-services site, was found hosting a "Secure Document" phishing page.
Visitors are first presented with a Cloudflare CAPTCHA before being forwarded to a fully obfuscated, fake Microsoft sign-in page.
By interspersing benign content, CAPTCHA challenges, and layered redirects, adversaries further delay detection and stall automated analysis.
These campaigns illustrate a clear shift in phishing strategies:
- Use of trusted platforms: By abusing email-marketing and cloud-hosting services, attackers piggyback on domains with solid reputations and broad deliverability.
- Multi-stage redirections: Embedding layered URL redirects obfuscates final destinations and hinders static detection.
- Dynamic content injection: Chameleon-style scripts tailor phishing pages with victim-specific logos and disable typical browser interactions.
- Evasion via CAPTCHA: Cloudflare Turnstile and similar services are abused to interpose human-verification steps that stall automated scanners.
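The Drip campaign's Base64-encoded parameters and the multi-stage redirections listed above are the parts of these chains a scanner can unwind without rendering the landing page. The following is an added example, not code from Trustwave or from PageML, that decodes URLs hidden in query parameters (plain or Base64), walks a redirect chain through an injectable resolver so it runs offline, and applies the traits the report describes (relay through a marketing tracking domain, hidden next hop, landing host unrelated to the sender) to reach a verdict. The tracking domains are the two named in the article; every hostname ending in .invalid, the sender domain northwind.invalid, and the hop table are constructed for the demonstration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlparse

# Click-tracking domains of legitimate email-marketing platforms that the
# article reports being used as redirectors.
TRACKING_DOMAINS = {"klclick3.com", "dripemail2.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _under(host, domain):
    return host == domain or host.endswith("." + domain)


def is_tracking_host(host):
    return any(_under(host, d) for d in TRACKING_DOMAINS)


def hidden_urls_in_params(url):
    """URLs tucked into query parameters, either percent-encoded in the clear
    or Base64-encoded (standard or URL-safe alphabet, padding optional)."""
    found = []
    for values in parse_qs(urlparse(url).query).values():
        for value in values:          # parse_qs has already percent-decoded
            if URL_RE.fullmatch(value):
                found.append(value)
                continue
            # parse_qs turns a literal '+' into a space; restore it so a
            # standard-alphabet Base64 value is not corrupted.
            value = value.replace(" ", "+")
            padded = value + "=" * (-len(value) % 4)
            try:
                # urlsafe_b64decode maps '-'/'_' to '+'/'/' before decoding,
                # so one call accepts both alphabets.
                text = base64.urlsafe_b64decode(padded).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError, ValueError):
                continue
            found.extend(URL_RE.findall(text))
    return found


def follow_chain(url, resolver, max_hops=10):
    """Walk a redirect chain without rendering any page. resolver(url) returns
    the next Location or None; it is injected so the walk can run offline.
    A URL hidden in the current hop's parameters also counts as the next hop,
    which is how the Base64 parameters described above are unwound."""
    chain, seen = [url], {url}
    while len(chain) <= max_hops:
        current = chain[-1]
        nxt = resolver(current)
        if nxt is None:
            hidden = hidden_urls_in_params(current)
            nxt = hidden[0] if hidden else None
        if nxt is None or nxt in seen:   # end of chain, or a loop
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def assess(chain, sender_domain):
    """Relaying through a tracking domain is normal for marketing mail; it is
    the combination with a hidden hop or an unrelated landing host that
    matches the campaigns in the report."""
    hosts = [(urlparse(u).hostname or "").lower() for u in chain]
    relays = any(is_tracking_host(h) for h in hosts[:-1])
    hides = any(hidden_urls_in_params(u) for u in chain[:-1])
    unrelated = not _under(hosts[-1], sender_domain.lower())
    reasons = []
    if relays:
        reasons.append("relays through an email-marketing tracking domain")
    if hides:
        reasons.append("hides the next hop in a query parameter")
    if unrelated:
        reasons.append("lands on %s, unrelated to %s" % (hosts[-1], sender_domain))
    if len(chain) > 2:
        reasons.append("%d redirect hops" % (len(chain) - 1))
    return {"final_url": chain[-1], "reasons": reasons,
            "suspicious": relays and (hides or unrelated)}


# Constructed sample chains standing in for live lookups (reserved .invalid
# hostnames; not indicators from the report). The malicious one enters via a
# Klaviyo-style tracking link and hides its last hop in Base64.
PHISH_FINAL = "https://secure-login.invalid/owa"
PHISH_START = "https://ctrk.klclick3.com/k/AbC123"
BENIGN_START = "https://ctrk.klclick3.com/k/XyZ789"
FAKE_HOPS = {
    PHISH_START: "https://docs-view.invalid/open?next="
    + base64.urlsafe_b64encode(PHISH_FINAL.encode()).decode(),
    BENIGN_START: "https://shop.northwind.invalid/sale",
}


def fake_resolver(url):
    return FAKE_HOPS.get(url)


def demo(start=PHISH_START, sender_domain="northwind.invalid"):
    chain = follow_chain(start, fake_resolver)
    return chain, assess(chain, sender_domain)


if __name__ == "__main__":
    for start in (PHISH_START, BENIGN_START):
        chain, verdict = demo(start)
        print(" -> ".join(chain))
        print(verdict)
```

In production the resolver would issue HEAD or GET requests with redirects disabled and return the Location header, and the sender domain would come from the message's From or Reply-To header; a legitimate merchant whose newsletter lands on a domain different from its sending domain will trip the "unrelated" check, so that signal is a prompt for review rather than a block on its own.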
Organizations can mitigate these growing threats by adopting a multi-layered approach:
- Advanced URL analysis: Deploy real-time, behavioral URL-scanning systems like PageML that inspect both redirection chains and page content.
- Email platform monitoring: Track unexpected increases in mail, inbound or outbound, carrying links to third-party marketing tracking domains, and allow-list only the platforms the organization actually uses.
- User awareness training: Educate employees on evolving phishing lures, especially those masquerading as familiar services.
- Cloud service scrutiny: Monitor organizational traffic to common cloud-hosting endpoints for unusual patterns or redirects.
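One way to operationalize the email-platform-monitoring item above, as an added example rather than anything from the report or from PageML: parse mail-gateway log lines, count per day the messages whose link host is a marketing tracker, report any link to a tracker the organization has not sanctioned, and flag a day whose count exceeds the earlier days' mean plus three standard deviations (with a floor so a single extra message on a quiet tracker does not alert). The log format, the sanctioned-tracker set, and every sender and hostname in the sample are constructed for the demonstration; the tracker domains are the two named in the article.

```python
import re
import statistics
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Tracking domains named in the report, and the subset this hypothetical
# organisation has sanctioned for its own marketing campaigns.
MARKETING_TRACKERS = {"klclick3.com", "dripemail2.com"}
ALLOWED_TRACKERS = {"klclick3.com"}

# Assumed gateway log format (constructed): one line per link seen in mail.
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ dir=(?P<dir>\w+) "
    r"from=(?P<from>\S+) url=(?P<url>\S+)$")


def tracker_for(host):
    host = host.lower()
    for d in MARKETING_TRACKERS:
        if host == d or host.endswith("." + d):
            return d
    return None


def parse_log(text):
    """Yield (day, direction, sender, tracker) for lines whose link host is a
    known marketing tracker; lines in any other shape are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        tracker = tracker_for(urlparse(m["url"]).hostname or "")
        if tracker:
            yield m["day"], m["dir"], m["from"], tracker


def analyse(text, spike_factor=3.0, min_count=5):
    """Two checks: every link to an unsanctioned tracker is reported as-is,
    and for each tracker the latest day's count is compared with the earlier
    days' mean + spike_factor * stdev, never lower than min_count."""
    daily = defaultdict(Counter)          # tracker -> day -> count
    unsanctioned = []
    for day, direction, sender, tracker in parse_log(text):
        daily[tracker][day] += 1
        if tracker not in ALLOWED_TRACKERS:
            unsanctioned.append((day, direction, sender, tracker))
    spikes = {}
    for tracker, counts in daily.items():
        days = sorted(counts)
        if len(days) < 2:                 # no history to baseline against
            continue
        history = [counts[d] for d in days[:-1]]
        threshold = max(min_count,
                        statistics.fmean(history)
                        + spike_factor * statistics.pstdev(history))
        latest = counts[days[-1]]
        if latest > threshold:
            spikes[tracker] = {"day": days[-1], "count": latest,
                               "threshold": threshold}
    return {"unsanctioned": unsanctioned, "spikes": spikes}


def _make_sample_log():
    """Constructed log: four quiet days of klclick3.com links, then a burst
    on the fifth day plus one link to the unsanctioned dripemail2.com."""
    per_day = {"2024-06-03": 2, "2024-06-04": 3, "2024-06-05": 2,
               "2024-06-06": 3, "2024-06-07": 11}
    lines = []
    for day, n in per_day.items():
        for i in range(n):
            lines.append(f"{day}T08:{i:02d}:00Z dir=inbound "
                         f"from=news@partner.invalid "
                         f"url=https://ctrk.klclick3.com/k/{day[-2:]}{i}")
    lines.append("2024-06-07T10:15:00Z dir=inbound from=docs@unrelated.invalid "
                 "url=https://c.dripemail2.com/l/abc")
    lines.append("2024-06-07T10:16:00Z dir=inbound from=it@northwind.invalid "
                 "url=https://intranet.northwind.invalid/doc")
    return "\n".join(lines)


SAMPLE_LOG = _make_sample_log()

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The baseline here uses the population standard deviation over a handful of days, which is fine for a demonstration; on real traffic, baseline per weekday over several weeks and treat a tracker that has never appeared before as its own alert.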
As phishing campaigns grow ever more sophisticated, combining old tricks—such as compromised domains—with novel evasion tactics, organizations must continuously adapt.
Trustwave SpiderLabs remains committed to refining detection capabilities and sharing actionable intelligence to stay one step ahead of these deceptive threats.