Red Bull-Themed Phishing Attacks Steal Job Seekers Login Credentials

A new wave of phishing emails promising a “Social Media Manager” position at Red Bull has surfaced in corporate and personal inboxes worldwide.

Disguised as personalized invitations, the messages originate from [email protected] and sail through SPF, DKIM and DMARC checks, giving traditional filters little reason to distrust them.

Fake email (Source – Evalian)

The lure plays on the appetite for remote work that the pandemic created and on the energy-drink giant’s strong brand recognition.

Recipients who click the embedded link are funnelled to a reCAPTCHA gate and then to a polished Glassdoor-style vacancy page.

Glassdoor-style fake job description (Source – Evalian)

Evalian analysts noted that, while the façade looks benign, the domain redbull-social-media-manager.apply-to-get-hired.com is barely weeks old and resolves to a VPS in AS-63023, a network notorious for short-lived malicious infrastructure.

After the faux job description, victims are redirected to a counterfeit Facebook login page; the submitted credentials are siphoned off by a POST to /login_job on 38.114.120.167.

Those credentials never reach Facebook; instead they disappear into a backend that often returns a 504 Gateway Timeout, a stalling manoeuvre that frustrates sandboxes and masks successful exfiltration.

Evalian researchers identified the same TLS JARM fingerprint across sibling domains spoofing MrBeast and Meta, proving the campaign is a rentable kit rather than a lone one-off.

Detection evasion is where the operation truly shines. The attackers abuse Mailgun’s high-reputation IP pool, letting them inherit Xero’s trust halo while hiding the real reply-to address [email protected].

They automate Let’s Encrypt issuance so every host presents a fresh, valid certificate, erasing typical “self-signed” red flags. Even the reCAPTCHA isn’t for the user; it throttles URL-scanning bots long enough to drop them.

| where mail.sender_domain == "post.xero.com"
    and mail.reply_to matches regex ".*user0212-stripe.com"
    and url.domain endswith "apply-to-get-hired.com"
    and network.jarm == "27d40d40d00040d00042d43d000000d2e61cae37a985f75ecafb81b33ca523"

The Kusto-style query above, adapted from Evalian’s SOC rules, triangulates four signals: the high-reputation sender domain, the anomalous reply-to domain, the malicious lure domain and the shared JARM fingerprint. Requiring all of them together yields high-fidelity alerts without drowning analysts in noise.
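The same triage, worked through in Python as an added example for readers without a Kusto backend (this is not Evalian’s rule or code from the article). It scores each normalised mail/proxy record against the indicators the write-up quotes (sender domain, reply-to domain, lure domain, JARM, harvest IP and the /login_job path) and also shows why a clean SPF/DKIM/DMARC result must not lower the score. The `Event` schema, the sample records and the severity thresholds are assumptions made for the example; the local part of the reply-to address is a labelled placeholder because the article does not give it.

```python
import re
from dataclasses import dataclass

# Indicators quoted in the write-up above.
SENDER_DOMAIN = "post.xero.com"
REPLY_TO_RE = re.compile(r".*user0212-stripe\.com$", re.IGNORECASE)
LURE_DOMAIN_SUFFIX = "apply-to-get-hired.com"
KIT_JARM = "27d40d40d00040d00042d43d000000d2e61cae37a985f75ecafb81b33ca523"
HARVEST_IP = "38.114.120.167"
HARVEST_PATH = "/login_job"


@dataclass
class Event:
    """One normalised record joining mail headers, the clicked URL and, when the
    proxy captured it, the TLS fingerprint and POST destination.
    The field names are an assumption for this example, not a real log schema."""
    event_id: str
    sender_domain: str = ""
    reply_to: str = ""
    auth_results: str = ""      # e.g. "spf=pass dkim=pass dmarc=pass"
    url_domain: str = ""
    jarm: str = ""
    dest_ip: str = ""
    post_path: str = ""


def all_auth_pass(auth_results: str) -> bool:
    """True when SPF, DKIM and DMARC all report pass.  The campaign passes all
    three, so this result is informational only and never reduces a score."""
    results = dict(part.split("=", 1) for part in auth_results.split() if "=" in part)
    return all(results.get(mech) == "pass" for mech in ("spf", "dkim", "dmarc"))


def signals(ev: Event) -> list[str]:
    """Return the independent signals a record triggers, in a fixed order."""
    hits = []
    if ev.sender_domain == SENDER_DOMAIN and REPLY_TO_RE.match(ev.reply_to):
        # Genuine Xero notifications do not ask for replies at an unrelated domain.
        hits.append("xero_sender_with_rogue_reply_to")
    if ev.url_domain.endswith(LURE_DOMAIN_SUFFIX):
        hits.append("lure_domain")
    if ev.jarm == KIT_JARM:
        # Shared kit fingerprint: catches sibling domains not yet on any blocklist.
        hits.append("kit_jarm")
    if ev.dest_ip == HARVEST_IP:
        hits.append("traffic_to_harvest_ip")
        if ev.post_path == HARVEST_PATH:
            hits.append("credential_post_to_login_job")
    return hits


def verdict(ev: Event) -> str:
    """Severity thresholds are an assumption: any contact with the harvest IP,
    or three corroborating mail-side signals, is treated as high confidence."""
    hits = signals(ev)
    if "traffic_to_harvest_ip" in hits or len(hits) >= 3:
        return "high"
    return "review" if hits else "clean"


def triage(events: list[Event]) -> dict[str, str]:
    """Map each event id to its verdict."""
    return {ev.event_id: verdict(ev) for ev in events}


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    Event("phish-1", sender_domain="post.xero.com",
          reply_to="PLACEHOLDER-LOCALPART@user0212-stripe.com",   # local part not given by the article
          auth_results="spf=pass dkim=pass dmarc=pass",
          url_domain="redbull-social-media-manager.apply-to-get-hired.com",
          jarm=KIT_JARM),
    Event("xero-invoice", sender_domain="post.xero.com",          # benign transactional mail
          reply_to="accounts@example.com",
          auth_results="spf=pass dkim=pass dmarc=pass",
          url_domain="xero.com"),
    Event("jarm-only", sender_domain="mail.example.net",           # new sibling domain, fingerprint reused
          reply_to="noreply@example.net",
          auth_results="spf=pass dkim=fail dmarc=fail",
          url_domain="casting-call.example-lure.test",
          jarm=KIT_JARM),
    Event("proxy-post", dest_ip=HARVEST_IP, post_path=HARVEST_PATH),  # egress record from the web proxy
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.event_id:12} auth_ok={all_auth_pass(ev.auth_results)!s:5} "
              f"{verdict(ev):6} {signals(ev)}")
```

Running the script prints one line per sample; the legitimate Xero invoice scores clean even though its sender domain matches, the fingerprint-only record is flagged for review rather than blocked outright, and any outbound contact with the harvest IP is escalated regardless of what the mail headers say.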

While job hunters remain the prime targets, organizations should block the listed IOCs, monitor outbound traffic to 38.114.120.167, and teach users that an email passing every authentication test may still be a wolf in well-forged clothing.
