A phishing campaign is impersonating internal spam-filter notifications to trick users into entering their email credentials.
According to Cyber Security News, researchers have identified a phishing operation that sends emails posing as legitimate spam-filter alerts from within the victim’s own organisation. The messages claim that a Secure Message system upgrade has caused several emails to be held back, urging users to click a “Move to Inbox” button to retrieve them. Both the button and an embedded unsubscribe link redirect through a compromised CBSSports domain before sending victims to a phishing page on MDBGo, where a fake login form captures credentials.
The emails are crafted to appear routine, displaying generic delivery reports and system notifications. Attackers encode the recipient’s email address in base64 within the URL, allowing the phishing page to automatically display the user’s domain, which enhances credibility. Security researchers have observed the campaign shifting tactics as detection improves, using code obfuscation and new redirect paths to avoid automated security tools. The phishing page mimics standard email login workflows, encouraging users to believe they are interacting with an internal system, even though the page is hosted externally on attacker-controlled infrastructure.
According to analysts tracking the campaign, the attackers have integrated advanced harvesting techniques that go beyond simple form submissions. Researchers also noted that the fake login page is heavily obfuscated and capable of adjusting its behaviour dynamically to reduce detection, and that the campaign escalated following the initial warnings. The attackers’ focus on personalization and familiar corporate messaging makes the phishing emails difficult for users to identify without careful inspection.
Attackers are leaning on alerts that look like routine internal messages because users rarely question them, and most traditional filters don’t flag notifications that mimic corporate systems. The use of WebSocket-based harvesting gives threat actors real-time access to credentials, which means even MFA can be defeated before a user knows anything is wrong. With campaigns shifting redirect paths and obfuscation patterns to stay ahead of static filtering, organizations need protection that can assess intent rather than just scan for known indicators.
Since phishing drives most successful compromises, especially in cloud email environments, relying on legacy filtering isn’t enough. Paubox Inbound Email Security adds behavioural analysis that can detect abnormal login-flow impersonation, redirect chains, and suspicious internal-style alerts before they reach staff. It gives healthcare and enterprise organizations a way to catch these credential-harvesting attempts even when the emails look familiar and the attack unfolds in real time.
Internal notifications appear routine and trustworthy, increasing the likelihood that users will click without questioning the source or checking the URL.
Attackers encode the email address in the URL so the fake login page can display the correct domain, creating a more convincing impersonation.
A WebSocket creates a live, two-way connection between the browser and the attacker’s server, allowing credentials to be captured as soon as they are typed rather than after submission.
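The base64-encoded recipient address described above is itself a detectable artefact: an external host carrying an encoded internal email address in its path, query or fragment is a strong phishing signal. The following Python check is an added example written for this page, not code from the article or from Paubox; the host names, the internal domain and the sample URLs are constructed for illustration.

```python
import base64
import re
from urllib.parse import urlparse, unquote

# A plausible email address once the token is decoded.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# Looks like base64 (standard or URL-safe alphabet), long enough to hold an address.
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{12,}={0,2}$")

def _decode_b64(token):
    """Decode standard or URL-safe base64, tolerating missing padding; None if invalid."""
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded.translate(str.maketrans("-_", "+/")), validate=True)
        return raw.decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None

def find_encoded_emails(url):
    """Return (location, email) pairs for every URL part that base64-decodes to an address."""
    p = urlparse(url)
    candidates = [("path", unquote(seg)) for seg in p.path.split("/")]
    for pair in p.query.split("&"):          # manual split keeps literal '+' intact
        key, _, value = pair.partition("=")
        candidates.append(("query:" + key, unquote(value)))
    if p.fragment:
        candidates.append(("fragment", unquote(p.fragment)))
    hits = []
    for where, token in candidates:
        if B64_RE.match(token):
            decoded = _decode_b64(token)
            if decoded and EMAIL_RE.match(decoded.strip()):
                hits.append((where, decoded.strip()))
    return hits

def flag_url(url, internal_domains):
    """Flag emails from internal domains that appear encoded in a URL on a non-internal host."""
    host = (urlparse(url).hostname or "").lower()
    if any(host == d or host.endswith("." + d) for d in internal_domains):
        return []                                # our own mail portal: expected, not suspicious
    return [e for _, e in find_encoded_emails(url)
            if e.rsplit("@", 1)[1].lower() in internal_domains]

# Constructed sample: fragment is base64 of alice@corp.example; hosts are placeholders.
INTERNAL_DOMAINS = {"corp.example"}
SAMPLE_URL = "https://login.phish-host.example/secure/#YWxpY2VAY29ycC5leGFtcGxl"

if __name__ == "__main__":
    print(flag_url(SAMPLE_URL, INTERNAL_DOMAINS))
```

The same check applies to rewritten or redirect-chain URLs as long as the encoded token survives into the final link, so run it over every hop a gateway records.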