IT Support or Mimecast Phish? What to Look For | Cofense

Cofense PDC discovered an IT-support themed phishing campaign that impersonates Mimecast to trick users into submitting credentials via recently created spoof domains. The attack uses a counterfeit Mimecast security flow and landing page (hXXps://hiudgntxrg[.]web[.]app/#); the observed IOCs, including the associated IP addresses, are listed below.

Key points

  • Phishing campaign impersonates IT support and Mimecast to request password resets using a recently created spoof domain (realfruitpowernepal[.]com).
  • Email lacks personalization (no “Dear…”), indicating a mass-mailing script was likely used.
  • Hovering over the “Continue” button shows a Mimecast reference and the recipient’s email in the URL, lending apparent legitimacy.
  • Clicking the link routes the user through a Mimecast-styled security portal where either choice leads to the same counterfeit landing page.
  • Phishing landing page (hXXps://hiudgntxrg[.]web[.]app/#) imitates Mimecast but uses a non-Mimecast URL and missing footer details; credential submission returns a “successful login” page to reduce suspicion.
  • IOCs observed include spoof domains/URLs and IP addresses: realfruitpowernepal[.]com, hXXps://hiudgntxrg[.]web[.]app/#, 162[.]0[.]217[.]31, 199[.]36[.]158[.]100.

MITRE Techniques

  • [T1566.001] Phishing: Link – Attack uses IT-support-themed emails with a link to a spoofed workflow to harvest credentials (‘The Cofense Phishing Defense Center (PDC) has intercepted a new phishing technique that uses information technology (IT) support-themed emails to get users to enter their old password.’)
  • [T1204.001] User Execution: Malicious Link – The campaign relies on users clicking the embedded link and interacting with a staged security portal (‘When the recipient hovers over the “Continue” button, a Mimecast reference appears…’; ‘Clicking on either “It’s Safe” or “It’s Harmful” led to the same result’)
  • [T1078] Valid Accounts – Collected credentials are accepted and the user is shown a successful login page to simulate legitimacy (‘Whether the user provided their true login credentials or a random string of credentials, they would be automatically redirected to the page within Figure 5 displaying a successful login message.’)

Indicators of Compromise

  • [Domain] Spoof/impersonation domain – realfruitpowernepal[.]com (used to impersonate internal IT; hosted via a free web design platform)
  • [URL] Phishing landing pages – hXXps://hiudgntxrg[.]web[.]app/# (primary phishing page), hXXp://aznyibe[.]creedidory[.]com/# (related redirect)
  • [IP address] Observed infrastructure – 162[.]0[.]217[.]31, 199[.]36[.]158[.]100

The phishing sequence begins with an IT-support-style email that omits personalization—consistent with bulk scripted delivery—and uses a newly registered impersonation domain (realfruitpowernepal[.]com) which resolves to a free web design host. The embedded “Continue” link displays a Mimecast reference and the recipient’s email in the hover URL; clicking it loads a Mimecast-styled security portal where both “It’s Safe” and “It’s Harmful” choices funnel victims to the same next page.

The next stage is a counterfeit Mimecast login flow hosted on a non-Mimecast URL (hXXps://hiudgntxrg[.]web[.]app/#). That landing page intentionally shows a session-expired state and lacks authentic Mimecast footer details; after the user submits credentials (or any random string), the site presents a successful-login confirmation to reinforce legitimacy and end the interaction without error messages. Observed IOCs tied to this campaign include the spoof domains/URLs and the IPs listed above, which defenders can use to block, monitor, or investigate related traffic.
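As an added defender-side example (not Cofense's code), the following Python refangs the IOCs listed above and scans constructed "recipient url" click-log lines for the traits this campaign exhibits: a host on the IOC list, a Mimecast reference on a non-Mimecast host, and the recipient's own address embedded in the link. The genuine-Mimecast check (mimecast.com and its subdomains), the log format and the sample lines are assumptions made for the example.

```python
from urllib.parse import urlparse
# Defanged indicators exactly as published in the write-up above.
DEFANGED_IOCS = [
    "realfruitpowernepal[.]com",
    "hXXps://hiudgntxrg[.]web[.]app/#",
    "hXXp://aznyibe[.]creedidory[.]com/#",
    "162[.]0[.]217[.]31",
    "199[.]36[.]158[.]100",
]

def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its live form for matching."""
    return ioc.replace("[.]", ".").replace("hXXps://", "https://").replace("hXXp://", "http://")

def ioc_hosts(iocs) -> set:
    """Collect the host part (domain or IP) of every indicator, lower-cased."""
    return {(urlparse(i).hostname if "://" in i else i).lower() for i in map(refang, iocs)}
IOC_HOSTS = ioc_hosts(DEFANGED_IOCS)

def classify_url(url: str, recipient: str) -> list:
    """Return the reasons a hovered/clicked URL resembles this lure (empty list = clean)."""
    host = (urlparse(url).hostname or "").lower()
    low = url.lower()
    reasons = []
    if host in IOC_HOSTS:
        reasons.append("host matches published IOC")
    # The lure's hover URL showed a Mimecast reference but pointed at a non-Mimecast host.
    # Assumption for this example: only mimecast.com and its subdomains count as genuine.
    genuine = host == "mimecast.com" or host.endswith(".mimecast.com")
    if "mimecast" in low and not genuine:
        reasons.append("Mimecast reference on non-Mimecast host")
    if recipient and recipient.lower() in low:
        reasons.append("recipient address embedded in URL")
    return reasons

def scan_log(text: str) -> list:
    """Scan 'recipient url' lines; return (recipient, url, reasons) for each suspicious URL."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and (reasons := classify_url(parts[1], parts[0])):
            hits.append((parts[0], parts[1], reasons))
    return hits

# Constructed sample click log (not real traffic); line 2 imitates the lure's hover URL.
SAMPLE_LOG = """\
alice@example.test https://hiudgntxrg.web.app/#
bob@example.test https://example-mail.test/mimecast/continue?user=bob@example.test
carol@example.test https://www.mimecast.com/
"""
```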

Read more: https://cofense.com/blog/it-support-mimecast-phish/