A phishing attack on March 25, 2025 compromised the Mailchimp account of security researcher Troy Hunt. The attack has reportedly been linked to the group tracked as Scattered Spider and relied on social engineering; investigators at Validin then pivoted on DNS history from the phishing domain to uncover related attacker infrastructure. Troy Hunt's openness in publishing the details of the attack offers practical lessons for protecting sensitive information against similar threats. Affected: Troy Hunt, Mailchimp. Attributed actor: Scattered Spider
Key points:
- Troy Hunt, a security researcher, was targeted in a phishing attack that led to the compromise of his Mailchimp account.
- The attack was linked to the group known as Scattered Spider, also referred to as 0ktapus.
- The lure email created a sense of urgency and directed the victim to the lookalike domain mailchimp-sso[.]com, which impersonated Mailchimp's sign-in page.
- Validin’s tools were utilized to track DNS history and identify over 200 related domains.
- The investigation involved examining domain registration details and host response data.
- Unauthorized access to Hunt’s Mailchimp account allowed attackers to export his mailing list.
- The tactics, techniques, and procedures (TTPs) used are consistent with past activities of Scattered Spider.
MITRE Techniques:
- T1566.002 – Phishing: Spearphishing Link: the lure email led the target to the lookalike login page at mailchimp-sso[.]com, where the credentials were captured.
- T1071.001 – Application Layer Protocol: Web Protocols: the phishing site was served over HTTP/HTTPS and fronted by Cloudflare, a legitimate service that let the attackers blend in with normal web traffic and disguise the hosting behind it.
- T1098 – Account Manipulation: after taking over the account with the phished credentials, the attackers created a Mailchimp API key and used it to export the mailing list.
Indicators of Compromise:
- [Domain] mailchimp-sso[.]com
- [IP Address] 159.100.6[.]244
- [IP Address] 176.65.141[.]197
- [IP Address] 159.100.20[.]154
- [IP Address] 31.172.83[.]147
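The DNS-history pivot described in the key points (tracking DNS history, then filtering candidates by registration details and host response data) and the indicator list above can be combined into a small triage script. The following is an added example, not Validin's tooling or code from the original post: the passive-DNS records, registrar/page-title fingerprints and proxy log lines in it are constructed for illustration, and only the seed domain and the four IP addresses come from the published indicators. The script refangs the indicators, walks the constructed DNS history outward from the seed domain while skipping IPs that host too many unrelated tenants, keeps only domains whose fingerprint matches the seed, and then scans sample log lines for the expanded indicator set plus any Mailchimp lookalike hostname.

```python
"""Infrastructure pivot and IoC matching for the mailchimp-sso[.]com campaign.
Added example; all datasets below are constructed, not Validin's data."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# From the published indicator list (defanged).
PUBLISHED_IOCS = [
    "mailchimp-sso[.]com",
    "159.100.6[.]244",
    "176.65.141[.]197",
    "159.100.20[.]154",
    "31.172.83[.]147",
]

def refang(ioc: str) -> str:
    """Turn a defanged indicator into a matchable, normalised string."""
    return ioc.strip().lower().replace("[.]", ".").replace("hxxp", "http")

# Constructed passive-DNS history as (domain, ip). Only the seed domain and the
# IoC IPs are real; every other domain is hypothetical. 203.0.113.10 (TEST-NET)
# models a shared host that the seed once pointed at.
PASSIVE_DNS: List[Tuple[str, str]] = [
    ("mailchimp-sso.com", "159.100.6.244"),
    ("mailchimp-sso.com", "176.65.141.197"),
    ("mailchimp-sso.com", "203.0.113.10"),
    ("brand-sso-login.net", "159.100.6.244"),
    ("secure-okta-verify.com", "176.65.141.197"),
    ("secure-okta-verify.com", "159.100.20.154"),
    ("crm-auth-portal.com", "159.100.20.154"),
    ("florist.example", "203.0.113.10"),
    ("bakery.example", "203.0.113.10"),
    ("plumber.example", "203.0.113.10"),
]

# Constructed (registrar, HTTP <title>) fingerprint per domain, standing in for
# the registration details and host response data used to confirm a pivot.
FINGERPRINTS: Dict[str, Tuple[str, str]] = {
    "mailchimp-sso.com": ("Registrar-A", "Sign in"),
    "brand-sso-login.net": ("Registrar-A", "Sign in"),
    "secure-okta-verify.com": ("Registrar-A", "Sign in"),
    "crm-auth-portal.com": ("Registrar-B", "Welcome"),
    "florist.example": ("Registrar-C", "Flowers"),
    "bakery.example": ("Registrar-C", "Bread"),
    "plumber.example": ("Registrar-C", "Plumbing"),
}

MAX_DOMAINS_PER_IP = 3  # above this an IP is treated as shared hosting / CDN

def pivot(seed: str, pdns: List[Tuple[str, str]],
          max_shared: int = MAX_DOMAINS_PER_IP, depth: int = 2) -> Set[str]:
    """Breadth-first walk domain -> IP -> domain, ignoring noisy shared IPs."""
    ip_to_domains, domain_to_ips = defaultdict(set), defaultdict(set)
    for domain, ip in pdns:
        ip_to_domains[ip].add(domain)
        domain_to_ips[domain].add(ip)
    found, frontier = {seed}, {seed}
    for _ in range(depth):
        nxt: Set[str] = set()
        for domain in frontier:
            for ip in domain_to_ips[domain]:
                if len(ip_to_domains[ip]) > max_shared:
                    continue  # shared host: would drag in unrelated tenants
                nxt |= ip_to_domains[ip]
        frontier = nxt - found
        found |= nxt
    return found

def build_indicators() -> Set[str]:
    """Published IoCs plus pivoted domains whose fingerprint matches the seed."""
    seed = refang(PUBLISHED_IOCS[0])
    related = {d for d in pivot(seed, PASSIVE_DNS)
               if FINGERPRINTS.get(d) == FINGERPRINTS[seed]}
    return {refang(i) for i in PUBLISHED_IOCS} | related

KNOWN_GOOD = {"mailchimp.com"}  # legitimate registered domain for the brand

def registered_domain(host: str) -> str:
    # Naive eTLD+1 (last two labels); use a public-suffix list for real data.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def is_brand_lookalike(host: str, brand: str = "mailchimp") -> bool:
    return brand in host.lower() and registered_domain(host) not in KNOWN_GOOD

# Constructed proxy log lines: timestamp user dst=<host> ip=<resolved ip>.
LOG_LINES = [
    "2025-03-25T10:02:11Z alice dst=us1.admin.mailchimp.com ip=198.51.100.5",
    "2025-03-25T10:03:44Z bob dst=mailchimp-sso.com ip=159.100.6.244",
    "2025-03-25T10:04:02Z carol dst=secure-okta-verify.com ip=176.65.141.197",
    "2025-03-25T10:05:19Z dave dst=mailchimp-login-verify.info ip=192.0.2.44",
    "2025-03-25T10:06:00Z erin dst=florist.example ip=203.0.113.10",
]
LOG_RE = re.compile(r"(?P<ts>\S+) (?P<user>\S+) dst=(?P<host>\S+) ip=(?P<ip>\S+)")

def scan_logs(lines: List[str], indicators: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (user, host, reasons) for lines touching indicators or lookalikes."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host, ip = m["host"].lower(), m["ip"]
        reasons = []
        if host in indicators or registered_domain(host) in indicators:
            reasons.append("ioc-domain")
        if ip in indicators:
            reasons.append("ioc-ip")
        if is_brand_lookalike(host):
            reasons.append("lookalike")
        if reasons:
            hits.append((m["user"], host, ",".join(reasons)))
    return hits

if __name__ == "__main__":
    for hit in scan_logs(LOG_LINES, build_indicators()):
        print(*hit)
```

The shared-host threshold is the main lever: the seed's historical record on 203.0.113.10 is dropped because that IP also serves three unrelated tenants, which is exactly the false-positive path a naive pivot would take. The same caveat applies to the Cloudflare fronting noted in the TTPs, since a domain behind a CDN resolves to edge IPs shared with thousands of sites, so IP-level pivots and blocks should be validated against registration and response fingerprints before any of them reach a blocklist.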
Full Story: https://www.validin.com/blog/pulling_threads_on_phishing_campaign/