Attackers are sending spoofed “Email Delivery” notifications whose links redirect through cbssports[.]com to a phishing site on mdbgo[.]io. The site’s code is obfuscated, and it harvests credentials over a websocket so that they are exfiltrated instantly and the victim can be prompted for 2FA codes. Unit42 has reported similar campaigns; this variant encodes the spoofed recipient address in base64 within the links and shows a personalized fake login screen. Malwarebytes blocks the phishing pages. #mdbgo.io #cbssports.com
Key points
- Attack emails impersonate internal spam-filter or secure-message notifications, claiming that messages are pending after a “Secure Message” upgrade, to lure clicks.
- Both the “Move to Inbox” button and the unsubscribe link redirect via cbssports[.]com to a phishing domain mdbgo[.]io, which Malwarebytes blocked.
- Links include the spoofed recipient address encoded in base64 so the phishing page pre-fills the target’s domain to appear personalized and legitimate.
- The phishing site’s code is heavily obfuscated and uses a websocket to immediately harvest credentials and prompt for additional data like 2FA codes.
- Immediate risks include account takeover, access to cloud storage, password resets across services, and account impersonation.
- Recommended defenses: verify sender addresses, check browser URLs before signing in, use MFA and a password manager, keep software updated, and use web-protection security tools.
- Malwarebytes Browser Guard and Malwarebytes protections can block these phishing pages and redirects.
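The base64-encoded recipient address and the redirect hop described in the key points can be triaged from mail or proxy logs. The Python below is an added example written for this summary, not code from Malwarebytes or the original report; it assumes the encoded address sits in the path, query or fragment of the link (the exact URL layout is not given here), uses constructed sample values, and `redirect.example` stands in for the abused redirect host.

```python
import base64
import re
from urllib.parse import parse_qsl, quote, urlparse

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{8,}={0,2}$")

def _try_b64(token: str):
    """Decode token as standard or URL-safe base64 text; None if neither."""
    if not B64_RE.match(token):
        return None
    padded = token + "=" * (-len(token) % 4)  # tolerate stripped padding
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            return decoder(padded).decode("ascii")
        except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
            continue
    return None

def find_encoded_recipients(url: str) -> list:
    """E-mail addresses hidden as base64 in a link's path, query or fragment;
    query values that are themselves URLs (the redirect target) are checked too."""
    parsed = urlparse(url)
    tokens = [seg for seg in parsed.path.split("/") if seg]
    tokens += [v for _, v in parse_qsl(parsed.query, keep_blank_values=True)]
    tokens += [parsed.fragment] if parsed.fragment else []
    found = []
    for tok in tokens:
        if tok.startswith(("http://", "https://")):
            found += find_encoded_recipients(tok)  # nested redirect target
            continue
        decoded = _try_b64(tok)
        if decoded and EMAIL_RE.match(decoded.strip()):
            found.append(decoded.strip())
    return found

def triage_url(url: str, phish_domains) -> dict:
    """Flag a tracking/redirect link whose target is a known phishing domain."""
    target_host = None
    for _, value in parse_qsl(urlparse(url).query):
        host = urlparse(value).hostname
        if host and any(host == d or host.endswith("." + d) for d in phish_domains):
            target_host = host
    return {"redirect_target_host": target_host,
            "encoded_recipients": find_encoded_recipients(url)}

# Constructed sample: the lure link carries the redirect target (constructed subdomain),
# which in turn carries the placeholder recipient address as a base64 fragment.
SAMPLE_RECIPIENT = "user@corp.example"
SAMPLE_TARGET = "https://login.mdbgo.io/#" + base64.b64encode(SAMPLE_RECIPIENT.encode()).decode()
SAMPLE_URL = "https://redirect.example/track?u=" + quote(SAMPLE_TARGET, safe="")
```

Run `triage_url(SAMPLE_URL, ("mdbgo.io",))` over URLs pulled from mail headers or proxy logs; a non-empty `encoded_recipients` list together with a matched `redirect_target_host` is the signature this campaign leaves.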
MITRE Techniques
- [T1566] Phishing – Email messages spoofing internal “Secure Message” or spam-filter notifications to trick users into clicking links: “…Email Delivery Reports: Incoming Pending Messages… Move To Inbox (button)”
- [T1204] User Execution – Victims are enticed to interact with a “Move to Inbox” button or unsubscribe link which triggers the redirect: “…Both the ‘Move to Inbox’ button and the unsubscribe link abuse a cbssports[.]com redirect…”
- [T1176] Browser Extensions – Use of web-protection (e.g., Malwarebytes Browser Guard) is mentioned as effective mitigation against the phishing page: “…The free Malwarebytes Browser Guard extension would have stopped this attack as well…”
- [T1606] Obfuscated Files or Information – Phishing site’s code is heavily obfuscated to hinder analysis: “…the phishing site’s code is heavily obfuscated…”
- [T1105] Ingress Tool Transfer – Redirects via cbssports[.]com to host content on mdbgo[.]io to deliver the phishing page: “…redirect to reach the real phishing site located on the domain mdbgo[.]io…”
- [T1056] Input Capture – Use of a websocket to capture credentials instantly as the user types and to request additional authentication info: “…credentials are harvested through a websocket… This lets the browser and server send messages instantly… attackers could instantly take control…”
Indicators of Compromise
- [Domain] phishing redirect and hosting – cbssports[.]com (used as redirect), mdbgo[.]io (phishing site)
- [Subdomains/hosts] additional suspicious hosts seen – several subdomains of mdbgo[.]io, xxx-three-theta.vercel[.]app
- [Domain] likely malicious infrastructure – client1.inftrimool[.]xyz, psee[.]io
- [Worker/Cloud host] obfuscated worker domains used to host content – veluntra-technology-productivity-boost-cold-pine-8f29.ellenplum9.workers[.]dev
- [Domain] other suspicious domains observed – lotusbridge.ru[.]com, shain-log4rtf.surge[.]sh