Cofense PDC uncovered a phishing campaign targeting Xiaomi users that uses convincing emails impersonating Xiaomi HR/IT to direct victims to a counterfeit Mi Account login page. When victims enter credentials on the fake page hosted at amolikhousing.co[.]in (the observed infection URL, served from IP 43.225.54.162), those credentials are captured and may give attackers unauthorized access.
Keypoints
- Threat actors sent convincing emails impersonating Xiaomi (HR/IT/account services) to create urgency and prompt clicks on a masked hyperlink.
- The malicious link redirects to a highly convincing counterfeit Xiaomi “Mi Account” login page that closely mimics the legitimate portal.
- When users enter credentials on the fake login page, those credentials are captured and can provide unauthorized access to sensitive data and internal systems.
- Observed IOCs include the infection URL hxxps://www[.]amolikhousing[.]co[.]in/XIAOMI/ and IP 43.225.54.162, as well as the sender backing@ocode[.]or[.]tz.
- Cofense emphasizes that such attacks rely on brand impersonation and human trust rather than malware, reducing the effectiveness of basic email filtering alone.
- Cofense Managed Phishing Defense Services combine human analyst review and threat intelligence with detection technology to validate, respond to, and contain these phishing attacks.
MITRE Techniques
- [T1566] Phishing – Attackers used email impersonation to deliver the malicious link and lure recipients into a credential-harvesting page (‘threat actors often exploit the company’s popularity by crafting phishing emails that appear to come from trusted Xiaomi sources’).
- [T1566.002] Spearphishing Link – The email contained a masked hyperlink that redirected victims to a counterfeit login page hosting the credential capture form (‘the masked hyperlink containing the malicious URL “hxxps[://]www[.]amolikhousing[.]co[.]in/XIAOMI/”’).
- [T1036] Masquerading – The campaign imitated Xiaomi branding, layout, and corporate language to appear legitimate and reduce suspicion (‘makes the email appear legitimate by imitating official corporate communications’; the phishing page also replicated Xiaomi UI elements).
- [T1204.002] User Execution: Malicious Link – Social engineering created urgency to encourage users to click the link before verifying it (‘creating urgency by stating access will expire within 24 hours’ and ‘encouraging recipients to click on malicious links before they have time to verify the message’).
- [T1078] Valid Accounts – Credentials captured by the phishing page could be used as valid account credentials to gain unauthorized access to sensitive data and internal systems (‘Once users enter their credentials…the information is captured by the attackers, potentially giving them unauthorized access to sensitive data and internal systems’).
Indicators of Compromise
- [Infection URL] Phishing landing page – hxxps://www[.]amolikhousing[.]co[.]in/XIAOMI/
- [IP Address] Host associated with the phishing page – 43.225.54.162
- [Email Address] Observed sender used to deliver the phishing email – backing@ocode[.]or[.]tz
- [Domain] Domain hosting the counterfeit portal – amolikhousing[.]co[.]in
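The two red flags this summary describes (a masked hyperlink whose visible text names one domain while its href goes elsewhere, and a Xiaomi-themed mail from an unrelated sender) can be checked mechanically at the mail gateway. The following is an added example, not Cofense's tooling: it refangs the IOCs listed above, treats the Xiaomi brand domains as an assumption, and runs the checks over a constructed HTML body modelled on the described lure.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators quoted in the summary above, refanged for matching.
KNOWN_PHISHING_DOMAINS = {"www.amolikhousing.co.in", "amolikhousing.co.in"}
KNOWN_PHISHING_SENDERS = {"backing@ocode.or.tz"}
# Assumption: domains a genuine Xiaomi account mail would come from or link to.
BRAND_DOMAINS = {"xiaomi.com", "account.xiaomi.com", "mi.com"}

class AnchorExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyze_email(sender, html_body):
    """Return the red flags found in one message (empty list means none)."""
    flags = []
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if sender.lower() in KNOWN_PHISHING_SENDERS:
        flags.append(f"sender {sender} is a known phishing sender")
    if sender_domain not in BRAND_DOMAINS:
        flags.append(f"Xiaomi-themed mail sent from non-brand domain {sender_domain}")
    parser = AnchorExtractor()
    parser.feed(html_body)
    for href, text in parser.anchors:
        host = (urlparse(href).hostname or "").lower()
        if host in KNOWN_PHISHING_DOMAINS:
            flags.append(f"link points at known phishing host {host}")
        # Masked hyperlink: the visible text looks like a hostname/URL that differs from the real target.
        shown = re.sub(r"^https?://", "", text.lower()).split("/")[0]
        if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", shown) and shown != host:
            flags.append(f"masked link: displays '{text}' but goes to {host}")
    return flags

# Constructed sample modelled on the lure described above (sender and URL from the IOC list).
SAMPLE_SENDER = "backing@ocode.or.tz"
SAMPLE_HTML = ('<p>Your Mi Account access will expire within 24 hours.</p>'
               '<a href="https://www.amolikhousing.co.in/XIAOMI/">https://account.xiaomi.com/login</a>')
```

Running `analyze_email(SAMPLE_SENDER, SAMPLE_HTML)` yields four flags: known sender, non-brand sender domain, known phishing host, and the masked link; a mail from xiaomi.com whose link text and href agree yields none.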
Read more: https://cofense.com/blog/xiaomi-phishing-attempt-red-flags-you-can-t-afford-to-ignore