Threat Bulletin

Blackwell Helix Threat Bulletin: Morphing Meerkat Phishing as a Service


Key Alert:

A newly identified phishing-as-a-service (PhaaS) platform, dubbed Morphing Meerkat, is using DNS over HTTPS (DoH) and MX record abuse to dynamically generate spoofed login pages for over 114 brands. This operation, active since at least 2020, has largely evaded detection and presents a growing threat to sectors including healthcare. The abuse of DNS MX records, combined with encrypted DNS queries via DoH, significantly complicates traditional detection mechanisms.

Threat Overview:

Morphing Meerkat is a sophisticated phishing platform sold as a service to threat actors. It lowers the barrier to entry for phishing attacks and includes a range of evasive and dynamic features.

Key aspects include:

  • Dynamic Spoofing via DNS MX Records: The PhaaS platform uses DNS mail exchange (MX) records to identify the victim’s email provider. It then dynamically generates realistic spoofed login pages for over 114 brands, including Gmail, Outlook, Yahoo, DHL, Maersk, and RakBank.
  • Multilingual Targeting: Phishing messages are crafted in multiple languages including English, Spanish, Russian, and Chinese, enabling broader geographic targeting.
  • Encrypted DNS with DoH: DNS over HTTPS is leveraged to hide DNS queries in encrypted HTTPS traffic, bypassing traditional DNS logging and monitoring tools.
  • Centralized Infrastructure: Phishing emails are distributed via centralized SMTP servers, with infrastructure traced back to providers like iomart (UK) and HostPapa (US).

Current Threat Landscape:

Morphing Meerkat has been active since at least 2020, and despite its long-standing presence, has only recently gained attention due to its increasingly sophisticated evasion tactics. The use of DoH for encrypted DNS lookups and MX record abuse for tailored phishing content highlights the innovation within the PhaaS space and the need for updated defenses. Its ability to mimic real-world login experiences makes detection especially difficult for both users and automated defenses.

Healthcare Impacts:

The healthcare industry is an attractive target due to its reliance on third-party communication platforms, sensitive patient data, and decentralized networks. Potential impacts include:

  • Compromised Patient Portals: Spoofed login pages for healthcare-related accounts may lead to unauthorized access to patient data and medical records.
  • Targeted Credential Harvesting: Healthcare employees may be tricked into revealing login credentials, giving attackers access to internal systems or sensitive data.
  • Communication Platform Disruption: Phishing attacks targeting staff emails may disrupt workflows and delay care coordination, especially in telehealth settings.

Exploitation Method:

Attackers send phishing emails crafted to match the victim’s language and regional settings. Upon clicking the embedded link, the target is redirected to a spoofed login page that mimics their actual email provider. The phishing site is dynamically selected based on a lookup of the victim’s MX record.

DNS queries to fetch MX record information and resolve malicious domains are routed via DNS over HTTPS, allowing attackers to hide their activity within encrypted traffic and evade DNS monitoring tools.

Affected Products and Versions:

While Morphing Meerkat is not tied to a specific software product, the following are commonly impersonated and may be targets in phishing campaigns:

  • Google Workspace
  • Microsoft 365 (Outlook/Exchange Online)
  • Yahoo Small Business Email / Verizon Business Email
  • DHL
  • Maersk
  • RakBank

Any cloud-based login system, especially for services with widespread adoption in healthcare or finance, is at risk of being spoofed.

Indicators of Compromise (IoCs):

  • Suspicious Email Patterns: Emails requesting urgent account verification or login, often including typos or unusual sender domains.
  • Encrypted DNS Requests (DoH): DNS lookups hidden in HTTPS traffic, especially to domains related to known MX record lookups.
  • Unusual Logins: Authentication attempts from unexpected IP addresses or geolocations.
  • Login Portal Spoofing: External links closely mimicking the branding of major service providers.

NOTE: The full list of IoCs is provided in the GitHub repository linked below.
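The following detection logic is an added illustration, not part of the bulletin or Blackwell's tooling. It covers the DoH-based MX lookup described under Exploitation Method and the "Encrypted DNS Requests (DoH)" indicator above: it decodes the base64url DNS wire-format question carried in DoH GET requests as seen in a web gateway's decrypted URL log and flags queries for MX records. It assumes a TLS-inspecting gateway that logs the full request URL in the "<timestamp> <client-ip> <method> <url>" format shown; the log lines, hostnames and addresses are constructed placeholders.

```python
import base64
import re
import struct
MX_QTYPE = 15  # DNS query type for mail exchange (MX) records

def build_doh_query(qname: str, qtype: int) -> str:
    """Encode a DNS query as a DoH GET 'dns' parameter (base64url, no padding)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # id 0, RD set, one question
    qname_wire = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    msg = header + qname_wire + struct.pack("!HH", qtype, 1)  # qclass IN
    return base64.urlsafe_b64encode(msg).decode().rstrip("=")

def decode_doh_question(dns_param: str):
    """Return (qname, qtype) for the first question in a DoH 'dns' parameter, or None."""
    msg = base64.urlsafe_b64decode(dns_param + "=" * (-len(dns_param) % 4))
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] < 1:
        return None
    pos, labels = 12, []
    while pos < len(msg) and msg[pos] != 0:
        length = msg[pos]
        if length & 0xC0:  # compression pointers never appear in a question name
            return None
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    if pos + 5 > len(msg):  # need the terminating zero byte, qtype and qclass
        return None
    qtype = struct.unpack("!H", msg[pos + 1:pos + 3])[0]
    return ".".join(labels), qtype

# Assumed gateway log format: "<timestamp> <client-ip> <method> <url> ..." (decrypted URLs)
LOG_RE = re.compile(r"^(\S+) (\S+) GET https://([^/\s]+)/dns-query\?dns=([A-Za-z0-9_-]+)")

def flag_doh_mx_lookups(log_lines):
    """Return (timestamp, client, doh_host, qname) for each DoH MX lookup in the log."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        question = decode_doh_question(m.group(4)) if m else None
        if question and question[1] == MX_QTYPE:
            hits.append((m.group(1), m.group(2), m.group(3), question[0]))
    return hits

# Constructed sample log lines (not real traffic); hosts and addresses are placeholders.
SAMPLE_LOG = [
    "2025-03-27T10:01:02Z 10.0.0.5 GET https://doh.example/dns-query?dns="
    + build_doh_query("hospital.example", MX_QTYPE) + " HTTP/1.1 200",
    "2025-03-27T10:01:03Z 10.0.0.5 GET https://doh.example/dns-query?dns="
    + build_doh_query("www.hospital.example", 1) + " HTTP/1.1 200",
    "2025-03-27T10:01:04Z 10.0.0.7 GET https://www.hospital.example/ HTTP/1.1 200",
]
```

DoH clients may also POST the DNS message in the request body, which this URL-only check does not see; a gateway that logs request bodies would feed the same `decode_doh_question` routine.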

Tactics, Techniques, and Procedures (TTPs):

Tactic              Technique
Initial Access      External Remote Services (T1566)
Defense Evasion     Encrypted DNS (T1573.002)
Credential Access   Input Capture (T1056)

Recommendations for Healthcare Organizations:

Immediate Actions:

  • Enhance Email Filtering: Update email filters and anti-phishing rules to detect common indicators associated with Morphing Meerkat campaigns.
  • Brand and Domain Monitoring: Monitor for spoofed login portals and cloned domains targeting your organization or partners.
  • Email Authentication Enforcement: Strictly enforce SPF, DKIM, and DMARC to reduce spoofed email legitimacy.
  • Simulated Phishing Training: Conduct real-world phishing simulations and provide scenario-based training to improve resilience against social engineering.

Long-Term Defense:

  • Zero Trust Architecture: Minimize lateral movement and ensure continuous authentication even post-login.
  • DNS over HTTPS Monitoring: Since DNS over HTTPS bypasses traditional DNS logging, use web gateways and DNS-layer tools that analyze encrypted traffic through Server Name Indication inspection, Transport Layer Security fingerprinting, and endpoint activity monitoring to detect suspicious DNS behavior and phishing infrastructure.
  • Collaborate with ISPs and DNS Providers: Work with upstream providers to identify, block, and sinkhole malicious DoH endpoints.

Leadership Guidance:

Healthcare executives must recognize that phishing has evolved beyond basic email scams. Sophisticated PhaaS platforms like Morphing Meerkat exploit both technical and human vulnerabilities. Investments should prioritize staff education, threat detection capabilities, and strategic collaboration with DNS and cloud service providers to stay ahead of increasingly evasive phishing tactics.

Blackwell Security MHXDR Customers:

Blackwell Security continuously monitors for phishing campaigns, DNS anomalies, and suspicious infrastructure. Blackwell has integrated threat intelligence indicators of compromise to identify activity associated with Morphing Meerkat. When customers report suspected phishing attempts, Blackwell's automated and manual analysis quickly identifies malicious emails, helping to maintain seamless operations.

References: