Phishing Kits Uncovered: Methods and Tactics Used to Evade SEGs, Sandboxes, and Analysts.
Threat actors have adopted increasingly sophisticated tactics to evade detection in email phishing campaigns, employing various methods to disguise malware and credential-phishing links. Prevalent techniques include embedding customized content in emails, utilizing legitimate file-sharing platforms, abusing open redirects, and incorporating QR codes that lead victims to phishing pages without drawing attention.
To evade scrutiny, these actors often leverage legitimate web services to host links to their malicious content instead of hosting the malware directly. They typically embed these links in recognized sites such as DocuSign, Google Docs, and Canva, because secure email gateways (SEGs) that rate links by domain reputation tend to allow such sites through. Additionally, they commonly use open redirects on well-known platforms like Google and YouTube, which do not scan the final redirect URL, further obscuring the phishing destination.
Indicators of Compromise (13)
| TYPE | INDICATOR | DESCRIPTION | CREATED |
|---|---|---|---|
| domain | trycloudflare.com | — | 2025-08-29 |
| FileHash-MD5 | c76b55d7b18c4d2c9888b98bb5e977d1 | — | 2025-08-29 |
| hostname | hardcover-recognized-real-collective.trycloudflare.com | — | 2025-08-29 |
| domain | workers.dev | — | 2025-08-29 |
| hostname | blob.core.windows.net | — | 2025-08-29 |
| domain | netlify.app | — | 2025-08-29 |
| domain | r2.dev | — | 2025-08-29 |
| hostname | pub-c76b55d7b18c4d2c9888b98bb5e977d1.r2.dev | — | 2025-08-29 |
| hostname | 67d430dcca6bc236023002a9.netlify.app | — | 2025-08-29 |
| hostname | projectdesignarchitectsd.blob.core.windows.net | — | 2025-08-29 |
| hostname | sun-shine.pages.dev | — | 2025-08-29 |
| hostname | chalk-azure-primula.glitch.me | — | 2025-08-29 |
| hostname | c1ient-indrctd1oadinn.distribute-employees-bonuses.workers.dev | — | 2025-08-29 |
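The pulse description makes two points a detection engineer has to handle together: the landing hosts sit on legitimate free-hosting services (so a single hostname indicator and a whole-service domain indicator have to be matched differently), and the link in the email is often an open redirect whose real destination is hidden in a query parameter that the gateway never inspects. The following script is an added example, not part of the pulse or of any vendor's tooling. It takes the host and domain indicators from the table above, unwraps redirect-style URLs offline (any query value that is itself an http(s) URL is treated as the next hop), and reports which hop matched which indicator. The email body and the `redirector.example` host are constructed for the demonstration; the MD5 row of the table is not used because the script matches hosts only.

```python
import re
from urllib.parse import parse_qs, urlparse

# Indicators copied from the pulse table above. A "domain" entry matches the
# domain itself and any subdomain; a "hostname" entry matches that host exactly.
INDICATORS = [
    ("domain", "trycloudflare.com"),
    ("domain", "workers.dev"),
    ("domain", "netlify.app"),
    ("domain", "r2.dev"),
    ("hostname", "blob.core.windows.net"),
    ("hostname", "hardcover-recognized-real-collective.trycloudflare.com"),
    ("hostname", "pub-c76b55d7b18c4d2c9888b98bb5e977d1.r2.dev"),
    ("hostname", "67d430dcca6bc236023002a9.netlify.app"),
    ("hostname", "projectdesignarchitectsd.blob.core.windows.net"),
    ("hostname", "sun-shine.pages.dev"),
    ("hostname", "chalk-azure-primula.glitch.me"),
    ("hostname", "c1ient-indrctd1oadinn.distribute-employees-bonuses.workers.dev"),
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def match_indicator(host):
    """Return the indicator value that covers `host`, or None."""
    host = host.lower().rstrip(".")
    # Exact hostnames first: they are the most specific evidence.
    for kind, value in INDICATORS:
        if kind == "hostname" and host == value:
            return value
    # Then domain indicators, which cover every tenant of a free-hosting service.
    for kind, value in INDICATORS:
        if kind == "domain" and (host == value or host.endswith("." + value)):
            return value
    return None


def unwrap_redirects(url, max_depth=5):
    """Follow open-redirect style wrappers without making any network request.

    Any query-string value that itself parses as an http(s) URL is treated as
    the next hop, so the returned chain ends at the URL the victim would land on.
    """
    chain = [url]
    for _ in range(max_depth):
        parsed = urlparse(chain[-1])
        nested = None
        for values in parse_qs(parsed.query).values():  # parse_qs percent-decodes
            for value in values:
                if value.lower().startswith(("http://", "https://")):
                    nested = value
                    break
            if nested:
                break
        if nested is None:
            break
        chain.append(nested)
    return chain


def scan_email(body):
    """Return (url_as_seen, landing_url, indicator) for every URL that resolves
    to a host covered by the pulse, checking each hop of a redirect chain."""
    hits = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;)")  # trailing punctuation is not part of the link
        for hop in unwrap_redirects(url):
            host = urlparse(hop).hostname or ""
            indicator = match_indicator(host)
            if indicator:
                hits.append((url, hop, indicator))
                break
    return hits


# Constructed sample message: the redirector host is a placeholder, not a real
# open-redirect endpoint; the landing hosts are indicators from the pulse.
SAMPLE_EMAIL = """Hi team,
Your bonus statement is ready: https://www.redirector.example/url?q=https%3A%2F%2Fc1ient-indrctd1oadinn.distribute-employees-bonuses.workers.dev%2Flogin
Internal reference: https://docs.internal.example/share/abc (no action needed)
Backup copy: https://sun-shine.pages.dev/view.
"""

if __name__ == "__main__":
    for seen, landing, ioc in scan_email(SAMPLE_EMAIL):
        print(f"HIT {ioc}\n  seen:    {seen}\n  landing: {landing}")
```

Two design points are worth noting. Matching a `domain` indicator by suffix means every tenant of that service is flagged, which is what the pulse intends for the free-hosting domains but would produce far too many false positives if the same treatment were applied to a `hostname` entry such as `blob.core.windows.net`; keeping the two indicator types distinct preserves that difference. Unwrapping redirects by parsing rather than by fetching keeps the check free of side effects, which matters for mail-flow rules where following a link would itself signal the phisher that the message was delivered.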