Phishing emails disguised as internal spam filter alerts are stealing logins by redirecting victims to a credential-harvesting site over websockets, according to Malwarebytes researchers. The campaign spoofs "Email Delivery Reports" from a Secure Message system and claims pending messages must be moved to the inbox, luring users to click a "Move to Inbox" button that abuses a cbssports[.]com redirect before landing on a phishing domain hosted on mdbgo[.]io. There, a fake single sign-on portal pre-populates the victim's domain to increase credibility and captures credentials in real time, mapping to MITRE ATT&CK techniques T1566 (Phishing) and T1078 (Valid Accounts) as attackers weaponize stolen logins for downstream account takeover and data theft. Malwarebytes notes the phishing site's code is heavily obfuscated, highlighting a more advanced, evolving phishing campaign rather than commodity spam.

The attack flow uses a websocket connection between the victim's browser and the phishing backend, functioning like a persistent two-way channel that never "hangs up." As users type credentials into the spoofed portal, the websocket immediately streams usernames, passwords, and any requested two-factor authentication codes to the operator, enabling rapid account compromise even against MFA-protected accounts. Both the primary call-to-action button and the unsubscribe link are weaponized, funneling traffic through redirects to evade basic URL filtering and make the spam filter alert scam appear legitimate. This approach represents a shift toward more interactive, real-time phishing infrastructure that can prompt victims for additional data on the fly, making traditional static phishing detections less effective.

For organizations, the business impact extends beyond a single mailbox compromise, since stolen credentials can unlock email, cloud storage, collaboration tools, and other SaaS platforms tied to the same identity.
Attackers can pivot into business email compromise, invoice fraud, or data exfiltration without deploying malware, sidestepping many endpoint protections. Compliance exposure is significant when compromised accounts provide access to regulated data subject to GDPR, HIPAA, or PCI-DSS, as it can be difficult to quickly determine the scope of access after successful credential theft.

Mitigation guidance from Malwarebytes emphasizes user awareness and layered technical controls rather than relying solely on spam filters. Defenders should educate users to distrust urgent "spam quarantine" or "secure message" alerts, verify sender domains, and always check the browser address bar before entering credentials, especially for webmail and cloud portals. Enforcing multi-factor authentication, using password managers that refuse to autofill on lookalike domains, and deploying web protection capable of blocking phishing domains such as mdbgo[.]io and related infrastructure can significantly reduce risk. Security teams should also monitor for anomalous logins, impossible travel, and suspicious OAuth grants tied to accounts that may have interacted with email delivery report phishing messages.
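The report's point that both the "Move to Inbox" button and the unsubscribe link route through a trusted-site redirect before reaching mdbgo[.]io is exactly what a basic URL filter misses when it only inspects the first hop. The script below is an added illustration (not Malwarebytes' code and not the campaign's) of the link triage a mail-security pipeline can do offline: it unwraps redirect-style query parameters without contacting any server, then blocks a link whose final destination is on a blocklisted domain or leaves the domain the visible link starts on. The HTML body, the `/redirect?url=` path and parameter on cbssports.com, and the `d=` pre-fill parameter are all constructed for the example; the report only states that a cbssports[.]com redirect is abused and that the portal pre-populates the victim's domain.

```python
"""
Static triage of the links in a suspected 'Email Delivery Report' message.

Added illustration, not Malwarebytes' code or the campaign's. Redirect
parameters are unwrapped offline (no server is contacted). The HTML, the
redirect path and parameter name on cbssports.com, and the 'd=' pre-fill
parameter are constructed; only the mdbgo.io host comes from the report.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Phishing host named in the report; everything else in this file is constructed.
BLOCKED_DOMAINS = {"mdbgo.io"}

# Query parameter names commonly carried by open redirectors (constructed list).
REDIRECT_PARAMS = ("url", "redirect", "redir", "next", "target", "goto", "u")

# Constructed sample body, not the real campaign HTML.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>You have 3 pending Secure Messages waiting to be moved to your inbox.</p>
<a href="https://www.cbssports.com/redirect?url=https%3A%2F%2Fsso-portal.mdbgo.io%2Flogin%3Fd%3Dexample.com">Move to Inbox</a>
<a href="https://www.cbssports.com/redirect?url=https%3A%2F%2Fsso-portal.mdbgo.io%2Funsub">Unsubscribe</a>
<a href="https://helpdesk.example.com/secure-message-faq">Help</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1 (last two labels); use a public-suffix library in production."""
    labels = (host or "").lower().split(".")
    return ".".join(labels[-2:])


def unwrap_redirects(url, max_hops=5):
    """Return the chain of URLs reached by following redirect parameters offline."""
    chain = [url]
    for _ in range(max_hops):
        query = parse_qs(urlparse(chain[-1]).query)  # parse_qs already percent-decodes values
        nxt = next((query[p][0] for p in REDIRECT_PARAMS if p in query), None)
        if not nxt or not nxt.lower().startswith(("http://", "https://")):
            break
        chain.append(nxt)
    return chain


def triage_links(html):
    """Classify every link as 'block' or 'allow', recording the reasons."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        chain = unwrap_redirects(href)
        first_host = urlparse(chain[0]).hostname or ""
        final_host = urlparse(chain[-1]).hostname or ""
        reasons = []
        if registered_domain(final_host) in BLOCKED_DOMAINS:
            reasons.append("final destination %s is blocklisted" % final_host)
        if len(chain) > 1 and registered_domain(first_host) != registered_domain(final_host):
            reasons.append("redirect leaves %s for %s" % (first_host, final_host))
        findings.append({
            "text": text,
            "href": href,
            "final": chain[-1],
            "verdict": "block" if reasons else "allow",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in triage_links(SAMPLE_EMAIL_HTML):
        print(finding["verdict"].upper(), repr(finding["text"]), "->", finding["final"], finding["reasons"])
```

The second rule (trusted first hop, different final domain) fires even when the destination is not yet on any blocklist, which matters for a campaign that rotates hosting; the blocklist rule then catches repeat use of known infrastructure. Neither rule needs the obfuscated page content, so it works before the user ever reaches the websocket-backed portal.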
🎯CORTEX Protocol Intelligence Assessment
Business Impact: This phishing campaign is high risk because it targets core identity systems rather than endpoint software, allowing attackers to compromise email, cloud, and SaaS accounts with no malware footprint. Real-time websocket-based harvesting combined with spoofed internal spam filter alerts enables convincing social engineering and rapid escalation into business email compromise, invoice fraud, and data exposure that can trigger GDPR or sectoral breach reporting obligations.

Technical Context: The use of cbssports[.]com redirects, obfuscated phishing code, and websockets demonstrates more mature phishing tradecraft that evades simplistic URL filters and static rule-based detections. Mapping primarily to T1566 (Phishing) and T1078 (Valid Accounts), this campaign highlights the need for domain-aware email security, strong MFA enforcement, and identity analytics that can detect unusual session behavior, rather than relying on signature-based phishing defenses alone.
⚡Strategic Intelligence Guidance
- Implement phishing-resistant MFA for email and cloud accounts.
- Deploy secure email gateways that detect spoofed internal notifications.
- Monitor identity logs for anomalous sign-ins and suspicious OAuth grants.
- Train users with real examples of spoofed spam filter alerts.
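Because the harvested credentials (and relayed MFA codes) are used for a live sign-in rather than malware, the detection opportunity shifts to the identity log, as the guidance above says: anomalous sign-ins, impossible travel, and suspicious OAuth grants. The script below is an added example (not Malwarebytes' code) of two such detections run over constructed identity-provider events: an impossible-travel rule on successive successful sign-ins, and a rule that flags a consent grant for mail-access scopes within a short window after a flagged sign-in. The users, IP addresses, GeoIP coordinates, app names and scope watchlist are all constructed; a real pipeline would read events from the identity provider's audit log and resolve locations with a GeoIP database.

```python
"""
Identity-log detections for the account-takeover stage of this campaign:
impossible travel between successive sign-ins, and an OAuth consent grant
for mail-access scopes shortly after such a sign-in.

Added example, not Malwarebytes' code. Users, IPs, GeoIP coordinates, app
names and the scope watchlist are constructed for illustration.
"""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900              # faster than an airliner: treat as impossible travel
GRANT_WINDOW = timedelta(hours=2)    # consent this soon after a flagged login is suspicious
RISKY_SCOPES = {"Mail.ReadWrite", "Mail.Send", "offline_access"}  # constructed watchlist

# Constructed GeoIP table: ip -> (city, latitude, longitude)
GEO = {
    "192.0.2.44": ("Berlin", 52.50, 13.40),
    "198.51.100.7": ("Lagos", 6.52, 3.38),
    "203.0.113.10": ("Berlin", 52.52, 13.41),
}

# Constructed identity-provider events, already sorted by timestamp.
EVENTS = [
    {"ts": "2024-05-02T08:02:00", "user": "a.jones@example.com", "type": "signin",
     "ip": "192.0.2.44", "result": "success"},
    {"ts": "2024-05-02T08:31:00", "user": "a.jones@example.com", "type": "signin",
     "ip": "198.51.100.7", "result": "success"},
    {"ts": "2024-05-02T08:40:00", "user": "a.jones@example.com", "type": "oauth_consent",
     "ip": "198.51.100.7", "app": "MailSync Helper", "scopes": ["Mail.ReadWrite", "offline_access"]},
    {"ts": "2024-05-02T13:15:00", "user": "b.lee@example.com", "type": "signin",
     "ip": "203.0.113.10", "result": "success"},
    {"ts": "2024-05-02T17:00:00", "user": "b.lee@example.com", "type": "oauth_consent",
     "ip": "203.0.113.10", "app": "Calendar Viewer", "scopes": ["Calendars.Read"]},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def analyze(events):
    """Return a list of alerts; each carries a 'rule', the user and the event timestamp."""
    alerts = []
    last_signin = {}   # user -> (datetime, ip) of the previous successful sign-in
    flagged_at = {}    # user -> datetime of the most recent impossible-travel alert
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["type"] == "signin" and ev["result"] == "success":
            prev = last_signin.get(user)
            here = GEO.get(ev["ip"])
            there = GEO.get(prev[1]) if prev else None
            if prev and here and there:  # skip the rule when either IP has no location
                km = haversine_km(there[1], there[2], here[1], here[2])
                hours = max((ts - prev[0]).total_seconds() / 3600, 1 / 60)  # floor at one minute
                if km / hours > MAX_PLAUSIBLE_KMH:
                    alerts.append({"rule": "impossible_travel", "user": user, "ts": ev["ts"],
                                   "from": there[0], "to": here[0], "kmh": round(km / hours)})
                    flagged_at[user] = ts
            last_signin[user] = (ts, ev["ip"])
        elif ev["type"] == "oauth_consent":
            risky = RISKY_SCOPES.intersection(ev["scopes"])
            recently_flagged = user in flagged_at and ts - flagged_at[user] <= GRANT_WINDOW
            if risky and recently_flagged:
                alerts.append({"rule": "oauth_grant_after_suspicious_signin", "user": user,
                               "ts": ev["ts"], "app": ev["app"], "scopes": sorted(risky)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(EVENTS):
        print(alert)
```

In the constructed data, a.jones signs in from Berlin and then from Lagos 29 minutes later, which fires the impossible-travel rule; the mail-scope consent granted nine minutes after that is the kind of persistence step the guidance warns about and fires the second rule. b.lee's single sign-in and calendar-only consent produce nothing, which is the point of chaining the second rule to a flagged sign-in rather than alerting on every consent.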
Threats
- Spam filter alert phishing
- Credential theft
Targets
- Corporate email users
- Organizations using cloud email