Nifty[.]com Infrastructure Exploited in Phishing Attack

Between April and May 2025, threat actors launched a multi-wave phishing campaign by exploiting the trusted infrastructure of Nifty[.]com, a major Japanese ISP.

Instead of spoofing domains, they registered free consumer accounts and sent phishing emails through Nifty’s own mail servers—such as mta-snd-e0X.mail.nifty[.]com—using IP ranges like 106.153.226.0/24 and 106.153.227.0/24.

Discovered by Raven, a threat detection firm, the campaign bypassed traditional email defenses because the messages passed SPF, DKIM, and DMARC checks. That let them slip past most secure email gateways (SEGs), which lean heavily on authentication failures or known-bad sender domains to detect threats.

The operation unfolded in several waves, starting on April 28 with lures themed around an “Execution Agreement,” followed by waves on May 7 and May 16 using “SAFE Agreement” themes. A spike in activity occurred on May 23, when dozens of emails were sent in under a minute—indicating automation and likely phishing kit usage.

Instead of links, emails carried attachments like PDFs and HTML files (e.g., SAFE_Terms_May2025.pdf, Execution_Agreement.html) that triggered redirect chains via legitimate tracking tools, ultimately leading to phishing sites hosted on obfuscated domains such as 2vf78gnafutdc5zqmhng[.]iqmwpx[.]ru.

These sites were designed to steal credentials and hijack Gmail sessions through token theft.

Adaptive Attack Waves Exploit Trust and Evasion Tactics

The phishing campaign leveraging Nifty[.]com didn’t rely on crude techniques—it evolved with each wave, making detection increasingly difficult. Attackers used advanced evasion methods such as HTML padding with whitespace characters, multipart MIME structures to conceal payloads, and display name spoofing like “Name via DocuSign.”

The emails also featured AI-generated content with near-perfect grammar, allowing them to slip past conventional security filters.

Raven, the threat detection firm that uncovered this campaign, flagged it through behavioral anomalies—unusual sender-recipient patterns, repeated contract-themed lures, consistent attachment naming, and redirect chains leading to suspicious domains.

These indicators helped detect threats that otherwise looked legitimate on the surface.
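The indicators above (relay IP ranges and passing authentication, the one-minute sending burst, "Name via DocuSign" display names, whitespace-padded HTML, and contract-themed attachment names) can be turned into a small triage pass over mail metadata. The following is an added example, not Raven's, Nifty's, or any vendor's code: the message records, the mailbox `user12345@nifty.com`, the 10-messages-per-minute burst threshold, and the 80% whitespace cutoff are constructed assumptions; only the two /24 ranges and the lure names come from the article.

```python
"""Heuristic triage of mail metadata for the indicators in the article above.
Added example, not Raven's or Nifty's code; all sample messages are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Relay ranges named in the article. A hit is a risk signal, not a blocklist:
# legitimate Nifty subscribers send through the same servers.
SENDER_RANGES = [ipaddress.ip_network("106.153.226.0/24"),
                 ipaddress.ip_network("106.153.227.0/24")]
CONSUMER_MAIL_DOMAIN = "nifty.com"
# Lure themes seen across the waves (Execution Agreement, SAFE Agreement / SAFE Terms).
LURE_RE = re.compile(r"(safe|execution)[ _-]?(agreement|terms)", re.IGNORECASE)
# Display names of the form "Name via DocuSign" where the sender domain is not the brand's.
VIA_BRAND_RE = re.compile(r"\bvia\s+([a-z]+)\b", re.IGNORECASE)
BURST_WINDOW_SECONDS = 60
BURST_THRESHOLD = 10          # assumption: tune to the organisation's own baseline


def score_message(msg):
    """Return the list of indicator names that fire for one message dict."""
    reasons = []
    src = ipaddress.ip_address(msg["source_ip"])
    if any(src in net for net in SENDER_RANGES):
        reasons.append("consumer_isp_relay_range")
    from_domain = msg["from_addr"].rsplit("@", 1)[-1].lower()
    # SPF/DKIM/DMARC 'pass' only proves the ISP relayed it, not that the mailbox is honest.
    if from_domain == CONSUMER_MAIL_DOMAIN and msg["auth_result"] == "pass":
        reasons.append("authenticated_consumer_mailbox")
    m = VIA_BRAND_RE.search(msg["display_name"])
    if m and m.group(1).lower() not in from_domain:
        reasons.append("display_name_brand_mismatch")
    if any(LURE_RE.search(name) for name in msg["attachments"]):
        reasons.append("contract_themed_attachment")
    if any(whitespace_ratio(body) > 0.8 for body in msg.get("html_bodies", [])):
        reasons.append("whitespace_padded_html")
    return reasons


def whitespace_ratio(text):
    """Fraction of whitespace characters; padding meant to defeat content scanners drives this up."""
    if not text:
        return 0.0
    return sum(c.isspace() for c in text) / len(text)


def find_bursts(msgs, window=BURST_WINDOW_SECONDS, threshold=BURST_THRESHOLD):
    """Map sender -> peak number of messages inside any `window` seconds, for peaks >= threshold."""
    by_sender = defaultdict(list)
    for m in msgs:
        by_sender[m["from_addr"]].append(datetime.fromisoformat(m["timestamp"]))
    bursts = {}
    for sender, times in by_sender.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted send times
            while (t - times[start]).total_seconds() > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[sender] = peak
    return bursts


# Constructed samples: one ordinary business message, one modelled on the campaign.
BENIGN = {"from_addr": "alice@example.org", "display_name": "Alice Example",
          "source_ip": "203.0.113.5", "auth_result": "pass",
          "attachments": ["Q2_budget.xlsx"], "html_bodies": ["<p>Hi, see attached.</p>"],
          "timestamp": "2025-05-23T09:00:00"}
SUSPECT = {"from_addr": "user12345@nifty.com", "display_name": "Carol Smith via DocuSign",
           "source_ip": "106.153.226.40", "auth_result": "pass",
           "attachments": ["SAFE_Terms_May2025.pdf"],
           "html_bodies": ["<html>" + " " * 400 + "<a href='#'>Review</a></html>"],
           "timestamp": "2025-05-23T09:00:00"}
# Twelve copies of the suspect message sent within 30 seconds, mimicking the May 23 spike.
BURST = [dict(SUSPECT, timestamp=f"2025-05-23T09:00:{i * 2:02d}") for i in range(12)]

if __name__ == "__main__":
    print("benign:", score_message(BENIGN))
    print("suspect:", score_message(SUSPECT))
    print("bursts:", find_bursts([BENIGN] + BURST))
```

The benign record fires nothing, the suspect record fires all five indicators, and the burst detector reports the suspect mailbox at 12 messages within one window. None of these signals is conclusive on its own (Nifty subscribers legitimately send through those relays), which is why the scoring returns the list of reasons rather than a verdict: the combination, not any single check, is what separates this traffic from ordinary authenticated mail.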

This attack, of medium-to-high sophistication, highlights a major blind spot in traditional email security systems. With valid SPF, DKIM, and DMARC results and no malicious links in the message body, most secure email gateways failed to flag these emails as threats.

The use of authenticated infrastructure, coupled with adaptive and stealthy delivery techniques, reflects a growing trend: phishing actors are embedding themselves within trusted environments to boost success rates.

Raven’s ability to detect this campaign despite clean headers and valid authentication demonstrates the importance of advanced detection methods. Organizations must move beyond outdated filters and adopt tools that analyze sender behavior, content context, and hidden redirection techniques.

To stay ahead, email defenses must evolve to detect not just what’s obviously malicious, but what subtly blends in.

About the Author:

FirstHackersNews- Identifies Security
