TL;DR

  • Security researchers at Infoblox discovered a phishing-as-a-service platform called "Morphing Meerkat" that has been operating since at least 2020 and spoofs 114 different email brands.
  • Its novel trick: it looks up your company's DNS records to figure out which email provider you use, then automatically shows you a fake login page for that exact provider — making it far more convincing than typical phishing.
  • Standard email security gateways don't catch it because the phishing links route through legitimate ad networks (including Google's).
  • The defence is hardware-based MFA (FIDO2/passkeys) — the one thing that stops this attack cold regardless of how convincing the fake page looks.

A Phishing Kit That Knows More About You Than You'd Expect

Most phishing attacks are blunt instruments. An attacker sends a mass email with a fake Microsoft login page and hopes some of the recipients actually use Microsoft. The rest see a login page for the wrong service and ignore it.

Morphing Meerkat eliminates that friction. When you click a Morphing Meerkat phishing link, it queries your company's publicly available DNS Mail Exchange (MX) records to determine which email service you actually use. It then renders a fake login page for precisely that service — whether you're on Google Workspace, Microsoft 365, Yahoo Mail, Outlook, or one of 111 other email providers and brands [1].

This is not theoretical. Infoblox's Threat Intelligence team, which published the research, confirmed the platform has been active since at least 2020, has targeted over 50,000 identified victims across more than 50 countries, and supports phishing pages in more than ten languages [1][2]. The operational scale and technical sophistication place it firmly in the top tier of phishing threats for 2025 and 2026.



How Morphing Meerkat Works: Step by Step

Understanding the technical mechanism is critical to understanding why standard defences fail and why specific countermeasures work.

Step 1: Phishing email delivery. The victim receives a phishing email. These emails are designed to appear as legitimate notifications — document sharing alerts, invoice notifications, security warnings. The content is largely irrelevant because the email is just a delivery mechanism [1][2].

Step 2: Redirect chain through legitimate infrastructure. The malicious link doesn't go directly to the phishing site. Instead, it routes through open redirects on legitimate advertising platforms — confirmed by Infoblox to include Google's DoubleClick ad network [1]. This means the URL in the email passes the link-checking rules of most Secure Email Gateways (SEGs). The SEG checks the link, sees a Google domain, and lets it through.

Step 3: DNS MX record lookup. Once the victim's browser reaches the phishing kit's landing page, the kit queries the victim's email domain's MX records using DNS-over-HTTPS (DoH) through Cloudflare's resolver (1.1.1.1) or Google's resolver (8.8.8.8) [1][3]. These are legitimate, trusted DNS resolvers — using them makes the query invisible to network-based security monitoring tools that might otherwise flag a suspicious DNS lookup.

Step 4: Dynamic page rendering. The MX record response tells the phishing kit which email provider the victim uses. The kit then loads the corresponding fake login page from its library of 114 brand templates. The victim sees a login page that is visually identical to their actual email provider — the right logo, the right colour scheme, the right layout. If the MX record is unrecognised, the kit defaults to a generic email login template rather than showing an error [1][2].

Step 5: Credential exfiltration. When the victim types their email address and password, the credentials are transmitted in real time to the attacker via Telegram bots or PHP-based email exfiltration [1]. The victim is typically redirected to the legitimate login page afterward to reduce suspicion.


Why Your Current Email Security Might Not Stop This

The Morphing Meerkat platform is specifically engineered to defeat the most common email security controls. This is worth understanding because many SMBs invest in email security and reasonably expect it to catch phishing attacks.

Secure Email Gateways (SEGs) check URLs at delivery time. When the email arrives, the SEG checks the link and sees a legitimate-looking domain (a Google ad redirect URL, for instance) and approves it. The actual phishing content is only rendered later, after the victim clicks. Time-of-click URL rewriting helps but is not universal, and the redirect chain adds complexity [1][4].
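An added example (not from the original article or from Infoblox) of why a delivery-time host check passes such a link: it unwraps destinations carried in a URL's own parameters, offline, and reports the host the browser would finally be sent to. The sample link, its hostnames and the `adurl` parameter name are constructed.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

MAX_HOPS = 5  # stop unwrapping after this many nested destinations

# Constructed sample: a click-tracking URL on an ad-network host whose
# `adurl` parameter (name chosen for illustration) carries the real target.
SAMPLE_LINK = (
    "https://adclick.ad-network.example/pcs/click?id=123"
    "&adurl=https%3A%2F%2Fhacked-site.example%2Fwp-content%2Fdoc%2F"
    "%3Femail%3Dalice%40victim.example"
)


def embedded_urls(url):
    """Return absolute http(s) URLs carried in the query or fragment of url."""
    parts = urlsplit(url)
    found = []
    for source in (parts.query, parts.fragment):
        for _name, value in parse_qsl(source, keep_blank_values=True):
            candidate = value  # parse_qsl has already decoded one layer
            for _attempt in range(3):  # targets may be encoded more than once
                if candidate.lower().startswith(("http://", "https://")):
                    break
                decoded = unquote(candidate)
                if decoded == candidate:
                    break
                candidate = decoded
            if candidate.lower().startswith(("http://", "https://")):
                found.append(candidate)
    return found


def redirect_chain(url):
    """Unwrap nested destinations and return the list of hosts, first to last."""
    chain = [urlsplit(url).hostname]
    current = url
    for _hop in range(MAX_HOPS):
        nested = embedded_urls(current)
        if not nested:
            break
        current = nested[0]
        chain.append(urlsplit(current).hostname)
    return chain


def assess_link(url, allowed_final_hosts=()):
    """Compare the host a delivery-time check sees with the final destination."""
    chain = redirect_chain(url)
    final = chain[-1]
    return {
        "scanned_host": chain[0],  # what a host-reputation check evaluates
        "final_host": final,       # where the browser is actually sent
        "hops": len(chain) - 1,
        "hidden_destination": len(chain) > 1 and final not in allowed_final_hosts,
    }


if __name__ == "__main__":
    print(assess_link(SAMPLE_LINK))
```

Redirects decided on the server carry no destination in the URL, so they still need time-of-click resolution.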

Anti-phishing signatures look for known malicious domains. Morphing Meerkat uses thousands of compromised legitimate websites as delivery infrastructure [1]. These are real domains with real histories — not new suspicious registrations that signature-based tools flag easily. The phishing kit is installed on hacked legitimate sites, making domain reputation analysis unreliable.

JavaScript obfuscation defeats automated analysis. The phishing kit uses heavily obfuscated JavaScript specifically designed to block security tool analysis [1]. Automated sandboxes that attempt to inspect the page code see scrambled, unreadable code rather than clear evidence of credential harvesting.

Network monitoring doesn't see the DNS query. The MX record lookup goes through Cloudflare or Google's DoH resolver over HTTPS. From a network monitoring perspective, this traffic looks identical to normal DNS resolution for any website visit. There is no anomalous DNS pattern to flag [1][3].
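On the wire the lookup is opaque, as described above; a TLS-inspecting proxy or browser telemetry that records full URLs does see it. The added sketch below (not from the original article) flags MX lookups made from a web page against the public DoH JSON endpoints of the two resolvers. The log format, the hostnames and the assumption that the kit uses the JSON form of DoH are all assumptions.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Public DoH JSON endpoints of the two resolvers named in the article.
DOH_JSON_HOSTS = {"cloudflare-dns.com", "1.1.1.1", "dns.google", "8.8.8.8"}
MX_TYPES = {"mx", "15"}  # record type given by name or by number

# Constructed proxy log, one JSON object per line (format is an assumption).
SAMPLE_LOG = """\
{"ts": "2025-04-02T09:14:07Z", "client": "10.0.4.23", "url": "https://intranet.victim.example/home", "referer": ""}
{"ts": "2025-04-02T09:14:31Z", "client": "10.0.4.23", "url": "https://hacked-site.example/wp-content/doc/", "referer": ""}
{"ts": "2025-04-02T09:14:32Z", "client": "10.0.4.23", "url": "https://dns.google/resolve?name=victim.example&type=MX", "referer": "https://hacked-site.example/wp-content/doc/"}
{"ts": "2025-04-02T09:20:10Z", "client": "10.0.4.77", "url": "https://cloudflare-dns.com/dns-query?name=cdn.vendor.example&type=A", "referer": ""}
""".splitlines()


def doh_mx_query(url):
    """Return the queried domain if url is a DoH JSON MX lookup, else None."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in DOH_JSON_HOSTS:
        return None
    query = parse_qs(parts.query)
    record_type = query.get("type", [""])[0].lower()
    name = query.get("name", [""])[0].lower().rstrip(".")
    if record_type in MX_TYPES and name:
        return name
    return None


def find_mx_lookups(log_lines, own_mail_domains):
    """Return one alert per MX lookup sent to a DoH JSON endpoint."""
    alerts = []
    for line in log_lines:
        event = json.loads(line)
        domain = doh_mx_query(event["url"])
        if domain is None:
            continue
        alerts.append({
            "ts": event["ts"],
            "client": event["client"],
            "queried_domain": domain,
            # Page that issued the request, taken from the Referer header.
            "page": urlsplit(event.get("referer", "")).hostname,
            # A web page asking for the MX of the user's own mail domain
            # matches the Step 3 behaviour and deserves the highest priority.
            "own_mail_domain": domain in own_mail_domains,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_mx_lookups(SAMPLE_LOG, {"victim.example"}):
        print(alert)
```

Lookups sent in the binary DoH wire format carry no readable `name` or `type` parameter and are not matched by this check.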

The net result: a well-funded attacker using Morphing Meerkat can bypass email gateway filtering, URL rewriting, domain reputation analysis, network monitoring, and automated malware analysis simultaneously. Standard layered security works less well against a tool that was explicitly designed to defeat each layer.


The Scale of the Problem: Who Is Actually Behind This

Morphing Meerkat operates as Phishing-as-a-Service (PhaaS). This means it's not a single attacker — it's a criminal platform that any low-skill operator can license and use. According to Infoblox's research, the platform is distributed through Telegram channels [1][5].

PhaaS economics are comparable to legitimate SaaS businesses: operators pay a subscription fee (typically a few hundred dollars per month), receive access to a ready-to-use phishing infrastructure with 114 brand templates, and get stolen credentials delivered directly to their Telegram inbox or email. The technical barrier to run a sophisticated phishing campaign against a specific SMB is now essentially zero.

The brands spoofed include every major email provider — Gmail, Microsoft Outlook, Yahoo Mail, AOL — plus enterprise-oriented brands like LinkedIn, shipping services, and regional email providers serving specific markets. The geographic targeting is global, with confirmed victims in North America, Europe, Asia-Pacific, and the Middle East [1].

From a threat actor economics perspective: the cost of running a Morphing Meerkat campaign is low, the success rate is high (because the spoofed page matches the victim's actual provider), and the proceeds from a single successful Business Email Compromise can pay for months of platform access. For SMBs, the typical downstream consequence of a compromised email account is either ransomware staging or direct financial fraud via CEO impersonation [6].


What Actually Stops Morphing Meerkat

The most important security control for this specific attack is hardware-based multi-factor authentication (MFA) using the FIDO2/WebAuthn standard — commonly implemented via passkeys, YubiKeys, or similar hardware tokens.

Here is why this works when everything else fails: FIDO2 authentication is cryptographically bound to the specific domain you're logging into [7]. When you use a FIDO2 key to log into mail.google.com, the key signs a challenge that includes the exact domain. If you're on a fake Google login page at a different domain, the key simply refuses to authenticate — it doesn't match. The attack fails at the final step, regardless of how convincing the fake page was.

This is different from TOTP-based MFA (the 6-digit codes). TOTP codes can be phished — an attacker can relay them in real time using a proxy. Morphing Meerkat-style attacks are actually capable of defeating TOTP MFA through adversary-in-the-middle (AitM) techniques [8]. FIDO2 cannot be defeated this way — the cryptographic binding to the legitimate domain is fundamental to how the standard works.
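The domain binding described above, as an added example that is not part of the original article: the checks a WebAuthn relying party runs on a login assertion, plus the browser rule that stops a look-alike page from requesting the real site's credential. All hostnames and the challenge are constructed, and signature verification is left out because it needs a crypto library.

```python
import base64
import hashlib
import json
from urllib.parse import urlsplit

# All names below are constructed for illustration.
RP_ID = "mail.example"
REAL_ORIGIN = "https://login.mail.example"
LOOKALIKE_ORIGIN = "https://login-mail.hacked-site.example"


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_allows_rp_id(origin, rp_id):
    """Browser-side rule: a page may only request credentials whose RP ID is
    its own host or a parent domain of it (public-suffix handling omitted)."""
    host = urlsplit(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


def browser_client_data(challenge, origin):
    """clientDataJSON is written by the browser; the page cannot set origin."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()


def authenticator_data(rp_id, counter=1):
    """rpIdHash (32 bytes) + flags (1 byte, UP|UV) + signature counter (4 bytes)."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    return rp_id_hash + bytes([0x05]) + counter.to_bytes(4, "big")


def verify_assertion(client_data_json, auth_data, expected_challenge,
                     expected_origin=REAL_ORIGIN, rp_id=RP_ID):
    """Server-side checks that tie an assertion to this site: (ok, reason)."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch"
    if client.get("origin") != expected_origin:
        return False, "origin mismatch"
    if len(auth_data) < 37:
        return False, "authenticator data too short"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    # A real relying party now verifies the signature over
    # auth_data + SHA-256(client_data_json) with the stored public key,
    # so neither value checked above can be altered after signing.
    return True, "ok"


def scenarios():
    challenge = b"constructed-server-challenge-001"
    return {
        # Genuine login on the real site.
        "real_site": verify_assertion(
            browser_client_data(challenge, REAL_ORIGIN),
            authenticator_data(RP_ID), challenge),
        # Assertion produced on a look-alike page: the browser recorded that
        # page's true origin, so the real site rejects it.
        "relayed_from_lookalike": verify_assertion(
            browser_client_data(challenge, LOOKALIKE_ORIGIN),
            authenticator_data("hacked-site.example"), challenge),
        # Earlier still, the browser refuses the look-alike page's request
        # for a credential scoped to the real RP ID.
        "lookalike_may_request_rp_id": browser_allows_rp_id(LOOKALIKE_ORIGIN, RP_ID),
    }


if __name__ == "__main__":
    print(scenarios())
```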

Practical steps for SMBs:

  1. Enable FIDO2/passkey authentication on your email platform. Both Google Workspace and Microsoft 365 support passkeys as a login method in 2025. Enable it for all users, not just administrators [7].

  2. If passkeys aren't immediately feasible, use hardware security keys (YubiKey or similar) for administrator accounts at minimum. These are available for $25–$50 per user and provide the same FIDO2 protection.

  3. Configure your email platform to block legacy authentication protocols (SMTP AUTH, IMAP with basic auth). These bypass MFA entirely and are a common fallback for attackers [4].

  4. Deploy DNS filtering that blocks access to known malicious domains. Cloudflare Gateway (free tier available) and similar tools can block phishing infrastructure at the DNS level, providing a catch-net for cases where users do click malicious links [3].

  5. Conduct phishing simulations that include realistic PhaaS-style attacks — pages that match your actual email provider rather than obvious generic fakes. Employees who are regularly tested develop pattern recognition for these attacks [9].



The Cost of Getting This Wrong

A compromised business email account is rarely just an email problem. According to the FBI's 2025 Internet Crime Report, Business Email Compromise (BEC) — which typically starts with a credential theft — caused losses of over $2.9 billion in the US alone in 2024 [6]. The average BEC loss per incident in SMBs was $125,000 [6].

For context: that's a quarter of the average SMB's annual revenue, gone in a single wire transfer that happens while the attacker controls the email account long enough to intercept a payment discussion or redirect payroll.

The investment in FIDO2 MFA across a 20-person business is approximately $500–$1,000 in hardware keys plus an afternoon of IT configuration. The ROI on a per-event-avoided basis is measurable in hundreds of thousands of dollars.


FAQ

PhaaS is a criminal business model where sophisticated phishing infrastructure is packaged and sold to anyone willing to pay a subscription fee — similar to how legitimate SaaS products work. It matters for SMBs because it dramatically lowers the technical barrier to attack. An attacker with no technical skills can purchase a Morphing Meerkat subscription, target your employees with a personalised phishing campaign, and receive your credentials in their inbox. The days when sophisticated attacks only targeted large enterprises are over.

FIDO2 protects against credential phishing — attacks designed to steal your username and password. It does not protect against all phishing types (for example, malware delivery via attachments). However, credential theft is the goal of the vast majority of phishing attacks against SMBs, including Morphing Meerkat campaigns. Implementing FIDO2 eliminates the most common and costly attack outcome from this threat category.

A Mail Exchange (MX) record is a publicly accessible DNS record that tells the internet which mail server handles email for a domain. Every business domain has one — it's what allows other mail servers to deliver email to your accounts. Morphing Meerkat queries this record specifically because it reveals which email provider a company uses, enabling the kit to render the correct fake login page. This information is publicly available by design (email routing requires it), which is why there's no way to hide it.

Microsoft 365 is one of the most commonly spoofed platforms in Morphing Meerkat campaigns, given its enterprise market share. However, the platform targets all 114 supported brands equally based on the victim's actual MX record. The effective protection is the same regardless of provider: enable passkey/FIDO2 authentication in your Microsoft 365 tenant's security settings and require it for all user logins.

In Microsoft 365, audit sign-in logs are available in the Azure Active Directory portal — look for logins from unfamiliar IP addresses or locations, or logins that don't match your MFA records. In Google Workspace, the Admin Console shows login activity for all accounts. If you see suspicious activity or don't have visibility into your login logs, a cybersecurity assessment can establish a baseline and identify any existing compromise.


References

[1] Infoblox Threat Intelligence, "Morphing Meerkat: A New Phishing-as-a-Service Platform Using DNS Mail Exchange Records," Infoblox Blog, Mar. 27, 2025. [Online]. Available: https://www.infoblox.com/threat-intelligence/morphing-meerkat/

[2] B. Toulas, "New 'Morphing Meerkat' Phishing-as-a-Service Spoofs 114 Brands via DNS Mail Exchange Records," BleepingComputer, Mar. 27, 2025. [Online]. Available: https://www.bleepingcomputer.com/news/security/new-morphing-meerkat-phishing-as-a-service-spoofs-114-brands-via-dns-mail-exchange-records/

[3] The Hacker News, "Morphing Meerkat PhaaS Platform Uses DNS MX Records to Serve Tailored Phishing Pages," The Hacker News, Mar. 2025. [Online]. Available: https://thehackernews.com/2025/03/morphing-meerkat-phaas-platform-uses.html

[4] Help Net Security, "Morphing Meerkat phishing kit uses DNS to shape-shift into different login pages," Help Net Security, Mar. 2025. [Online]. Available: https://www.helpnetsecurity.com/2025/03/28/morphing-meerkat-phishing-kit/

[5] Dark Reading, "Morphing Meerkat PhaaS Kit Leverages DNS Technique to Evade Detection," Dark Reading, Mar. 2025. [Online]. Available: https://www.darkreading.com/threat-intelligence/morphing-meerkat-phaas-dns

[6] FBI Internet Crime Complaint Center, "2024 Internet Crime Report," IC3 / FBI, 2025. [Online]. Available: https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf

[7] FIDO Alliance, "Passkeys Overview," fidoalliance.org, 2025. [Online]. Available: https://fidoalliance.org/passkeys/

[8] Microsoft Security, "Protecting against adversary-in-the-middle (AitM) phishing," Microsoft Security Blog, 2025. [Online]. Available: https://www.microsoft.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bypassing-mfa/

[9] Proofpoint, "2025 State of the Phish Report," Proofpoint, 2025. [Online]. Available: https://www.proofpoint.com/us/resources/threat-reports/state-of-phish

[10] Australian Cyber Security Centre (ACSC), "Protect Yourself: Phishing," cyber.gov.au, 2025. [Online]. Available: https://www.cyber.gov.au/protect-yourself/securing-your-accounts/phishing


Phishing attacks are getting more targeted and technically sophisticated every year. The good news: the right controls still work — but you have to implement them before the attack, not after. Book a free consultation with lilMONSTER to find out if your email security is ready for the threat landscape of 2026.

TL;DR

  • Hackers built a phishing tool called "Morphing Meerkat" that figures out which email service your business uses and shows you a fake login page for exactly that service — not a generic fake, but one that looks identical to yours.
  • It's been operating since 2020, has tricked more than 50,000 people, and can impersonate 114 different email brands.
  • The one defence that actually stops it is passkeys (also called FIDO2 login) — a newer type of login that can't be tricked by fake websites.
  • This post explains how the attack works and what you need to do to protect your business.

The Copycat That Reads Your Mail First

Imagine you received a suspicious letter, but before you opened it, the letter somehow checked your mail pile and figured out your bank's name. Then it changed its logo and layout to perfectly match that bank — before you even opened it. That's essentially what Morphing Meerkat does.

Security researchers at a company called Infoblox discovered it in March 2025 [1]. It's a phishing tool — software that criminals can pay to use — that makes fake login pages. But it has a trick that normal phishing tools don't: it looks up technical information about your business's internet address to figure out which email service you use. Then it shows you a fake login page for that exact service.

So if your company uses Google Workspace, you see a fake Google login. If you use Microsoft 365, you see a fake Microsoft login. If you use Yahoo Mail, you see a fake Yahoo login. There are 114 different versions it can show [1].

This matters because most phishing pages give themselves away to anyone who doesn't use the service being faked. A company that uses Google sees a fake Microsoft page and thinks "that's not mine, must be a mistake." Morphing Meerkat doesn't make that mistake.


How Does It Know Which Email Service You Use?

This is the clever technical bit, explained simply.

Every business that has a website or email address has something called DNS records — think of them as a public phone book entry for your business on the internet. Part of that entry (called an MX record) tells the world which company handles your email. It has to be public — otherwise other mail servers wouldn't know where to deliver your email.

Morphing Meerkat reads that public entry the moment you click its phishing link [1][2]. It takes about a tenth of a second. Then it shows you the matching fake login page. You have no idea this lookup happened.

From your perspective: you click what looks like a document sharing notification, you see a login page that looks exactly like your email login, you type your email and password, and your account is stolen. Done.


Why Doesn't Your Email Security Stop It?

This is worth understanding because a lot of businesses pay for email security tools and reasonably expect them to catch phishing.

The problem is that Morphing Meerkat was specifically designed to get past those tools [1][3]:

The link looks legitimate. The phishing link in the email doesn't go directly to a fake site — it routes through Google's own advertising network first. Email security tools check links in emails, see a Google link, and let it through.

The fake site is on a hacked real website. The fake login pages are hosted on real, legitimate websites that criminals have broken into. Security tools checking for "known bad websites" don't flag a legitimate business's website that's been compromised.

Technical analysis can't read the code. The phishing software scrambles its own code so automated security analysis tools can't understand what it's doing.

None of this means your email security is useless. It catches many threats. This particular tool was engineered to slip past it.


The One Thing That Actually Works: Passkeys

Here's the good news. There's a type of login called passkeys (also called FIDO2 login or hardware security keys) that completely stops this type of attack — regardless of how convincing the fake login page is [4].

Here's why, explained simply:

When you use a passkey to log in, your device (phone, computer, or a small physical key like a YubiKey) does a mathematical check. It confirms: "Is the address in my browser exactly mail.google.com?" If you're on a fake Google login page at a slightly different address, the math doesn't match — and the login simply doesn't work. Your passkey refuses to authenticate to the wrong site, full stop.

You can't be tricked into giving your passkey to the wrong site, because the passkey itself checks. The fake site can look 100% identical — it doesn't matter. The cryptographic verification of the website address is automatic, happens in the background, and cannot be bypassed [4].

This is fundamentally different from the 6-digit codes many people use for two-factor authentication. Those codes can be stolen in real time — you type your code on the fake page, the attacker immediately uses it on the real page. Passkeys can't be used this way [5].


Action Items: How to Protect Your Business Email

This week:

  1. Check if your email provider supports passkeys. Both Google Workspace and Microsoft 365 do. Search your provider's help pages for "passkeys" or "FIDO2 security key" and follow the setup guide.
  2. Enable passkeys for your own account first as a test. It takes about 5 minutes.
  3. Roll it out to staff, starting with anyone who handles money, HR, or customer data.

If passkeys feel too technical right now:

  • At minimum, make sure every staff member has some form of two-factor authentication (even the code app is better than nothing for most attacks — just not this specific one).
  • Book a quick consultation to have this done properly — it's faster than it sounds.

Ongoing:

  • Run phishing tests with your staff at least once a quarter. The staff members who are most likely to be targeted (accounts payable, HR, senior managers) should be tested more frequently.
  • If anyone thinks they've clicked a suspicious link and typed their password somewhere, treat it as a confirmed compromise and change passwords immediately from a different device.

FAQ

A passkey is a way to log in without typing a password at all. Instead, your device (using your fingerprint, face scan, or a physical security key) proves your identity directly to the website. The crucial difference: it's cryptographically tied to the exact website address. A fake login page at a slightly different address can't use your passkey — the verification fails automatically. Normal passwords have no such protection.

Yes. Both Google Workspace and Microsoft 365 have passkey support built in — there's no additional cost. For businesses that want physical security keys (YubiKeys), they cost around $25–$50 per person and last for years. Compared to the cost of a successful attack — which averages $125,000 for a small business — the investment is minimal [5].

No — Morphing Meerkat supports 114 different email brands including both consumer and enterprise services. If your business uses any external email service, this attack can target you. The defence (passkeys) applies equally to all providers.


References

[1] Infoblox Threat Intelligence, "Morphing Meerkat: A New Phishing-as-a-Service Platform Using DNS Mail Exchange Records," Infoblox Blog, Mar. 27, 2025. [Online]. Available: https://www.infoblox.com/threat-intelligence/morphing-meerkat/

[2] B. Toulas, "New 'Morphing Meerkat' Phishing-as-a-Service Spoofs 114 Brands via DNS Mail Exchange Records," BleepingComputer, Mar. 27, 2025. [Online]. Available: https://www.bleepingcomputer.com/news/security/new-morphing-meerkat-phishing-as-a-service-spoofs-114-brands-via-dns-mail-exchange-records/

[3] Help Net Security, "Morphing Meerkat phishing kit uses DNS to shape-shift into different login pages," Help Net Security, Mar. 2025. [Online]. Available: https://www.helpnetsecurity.com/2025/03/28/morphing-meerkat-phishing-kit/

[4] FIDO Alliance, "Passkeys Overview," fidoalliance.org, 2025. [Online]. Available: https://fidoalliance.org/passkeys/

[5] FBI Internet Crime Complaint Center, "2024 Internet Crime Report," IC3 / FBI, 2025. [Online]. Available: https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf

[6] The Hacker News, "Morphing Meerkat PhaaS Platform Uses DNS MX Records to Serve Tailored Phishing Pages," The Hacker News, Mar. 2025. [Online]. Available: https://thehackernews.com/2025/03/morphing-meerkat-phaas-platform-uses.html

[7] Australian Cyber Security Centre (ACSC), "Protect Yourself: Phishing," cyber.gov.au, 2025. [Online]. Available: https://www.cyber.gov.au/protect-yourself/securing-your-accounts/phishing

[8] National Cyber Security Centre (UK), "Phishing Attacks: Defending Your Organisation," NCSC, 2025. [Online]. Available: https://www.ncsc.gov.uk/guidance/phishing


Email is still the number one way attackers get into businesses. A 30-minute security review can tell you whether your email is configured to defend against attacks like this. Book a free consultation with lilMONSTER.
