Between April and May 2025, Raven uncovered a sophisticated phishing campaign that didn’t spoof a trusted domain — it used one.
A multi-wave phishing campaign abused legitimate Nifty.com infrastructure to impersonate trusted business workflows and harvest credentials. Raven detected the attack despite clean headers, valid authentication, and no obvious red flags.

A Campaign Built for Evasion
The attackers didn’t spoof a domain — they used it legitimately.
They registered free accounts on nifty.com, a well-known Japanese ISP, and launched phishing emails directly from its infrastructure. Because these were real accounts, all authentication layers passed:
Protocol | Status |
---|---|
SPF | ✅ Pass |
DKIM | ✅ Pass |
DMARC | ✅ Aligned |
Passing SPF, DKIM and DMARC only proves that nifty.com really sent the message, which it did; alignment is trivial when the From: domain and the envelope domain are both the provider's. None of the three says anything about who holds the account or what the message contains, so secure email gateways (SEGs) that weight these checks heavily had little reason to hold the mail.
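Checking the headers in code makes the point concrete. What follows is an added example, not Raven's detection logic and not code from the campaign: it parses a constructed message whose Authentication-Results show spf, dkim and dmarc all passing, then applies the two checks this page argues for (is the sender on a free consumer domain, and does the display name invoke a brand that the sending domain does not own). The free-mail list, the brand list, the local parts, the recipient and the receiving host are assumptions; a second constructed message from a domain that does own the brand shows the same checks staying quiet.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: a short list of consumer mail providers anyone can sign up to.
# In production this would be a maintained feed, not a literal.
FREE_MAIL_DOMAINS = {"nifty.com", "gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

# Assumption: brand words that, in a display name, imply a workflow the
# sending domain would have to own for the mail to be what it claims.
BRAND_TOKENS = ("docusign", "dropbox", "sharepoint", "adobe sign", "onedrive")

# Constructed samples (not captured mail). Local parts, recipient and the
# receiving host are invented; nifty.com is the provider the report names.
CAMPAIGN_STYLE_MAIL = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=nifty.com;
 dkim=pass header.d=nifty.com;
 dmarc=pass header.from=nifty.com
From: "Taro Sato via DocuSign" <example-sender@nifty.com>
To: finance@example.net
Subject: Execution Agreement for signature
Content-Type: text/plain; charset="utf-8"

Please review and sign the attached execution agreement.
"""

GENUINE_STYLE_MAIL = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=docusign.net;
 dkim=pass header.d=docusign.net;
 dmarc=pass header.from=docusign.net
From: "Jane Doe via DocuSign" <example-notify@docusign.net>
To: finance@example.net
Subject: Please sign: Master Services Agreement
Content-Type: text/plain; charset="utf-8"

Jane Doe sent you a document to review and sign.
"""


def auth_results(raw_message: str) -> dict:
    """Read the spf/dkim/dmarc verdicts from the receiving MTA's
    Authentication-Results header (folded lines are joined first)."""
    msg = message_from_string(raw_message)
    value = re.sub(r"\s+", " ", msg.get("Authentication-Results", "")).lower()
    return dict(re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", value))


def assess(raw_message: str) -> dict:
    """Authentication tells you which domain sent the mail; these checks ask
    whether that sender plausibly owns the workflow the display name advertises."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(re.sub(r"\s+", " ", msg.get("From", "")))
    domain = address.rsplit("@", 1)[-1].lower()
    results = auth_results(raw_message)
    auth_passed = all(results.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))

    # A brand word in the display name that does not appear in the sending
    # domain ("... via DocuSign" from nifty.com) is the impersonation signal.
    brand = next((b for b in BRAND_TOKENS
                  if b in display_name.lower() and b.replace(" ", "") not in domain), None)

    flags = []
    if domain in FREE_MAIL_DOMAINS:
        flags.append(f"sender on free consumer mail domain {domain}")
    if brand:
        flags.append(f"display name invokes '{brand}' but sender domain is {domain}")
    return {
        "auth_passed": auth_passed,
        "sender_domain": domain,
        "impersonated_brand": brand,
        "flags": flags,
        "verdict": "suspicious" if flags else "no header-level concern",
    }


if __name__ == "__main__":
    for raw in (CAMPAIGN_STYLE_MAIL, GENUINE_STYLE_MAIL):
        print(assess(raw))
```

Both messages come back with auth_passed set to True; only the nifty.com one collects flags. That is the whole argument of the table above in two dictionaries: authentication is a precondition for trust, not a verdict.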
Campaign Timeline: Multiple Waves, Adaptive Behaviour
Date | Key Activity |
---|---|
April 28 | First wave: Execution Agreement lure |
May 7 | Follow-up wave with same theme |
May 16 | SAFE agreement variant introduced |
May 23 | High-volume burst: dozens of emails in <1 min |
The repetition and timing suggest automation and possible kit-based orchestration.


Anatomy of the Campaign
1. Infrastructure Used
Domain: nifty[.]com (legitimate Japanese ISP)
Mail Servers: mta-snd-e0X.mail.nifty[.]com
IP Ranges: 106.153.226.0/24, 106.153.227.0/24
Sender Accounts: Free consumer addresses impersonating businesses
2. Payload and Delivery Method
No links in the email body
Malicious attachments:
File types: .pdf and .html
Filenames like: SAFE_Terms_May2025.pdf, Execution_Agreement.html
Redirect chain (sanitized):
clickme[.]thryv[.]com → a legitimate marketing click-tracker used as the first hop, so the first URL a scanner sees has a clean reputation
2vf78gnafutdc5zqmhng[.]iqmwpx[.]ru → phishing site with obfuscated JavaScript
Recipient's address carried in the URL fragment (e.g. #<recipient-address>, redacted here): a fragment is never sent to the server, so the landing page's own JavaScript reads it, which lets the kit tie the visit to a specific target (commonly by prefilling the fake login form)
3. Techniques Designed to Evade Detection
HTML padding: runs of whitespace, as quoted-printable =20 sequences and HTML &nbsp; entities, inserted to dilute the content and break naive pattern matching
Multipart MIME structure: Payloads hidden in attachments
Display name spoofing: Examples like “Name via DocuSign” to imply legitimacy
Obfuscated links: redirect through a legitimate tracker rather than an obviously bad URL, so the final host never appears in the attachment as plain text
Flawless grammar and tone: consistent with AI-generated text or polished phishing-kit templates
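The attachment and redirect tricks in sections 2 and 3 can be undone without contacting any host. The following is an added example, not Raven's code and not the campaign's kit: it builds a constructed multipart message whose HTML attachment is quoted-printable with =20 and &nbsp; padding, decodes it, strips the padding, pulls the links, and then walks any URL a link carries in its query string as the next hop of the chain. The two hostnames are the sanitised ones from the report; the tracker path, its "target" parameter, the local parts and the recipient address are invented placeholders for how a click-tracker might pass its destination, and the randomness thresholds are assumptions.

```python
import html
import math
import re
from email import message_from_string
from urllib.parse import parse_qs, urlparse

# Constructed sample, not a captured message (see the lead-in for which
# parts are assumptions). Body lines ending in "=" are quoted-printable soft
# line breaks; "=20" is an encoded space and "=3D" an encoded "=".
SAMPLE_RAW = """\
From: "Taro Sato via DocuSign" <example-sender@nifty.com>
To: finance@example.net
Subject: Execution Agreement for signature
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review and sign the attached execution agreement.

--b1
Content-Type: text/html; charset="utf-8"; name="Execution_Agreement.html"
Content-Disposition: attachment; filename="Execution_Agreement.html"
Content-Transfer-Encoding: quoted-printable

<html><body>=20=20=20=20=20=20=20=20&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<p>Your Execution Agreement is ready for review.</p>=20=20=20=20=20=20=20=20
<a href=3D"https://clickme.thryv.com/example-track?target=3Dhttps%3A%2F%2F=
2vf78gnafutdc5zqmhng.iqmwpx.ru%2F%23recipient%40example.net">Review</a>
&nbsp;&nbsp;&nbsp;&nbsp;=20=20=20=20=20=20=20=20</body></html>
--b1--
"""

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def attachments_as_text(raw_message: str) -> list:
    """Decode every attachment to text. get_payload(decode=True) reverses the
    transfer encoding, so the =20 padding, =3D and soft breaks are gone
    before the HTML is inspected."""
    out = []
    for part in message_from_string(raw_message).walk():
        name = part.get_filename()
        if name:
            data = part.get_payload(decode=True)
            out.append((name, data.decode(part.get_content_charset() or "utf-8", "replace")))
    return out


def normalise_html(text: str) -> str:
    """Collapse the padding: html.unescape turns &nbsp; into U+00A0, which the
    Unicode-aware \\s class matches, so one substitution removes both kinds."""
    return re.sub(r"\s+", " ", html.unescape(text)).strip()


def extract_links(text: str) -> list:
    return re.findall(r"""href\s*=\s*["']([^"']+)""", normalise_html(text), flags=re.I)


def label_entropy(label: str) -> float:
    """Shannon entropy, in bits per character, of one hostname label."""
    n = len(label)
    counts = {ch: label.count(ch) for ch in set(label)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(label: str) -> bool:
    """Heuristic for generated labels like 2vf78gnafutdc5zqmhng: long,
    high-entropy, mixing digits and letters. Thresholds are assumptions."""
    return (len(label) >= 12 and label_entropy(label) >= 3.5
            and any(c.isdigit() for c in label) and any(c.isalpha() for c in label))


def analyze_url(url: str) -> dict:
    parsed = urlparse(url)
    host = parsed.hostname or ""
    # A query value that is itself a URL is the next hop of the redirect chain.
    embedded = [v for values in parse_qs(parsed.query).values()
                for v in values if v.startswith(("http://", "https://"))]
    return {
        "host": host,
        "embedded_targets": embedded,
        # Fragments never reach the server; a mailbox there is read by the
        # landing page's own script, so the page knows whom it is phishing.
        "fragment_email": parsed.fragment if EMAIL_RE.match(parsed.fragment) else None,
        "random_label": looks_random(host.split(".")[0]),
    }


def triage(raw_message: str) -> list:
    """One dict per hop: links found in attachments, then every URL those
    links carry in their query string, all resolved offline."""
    findings = []
    for filename, text in attachments_as_text(raw_message):
        queue = extract_links(text)
        while queue:
            info = analyze_url(queue.pop(0))
            info["attachment"] = filename
            findings.append(info)
            queue.extend(info["embedded_targets"])
    return findings


if __name__ == "__main__":
    for hop in triage(SAMPLE_RAW):
        print(hop)
```

Run stand-alone it prints two hops: the tracker host with a clean, short label and no fragment, then the generated .ru host with the recipient's address in the fragment. The second hop is the one worth blocking, and it only becomes visible after decoding the attachment and unpacking the tracker's query string.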
4. Behavioural Indicators Flagged by Raven
Unusual sender-recipient combinations
Repeated use of contract-related lures across recipients
Brand impersonation in display names
Identical attachment patterns across campaigns
Obfuscated redirect chains leading to flagged infrastructure
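The indicators above are all properties of the stream of messages rather than of any one message. The block below is an added example, not Raven's scoring engine: over a constructed gateway log that follows the wave timeline above (three lure mails on April 28, three on May 7, a burst of twelve inside one minute on May 23, plus one ordinary partner invoice) it computes the three signals that can be derived from metadata alone: a per-sender burst inside a sliding 60-second window, the same attachment name reaching many recipients from more than one account, and sender/recipient pairs the organisation has never seen. The sender local parts, recipients, partner domain, history of known pairs and the thresholds are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _msg(ts, sender, recipient, attachment):
    return {"ts": ts, "sender": sender, "recipient": recipient, "attachment": attachment}


# Constructed gateway log, not real telemetry. Dates follow the wave timeline
# in the report; sender local parts, recipients and the partner are invented.
BURST_START = datetime(2025, 5, 23, 9, 0, 0)
LOG = (
    [_msg(datetime(2025, 4, 28, 8, 15, i), "sender-a@nifty.com", f"user{i}@example.net",
          "Execution_Agreement.html") for i in range(3)]
    + [_msg(datetime(2025, 5, 7, 10, 2, i), "sender-b@nifty.com", f"user{i}@example.net",
            "Execution_Agreement.html") for i in range(3, 6)]
    + [_msg(BURST_START + timedelta(seconds=3 * i), "sender-c@nifty.com",
            f"user{i}@example.net", "SAFE_Terms_May2025.pdf") for i in range(12)]
    + [_msg(datetime(2025, 5, 23, 11, 0, 0), "ap@partner.example", "user1@example.net",
            "Invoice_4412.pdf")]
)

# Assumption: the organisation keeps the sender/recipient pairs it has seen
# historically; anything outside that graph is an "unusual combination".
KNOWN_PAIRS = {("ap@partner.example", "user1@example.net")}


def bursts(log, window_s=60, threshold=10):
    """Senders with at least `threshold` messages inside any `window_s` span,
    found with a two-pointer sweep over each sender's sorted timestamps."""
    by_sender = defaultdict(list)
    for m in log:
        by_sender[m["sender"]].append(m["ts"])
    found = []
    for sender, times in by_sender.items():
        times.sort()
        lo, best = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > timedelta(seconds=window_s):
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            found.append((sender, best))
    return found


def lure_reuse(log, min_recipients=3):
    """Attachment names that reached at least `min_recipients` distinct
    mailboxes, with how many distinct accounts sent them."""
    recipients, senders = defaultdict(set), defaultdict(set)
    for m in log:
        if m["attachment"]:
            recipients[m["attachment"]].add(m["recipient"])
            senders[m["attachment"]].add(m["sender"])
    return {name: {"recipients": len(r), "senders": len(senders[name])}
            for name, r in recipients.items() if len(r) >= min_recipients}


def new_pairs(log, known_pairs):
    """Sender/recipient combinations absent from the historical graph."""
    return sorted({(m["sender"], m["recipient"]) for m in log} - set(known_pairs))


def sender_scores(log, known_pairs):
    """Collect the reasons each sender is flagged; senders with none are absent."""
    reasons = defaultdict(list)
    for sender, n in bursts(log):
        reasons[sender].append(f"burst: {n} messages inside 60s")
    reuse = lure_reuse(log)
    sent = defaultdict(set)
    for m in log:
        sent[m["sender"]].add(m["attachment"])
    for sender, names in sent.items():
        for name in sorted(names & set(reuse)):
            reasons[sender].append(
                f"lure reuse: {name} sent to {reuse[name]['recipients']} recipients "
                f"from {reuse[name]['senders']} accounts")
    for sender, n in Counter(s for s, _ in new_pairs(log, known_pairs)).items():
        reasons[sender].append(f"{n} never-seen sender/recipient pairs")
    return dict(reasons)


if __name__ == "__main__":
    for sender, why in sender_scores(LOG, KNOWN_PAIRS).items():
        print(sender, why)
```

None of these signals needs the message body or the authentication result, which is what makes them survive a campaign whose per-message signals are all clean: the partner invoice produces no reasons at all, while each nifty.com account collects at least two.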
Threat Classification
Vector: Abuse of authenticated Nifty.com mail infrastructure
Attack Type: Redirect-based phishing delivered via file attachments
Intent: Credential harvesting, including Gmail session/token theft
Sophistication Level: Medium to High — use of evasive techniques and infrastructure blending
Attribution Signals: Likely use of phishing kits, with signs of automation or AI-generated content
Why Most Defenses Missed It
Legacy email security often relies on:
Broken SPF/DKIM
Blacklisted domains
Suspicious URLs in body
Behavioral triggers from mail headers
This campaign triggered none of those: authentication passed, the sending domain has a clean reputation, the body carried no URLs, and the headers were those of ordinary Nifty mail.
What Raven Recommends
Defending against this class of attack requires going beyond basic hygiene:
Recommendation | Why It Matters |
---|---|
Flag unknown senders on free domains | Even if technically valid |
Sandbox all attachments | Payloads often live inside file contents |
Inspect display names & MIME structures | True impersonation often happens here |
Watch for document lures without context | Especially execution, SAFE, or stock agreements |
Don’t trust authentication blindly | SPF/DKIM passing ≠ safe content |
Get a free trial with us
Raven is built with modern AI that goes beyond traditional signals to behavioural analysis and also incorporates the evolving security posture of senders. To get a 30-day free trial, fill out the contact form below.