Disguised as personalized invitations, the messages originate from [email protected] and sail through SPF, DKIM and DMARC checks, giving traditional filters little reason to distrust them. The attackers abuse Mailgun’s high-reputation IP pool, letting them inherit Xero’s trust halo while hiding the real reply-to address [email protected].

Evalian analysts noted that, while the façade looks benign, the domain redbull-social-media-manager.apply-to-get-hired.com is barely weeks old and resolves to a VPS in AS-63023, a network notorious for short-lived malicious infrastructure. Those credentials never reach Facebook; instead they disappear into a backend that often returns a 504 Gateway Timeout, a stalling manoeuvre that frustrates sandboxes and masks successful exfiltration. Evalian researchers identified the same TLS JARM fingerprint across sibling domains spoofing MrBeast and Meta, proving the campaign is a rentable kit rather than a lone one-off.

The Kusto-style query above, adapted from Evalian’s SOC rules, triangulates sender reputation, anomalous reply-to domains, malicious top-level infrastructure and the shared JARM signature, delivering high-fidelity alerts without drowning analysts in noise. While job hunters remain the prime targets, organizations should block the listed IOCs, monitor outbound traffic for 38.114.120.167, and teach users that even emails passing every authentication test may still be a wolf in well-forged clothing.

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
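The reply-to anomaly check mentioned above can be sketched as follows. This is an added example, not Evalian's query or code from the original article: the function names, the sample messages and their `.example` addresses are constructed, and reducing a domain to its last two labels is a simplifying assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Host named in the article; every address and message below is constructed.
WATCH_HOSTS = {"redbull-social-media-manager.apply-to-get-hired.com"}

PHISH = (
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mail.sender.example;\n"
    " dkim=pass header.d=sender.example; dmarc=pass header.from=sender.example\n"
    "From: Talent Team <jobs@mail.sender.example>\n"
    "Reply-To: recruiter@lookalike.example\n"
    "Subject: Social media manager role\n\n"
    "Apply: https://redbull-social-media-manager.apply-to-get-hired.com/apply\n"
)
BENIGN = PHISH.replace("Reply-To: recruiter@lookalike.example\n", "").replace(
    "redbull-social-media-manager.apply-to-get-hired.com", "careers.sender.example")

def org_domain(header_value):
    """Domain of an address header cut to its last two labels (naive
    assumption; real mail needs a Public Suffix List lookup)."""
    addr = parseaddr(header_value or "")[1]
    labels = addr.rpartition("@")[2].lower().split(".")
    return ".".join(labels[-2:]) if addr else ""

def auth_all_pass(msg):
    """True when Authentication-Results reports pass for SPF, DKIM and DMARC."""
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return all(re.search(rf"\b{m}=pass\b", results) for m in ("spf", "dkim", "dmarc"))

def triage(raw):
    """Return the findings for one raw RFC 5322 message, in check order."""
    msg = message_from_string(raw)
    findings = []
    sender, reply_to = org_domain(msg["From"]), org_domain(msg["Reply-To"])
    if reply_to and reply_to != sender:
        findings.append("reply-to-mismatch")
        if auth_all_pass(msg):
            # Passing checks vouch for the sending service, not for where replies go.
            findings.append("authenticated-but-redirected")
    # Plain-text scan only; encoded MIME parts would need decoding first.
    hosts = {h.lower() for h in re.findall(r"https?://([^/\s:>\"']+)", raw)}
    if hosts & WATCH_HOSTS:
        findings.append("ioc-host")
    return findings

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(name, triage(raw))
```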
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 15 Jul 2025 06:50:11 +0000