Threat Actors Exploit Nifty[.]com Infrastructure in Sophisticated Phishing Attack
Threat actors have orchestrated a multi-wave phishing campaign between April and May 2025, leveraging the legitimate infrastructure of Nifty[.]com, a prominent Japanese Internet Service Provider (ISP), to execute their attacks.
Uncovered by Raven, a threat detection company, this operation stands out because it evades conventional email security systems by abusing a trusted domain rather than spoofing one.
A Stealthy Campaign Bypassing Traditional Defenses
By registering free consumer accounts on Nifty[.]com, attackers sent phishing emails directly through the ISP’s mail servers, such as mta-snd-e0X.mail.nifty[.]com, using IP ranges like 106.153.226.0/24 and 106.153.227.0/24.
The emails passed all standard authentication protocols, including SPF, DKIM, and DMARC, rendering them invisible to most secure email gateways (SEGs) that rely on these checks to flag malicious activity.
This exploitation of legitimate infrastructure highlights a critical vulnerability in legacy defenses that often focus on broken authentication or blacklisted domains.
The campaign unfolded in multiple waves, beginning on April 28, 2025, with an initial lure themed around an “Execution Agreement,” followed by further waves on May 7 and May 16 (the latter using a SAFE agreement variant) and a high-volume burst on May 23, in which dozens of emails were sent in under a minute.
This pattern suggests automation and possibly the use of phishing kits for orchestration. The emails contained no direct malicious links in the body, instead embedding payloads in attachments like PDFs and HTML files with names such as “SAFE_Terms_May2025.pdf” and “Execution_Agreement.html.”
These attachments initiated redirect chains through seemingly benign marketing trackers before leading to phishing sites hosted on obfuscated domains like 2vf78gnafutdc5zqmhng[.]iqmwpx[.]ru, designed for credential harvesting, including Gmail session and token theft.
Adaptive Attack Waves
Techniques such as HTML padding with whitespace characters, multipart MIME structures to hide payloads, display name spoofing (e.g., “Name via DocuSign”), and flawless AI-generated grammar further ensured the emails bypassed traditional filters.

Raven identified the threat through behavioral indicators, including unusual sender-recipient combinations, repeated use of contract-related lures, brand impersonation, identical attachment patterns, and suspicious redirect chains.
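As an added example (not Raven’s detection logic or any vendor’s code), the following Python script scores messages on the behavioural signals listed above rather than on authentication results, which in this campaign are clean by design: a display name that claims a brand the sending domain does not own, contract-themed HTML or PDF attachments, whitespace-padded HTML whose only link sits inside the attachment, and bursts of near-identical messages from one sender inside a minute. The sample messages, the sender and recipient addresses, the tracker.example URL and the Authentication-Results header are all constructed for the demonstration.

```python
"""Behavioural triage for phishing mail that passes SPF, DKIM and DMARC.

Added example, not the code of Raven or of the ISP.  The messages below are
constructed to resemble the indicators described in the article; none is a
real capture.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage
from email.utils import format_datetime, parseaddr, parsedate_to_datetime

BRAND_WORDS = ("docusign",)                      # brands seen impersonated in display names
LURE_WORDS = ("agreement", "safe", "terms", "contract")
PAYLOAD_EXT = (".html", ".htm", ".pdf")
URL_RE = re.compile(r"https?://", re.I)


def make_message(sent_at, display_name, sender, rcpt, body, attachment):
    """Build a constructed sample message whose authentication results are all 'pass'."""
    name, content, subtype = attachment
    msg = EmailMessage()
    msg["From"] = f"{display_name} <{sender}>"
    msg["To"] = rcpt
    msg["Date"] = format_datetime(sent_at)
    # Constructed header: what a receiving MX records for mail relayed by the ISP itself.
    msg["Authentication-Results"] = (
        "mx.victim.example; spf=pass smtp.mailfrom=nifty.com; "
        "dkim=pass header.d=nifty.com; dmarc=pass header.from=nifty.com"
    )
    msg.set_content(body)
    if isinstance(content, bytes):
        msg.add_attachment(content, maintype="application", subtype=subtype, filename=name)
    else:
        msg.add_attachment(content, subtype=subtype, filename=name)
    return msg


def auth_passed(msg):
    """True when SPF, DKIM and DMARC all report 'pass' (the SEG-bypass condition)."""
    results = (msg["Authentication-Results"] or "").lower()
    return all(f"{mech}=pass" in results for mech in ("spf", "dkim", "dmarc"))


def score_message(msg):
    """Return the sorted list of behavioural indicators a single message triggers."""
    hits = set()
    display, addr = parseaddr(msg["From"])
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    # Display name borrows a brand ("Name via DocuSign") that the sending domain does not own.
    for brand in BRAND_WORDS:
        if brand in display.lower() and brand not in sender_domain:
            hits.add("display-name-brand-mismatch")
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body else ""
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(PAYLOAD_EXT) and any(w in fname for w in LURE_WORDS):
            hits.add("contract-lure-attachment")
        if fname.endswith((".html", ".htm")):
            html = part.get_content()
            dense = re.sub(r"\s", "", html)
            # Padding: the file is mostly whitespace wrapped around a tiny redirect.
            if len(html) > 200 and len(dense) / len(html) < 0.2:
                hits.add("whitespace-padded-html")
            # The body carries no link at all; the only URL lives inside the attachment.
            if URL_RE.search(html) and not URL_RE.search(body_text):
                hits.add("link-only-in-attachment")
    if hits and auth_passed(msg):
        hits.add("clean-auth-with-behavioural-hits")
    return sorted(hits)


def detect_bursts(msgs, window=timedelta(seconds=60), min_count=5):
    """Group by (sender, attachment names); report groups sent wholly inside one window."""
    groups = defaultdict(list)
    for m in msgs:
        _, addr = parseaddr(m["From"])
        names = tuple(sorted((p.get_filename() or "") for p in m.iter_attachments()))
        groups[(addr.lower(), names)].append(parsedate_to_datetime(m["Date"]))
    bursts = []
    for (sender, names), times in groups.items():
        times.sort()
        if len(times) >= min_count and times[-1] - times[0] <= window:
            bursts.append((sender, names, len(times)))
    return bursts


# Constructed samples: a May 23-style burst, a PDF lure, and a benign partner mail.
T0 = datetime(2025, 5, 23, 9, 0, tzinfo=timezone.utc)
PADDED_HTML = " " * 2000 + '<meta http-equiv="refresh" content="0;url=https://tracker.example/r?id=1">'
BURST = [
    make_message(T0 + timedelta(seconds=4 * i), "Legal Team via DocuSign", "free-account@nifty.com",
                 f"finance{i}@victim.example", "Please review the attached agreement.",
                 ("Execution_Agreement.html", PADDED_HTML, "html"))
    for i in range(12)
]
PDF_LURE = make_message(T0 - timedelta(days=7), "Counsel via DocuSign", "free-account@nifty.com",
                        "cfo@victim.example", "Attached are the SAFE terms for signature.",
                        ("SAFE_Terms_May2025.pdf", b"%PDF-1.4 constructed stub", "pdf"))
BENIGN = make_message(T0, "Alice", "alice@partner.example", "bob@victim.example",
                      "Notes from today's call: https://partner.example/notes",
                      ("notes.txt", "action items", "plain"))

if __name__ == "__main__":
    for label, m in (("burst[0]", BURST[0]), ("pdf lure", PDF_LURE), ("benign", BENIGN)):
        print(label, auth_passed(m), score_message(m))
    print("bursts:", detect_bursts(BURST + [PDF_LURE, BENIGN]))
```

The scoring deliberately ignores the authentication verdict until other signals fire: a clean SPF/DKIM/DMARC result is what the ISP relay guarantees, so it is reported only as context on messages that already look anomalous. Thresholds such as the 20% non-whitespace ratio and the five-messages-per-minute burst are illustrative and would be tuned against real mail volume.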
This attack, assessed as medium-to-high sophistication, underscores the limitations of legacy email security systems, which often fail to detect threats that lack obvious red flags such as broken authentication or suspicious URLs in the email body.
The abuse of authenticated infrastructure and the adaptive, evasive nature of the campaign signal a growing trend in phishing operations where attackers blend into trusted environments to maximize impact.
Raven’s detection of this campaign, despite clean headers and valid authentication, emphasizes the need for advanced behavioral analysis and anomaly detection to combat such threats.
Organizations must evolve beyond traditional defenses, adopting solutions that scrutinize user behavior, content patterns, and hidden redirect mechanisms to safeguard against increasingly sophisticated phishing attempts exploiting legitimate platforms.