
Japanese-Language Phishing Emails, (Sat, Feb 21st)

Severity: Medium
Category: Phishing
Published: Sat Feb 21 2026 (02/21/2026, 06:03:36 UTC)
Source: SANS ISC Handlers Diary

AI-Powered Analysis

Last updated: 02/21/2026, 06:16:32 UTC

Technical Analysis

This campaign sends Japanese-language emails that impersonate well-known companies, including All Nippon Airways (ANA), DHL and myTOKYOGAS. The messages come from several sender domains under the .cn top-level domain; that points to infrastructure registered in China, although a TLD alone does not establish where the operator actually sits. The emails share common traits: the X-Mailer header identifies the Foxmail 6 client, and the phishing links follow similar URL patterns. Those links are dressed up to look like legitimate login portals but lead to credential-harvesting pages hosted on .cn domains. The campaign has been running for more than a year and targets Japanese-speaking recipients, although the same sender addresses have also turned up on non-Japanese blogs, which suggests the operator mails widely rather than picking individual targets. The messages make some effort to evade spam filtering, but mature filtering systems generally catch them. The lure relies entirely on social engineering to get users to type their credentials into the fake portal; no software vulnerability is exploited. Its persistence and its choice of major Japanese brands indicate a sustained effort to harvest credentials that could then be used against corporate or personal accounts.

Potential Impact

If successful, the campaign yields stolen credentials and, with them, unauthorized access to the victims' accounts at the impersonated services or anywhere the same passwords are reused, with the attendant financial and data loss for individuals and organizations. Harvested credentials can also feed follow-on fraud and identity theft or, where corporate accounts are involved, lateral movement inside a company network. Impersonating household-name brands raises the odds that recipients, particularly less security-aware ones, trust and act on the message, and organizations that deal with these companies or operate in Japan face an elevated risk of targeted phishing. Infrastructure on .cn domains can also slow takedowns and complicate attribution. No widespread compromise has been reported, but a campaign that has run this long against these targets is a persistent threat that could escalate if left unaddressed. The impact falls mainly on the confidentiality and integrity of user data, with little effect on availability, and successful, publicized campaigns carry reputational risk for the impersonated companies.

Mitigation Recommendations

Email filtering should treat the campaign's indicators as scoring signals rather than hard blocks: a sender domain under .cn and an X-Mailer header of Foxmail 6 are weak indicators on their own, since both occur in legitimate mail, but they are telling in combination with a display name that claims a Japanese brand whose real domain the sender does not use, or a link whose host name borrows the brand but sits under an unrelated domain. Awareness training for Japanese-speaking employees and customers should focus on recognizing messages that impersonate trusted companies. The impersonated brands should publish SPF and DKIM records and enforce a DMARC policy on their own domains so that receivers can discard exact-domain spoofs; note that DMARC does not stop mail sent from attacker-controlled domains such as the .cn senders used here, so receiving organizations still need content and link inspection. Monitor for newly registered domains that mimic the company names, including under .cn, and work with registrars and law enforcement on takedown requests. Tell users to check where a link actually leads before entering credentials and to report suspicious messages promptly. Enforce multi-factor authentication on all critical accounts, preferring phishing-resistant methods where they are available, to limit the damage from a stolen password. Incident response plans should cover phishing handling and user notification, spam filters should be re-tested regularly against the campaign's evolving lures, and participation in threat-intelligence sharing communities provides early warning of related campaigns.
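The following Python script is an added example, not code from the SANS ISC diary or from this site. It applies the header and link indicators from the Technical Analysis above (sender domain under .cn, X-Mailer of Foxmail 6, a display name or link host that borrows an impersonated brand's name without using that brand's real domain) as the kind of combined scoring rule the mitigation text recommends. The three sample messages, the exact X-Mailer string and the brand-to-legitimate-domain table are constructed for the example; the domain handling is deliberately naive (no public-suffix list, no DMARC result lookup) and would need both in production.

```python
"""Triage e-mail headers and links against the indicators described above.
Added example: sample messages and the BRAND_DOMAINS table are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

SUSPECT_TLDS = {"cn"}              # sender and link domains seen in the campaign
SUSPECT_MAILERS = ("foxmail 6",)   # X-Mailer value noted in the analysis
# Assumed legitimate domains for the impersonated brands (for this example only).
BRAND_DOMAINS = {
    "ana": ("ana.co.jp",),
    "dhl": ("dhl.com", "dhl.co.jp"),
    "tokyogas": ("tokyo-gas.co.jp",),
}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def tld(host):
    """Last DNS label, lower-cased ('jp' for ana.co.jp, 'cn' for foo.cn)."""
    return host.rsplit(".", 1)[-1].lower()


def under(host, domains):
    """True if host is one of the given domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def brands_in(text):
    """Brands whose keyword is a whole token of text (or, for keywords of five
    or more characters, part of a token), so 'management' does not match 'ana'
    but 'mytokyogas' does match 'tokyogas'."""
    tokens = [t for t in re.split(r"[^a-z0-9]+", text.lower()) if t]
    return [b for b in BRAND_DOMAINS
            if any(t == b or (len(b) >= 5 and b in t) for t in tokens)]


def body_text(msg):
    """Concatenate the decoded text/* parts of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw):
    """Return the list of indicator hits for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if tld(sender_domain) in SUSPECT_TLDS:
        findings.append(f"sender domain under suspect TLD: {sender_domain}")
    if any(m in msg.get("X-Mailer", "").lower() for m in SUSPECT_MAILERS):
        findings.append(f"suspect X-Mailer: {msg['X-Mailer']}")
    for brand in brands_in(display):
        if not under(sender_domain, BRAND_DOMAINS[brand]):
            findings.append(f"display name claims {brand} but sender is {sender_domain}")
    for url in dict.fromkeys(URL_RE.findall(body_text(msg))):   # de-duplicated, in order
        host = urlparse(url).hostname or ""
        if tld(host) in SUSPECT_TLDS:
            findings.append(f"link under suspect TLD: {host}")
        for brand in brands_in(host):
            if not under(host, BRAND_DOMAINS[brand]):
                findings.append(f"link impersonates {brand}: {host}")
    return findings


# Constructed samples (not real campaign messages).
PHISH_ANA = """From: "ANA Mileage Club" <info@mail-ana-service.cn>
To: victim@example.jp
Subject: [ANA] Please verify your account
X-Mailer: Foxmail 6
Content-Type: text/plain; charset=utf-8

Your mileage account will be suspended. Sign in to confirm:
https://ana-login-secure.cn/mileage/signin
"""

PHISH_DHL = """From: "DHL Express" <notice@dhl-delivery-jp.cn>
To: victim@example.jp
Subject: Delivery on hold
X-Mailer: Foxmail 6
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Your parcel is on hold. Confirm your address: https://dhl-express.cn/track
--b1
Content-Type: text/html; charset=utf-8

<html><body><a href="https://dhl-express.cn/track">Confirm</a></body></html>
--b1--
"""

LEGIT_ANA = """From: "ANA Mileage Club" <noreply@ana.co.jp>
To: member@example.jp
Subject: Your monthly statement
Content-Type: text/plain; charset=utf-8

https://www.ana.co.jp/en/jp/amc/
"""

if __name__ == "__main__":
    for name, raw in (("PHISH_ANA", PHISH_ANA), ("PHISH_DHL", PHISH_DHL), ("LEGIT_ANA", LEGIT_ANA)):
        print(name, triage(raw))
```

Each phishing sample trips five findings, the legitimate ANA mail trips none. In a mail gateway the list would feed a score or a quarantine rule; a single hit such as the .cn TLD should not block on its own, while the brand-claim-without-brand-domain hits are strong enough to quarantine.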


Technical Details

Article source: https://isc.sans.edu/diary/rss/32734 (fetched 2026-02-21T06:16:21Z, 623 words)

Threat ID: 69994db5be58cf853b530115

Added to database: 2/21/2026, 6:16:21 AM

Last enriched: 2/21/2026, 6:16:32 AM

Last updated: 2/22/2026, 6:21:33 AM