Attackers are using automated methods to generate attack email addresses that end in the domain to try and bypass any email filters that may have Allow Listed.

The emails follow a similar format:

Should the user click on the "Sign In" buttons, they'll get directed to this spoofed login page:

(Note some of the typos on the page.)

Because the attackers can create an address that has "" in it, it'll sail past many security solutions, including, in this case, ATP.

Subscribe to Our Attack Briefs for More Research