Have you ever had your lunch interrupted by a sudden barrage of security alerts? That’s exactly what happened to one of our clients when a frantic call from their Security Operations Center revealed a flood of suspicious emails. The culprit? A brand-new cyberattack mimicking the notorious Black Basta group’s latest technique—and it hit with lightning speed.

Normally, you’d expect employees to ring the alarm when they spot anything odd. But this time, there was only silence. Curious, our client checked their Secure Email Gateway (SEG) and confirmed a surge of malicious activity—the very thing that triggered the SOC’s warning. Then, they opened the SlashNext phishing-defense tool they had installed last year. Part of SlashNext’s new Integrated Cloud Email Security (ICES) offering, it quickly pinpointed hundreds of suspicious messages hitting a small group of users.

Within 90 minutes, the attackers had blasted 1,165 emails at 22 target mailboxes—over 50 messages per user, dropped in quick bursts. These rapid-fire attacks aimed to overwhelm inboxes and spark panic-clicking. But thanks to early detection from the ICES platform, our client spotted the threat forming and moved fast to keep it from spreading.

 

That’s when the SlashNext team got involved. SlashNext had recently rolled out enhancements to address the Black Basta tactics seen over the past two months. While other vendors were still scrambling, SlashNext’s AI-powered approach quickly identified and blocked these dangerous emails—proving the power of well-tuned technology when you need it most.

What’s the Real Goal of This Attack?

We’ve seen a surge in ‘Black Basta’-style tactics, a fresh ransomware scam that fools employees into handing over remote control of their computers. First, they flood inboxes with legitimate emails—like newsletters or payment notices. These pile up, making it hard to tell which ones are safe. Then, when people feel overwhelmed, the attackers swoop in via phone calls or Microsoft Teams messages, posing as company tech support with a simple fix.

They speak with confidence to gain trust, directing users to install remote-access software like TeamViewer or AnyDesk. Once that software is on a device, attackers slip in quietly. From there, they can spread harmful programs or sneak into other areas of the network, clearing a path straight to sensitive data.

How SlashNext Stopped a Unique Attack Nobody Else Could Detect

Between November and December, there was a sudden surge of this phishing campaign across the internet. Even though others noticed it, SlashNext was the first to deliver an automated AI-powered defense that could handle it in real time. In just 90 minutes, our technology spotted and stopped a wave of dangerous emails—proving just how effective smart, fast scanning can be. Below, we’ll show you the details of the attack and why our approach is a game-changer.

The Attack

Within those same 90 minutes, our systems intercepted a focused phishing campaign targeting businesses around the globe. Many emails pretended to be from familiar platforms like WordPress, using names like “Account Confirmation” or “Subscription Notice” to trick people into clicking malicious links. Attackers added urgency by including phrases like “Your account has been created” or “Please confirm your subscription.”

 

They even slipped in foreign languages or odd characters—like “Confirmación de la cuenta de cliente” or “Votre compte sur Perle Dorée a été créé”—hoping to bypass simple keyword filters. The result? A flurry of convincing emails that could fool unsuspecting users into giving away their information.

Unveiling the Strategy

When we investigated this phishing wave, we noticed five standout tactics that attackers used to fool people:

1. Platform Impersonation
   Criminals posed as big‑name platforms like WordPress and Shopify, even using real‑looking domains like “g.shopifyemail.com.” They sent fake account creation and subscription emails that seemed genuine at first glance.

2. Sneaky Domains
   Many messages came from places like genomelink.io, mandrillapp.com, epgn.com, and thefreeadforum.com. These domains looked harmless on the surface but were cleverly chosen to slip past simple filters. Our top ten domains from this campaign included:gmail.com, epgn.com, thefreeadforum.com, genomelink.io, mandrillapp.com, vivianapetshop.com.ar, lawyerist.com, ecusoftservice.com, softmaker.de, canoncommunity.com

   

    

3. Character Obfuscation
   Subject lines were sprinkled with unusual letters (like é or ó) or small changes that made them look authentic. This tactic helped attackers dodge basic keyword checks and confuse busy readers.
4. Varied Account Types
   The emails referred to different user roles—from admin accounts to shopping subscriptions—so there was a better chance of catching someone’s attention or curiosity.
5. Psychological Triggers
   By using urgent phrases like “Your account has been created” or “Please confirm subscription,” attackers created a sense of panic. In the rush to protect their accounts, some users clicked without thinking.

How SlashNext Mitigated the Threat

At SlashNext, we use our SEER™ technology to go beyond ordinary filters. Rather than checking old lists or simple keywords, SEER™ looks at how each email behaves in real time. This means that even if attackers hide malicious links behind strange symbols or encoded text, SEER™ can detect them. By testing links in virtual environments, we catch dangerous emails before they ever reach your inbox.

During this campaign, our system saw patterns like:

• URLs leading to fake login pages: Attackers hoped people would enter passwords on these sites.
• Domain spoofing: Criminals used subdomains to appear legitimate or trustworthy.
• Encoded URLs: When clicked, they secretly launched harmful software.

By focusing on behavior, not just appearances, SEER™ flagged each suspicious email and blocked it in real-time, keeping users safe.

Key Takeaways from This Attack

• WordPress Impersonation: Attackers used WordPress branding to trick people, so it remains a hot target for scams.
• Subscription Scams: Fake account creation or subscription emails are rising—always verify before you click.
• Unusual Characters: Weird accents or foreign words in subject lines often signal trouble.
• Rapid Execution: These scams happen fast, highlighting why real-time detection matters.

At SlashNext, we don’t just react to threats—we redefine email security. Our AI-based approach delivers speed, accuracy, and continuous innovation so businesses can stay protected without slowing down.

Can our technology help your organization? Stay ahead with us and learn more at SlashNext.com about novel email phishing campaigns. Fill out the contact form to learn how we address these challenging techniques.