Red Bull Phishing Scam Lures Job Seekers, Steals Logins
A new Red Bull phishing scam is targeting job seekers with fake recruitment emails, impersonating the energy drink giant to lure victims into surrendering login credentials. The emails, sent from messaging-service@post.xero.com, pass SPF, DKIM and DMARC checks, helping them bypass standard email filters undetected.
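Because these messages pass SPF, DKIM and DMARC, an authentication pass alone cannot serve as a verdict. The check below is an added example, not code from the article or from Evalian's report: it reads the Authentication-Results header and flags mail whose display name or subject names a brand while the From domain belongs to someone else. The sample message, the `BRAND_DOMAINS` map and all function names are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not taken from the campaign); only the sender
# address messaging-service@post.xero.com comes from the article.
SAMPLE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=post.xero.com;
 dkim=pass header.d=post.xero.com;
 dmarc=pass header.from=post.xero.com
From: "Red Bull Careers" <messaging-service@post.xero.com>
To: candidate@example.org
Subject: Social Media Manager opportunity at Red Bull

Please review the role and confirm your interest.
"""

# Assumption: a locally maintained map of brand keywords to the domains the
# brand is expected to send from. The redbull.com entry is illustrative.
BRAND_DOMAINS = {"red bull": {"redbull.com"}}

def auth_results(msg):
    """Return e.g. {'spf': 'pass', ...} parsed from Authentication-Results."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for part in header.split(";")[1:]:  # first field is the authserv-id
            method, _, rest = part.strip().partition("=")
            if method in ("spf", "dkim", "dmarc") and rest:
                results.setdefault(method, rest.split()[0].lower())
    return results

def brand_mismatches(msg):
    """Brands named in display name or subject that the From domain does not match."""
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    text = f"{display} {msg.get('Subject', '')}".lower()
    return [b for b, allowed in BRAND_DOMAINS.items() if b in text
            and not any(domain == d or domain.endswith("." + d) for d in allowed)]

def verdict(raw):
    """Return (decision, all_auth_passed, mismatched_brands) for a raw message."""
    msg = message_from_string(raw)
    auth = auth_results(msg)
    passed = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    brands = brand_mismatches(msg)
    return ("flag" if brands else "ok", passed, brands)

if __name__ == "__main__":
    print(verdict(SAMPLE))
```

The flag is raised even though all three authentication checks pass, which is the condition the article describes.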
Recipients are directed through a fake reCAPTCHA check to a professional-looking job listing site, hosted on a recently registered domain that mimics legitimate recruiting platforms. The scam culminates in a counterfeit Facebook login page where user credentials are exfiltrated to a known malicious IP address.
Researchers at Evalian linked the Red Bull phishing scam to a larger phishing-as-a-service operation by identifying reused TLS JARM fingerprints across similar campaigns spoofing brands like MrBeast and Meta. Attackers exploit Mailgun’s trusted infrastructure and automated TLS certificate issuance to avoid detection.
Security teams should monitor traffic to 38.114.120.167 and block related domains. Read the full report: "Red Bull-Themed Phishing Attacks Steal Job Seekers Login Credentials".
