A recently discovered phishing campaign attempted to steal victims’ credentials by abusing the Telegram messaging app’s API to create malicious domains that help bypass security tools such as secure email gateways.

The Telegram application offers secure, encrypted communication channels for its users, the service also offers API options that can allow users to create programs that use the app’s messages for an interface. In this case, the fraudsters used the APIs to create realistic-looking phishing domains that bypassed security tools.

This campaign spoofed an email account that appeared to an internal user as legitimate. “Then they used a domain as the site for the URL redirection that most likely at the time wasn’t a known bad site, but which is now classified as malicious.”

The targets of this particular campaign were sent phishing emails that appeared to come from an internal source, with addresses such as “support@internal.com,” but which actually originated with a source outside the organization, according to the report.

The phishing emails typically come with an urgent message alert in the subject line, such as “Review All Pending Messages,” which is designed to get the potential victim to open the message.

“The user is presented with a notice advising that they have messages to review. The bold and large title attracts attention, and is followed by further information to clarify the purpose of the email, according to the report. “Then there’s a button for the user to click to ‘Release All’ the blocked emails to their inbox.”

If the targeted victim clicks the link to inspect the messages, they are led to a malicious domain that is created from the Telegram API and designed to look like a webmail login page that asks for credentials, according to the report. The webpage also pulls in the user’s email address from the URL to give it another layer of legitimacy.

After the user’s password and other credentials are harvested, the information is then sent to the Telegram API created by the fraudsters, while the victim receives a message that the account has been updated, Cofense notes.

“Once the malicious domain has been identified, it can be blocked. However, by utilizing the Telegram API, the threat actor is working to circumvent interference,” according to the report. “They’re complicating methods for removing stored credentials that have been harvested, and can view and access these credentials at their convenience on a page they control.”