Hackers Abuse MailChimp Email Marketing Platform via Phishing and Social Engineering Tactics

Hackers have launched a wave of attacks against users of MailChimp, one of the most widely used email marketing platforms.

The attacks combine phishing with social engineering and infostealer malware to gain unauthorized access to corporate MailChimp accounts, exposing subscriber data and allowing malicious mail to be sent from sources recipients already trust.

The attacks have rapidly accelerated in recent weeks, with threat actors specifically targeting organizations across multiple sectors including education, marketing, technology, and retail.


Once compromised, these accounts serve as powerful vectors for distributing malware, stealing credentials, and conducting further social engineering campaigns.

The trusted reputation of affected brands significantly increases the likelihood that recipients will open and engage with malicious communications.

Constella researchers identified over 1,200 newly infected devices containing stolen MailChimp credentials in just the past few days.

According to their analysis, these are not credentials recycled from historical breaches but fresh infostealer infections that are actively putting accounts at risk.

The geographic distribution of attacks shows particular concentration in Brazil, France, and India, with each country accounting for a significant percentage of compromised accounts.

What makes these attacks particularly concerning is that gaining access to a MailChimp account provides attackers with complete subscriber lists and contact information, the ability to send mass emails from a trusted domain, opportunities to impersonate reputable organizations, and valuable intelligence on marketing strategies.

This combination creates a powerful platform for launching highly convincing secondary attacks.

Cookie Theft: The Silent MFA Bypass

The most alarming aspect of this campaign is how attackers circumvent multi-factor authentication (MFA).

Rather than attacking the login flow directly, the criminals deploy infostealers such as RedLine, Raccoon, and Lumma, which harvest the authentication cookies stored in the victim's browser alongside any saved passwords.

Once exfiltrated, a valid session cookie lets the attacker present the victim's already-authenticated session to MailChimp, so no password and no second factor are ever requested.

This session hijacking technique renders conventional MFA ineffective: MFA only protects the login step, and the attacker never goes through it.

Because no new login is recorded, the intrusion typically goes unnoticed until suspicious account activity (unexpected campaigns, audience exports, or new users) surfaces, by which time sensitive data may already be compromised.

Organizations using MailChimp should immediately review account access patterns for sessions that are used from new locations or browsers without a corresponding login, shorten session lifetimes so that a stolen cookie expires quickly, force re-authentication (which invalidates existing cookies) for any account suspected of compromise, and strengthen endpoint protection to detect infostealer malware before cookies can be exfiltrated.
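The following is an added example, not code from the article, Constella, or MailChimp. It shows the kind of access-pattern review described above: it replays a constructed JSON-lines audit log (the format, field names, and session IDs are assumptions, not MailChimp's real log schema) and flags sessions that match the cookie-theft pattern, namely a session cookie used from a different client fingerprint than the one that completed MFA, a session used beyond a maximum age, and a session with no login event on record.

```python
"""
Session-hijack review over a constructed audit log.

Model: a "login" event (with MFA) creates a session and records the client
fingerprint (source IP + User-Agent). A stolen cookie replayed by an attacker
shows up as later "request" events on the same session ID from a different
fingerprint, with no new login. Sessions older than MAX_SESSION_AGE are also
flagged, which is what a session timeout policy would enforce server-side.
The log format and field names are assumptions made for this example.
"""
import json
from datetime import datetime, timedelta

MAX_SESSION_AGE = timedelta(hours=12)

# Constructed sample log lines (not real MailChimp data).
# s-1001: alice logs in, then her cookie is reused from another IP/browser.
# s-1002: bob's session is still being used 19 hours after login.
# s-1003: carol's session has no login event in the log window at all.
SAMPLE_LOG = """\
{"ts":"2025-03-20T08:00:00Z","event":"login","mfa":true,"sid":"s-1001","user":"alice","ip":"203.0.113.10","ua":"Chrome/123 Windows"}
{"ts":"2025-03-20T08:05:00Z","event":"request","sid":"s-1001","user":"alice","ip":"203.0.113.10","ua":"Chrome/123 Windows","path":"/campaigns"}
{"ts":"2025-03-20T09:30:00Z","event":"request","sid":"s-1001","user":"alice","ip":"198.51.100.77","ua":"Firefox/124 Linux","path":"/audience/export"}
{"ts":"2025-03-20T09:31:00Z","event":"request","sid":"s-1001","user":"alice","ip":"198.51.100.77","ua":"Firefox/124 Linux","path":"/campaigns/send"}
{"ts":"2025-03-20T07:00:00Z","event":"login","mfa":true,"sid":"s-1002","user":"bob","ip":"192.0.2.5","ua":"Safari/17 macOS"}
{"ts":"2025-03-21T02:00:00Z","event":"request","sid":"s-1002","user":"bob","ip":"192.0.2.5","ua":"Safari/17 macOS","path":"/campaigns"}
{"ts":"2025-03-20T10:00:00Z","event":"request","sid":"s-1003","user":"carol","ip":"192.0.2.9","ua":"Chrome/123 Windows","path":"/campaigns"}
"""


def parse_log(log_text):
    """Parse JSON lines into event dicts, sorted by timestamp."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def fingerprint(ev):
    """Client fingerprint bound to a session at login time."""
    return (ev["ip"], ev["ua"])


def analyze(log_text, max_age=MAX_SESSION_AGE):
    """Return one finding per (session, reason), in order of first occurrence."""
    sessions = {}   # sid -> {"user", "fp", "authed_at"}
    seen = set()    # (sid, reason) already reported
    findings = []

    def report(ev, reason):
        key = (ev["sid"], reason)
        if key in seen:
            return
        seen.add(key)
        findings.append({"sid": ev["sid"], "user": ev["user"],
                         "ts": ev["ts"].isoformat(), "reason": reason})

    for ev in parse_log(log_text):
        if ev["event"] == "login":
            if not ev.get("mfa"):
                report(ev, "login_without_mfa")
            sessions[ev["sid"]] = {"user": ev["user"], "fp": fingerprint(ev),
                                   "authed_at": ev["ts"]}
            continue

        sess = sessions.get(ev["sid"])
        if sess is None:
            # Cookie presented with no login in the window: replayed or forged.
            report(ev, "unknown_session")
            continue
        if ev["ts"] - sess["authed_at"] > max_age:
            # Would have been rejected under a session timeout policy.
            report(ev, "session_expired")
        if fingerprint(ev) != sess["fp"]:
            # Same cookie, different client, no re-authentication: hijack pattern.
            report(ev, "cookie_replay")

    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

The IP-plus-User-Agent fingerprint is deliberately coarse: mobile networks change addresses and browsers update their version strings, so treat a single `cookie_replay` hit as a lead to confirm against login notifications rather than as proof of compromise. The `session_expired` check is the detection-side mirror of the timeout policy; the real fix is to enforce the limit server-side and to revoke all sessions for any account that trips the replay rule.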


Tushar Subhra Dutta
Tushar is a cyber security content editor with a passion for creating captivating and informative content. With years of experience in cyber security, he covers cyber security news, technology and other news.