[TIMESTAMP: 2026-03-13 08:18 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: MEDIUM]

Phishing Credential Exfiltration via EmailJS and React Frameworks

MEDIUM Threat Intel #phishing #EmailJS #React
AI-Assisted Analysis
READ_TIME: 3 min read
// executive briefing tl;dr
  • [01] Attackers are using React-based phishing pages and legitimate email services to steal user credentials while bypassing traditional network detection.
  • [02] Systems at risk include any organization whose users may encounter malicious URLs leading to these dynamically generated credential-harvesting sites.
  • [03] Defenders should monitor for unexpected traffic to EmailJS domains and implement robust multi-factor authentication to mitigate the impact of stolen credentials.

A recent investigation into a malicious phishing campaign reveals a significant shift in how attackers architect credential-harvesting pages. According to researchers at SANS ISC, threat actors are now using modern JavaScript frameworks such as React together with legitimate third-party communication platforms to exfiltrate stolen data. This is a more sophisticated TTP than the traditional static HTML phishing page: it relies on dynamic rendering and on services that are already allow-listed in many environments to evade security controls.

Technical Analysis of the Attack Chain

The attack begins with a standard email lure; what distinguishes this campaign is the technical execution of the landing page. Instead of a simple HTML form, the attacker-controlled site is built with React, a popular JavaScript library for building user interfaces. React lets the phishing kit be modular and harder to analyze with automated scanners, which often struggle with heavily scripted dynamic content. Analysis of the React-based kit shows that the page components are rendered client-side, so the initial static response from the server looks benign to basic web filters that only inspect the raw HTML.

Once a victim enters their credentials into the fraudulent form, the page does not send them to a traditional C2 server. Instead, it integrates the emailjs-com library. EmailJS is a legitimate service that allows developers to send emails directly from client-side JavaScript without a dedicated backend. By embedding the attacker's EmailJS API keys and service IDs directly in the React components, the phishing page transmits the stolen credentials in an encrypted HTTPS request to the official EmailJS API endpoints. Because those identifiers must be shipped to the browser, they are visible in the page's JavaScript and can themselves serve as kit-specific indicators for analysts who obtain a copy of the page.

Phishing credential theft via legitimate email services

The most concerning aspect of this technique is that it bypasses network-level monitoring. Many organizations configure SIEM and SOC alerts for POST requests to unknown or low-reputation domains. Because the exfiltration here is a connection to a trusted domain such as api.emailjs.com, it is far more likely to be overlooked by automated controls. Routing stolen credentials through a legitimate email service lets the attackers keep a low profile and keeps the exfiltration path open even after the specific phishing landing page is taken down.

Detection and Remediation Strategies

Defenders must adapt their detection logic to account for the abuse of legitimate SaaS platforms in the final stages of an attack. Traditional IoC lists that focus solely on malicious domains are insufficient when the infrastructure being used for data transit is legitimate.

How to detect EmailJS phishing exfiltration

To identify this activity, SOC teams should monitor for unusual outbound traffic to api.emailjs.com or cdn.emailjs.com, particularly from internal systems that have no business requirement to use such services, and specifically for POST requests to the API whose referring page is not an approved internal application. Correlating these events with web proxy logs in the SIEM helps identify the initial phishing link the user visited just before the API call.
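As an added defender-side example (not code from the SANS ISC research or from this post), the following Python applies that correlation to constructed proxy log lines: it flags POSTs to api.emailjs.com whose referrer is not an approved internal origin and attaches the pages the same client visited shortly before, so the suspected phishing page can be traced. The log format, the allowlist of approved origins and all hostnames in the sample are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log (not real traffic). Assumed format:
# "<timestamp> <client> <method> <url> <referer>"; "-" means no referer.
# The EmailJS path below is illustrative, not taken from the campaign.
SAMPLE_LOG = """\
2026-03-13T08:01:02Z 10.0.0.5 GET https://login-update-portal.example/ -
2026-03-13T08:01:03Z 10.0.0.5 GET https://cdn.emailjs.com/dist/email.min.js https://login-update-portal.example/
2026-03-13T08:01:40Z 10.0.0.5 POST https://api.emailjs.com/api/v1.0/email/send https://login-update-portal.example/
2026-03-13T08:05:00Z 10.0.0.9 POST https://api.emailjs.com/api/v1.0/email/send https://www.intranet.example/contact
"""

EMAILJS_HOSTS = {"api.emailjs.com", "cdn.emailjs.com"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def host_of(url):
    """Return the lower-cased host part of an http(s) URL, or '' if none."""
    m = re.match(r"https?://([^/]+)", url)
    return m.group(1).lower() if m else ""


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, url, referer = m.groups()
            yield {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                   "client": client, "method": method, "url": url, "referer": referer}


def find_emailjs_exfil(log_text, approved_origins, window=timedelta(minutes=10)):
    """Flag POSTs to api.emailjs.com not referred by an approved internal origin,
    and attach the non-EmailJS pages the same client fetched within `window`."""
    events = list(parse_log(log_text))
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)
    findings = []
    for e in events:
        if e["method"] != "POST" or host_of(e["url"]) != "api.emailjs.com":
            continue
        if host_of(e["referer"]) in approved_origins:
            continue  # sanctioned EmailJS use by an internal web app
        prior = [p["url"] for p in by_client[e["client"]]
                 if e["ts"] - window <= p["ts"] < e["ts"]
                 and host_of(p["url"]) not in EMAILJS_HOSTS]
        findings.append({"client": e["client"], "referer": e["referer"],
                         "prior_pages": prior})
    return findings
```

The `prior_pages` list is what an analyst would pivot on next: it names the page that loaded the EmailJS client before the credential POST.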

Furthermore, practitioners should consider the following MITRE ATT&CK-aligned mitigations:

  • Enhanced Endpoint Visibility: Deploy EDR solutions that can inspect browser process behavior and identify the loading of scripts related to email automation libraries on untrusted sites.
  • Multi-Factor Authentication (MFA): While not a detection method for the kit itself, MFA remains the most effective defense against the successful use of stolen credentials.
  • Content Security Policy (CSP): Organizations hosting their own web assets should implement strict CSP headers to prevent unauthorized scripts from executing, although this is more effective for preventing XSS than for stopping users from visiting external phishing sites.
