At Constella, we’ve spent years analyzing how cybercriminals execute attacks that affect organizations of all sizes, whether they’re startups, local businesses, or global enterprises. One of the most revealing recent cases involves the abuse of Email Marketing Platforms like MailChimp, whose accounts are being compromised through account takeover (ATO), phishing, and social engineering tactics. These attacks are not only persistent, they’re scaling globally and affecting multiple sectors with serious consequences.
What Makes an Email Marketing Platform Like MailChimp an Ideal Target?
MailChimp has long been a critical communication tool for marketing teams, tech newsletters, and even cybersecurity organizations. Access to a MailChimp account typically gives attackers:
- Full lists of subscribers and contact information
- The ability to send mass emails from a trusted source
- The potential to impersonate trusted brands and individuals
- Intelligence on marketing or internal communication strategies
Even with multi-factor authentication (MFA), many of these accounts are being accessed by bypassing traditional login processes.
How? Through the use of stolen session cookies. Infostealers, malware families designed to extract stored credentials, browser cookies, and application data from an infected device, are a common threat vector. Once the cookies are exfiltrated, attackers can replay an already-authenticated session and skip the login flow entirely, so the MFA challenge is never triggered.
Thousands of fresh infections in the last few days
In just the last few days, Constella has detected more than 1,200 newly infected devices that contained MailChimp credentials. These are not historical records; they are fresh, net-new infections, actively putting sensitive accounts at risk.
What’s more, this data highlights a worrying trend: attackers are increasingly targeting corporate environments, not just personal users. Many of the domains associated with these infections belong to legitimate businesses across multiple sectors and geographies.
Global Spread: Countries Most Affected
A recent analysis of infections paints a clear picture of the global nature of this threat. The following countries are seeing the highest rates of MailChimp-related compromises in the past month:
- Mexico (13.46%)
- Australia (8.65%)
- Colombia (8.65%)
- Brazil (5.77%)
- France (5.77%)
- India (4.81%)
These infections are not just hitting random individuals; they’re breaching the digital walls of corporations, nonprofits, and educational institutions alike.
Targeted Sectors: Who’s Being Hit?
By filtering recent infostealer logs, we've identified that the following sectors are among the most impacted by this type of threat:
Education
Educational institutions continue to be attractive targets due to legacy systems and limited cybersecurity resources. They often run large-scale virtual learning environments, which broadens the set of entry points available to an attacker.
Marketing & Digital Media
Companies offering marketing and digital solutions are high-value targets due to the client data they process. These organizations often operate in highly connected ecosystems, making lateral movement easier for attackers once inside.
Technology & IT Services
Tech companies, including software developers and IT solution providers, also featured heavily. This sector represents both a high-risk and high-reward category for threat actors due to their access to other clients’ systems.
Retail & eCommerce
Retailers, especially smaller or niche e-commerce shops, also appear in the data. These businesses often lack robust security teams, making them soft targets for credential harvesting and carding operations.
Healthcare & Industrial Automation
These organizations are attractive targets not just because of their mailing lists, but because of the trust associated with their brand identity. When an attacker sends an email from a legitimate MailChimp account tied to one of these domains, recipients are far more likely to open and engage with it.
Cookie Theft and MFA Bypass: A Silent Killer
Even when organizations implement MFA on their services (which, notably, is not universally enforced), attackers are finding ways in. One of the more alarming methods involves stealing authentication cookies through infostealers like RedLine, Raccoon, or Lumma, among others.
These cookies are then used to impersonate a logged-in session, allowing full access to the account without ever entering a password or second factor. It is stealthy, effective, and often undetected until the damage is done.
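The session replay described above can be caught on services an organization runs itself by recording which client completed the MFA login for each session and alerting when that session is later presented from a different client, or with no login observed at all. The following is an added example, not Constella's or MailChimp's code; it runs that check over constructed JSON-lines auth log entries, and the field names and the `login_mfa_ok` event name are assumptions.

```python
"""Detect replayed session cookies: a session presented from a client
(IP / user agent) other than the one that completed the MFA login.
Added example over constructed log lines; not Constella's or MailChimp's code."""
import json
from collections import namedtuple

# Constructed JSON-lines auth log (field and event names are assumptions).
# s-42: MFA login from one client, then reused from another with no new login.
# s-99: used without any observed login at all (cookie imported elsewhere).
SAMPLE_LOG = """
{"ts": "2024-05-01T09:00:00Z", "event": "login_mfa_ok", "session": "s-42", "user": "alice", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124"}
{"ts": "2024-05-01T09:05:00Z", "event": "request", "session": "s-42", "user": "alice", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124"}
{"ts": "2024-05-01T11:30:00Z", "event": "request", "session": "s-42", "user": "alice", "ip": "198.51.100.77", "ua": "python-requests/2.31"}
{"ts": "2024-05-01T11:31:00Z", "event": "request", "session": "s-42", "user": "alice", "ip": "198.51.100.77", "ua": "python-requests/2.31"}
{"ts": "2024-05-01T11:45:00Z", "event": "request", "session": "s-99", "user": "carol", "ip": "198.51.100.77", "ua": "python-requests/2.31"}
{"ts": "2024-05-01T12:00:00Z", "event": "login_mfa_ok", "session": "s-43", "user": "bob", "ip": "192.0.2.5", "ua": "Mozilla/5.0 (Macintosh) Safari/17"}
{"ts": "2024-05-01T12:10:00Z", "event": "request", "session": "s-43", "user": "bob", "ip": "192.0.2.5", "ua": "Mozilla/5.0 (Macintosh) Safari/17"}
"""

Alert = namedtuple("Alert", "session user first_ip first_ua ip ua ts")

def find_session_replays(log_text):
    """Return one Alert per session that is used from a client differing from
    the one seen at MFA login, or with no login observed at all. Only the
    first deviating request of each session is reported."""
    origin = {}      # session id -> (ip, ua) recorded at login
    flagged = set()  # sessions already reported, to avoid duplicate alerts
    alerts = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        sid = ev["session"]
        if ev["event"] == "login_mfa_ok":
            origin[sid] = (ev["ip"], ev["ua"])
            continue
        if sid in flagged:
            continue
        first_ip, first_ua = origin.get(sid, (None, None))
        # Alert when the session was never issued here, or the client changed.
        if sid not in origin or (ev["ip"], ev["ua"]) != (first_ip, first_ua):
            alerts.append(Alert(sid, ev["user"], first_ip, first_ua, ev["ip"], ev["ua"], ev["ts"]))
            flagged.add(sid)
    return alerts

if __name__ == "__main__":
    for a in find_session_replays(SAMPLE_LOG):
        print(f"[ALERT] session {a.session} ({a.user}) issued to {a.first_ip} / {a.first_ua}, "
              f"used at {a.ts} from {a.ip} / {a.ua}: revoke the session and require re-login")
```

A bare IP comparison will misfire for users on mobile or carrier-grade NAT networks, so in production combine it with ASN or country and the user agent, and respond by revoking the session and forcing a fresh MFA login rather than blocking the user outright.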
Constella’s Commitment
At Constella, we continuously monitor infostealer data and exposed corporate credentials in real time. Our goal is to help businesses understand not only whether their data is exposed, but also what kind of attacks can originate from that exposure.
If your organization uses MailChimp, or if you suspect credentials may have been compromised in the past month, it’s time to take action. The threat is real, active, and spreading fast.
Want to know if your domain is affected? Reach out to our threat intelligence team; we're here to help.