Attachments with malicious links redirecting users to phony adult dating sites are being used in a new phishing campaign. A few of the links will send a user to replicated Ashley Madison pages. The username behind these messages is Gell, who is using info@reeedirect[.]ru to blast them out. Random names are being used in the subject line of the emails. At the end of the email is where the PDF attachment is located and if the user clicks on it, it will take them to the adult sites through a series of redirects. While redirecting, a URL http://r2[.]red123[.]ru/ is visited and it contains the message “follow the white rabbit” which ultimately sends the user to the replicated Ashley Madison page. Seven different IP’s were used to send users to over 4,000 different spam domains. The main IP’s listed were 34.194.20[.]115, 52.211.95[.]198, 34.210.90[.]78,52.32.148[.]184, 52.27.20[.]17, 52.5.47[.]11, and 52.30.14[.]56.