Mozilla has issued an urgent security alert to its developer community following the detection of a sophisticated phishing campaign specifically targeting AMO (addons.mozilla.org) accounts.
The company’s security team, led by Scott DeVaney, reported on August 1, 2025, that cybercriminals are actively attempting to compromise developer credentials through deceptive emails claiming that account updates are required to maintain access to developer features.
Key Takeaways
1. Mozilla detected phishing emails targeting add-on developers.
2. Fake emails use incorrect domains (like “mozila”) and fail SPF/DKIM/DMARC checks.
3. Only enter credentials on mozilla.org/firefox.com.
Targets Mozilla Add-on Developers
The malicious campaign uses carefully crafted emails that masquerade as official Mozilla communications, typically containing variations of the message “Your Mozilla Add-ons account requires an update to continue accessing developer features”.
These sophisticated phishing attempts exploit developers’ concerns about maintaining access to their publishing privileges on the AMO platform, which serves as the primary distribution channel for Firefox extensions and add-ons.
Security researchers have identified several technical indicators that can help developers distinguish legitimate communications from fraudulent ones.
Genuine Mozilla emails originate exclusively from verified domains, including firefox.com, mozilla.org, mozilla.com, and their respective subdomains.
Additionally, legitimate emails pass essential email authentication protocols, including SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) checks.
Evidence from affected developers shows that some phishing emails contain obvious technical flaws, including misspelled domains such as “mozila” instead of “mozilla,” which should serve as immediate red flags for recipients.
Despite these apparent errors, the campaign has successfully compromised at least one developer account, with one victim reporting they “fell for the phishing rip-off” before quickly realizing the deception and deleting their extension.
Mozilla Recommendations
Mozilla’s security advisory emphasizes a multi-layered approach to protection, urging developers to implement strict verification procedures when handling suspicious communications.
The company recommends that developers never click embedded links in emails claiming to be from Mozilla, instead advocating direct navigation to mozilla.org or firefox.com domains.
Critical security protocols include validating that any links within emails point exclusively to verified Mozilla domains before interaction, and ensuring that Mozilla credentials are only entered on official mozilla.org or firefox.com websites.
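The sender-domain, SPF/DKIM/DMARC and link checks described above can be combined into one mail-triage routine. The following Python is an added example, not Mozilla's code or part of the advisory; the function names, the sample message and the `.example` hostnames are constructed for illustration, and it assumes the Authentication-Results header was stamped by your own receiving mail server.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Sender domains the advisory lists as genuine (subdomains included).
MOZILLA_DOMAINS = ("firefox.com", "mozilla.org", "mozilla.com")

def is_mozilla_host(host):
    """Exact match or true subdomain; 'mozilla.org.evil.test' must not pass."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MOZILLA_DOMAINS)

def auth_results(msg):
    """Read spf/dkim/dmarc verdicts from Authentication-Results.
    Assumption: the header was added by your own receiving server."""
    header = msg.get("Authentication-Results", "")
    found = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header.lower()))
    return {m: found.get(m, "missing") for m in ("spf", "dkim", "dmarc")}

def triage(raw):
    """Return a list of reasons the message fails the advisory's checks."""
    msg = message_from_string(raw)
    reasons = []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not is_mozilla_host(domain):
        reasons.append(f"sender domain not Mozilla: {domain or 'none'}")
    for mech, verdict in auth_results(msg).items():
        if verdict != "pass":
            reasons.append(f"{mech}={verdict}")
    body = msg.get_payload()  # single-part text body in this example
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlsplit(url).hostname
        if not is_mozilla_host(host):
            reasons.append(f"link host not Mozilla: {host}")
    return reasons

# Constructed sample modelled on the misspelled-domain lure described above.
SAMPLE = """\
From: Mozilla Add-ons <no-reply@mozila.example>
Authentication-Results: mx.recipient.example; spf=fail; dkim=none; dmarc=fail
Subject: Your Mozilla Add-ons account requires an update

Update here: https://addons.mozila.example/login
Docs: https://addons.mozilla.org/developers/
"""

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

An empty result means only that the message passed these three checks; the advisory's guidance to navigate directly to mozilla.org or firefox.com still applies.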
The company has also directed developers to additional resources from the U.S. Federal Trade Commission and the U.K. National Cyber Security Centre for comprehensive guidance on detecting and reporting phishing scams.
This incident highlights the growing threat landscape facing WebExtensions developers and the broader Mozilla ecosystem, as cybercriminals increasingly target developer accounts, potentially to distribute malicious code through trusted extension platforms.