Phish Wire - February 16, 2026
Between January 28, 2026 and February 11, 2026, analysts identified thirteen phishing incidents that show a clear shift in tooling. Most targeted Microsoft 365 sign-in, and several captured credentials with JavaScript (fetch() or WebSocket calls) instead of a traditional form POST; others impersonated Google, Adobe/Greenvelope and other trusted services. Techniques observed include real-time Socket.io/WebSocket channels for credential capture, AES-encrypted page bodies that are decrypted client-side only when the correct URL hash fragment is present, MFA harvesting that collects SMS codes and authenticator prompts so they can be used by the operator, and anti-analysis measures such as debugger timing checks, keyboard and context-menu blocking, and obfuscated code.
Threat actors hosted content on legitimate cloud services (Microsoft Azure blob storage via its static-website endpoint, Cloudflare Workers, Linode object storage and the Supabase authentication API) to blend in and evade reputation-based blocking, and used professional phishing kits with near-pixel-perfect brand impersonation and cloned OAuth2 sign-in flows. The incidents also point to modular phishing-as-a-service kits with encoded configuration variables, multi-stage collection that returns a deliberate "incorrect password" error so the victim re-enters credentials before the OTP prompt, and social engineering that combines fake security alerts with tech-support-scam lures. These campaigns are a significant risk because their evasion, realistic UI and end-to-end harvesting extend past the password to MFA tokens and session data.
Domains Reviewed
- xc2pa7lcty[.]gamvanta[.]com/m/PXVLCQ1ME5XXIYIFIOI5MZRFF8S7944IHDWDZ98WMX...
- toro[.]riesgocrediticio[.]com/#
- docu0[.]undertwoadesa[.]com/59AL1yOIdJt50mooo9rGGmKErqC3w52MhV0_iJ76fLT8...
- zuvusedaf[.]z33[.]web[.]core[.]windows[.]net/prod22/staging[.]html
- mkqa[.]digital/rshm/manp/letter/paperlesscountdown/
- wandering-scene-e6d6[.]robertcamp988[.]workers[.]dev/
- inamfiledrop[.]cfd/common?key=9ikmnpf3c
- flowaccess01[.]us-iad-10[.]linodeobjects[.]com/index60[.]html?rfranz@dal...
- eventmain[.]de/abdoc/AcrobatN/
- nocode[.]stousiore[.]help/ogirvwo8h3jiq?a412cc91a642-6602aa1951092b78c45...
- bayer-uslegal[.]org/common?key=9ikmnpf3c (2 variants)
- 8662979c7d67498db191391ab2fb142d[.]breaelles[.]com/?thLsIj=319YQU&EQT57J...
On February 11, 2026, an employee at a Texas organization clicked the below phishing page.

This phishing page uses JavaScript-based credential exfiltration rather than a traditional form submission. Its configuration is stored in encoded variables: a base64 string ("aHR0cHM6Ly94YzJwYTdsY3R5LmdhbXZhbnRhLmNvbS8=") that decodes to https://xc2pa7lcty[.]gamvanta[.]com/, the hosting domain itself, and a second string ("c2MvVFlSRkFQSjAzQlRVTEtGMTJUNFhCM0oyNQ==") that decodes to the short path-like token sc/TYRFAPJ03BTULKF12T4XB3J25, whose role in the kit was not determined. The page also loads Socket.io, giving it a persistent WebSocket channel for real-time communication with the operator.
The page impersonates Microsoft sign-in ("Sign in to your account" branding) with the victim's email address, belonging to a Texas organization, pre-populated, and loads jQuery 4.0.0 and Socket.io to capture and transmit credentials dynamically rather than on form submit. It is hosted under a randomized subdomain (xc2pa7lcty) of gamvanta.com, and the encoded configuration block suggests a phishing-as-a-service kit in which the same HTML is re-pointed at different backends per deployment. Overall this is a moderately sophisticated page: real-time WebSocket exfiltration, credential pre-filling and encoded configuration, behind a faithful copy of the Microsoft login interface.
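The triage step implied above, decoding the encoded configuration, is worth automating because the same kit appears with different backends. The following Node.js script is an added example, not code from the page or from the kit: it pulls base64-looking tokens out of a page capture, keeps only those that round-trip cleanly, and classifies what they decode to. The HTML snippet is constructed for this example around the two encoded strings quoted above; the Socket.io script tag and the io(...) call are hypothetical stand-ins for the kit's real glue code, which the write-up does not show.

```javascript
// Triage helper: find base64 tokens in a captured phishing page and decode them.
// Added example; the page capture below is CONSTRUCTED around the two strings
// quoted in the write-up. The io(...) call is a hypothetical stand-in for the
// kit's real Socket.io glue code, which is not shown on the page.
const SAMPLE_HTML = `
<script src="https://cdn.socket.io/4.7.5/socket.io.min.js"></script>
<script>
  var _cfg = {
    h: "aHR0cHM6Ly94YzJwYTdsY3R5LmdhbXZhbnRhLmNvbS8=",
    p: "c2MvVFlSRkFQSjAzQlRVTEtGMTJUNFhCM0oyNQ=="
  };
  var sock = io(atob(_cfg.h));
</script>`;

// Base64 alphabet run of at least 20 chars, optional padding: short enough to
// catch config values, long enough to skip ordinary identifiers.
const B64_TOKEN = /[A-Za-z0-9+/]{20,}={0,2}/g;

// Return the decoded bytes only if the token is genuine base64: re-encoding the
// bytes must reproduce the token exactly (Node's decoder silently tolerates junk
// and odd lengths, so a plain decode would "succeed" on random alphanumerics).
function strictDecode(token) {
  const buf = Buffer.from(token, 'base64');
  return buf.toString('base64') === token ? buf : null;
}

// Classify decoded bytes: URL (with hostname for blocklisting), printable text, or binary.
function classify(buf) {
  const text = buf.toString('latin1');
  if (!/^[\x20-\x7e]+$/.test(text)) return { kind: 'binary', decoded: buf.toString('hex') };
  if (/^https?:\/\//i.test(text)) {
    return { kind: 'url', decoded: text, host: new URL(text).hostname };
  }
  return { kind: 'text', decoded: text };
}

// Scan a page body and return one record per decodable token, in page order.
function scanBase64(html) {
  const out = [];
  for (const m of html.matchAll(B64_TOKEN)) {
    const buf = strictDecode(m[0]);
    if (!buf) continue;                 // random alphanumerics, not base64
    out.push({ token: m[0], ...classify(buf) });
  }
  return out;
}

// Runs stand-alone: prints what the constructed page's config decodes to.
for (const r of scanBase64(SAMPLE_HTML)) {
  console.log(`${r.kind.padEnd(6)} ${r.decoded}${r.host ? '  host=' + r.host : ''}`);
}
```

The round-trip check in strictDecode matters in practice: minified JavaScript is full of long alphanumeric identifiers that a lenient decoder will happily turn into garbage, and the hostname pulled from a decoded URL is the indicator to feed into DNS or proxy blocking.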
On February 11, 2026, an employee at a Florida organization clicked the below phishing page.

This phishing page primarily uses JavaScript-based credential capture through the Supabase authentication service (supabase.min.js), indicated by the loaded library and obfuscated JavaScript functions that appear to handle authentication flows. The page employs moderate code obfuscation techniques with multiple layers of hexadecimal-encoded function names and variable manipulation (seen in the _0x4ad7, _0x1ff5, and _0x2063 function patterns) to hide its true functionality.
The site is hosted on the suspicious domain "riesgocrediticio.com" and implements Google Analytics tracking (G-Q67JFDQ6XG) to monitor victim interactions, while presenting itself as "Infamous", an educational tool for Canvas LMS, to appear legitimate. The sophistication level is moderate: obfuscated JavaScript combined with legitimate cloud services (Supabase as the authentication backend and CDN resources from jsdelivr.net) produces a convincing platform that can capture credentials through the Supabase authentication API rather than a simple form submission.
On February 09, 2026, an employee at a Minnesota organization clicked the below phishing page.

This Microsoft login phishing page exfiltrates credentials with JavaScript through a modular loader that pulls in external scripts (module.php, bot-detection.js) to drive multi-stage collection of username, password and MFA tokens across six authentication sections. Evasion measures include an anti-bot honeypot field (a_container_751 class) that a human never fills in but an automated form-filler would, disabled right-click and text selection, randomized CSS class names, and base64-encoded configuration in a phpConfig object that likely holds the exfiltration endpoints.
The page presents several MFA prompts (SMS codes, authenticator-app approval with a displayed number-matching value, verification codes), loads its scripts with per-request security tokens and timestamps, and reproduces Microsoft's styling and multi-step flow. The backend is custom PHP (module.php) with timestamp-based cache busting. The modular architecture, anti-analysis measures and realistic MFA token collection place this kit at the high end of sophistication.
On February 06, 2026, an employee at a Nevada organization clicked the below phishing page.

This phishing page employs sophisticated evasion techniques including AES-encrypted content that requires a URL hash parameter to decrypt and display the actual phishing interface, with the encrypted payload stored in a hidden div and decrypted client-side using CryptoJS with HMAC-SHA256 verification. The page implements multiple anti-analysis measures including pointer lock mechanisms, fullscreen forcing, keyboard event blocking (F5, Escape), right-click context menu disabling, and beforeunload event handlers to prevent users from easily leaving the page.
The social engineering mimics a Windows Defender security alert with fake threat-detection counters, animated scanning progress bars and a phone number (+1 866 520-0480) for fraudulent "Windows Support"; hosting is on Microsoft Azure blob storage (static-website endpoint on z33.web.core.windows.net). The sophistication is advanced: the client-side encryption defeats static analysis and the browser manipulation traps the victim in the fake alert. The credential capture mechanism itself stays inside the encrypted payload and could not be analyzed without the decryption key. Note that a URL fragment is never sent in the HTTP request, so the key does not appear in web-server or proxy logs; it has to be recovered from the lure as delivered, i.e. the full link in the original email.
On February 05, 2026, an employee at a Texas organization clicked the below phishing page.

This phishing page uses a standard HTML form POST method to capture credentials, submitting to "processmail.php" for initial login and "process.php" for OTP collection through a sophisticated multi-stage attack flow that includes fake "Incorrect Password" responses to increase credibility and subsequent 2FA token harvesting. The page impersonates Greenvelope (invitation service) while offering multiple email provider login options (Outlook, Office365, Yahoo, AOL) and employs several social engineering tactics including urgency messaging about invitation access, professional UI design with proper branding, modal popups with countdown timers, and a three-stage collection process (credentials → fake error → OTP request with 5-minute timer).
The infrastructure appears to be hosted on a suspicious domain (mkqa.digital) with Cloudflare protection based on the beacon scripts, and the attack demonstrates moderate to advanced sophistication through its realistic multi-modal interface, comprehensive 2FA bypass attempt, JavaScript-driven stage management, and professional appearance that closely mimics legitimate services.
On February 05, 2026, an employee at a Georgia organization clicked the below phishing page.

This phishing page appears to be a Microsoft Outlook login impersonation that uses embedded base64-encoded background images to mimic legitimate Microsoft branding, suggesting moderate sophistication in visual deception techniques. The page is hosted on Cloudflare Workers (robertcamp988.workers.dev subdomain), indicating abuse of legitimate cloud infrastructure services for hosting malicious content.
The HTML contains extensive CSS to replicate Microsoft's login interface, including the Segoe UI font family and responsive layout, showing attention to visual authenticity. The captured HTML did not include the credential-submission logic itself, which, as in the other kits in this issue, would be either a form POST or JavaScript-based exfiltration loaded once the full page renders; the combination of Cloudflare Workers hosting and detailed Microsoft UI replication points to a larger campaign rather than a one-off page.
On February 05, 2026, an employee at a Kentucky organization clicked the below phishing page.

This phishing page implements credential capture through a standard HTML form POST to "/common/login" on the malicious domain inamfiledrop.cfd, while masquerading as a legitimate Microsoft Office 365 login page. The most significant TTPs observed include sophisticated brand impersonation using authentic Microsoft branding, CSS, and JavaScript resources loaded from legitimate Microsoft CDN endpoints (aadcdn.msauth.net), extensive configuration mimicking real Azure AD authentication flows with proper OAuth2 parameters and session handling, and the use of Cloudflare services for hosting and protection as evidenced by the Cloudflare beacon script.
The page demonstrates moderate sophistication through its nearly pixel-perfect replication of Microsoft's login interface, complete with proper mobile responsiveness, accessibility features, and integration of third-party services like GoGuardian, though it ultimately relies on basic form-based credential theft rather than advanced techniques like real-time proxying or OAuth token interception.
On January 30, 2026, an employee at a Texas organization clicked the below phishing page.

This Microsoft login impersonation page uses a multi-stage credential collection process and sends the captured data with JavaScript fetch() requests to external endpoints, most likely exfiltrating the username and the password in separate requests rather than a single form POST.
The page implements sophisticated anti-analysis techniques including debugger detection with performance.now() timing checks that redirect to Wayfair.com if developer tools are detected, disables right-click context menus, blocks common keyboard shortcuts (F12, Ctrl+U, Ctrl+Shift+I), and includes webdriver detection to thwart automated analysis tools. Hosted on Linode object storage (flowaccess01.us-iad-10.linodeobjects.com), the phishing kit demonstrates moderate to advanced sophistication with its comprehensive evasion mechanisms, convincing Microsoft UI replication complete with authentic logos and styling, and the inclusion of obfuscated JavaScript libraries for random expression generation and cryptographic functions.
The page specifically targets a Texas organization email address visible in the URL parameter and throughout the interface, indicating a targeted spear-phishing campaign rather than a generic attack, while the anti-debugging measures and hosting choice suggest an attempt to maximize operational security and evade detection.
On January 30, 2026, an employee at a Florida organization clicked the below phishing page.

This phishing page uses a multi-stage credential capture approach in which initial credentials are submitted via POST to "processmail.php" and the OTP is collected by a second form submitting to "process.php", so the one-time code is harvested along with the password. The site impersonates Adobe/Greenvelope invitation services with multiple email provider options (Outlook, Office365, Gmail, Yahoo, AOL), returns a deliberate "Incorrect Password" error so victims re-enter credentials believing they mistyped, and includes realistic UI elements such as countdown timers and loading animations to build credibility.
The infrastructure shows signs of being hosted on a compromised domain (eventmain.de) with Cloudflare protection as evidenced by the challenge platform scripts, and notably contains a hardcoded redirect to "https://eventmain.de/abkdoc/accounts.google" for Gmail users. The sophistication level is moderate to advanced due to the multi-stage collection process, realistic error handling, OTP harvesting capability, and the seamless integration of multiple fake authentication flows designed to capture both primary credentials and bypass tokens.
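Both Greenvelope-themed pages in this issue (the mkqa.digital page of February 05 and this eventmain.de page) follow the same two-request sequence, credentials to processmail.php and then the OTP to process.php after the fake error, which makes the pattern detectable in web-proxy logs even when page content is never inspected. The following Node.js detector is an added example, not code from the page or the kit. It runs over constructed proxy log lines in a simple space-separated format; the client addresses, timestamps and log format are assumptions made for the example, while the hosts and script names come from the two write-ups.

```javascript
// Added example: detect the credential -> fake error -> OTP sequence in proxy logs.
// Log lines are CONSTRUCTED for this example in a simple space-separated format:
//   <ISO time> <client> <method> <url> <status>
// Hosts and script names match the two Greenvelope-themed pages; clients are made up.
const SAMPLE_LOG = `
2026-02-05T14:02:11Z 10.1.4.22 GET  https://mkqa.digital/rshm/manp/letter/paperlesscountdown/ 200
2026-02-05T14:02:40Z 10.1.4.22 POST https://mkqa.digital/rshm/manp/letter/paperlesscountdown/processmail.php 200
2026-02-05T14:03:05Z 10.1.4.22 POST https://mkqa.digital/rshm/manp/letter/paperlesscountdown/processmail.php 200
2026-02-05T14:04:30Z 10.1.4.22 POST https://mkqa.digital/rshm/manp/letter/paperlesscountdown/process.php 200
2026-01-30T09:15:02Z 10.1.7.9  POST https://eventmain.de/abdoc/AcrobatN/processmail.php 200
2026-01-30T09:15:20Z 10.1.7.9  GET  https://login.microsoftonline.com/ 200
2026-02-05T14:05:00Z 10.1.2.50 POST https://intranet.example/process.php 200
`.trim().split('\n');

const STAGE1 = /\/processmail\.php$/i;   // credential submission
const STAGE2 = /\/process\.php$/i;       // OTP submission (does not match processmail.php)
const WINDOW_MS = 10 * 60 * 1000;        // the OTP modal on the page shows a 5-minute timer

function parseLine(line) {
  const [time, client, method, url, status] = line.trim().split(/\s+/);
  const u = new URL(url);
  return { t: Date.parse(time), client, method, host: u.hostname, path: u.pathname, status: Number(status) };
}

// Returns one finding per (client, host) that posted credentials. `otpAt` is set
// when the same client posted to process.php on the same host within the window
// after its FIRST credential post; `credentialPosts` counts the re-entry caused by
// the fake "Incorrect Password" response. A lone process.php POST never fires.
function findStagedHarvest(lines, windowMs = WINDOW_MS) {
  const events = lines.map(parseLine).sort((a, b) => a.t - b.t);
  const byKey = new Map();
  for (const e of events) {
    if (e.method !== 'POST') continue;
    const key = `${e.client} ${e.host}`;
    if (STAGE1.test(e.path)) {
      const f = byKey.get(key) || { client: e.client, host: e.host, firstCredentialAt: e.t, credentialPosts: 0, otpAt: null };
      f.credentialPosts += 1;
      byKey.set(key, f);
    } else if (STAGE2.test(e.path)) {
      const f = byKey.get(key);
      if (f && f.otpAt === null && e.t - f.firstCredentialAt <= windowMs) f.otpAt = e.t;
    }
  }
  return [...byKey.values()].map(f => ({
    ...f,
    severity: f.otpAt !== null ? 'high: password and OTP submitted' : 'medium: password submitted',
  }));
}

// Stand-alone run over the constructed log.
for (const f of findStagedHarvest(SAMPLE_LOG)) {
  console.log(`${f.client} -> ${f.host}: ${f.severity} (credential posts: ${f.credentialPosts})`);
}
```

The severity split is the operationally useful part: a client that reached the OTP stage has handed over a live code, so the account needs an immediate password reset and session revocation, while a credential-only hit still warrants a reset but is less time-critical. Two credential POSTs in quick succession from one client is itself a tell for the fake-error trick.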
On January 29, 2026, an employee at a Kentucky organization clicked the below phishing page.

This phishing page uses JavaScript-based credential exfiltration through a heavily obfuscated script that contains a large encoded string (variable `ji`) which likely decodes to reveal the actual credential harvesting functionality, rather than a simple form POST submission. The page implements several anti-analysis techniques including clipboard manipulation (replaces copied content with "n"), references to GoGuardian monitoring bypass scripts, and extensive code obfuscation using what appears to be base64 or custom encoding to hide the primary payload.
The infrastructure appears to be hosted on a compromised or disposable domain (stousiore.help) with a complex URL structure containing encoded parameters, and the page uses deceptive hidden content claiming to be "applying dynamic environment settings" while the real malicious code executes. This represents an advanced-level phishing kit with sophisticated obfuscation designed to evade automated detection systems, though the actual credential capture mechanism remains hidden within the encoded payload that would need runtime analysis to fully decode.
On January 29, 2026, an employee at a Kentucky organization clicked the below phishing page.

This phishing page uses a standard HTML form POST to "/common/login" to capture credentials, but mimics the Microsoft authentication interface closely by loading legitimate Microsoft CDN resources (aadcdn.msftauth.net) and replicating the visual appearance and JavaScript behaviour of a genuine Microsoft login page. The site is hosted on the suspicious domain "bayer-uslegal.org", which trades on the pharmaceutical company Bayer's name while posing as a legal-services property, and carries the encoded configuration objects and multi-step authentication workflow of the real Microsoft OAuth 2.0 flow. The sophistication level is advanced: dns-prefetch hints to legitimate Microsoft domains, browser-fingerprinting code and Watson error-reporting hooks are all present, consistent with a page cloned from the genuine sign-in flow rather than written from scratch, and the dynamic content loading makes static detection difficult. This appears to be a professional phishing kit designed to harvest Microsoft 365 credentials with high-fidelity interface replication.
On January 29, 2026, an employee at a Tennessee organization clicked the below phishing page.

This phishing page employs a sophisticated Microsoft credential harvesting operation that uses form POST submission to "https://8662979c7d67498db191391ab2fb142d.breaelles.com/common/login" along with multiple fallback endpoints for different authentication flows. The most significant TTPs observed include extensive brand impersonation with authentic-looking Microsoft login interface elements, comprehensive evasion techniques through multiple obfuscated configuration objects containing encoded state parameters and complex redirect chains, and advanced infrastructure setup using the suspicious "breaelles.com" domain with multiple subdomains that mimic legitimate Microsoft services.
The page demonstrates high sophistication through its reproduction of real Microsoft authentication flow elements, including OAuth2 parameters, FIDO challenge tokens, desktop SSO configuration and session-management logic that could support an adversary-in-the-middle setup. Notably, the kit includes detailed browser fingerprinting, extensive telemetry collection through Watson error-reporting hooks, and JavaScript that closely mirrors the legitimate Microsoft authentication scripts, indicating a professional-grade kit built to pass visual inspection even by users who have had security awareness training.
Recommendations
- Implement DNS filtering to block newly registered domains and suspicious TLDs (.cfd, .help) commonly used in credential harvesting campaigns, while maintaining allowlists for legitimate business domains.
- Configure email security gateways to flag and quarantine messages containing links to cloud storage services (Linode, Azure blob storage) and serverless platforms (Cloudflare Workers) when sent from external or recently registered domains.
- Deploy web filtering or URL sandboxing that executes page JavaScript rather than only scanning the static HTML, so that base64-encoded configuration, dynamically loaded scripts and client-side-decrypted payloads are observed at runtime; several of the kits above reveal nothing to a static scanner, and the hash-gated page reveals nothing at all unless the full link, fragment included, is detonated.
- Enforce conditional access policies that require a compliant device and phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys) for Microsoft 365 sign-in. The kits above collect SMS codes and authenticator approvals, so code-based and push-based factors do not stop them; origin-bound credentials do, because the authenticator will not produce an assertion for the phishing domain.
- Implement user awareness training specifically focused on recognizing multi-stage authentication attacks, fake error messages designed to harvest credentials multiple times, and social engineering tactics that create artificial urgency around document access.
- Use browser telemetry (enterprise browser or extension reporting) together with EDR that has browser visibility to flag pages that request fullscreen or pointer lock, disable the context menu or block keyboard shortcuts, and tamper with the clipboard; these behaviours appeared in several of the kits above and are rare on legitimate sign-in pages.
- Monitor proxy and egress logs for WebSocket upgrades (Socket.io-style paths) and for calls to Supabase endpoints from hosts that have just visited a newly seen domain; a sign-in page that opens a WebSocket is a strong indicator of real-time credential exfiltration in progress.
