Between February 12, 2026 and February 25, 2026, analysts identified a sophisticated campaign comprising 18 phishing incidents that demonstrate advanced multi-stage credential harvesting techniques, with 67% of attacks targeting Microsoft services (Office 365, Azure AD, SharePoint) and additional impersonation of Amazon and tech support services. The campaign exhibits notable technical sophistication through JavaScript-based credential exfiltration via fetch() APIs and Socket.IO WebSocket connections, together with extensive anti-analysis measures: honeypot fields with randomized CSS classes, base64-encoded configuration data, and bot detection scripts that validate credentials in real time.
A concerning trend emerged with 28% of incidents hosted on legitimate Microsoft Azure infrastructure (web.core.windows.net), enabling attackers to bypass detection systems while delivering tech support scareware that combines visual deception through fake Windows error dialogs with voice-based social engineering via embedded Tawk.to chat widgets. The attacks demonstrate advanced evasion capabilities including geofencing through detectionConfig objects, polymorphic JavaScript architectures with obfuscated variable names, and comprehensive multi-factor authentication bypass workflows that sequentially capture SMS codes, authenticator app tokens, and push notification responses. Most significantly, the campaign shows an evolution toward hybrid vishing/phishing tactics and adversary-in-the-middle (AiTM) techniques, with several incidents employing real-time WebSocket communication and dynamic content adaptation based on victim characteristics, representing a high-sophistication threat likely utilizing commercial phishing-as-a-service platforms rather than basic template-based attacks.
On February 25, 2026, an employee at a Kentucky organization clicked the below phishing page.
This phishing page uses a sophisticated multi-stage credential capture system that combines form submission with JavaScript-based exfiltration through fetch() APIs to multiple endpoints, as evidenced by the external JavaScript files "JqUhHyk56zS67L0.js" and "U8rpo9szZtMtTd6G.js" that likely contain the actual credential harvesting logic. The page implements several anti-analysis techniques including user selection disabling, right-click prevention, honeypot fields with class "a_panel_995" positioned off-screen, and uses obfuscated configuration data with base64 encoded values in the phpConfig object (prop_index_669, prop_flag_202, etc.).
The infrastructure appears to be hosted on a suspicious domain "fax.enexcm.sbs" with an extremely long URL path suggesting parameterized victim targeting, and the page includes sophisticated Microsoft Office/Outlook impersonation with authentic-looking styling and branding elements. The presence of PageValidator and securityHandler objects, along with geofencing capabilities through detectionConfig, indicates this is an advanced phishing kit with built-in evasion mechanisms that likely validates credentials in real-time and adapts behavior based on victim characteristics, representing a high-sophistication threat.
On February 25, 2026, an employee at a Kentucky organization clicked the below phishing page.
This Microsoft Office 365 phishing page uses a sophisticated multi-stage credential capture system where user credentials are collected via HTML form inputs and then exfiltrated using JavaScript fetch() requests to a base64-encoded endpoint (decoded as "https://macro.ipolicesupply.com/"). The page employs several notable evasion techniques including extensive CSS class name obfuscation (randomized identifiers like "AsAfYi", "tGfIx"), text fragmentation using hidden spans to break up readable content and evade text-based detection, and authentic Microsoft branding with genuine background images from Microsoft's CDN (aadcdn.msauth.net). The phishing kit is hosted on Cloudflare R2 storage service and demonstrates advanced sophistication through its realistic Microsoft login interface replication, dynamic content hiding/showing based on user interaction, and the use of hidden comment text and spans throughout the HTML to further confuse automated analysis tools.
On February 24, 2026, an employee at a Virginia organization clicked the below phishing page.
This phishing page employs JavaScript-based credential exfiltration through Socket.IO WebSocket connections and jQuery AJAX requests, with credentials likely transmitted to base64-encoded endpoints (purl and mpull variables containing encoded URLs). The page implements Microsoft/Office 365 brand impersonation using authentic-looking Fluent UI styling and design tokens to create a convincing login interface, while incorporating obfuscated JavaScript variables and real-time communication capabilities that suggest more sophisticated credential handling than basic form submission. The infrastructure appears to use a disposable hosting service (.pics TLD) which is commonly associated with temporary phishing campaigns. The sophistication level is moderate to advanced due to the real-time WebSocket implementation, base64 obfuscation of endpoints, and professional visual mimicry of Microsoft's authentic login experience, indicating this is likely part of a more comprehensive phishing kit rather than a simple credential harvesting form.
On February 23, 2026, an employee at a Kentucky organization clicked the below phishing page.
This is a sophisticated multi-stage Microsoft credential harvesting phishing page that uses JavaScript-based form submission through a dynamically loaded module (module.php) rather than standard HTML POST, with credentials likely exfiltrated via fetch() or XMLHttpRequest calls embedded in the obfuscated authentication module. The page employs several advanced evasion techniques including bot detection scripts, honeypot fields with randomized class names (a_container_322), anti-inspection protection through disabled text selection and right-click blocking, and base64-encoded configuration data for key operational parameters stored in variables like var_state_535 and var_config_256. The infrastructure appears to be hosted on a compromised or disposable domain (wastlnt.com) with a complex multi-directory URL structure designed to evade detection, while the page implements real-time multi-factor authentication collection including SMS codes, authenticator app tokens, and verification codes across multiple realistic Microsoft-branded interface sections. The sophistication level is advanced, particularly notable for its polymorphic JavaScript architecture, comprehensive MFA token collection capabilities, and the use of randomized CSS class names and element IDs to frustrate automated analysis tools.
Additional similar attacks were clicked:
On February 23, 2026, an employee at a Georgia organization clicked the below phishing page.
This phishing page uses **live chat integration** via Tawk.to (embed.tawk.to/6808f1a5753e2219109a9cc4/1iphevsdq) as its primary credential capture method, avoiding traditional form-based collection entirely. The attack employs sophisticated social engineering with **animated fake Windows error dialogs** displaying "Memory access violation at 0x88412" and "Password required for System32" popups overlaying a convincingly replicated Microsoft Support interface, creating urgency through messages like "anomalous activity detected from your IP" and "Session blocked for your security" while prominently displaying the phone number "+1 (866) 520-3337" for voice phishing. Hosted on legitimate **Azure Blob Storage** (z13.web.core.windows.net), the page includes tracking parameters from Taboola advertising network and uses disabled form inputs to prevent automated analysis while forcing victims into live chat interaction. This represents **advanced sophistication** due to its hybrid vishing/phishing approach, extensive UI spoofing with multiple animated modal dialogs, and abuse of legitimate Microsoft infrastructure to bypass detection systems.
On February 23, 2026, an employee at a Georgia organization clicked the below phishing page.
This is a sophisticated tech support scam that uses pure visual deception rather than traditional credential capture - there are no functional forms, JavaScript exfiltration methods, or actual data collection mechanisms in the code. The page employs advanced social engineering tactics including fake Microsoft branding, simulated system error popups with technical-sounding messages like "Memory access violation at 0x88412" and "Password required for System32," urgency-inducing language about "anomalous activity detected," and a prominent phone number (+1 844-675-2050) displayed across multiple fake security alerts and chat interfaces. The site is hosted on legitimate Azure infrastructure (web.core.windows.net) and integrates Tawk.to chat widgets, while using sophisticated CSS animations and absolute positioning to create dozens of realistic-looking Windows security popups that cannot be dismissed, creating an overwhelming sense of system compromise. The sophistication lies in the psychological manipulation and authentic visual replication of Windows security interfaces rather than technical credential theft - this is a callback scam designed to trick victims into calling the fake support number rather than entering credentials online.
On February 21, 2026, an employee at a Washington organization clicked the below phishing page.
This Microsoft phishing page employs a sophisticated multi-stage credential harvesting system that uses JavaScript to exfiltrate data through the module.php endpoint rather than standard form submission, with credentials collected across multiple authentication phases including username, password, and various 2FA methods (SMS codes, authenticator app verification, and push notifications). The page demonstrates advanced evasion techniques including extensive code obfuscation with base64-encoded configuration data, randomized CSS class names throughout the stylesheet, honeypot fields for bot detection, and anti-inspection measures like disabled text selection and right-click protection. Hosted on what appears to be a compromised or disposable domain (ubiquitarianism.drilto.com), the kit shows high sophistication with its polymorphic code structure, real-time form validation, animated loading overlays, and comprehensive Microsoft brand impersonation including authentic-looking logos, styling, and multi-factor authentication flows. The presence of bot detection modules, encrypted configuration parameters, and the complex JavaScript architecture suggests this is likely a commercial phishing-as-a-service kit rather than a basic template, making it particularly dangerous due to its realistic user experience and technical sophistication.
On February 20, 2026, an employee at a Kentucky organization clicked the below phishing page.
This appears to be a sophisticated Microsoft Azure AD/Office 365 phishing page that uses form-based credential capture through POST requests to "https://a99f1721b01c4f969ee5b4be7d2b7a19.indoxslotvip.club/common/login" and related endpoints. The page demonstrates advanced evasion techniques including extensive JavaScript obfuscation with encoded functions, browser fingerprinting capabilities through device detection and user-agent analysis, and comprehensive Microsoft service impersonation with authentic-looking OAuth flows, WebAuthn/FIDO support, and multi-factor authentication collection mechanisms. The infrastructure utilizes multiple subdomains on the "indoxslotvip.club" domain to mimic Microsoft's legitimate service architecture, with CDN-like resource loading from various endpoints to appear legitimate. This represents an advanced-level phishing operation that closely replicates Microsoft's actual login infrastructure, complete with real-time session management, WebSocket connections for live updates, and sophisticated anti-analysis measures designed to evade automated detection systems.
On February 20, 2026, an employee at a Georgia organization clicked the below phishing page.
This phishing page uses fake technical support scareware tactics rather than traditional credential capture, featuring multiple overlapping system error popups with messages like "Memory access violation at 0x88412" and "Password required for System32" to create urgency, while prominently displaying the phone number "+1 (844) 675-1080" throughout the interface. The page impersonates Microsoft Support with authentic-looking branding and includes a fake chat widget powered by Tawk.to that simulates security alerts about "anomalous activity detected from your IP" and claims the session is blocked for security. The site is hosted on Microsoft Azure (web.core.windows.net domain) and arrives via a Taboola advertising redirect with tracking parameters, representing a moderate sophistication tech support scam that relies on social engineering through fake system errors and urgent security warnings rather than credential theft. The most notable aspect is the overwhelming visual chaos created by dozens of popup windows combined with the professional Microsoft branding to pressure victims into calling the scammer's phone number.
On February 20, 2026, an employee at a California organization clicked the below phishing page.
This phishing page employs a sophisticated visual deception technique by impersonating Microsoft Support with authentic-looking branding while using multiple psychological manipulation tactics including fake system error popups ("Memory access violation at 0x88412"), security warnings ("Password required for System32"), and urgency messaging ("anomalous activity detected from your IP") to create panic and drive victims to call the prominently displayed phone number +1 (844) 675-1080. The page integrates Tawk.to live chat functionality (6808f1a5753e2219109a9cc4/1iphevsdq) for real-time victim interaction, displays numerous fake Windows system dialogs scattered across the screen, and includes disabled form fields to prevent interaction while maintaining the illusion of a legitimate support interface. Hosted on Microsoft Azure (z13.web.core.windows.net) and accessed through Taboola referral tracking, this represents a moderate to advanced tech support scam that relies on voice-based social engineering rather than traditional credential harvesting, using visual overwhelm and fake technical alerts to manipulate victims into believing their system is compromised and needs immediate professional assistance.
On February 20, 2026, an employee at a Texas organization clicked the below phishing page.
This is a sophisticated technical support scam that doesn't actually capture credentials through traditional form submission, but instead uses multiple overlapping social engineering tactics to manipulate victims into calling a fraudulent phone number (+1 (844) 675-1080). The page employs brand impersonation by mimicking Microsoft's official support website design with authentic-looking navigation, logos, and styling, while simultaneously displaying fake system error popups ("Memory access violation at 0x88412", "Password required for System32") and security warnings to create urgency and fear. The site is hosted on Microsoft Azure's web.core.windows.net infrastructure, which adds legitimacy to the deception, and includes a functional Tawk.to chat widget (ID: 6808f1a5753e2219109a9cc4/1iphevsdq) that likely connects victims to scammers posing as Microsoft support agents. The sophistication level is moderate to advanced due to the authentic visual replication of Microsoft's interface, the strategic use of multiple fake error dialogs positioned across the screen, and the integration of legitimate chat services to facilitate real-time victim interaction rather than relying on simple credential harvesting forms.
On February 20, 2026, an employee at an Illinois organization clicked the below phishing page.
This phishing page primarily serves as a social engineering vector rather than directly capturing credentials - it uses a fake Microsoft Support interface with embedded Tawk.to chat functionality and prominent display of the phone number "+1 (844) 675-1080" to trick victims into calling for "support." The most significant TTPs include sophisticated visual impersonation of Microsoft's interface with authentic-looking logos and styling, artificial urgency creation through fake system error popups claiming "Memory access violation" and "Password required for System32," and psychological manipulation via a simulated chat conversation showing "anomalous activity detected from your IP" and "Session blocked for your security." The page is hosted on Microsoft Azure (z13.web.core.windows.net) which adds legitimacy, and while the visual sophistication is high with realistic Windows-style error dialogs and proper Microsoft branding, the technical sophistication is moderate since it relies on phone-based social engineering rather than direct credential harvesting through forms or JavaScript exfiltration.
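The Azure-hosted support-scam pages in the February 23 and February 20 incidents above share the same pivot points: a Tawk.to property/widget path, a callback number written in varying formats, the same fake-dialog strings, disabled inputs, and a Taboola referral onto *.web.core.windows.net. The triage script below is an added example, not code from the report or from any kit; its sample HTML is constructed from the values the report quotes, and the storage-account host name and utm_source parameter in the sample URL are assumptions standing in for the redacted landing URL.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the dialog text, phone number and Tawk.to widget path are
# the values quoted in the report; the host name and the utm_source parameter
# are placeholders (assumed) standing in for the redacted landing URL.
SAMPLE_URL = ("https://placeholderaccount.z13.web.core.windows.net/support.html"
              "?utm_source=taboola")
SAMPLE_HTML = """
<div class="popup">Memory access violation at 0x88412</div>
<div class="popup">Password required for System32</div>
<div class="alert">Call Microsoft Support: +1 (844) 675-1080</div>
<div class="chat">anomalous activity detected from your IP.
  Session blocked for your security. Call +1 844-675-1080 now.</div>
<input type="text" disabled><input type="password" disabled>
<script src="https://embed.tawk.to/6808f1a5753e2219109a9cc4/1iphevsdq" async></script>
"""

# Dialog and chat strings the report quotes across the Azure-hosted incidents.
SCAREWARE_PHRASES = (
    "Memory access violation at 0x88412",
    "Password required for System32",
    "anomalous activity detected from your IP",
    "Session blocked for your security",
)
# North American number in any of the formats seen on the pages: +1 (844) 675-1080,
# +1 844-675-1080, 1.844.675.1080; the lookarounds keep hex dumps and IDs out.
PHONE = re.compile(r"(?<!\w)\+?1[ (\-.]*(\d{3})\)?[ \-.]*(\d{3})[ \-.]*(\d{4})(?!\d)")
TAWK = re.compile(r"embed\.tawk\.to/([0-9a-f]{24})/([a-z0-9]+)")


def callback_numbers(html):
    """Every callback number on the page, normalised so formatting variants merge."""
    return sorted({"+1" + "".join(m) for m in PHONE.findall(html)})


def chat_widget(html):
    """The Tawk.to (property, widget) pair, a stable pivot between incidents."""
    m = TAWK.search(html)
    return (m.group(1), m.group(2)) if m else None


def scareware_strings(html):
    """Which of the known fake-dialog strings the page carries, in canonical order."""
    return [phrase for phrase in SCAREWARE_PHRASES if phrase in html]


def disabled_inputs(html):
    """Count inputs disabled to block interaction while keeping the login illusion."""
    return len(re.findall(r"<input\b[^>]*\bdisabled\b", html))


def hosting_flags(url):
    """Azure static-site hosting and Taboola referral, the delivery path the report notes."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    return {
        "azure_static_site": (parts.hostname or "").endswith(".web.core.windows.net"),
        "taboola_referral": any("taboola" in v.lower() for vals in query.values() for v in vals),
    }


def triage_callback_page(url, html):
    """Combine the indicators into one verdict plus the pivots worth clustering on."""
    phones = callback_numbers(html)
    phrases = scareware_strings(html)
    widget = chat_widget(html)
    scam = bool(phones) and (widget is not None or len(phrases) >= 2)
    return {"phones": phones, "tawk": widget, "phrases": phrases,
            "disabled_inputs": disabled_inputs(html), **hosting_flags(url),
            "verdict": "callback-scam" if scam else "inconclusive"}
```

Feeding the archived HTML and landing URL of each incident through triage_callback_page lets the phone number and Tawk.to pair be compared across incidents regardless of how the number was formatted on each page.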
On February 20, 2026, an employee at a Kentucky organization clicked the below phishing page.
This phishing page uses a multi-stage form submission approach that captures credentials through standard HTML forms (form_section_457, form_box_491, etc.) with JavaScript-based view transitions to collect email/username, password, and multi-factor authentication codes sequentially. The page implements several evasion techniques including extensive code obfuscation with base64-encoded configuration data (prop_state_823, prop_index_769), anti-bot honeypot fields (a_item_624 class), disabled right-click and text selection, and bot detection modules loaded via external JavaScript files. It impersonates Microsoft's authentication flow with convincing branding, multi-factor authentication simulation (SMS codes, authenticator app prompts), real-time error messages, and loading animations to create a sophisticated user experience. The infrastructure uses a suspicious domain (hoslerenterprlse.com with typosquatting) and the page demonstrates advanced sophistication through its realistic Microsoft interface replication, comprehensive MFA workflow simulation, and multiple anti-analysis measures designed to evade detection systems.
On February 19, 2026, an employee at a Florida organization clicked the below phishing page.
This Microsoft login phishing page uses JavaScript-based credential exfiltration through a dynamically loaded module (module.php) rather than standard form submission, with credentials collected across multiple stages including username, password, MFA codes, and SMS verification tokens. The page employs sophisticated evasion techniques including bot detection scripts, honeypot fields with the class "a_widget_926" positioned off-screen, obfuscated configuration data encoded in base64 strings (var_config_692, var_data_127), and anti-inspection CSS rules that disable text selection and right-click functionality. The infrastructure abuses a legitimate-looking domain "frlconusa.com" with SharePoint-mimicking subdomain structure, and the page demonstrates advanced social engineering with realistic Microsoft branding, loading animations, blinking authenticator app notifications, and personalized email display showing "[email address from a Florida organization]" to create trust and urgency. The sophistication level is advanced, particularly notable for its multi-vector approach combining real-time JavaScript exfiltration, comprehensive anti-analysis measures, and a complete multi-factor authentication bypass workflow that captures authenticator app codes, SMS tokens, and verification codes in sequence.
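Several of the Microsoft kits above (the February 25, 23, 21, 20 and 19 incidents) share one fingerprint: base64-encoded endpoints held in variables such as phpConfig, purl or var_config_NNN, an off-screen honeypot field with a randomized class, and right-click and text-selection blocking. The triage script below is an added example, not code from the report or from any kit; its sample page is constructed, exfil.example.invalid is a placeholder host, and the a_<word>_NNN class pattern is a generalisation of the four class names the report quotes (a_panel_995, a_container_322, a_item_624, a_widget_926).

```python
import base64
import binascii
import re


def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample modelled on the kit features the report quotes: a phpConfig
# object and a "purl" variable holding base64 strings, an off-screen honeypot
# input with a randomized class, and anti-inspection markup. The host
# exfil.example.invalid is a placeholder, not an indicator from the report.
SAMPLE_HTML = f"""
<html><body oncontextmenu="return false" style="user-select:none">
<style>.a_panel_995{{position:absolute;left:-9999px;top:-9999px}}</style>
<form id="login">
  <input name="email"><input name="passwd" type="password">
  <div class="a_panel_995"><input name="website"></div>
</form>
<script src="JqUhHyk56zS67L0.js"></script>
<script>
var phpConfig = {{prop_index_669: "{_b64('https://exfil.example.invalid/module.php')}",
                  prop_flag_202: "{_b64('true')}"}};
var purl = "{_b64('https://exfil.example.invalid/socket.io/')}";
</script></body></html>
"""

# name = "<literal>" or key: "<literal>" inside inline JavaScript
ENCODED_LITERAL = re.compile(r'(\w+)\s*[:=]\s*["\']([A-Za-z0-9+/=]{8,})["\']')
RANDOM_CLASS = re.compile(r'class="(a_[a-z]+_\d{3})"')
OFF_SCREEN = re.compile(r"(?:left|top)\s*:\s*-\d+px|display\s*:\s*none|opacity\s*:\s*0\b")


def decode_hidden_urls(html):
    """Return (name, url) for each base64 literal that decodes to a URL."""
    hits = []
    for name, blob in ENCODED_LITERAL.findall(html):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue  # not base64, or not text once decoded (e.g. "password")
        if text.startswith(("http://", "https://", "wss://")):
            hits.append((name, text))
    return hits


def find_honeypot_fields(html):
    """Flag a_<word>_NNN classes whose stylesheet rule pushes them off screen."""
    found = []
    for cls in dict.fromkeys(RANDOM_CLASS.findall(html)):  # de-duplicate, keep order
        rule = re.search(r"\." + re.escape(cls) + r"\s*\{([^}]*)\}", html)
        css = rule.group(1) if rule else ""
        found.append({"class": cls, "hidden": bool(OFF_SCREEN.search(css))})
    return found


def anti_inspection_flags(html):
    """Detect the right-click and text-selection blocking the report describes."""
    flags = []
    if re.search(r"""oncontextmenu\s*=\s*["']return false|addEventListener\(\s*["']contextmenu""", html):
        flags.append("right-click-blocked")
    if re.search(r"user-select\s*:\s*none", html):
        flags.append("text-selection-disabled")
    return flags


def triage_kit_page(html):
    """Combine the three indicator families into one verdict for a captured page."""
    urls = decode_hidden_urls(html)
    honeypots = [h for h in find_honeypot_fields(html) if h["hidden"]]
    flags = anti_inspection_flags(html)
    kit_like = bool(urls) and (bool(honeypots) or len(flags) == 2)
    return {"exfil_endpoints": urls, "honeypots": honeypots, "anti_inspection": flags,
            "verdict": "likely-phishing-kit" if kit_like else "inconclusive"}
```

Decoding every base64 literal and keeping only those that yield a URL is what recovers the exfiltration endpoint from kits like these without executing their JavaScript, which is the step a sandbox that only renders the page will miss.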
On February 17, 2026, an employee at an Idaho organization clicked the below phishing page.
After analyzing the provided HTML content, this appears to be a legitimate IRLabs company website about infrared sensors rather than a phishing page. The site uses standard WordPress infrastructure with legitimate business functionality including Google Analytics tracking (G-7SKDV04HVE), Google Tag Manager (GTM-MRHPBCS2), WooCommerce e-commerce integration, and proper SSL/security headers. The content focuses on technical information about IR sensors with normal website elements like navigation menus, social media links to LinkedIn and YouTube, contact information, and product catalogs for bolometers and cryostats. There are no credential capture mechanisms, no suspicious JavaScript for data exfiltration, no urgency-based social engineering tactics, and no indicators of phishing infrastructure - instead this represents a legitimate business website with standard web technologies and authentic technical content about infrared laboratory equipment.
On February 17, 2026, an employee at a Maryland organization clicked the below phishing page.
This is a basic Amazon Sign-In impersonation phishing page that uses standard HTML form submission to capture credentials, with the form likely POSTing to the suspicious domain cpanel.135-235-195-253.cprapid.com (based on the URL structure). The page employs Amazon brand impersonation through embedded Amazon logo graphics (base64-encoded PNG images) and mimics the legitimate Amazon sign-in interface styling and layout to deceive users. The phishing kit is hosted on what appears to be a compromised or malicious cPanel installation running on a suspicious IP-based domain (135-235-195-253.cprapid.com), and includes a referrer parameter "eRArpyUFU2M4XMXdXGVIa32L9nOr9ktNokfWfZ6C0rJME7pDAQLTZW9WGKAa95Bb5pZXRneRLav6DwmtMoh4ZkAI1bc20sBlqsbO" which could be used for campaign tracking or victim identification. This represents a basic to moderate sophistication level phishing attack that relies primarily on visual deception rather than advanced JavaScript-based credential theft or evasion techniques.
On February 13, 2026, an employee at a Washington organization clicked the below phishing page.
This phishing page uses a sophisticated Microsoft authentication clone that captures credentials via form POST to "https://redstonesruncom.redstonesrun.com/common/login" and implements multiple evasion techniques including extensive JavaScript obfuscation, dynamic content loading through CDN endpoints, and anti-analysis measures like noscript redirects and browser capability detection. The site employs advanced social engineering by perfectly mimicking Microsoft's Azure AD login interface with legitimate-looking branding, error handling (showing error code "50058"), and complex authentication flow simulation including FIDO/passkey support and multi-factor authentication collection capabilities. The infrastructure utilizes the suspicious "redstonesrun.com" domain with multiple subdomains for different resources, suggesting a well-organized phishing kit with CDN-like distribution, and the code contains sophisticated features like real-time credential validation, device fingerprinting, and session management that indicate this is a high-sophistication adversary-in-the-middle (AiTM) style attack designed to bypass modern authentication protections.
Additional similar attacks were clicked:
On February 12, 2026, an employee at a Kentucky organization clicked the below phishing page.
This phishing page appears to use standard HTML form submission for credential capture, with the form likely posting to a server-side endpoint controlled by the attackers (the exact POST destination isn't visible in the provided HTML fragment). The most significant TTPs observed include sophisticated CSS styling that mimics legitimate login interfaces with extensive theme variables suggesting impersonation of multiple brands or services (ReadWrite, Equatio, Browsealoud, etc.), integration with GoGuardian monitoring scripts that may be used for evasion or to appear legitimate in educational environments, and the use of a complex URL structure with multiple UUID-like parameters and base64-encoded query strings which suggests either session tracking or obfuscated routing mechanisms. The infrastructure appears to be hosted on a custom domain (passwordle.it) rather than abusing legitimate services, and the page demonstrates moderate sophistication through its professional styling system and potential multi-brand impersonation capabilities. The presence of GoGuardian references is particularly noteworthy as this suggests targeting of educational institutions where such monitoring software would be expected and trusted.