Between January 16 and January 27, 2026, analysts identified four sophisticated phishing campaigns demonstrating an evolution toward advanced evasion techniques and targeted credential harvesting operations. The incidents revealed a consistent pattern of extensive JavaScript and base64 obfuscation designed to evade automated detection systems, with threat actors employing sophisticated social engineering through brand impersonation of high-value targets including Microsoft Office 365, Netflix, and financial services platforms.
Notable techniques observed include dynamic form endpoint construction using decoded payloads, clipboard manipulation for anti-analysis purposes, and the emerging tactic of integrating legitimate monitoring service scripts (GoGuardian) to potentially bypass organizational security controls. Infrastructure analysis revealed a preference for compromised cPanel hosting services and disposable domains with obfuscated subdomain patterns, while delivery mechanisms included Microsoft advertising campaigns and pre-populated victim email addresses indicating targeted spear-phishing operations. The sophistication level across these campaigns ranges from moderate to advanced, with threat actors moving beyond traditional form-based capture toward multi-stage JavaScript execution and real-time evasion capabilities that pose significant challenges to conventional security detection methods.
On January 25, 2026, an employee at a Kentucky organization clicked the phishing page shown below.
This phishing page uses a standard HTML form POST submission method to capture credentials, with the form likely submitting to a server-side script for data collection. The most significant TTPs observed include extensive code obfuscation through base64-encoded images and minified CSS with randomized class names to evade detection, social engineering through brand impersonation of "MyGift Visa Gift Card" to create legitimacy, and the use of tracking parameters in the URL (msclkid) suggesting delivery via Microsoft advertising or email campaigns.
The site appears to be hosted on a disposable domain (nowamericangift.com) rather than legitimate cloud infrastructure, and includes sophisticated CSS styling to create a professional appearance with modal dialogs and loading animations. The sophistication level is moderate, as it employs basic obfuscation techniques and professional styling but relies on traditional form-based credential capture rather than advanced real-time phishing or AiTM methods.
On January 23, 2026, an employee at an Illinois organization clicked the phishing page shown below.
This phishing page captures Netflix credentials through a standard HTML form POST submission to the same URL path, with client-side JavaScript handling input validation and formatting but no evidence of real-time exfiltration or encrypted transmission. The page demonstrates moderate sophistication through comprehensive email/phone number detection with automatic country code selection for phone inputs, detailed form validation with Netflix-authentic error messaging, and careful visual mimicry including the official Netflix SVG logo and styling that closely replicates the legitimate login interface.
The site is hosted on what appears to be a compromised cPanel hosting service (82-25-35-213.cpanel.site) using a typosquatted domain "netflx" instead of "netflix", and employs social engineering through authentic Netflix branding, help center links, and trust indicators like the reCAPTCHA notice, though the actual form submission mechanism remains basic without advanced techniques like real-time credential validation or AiTM proxy functionality.
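The two infrastructure observations above (a typosquatted brand label on a shared cPanel host, and an `msclkid` click-tracking parameter pointing at ad-driven delivery) are cheap to check on URLs before anyone opens them. The following script is an added example written for this report, not code from the original analysis: it measures the edit distance of each hostname label against a short brand list, flags labels shaped like a dashed IPv4 address (the `82-25-35-213` pattern of the cPanel host named above), and reports paid-click parameters. The brand list, the extra `gclid`/`fbclid` parameters and the two sample URLs (assembled from the host fragments in the report) are assumptions for the example.

```python
import re
from urllib.parse import parse_qs, urlparse

# Brand names the report shows being impersonated; the list itself is an assumption.
BRANDS = ("netflix", "microsoft", "office365")

# Hosting labels shaped like a dashed IPv4 address (e.g. 82-25-35-213), the
# naming pattern of the shared cPanel host mentioned in the report.
DASHED_IP_LABEL = re.compile(r"^\d{1,3}(?:-\d{1,3}){3}$")

# Ad click-tracking parameters; msclkid is the one the report mentions,
# the other two are assumptions added for coverage.
AD_CLICK_PARAMS = ("msclkid", "gclid", "fbclid")


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_hits(host, brands=BRANDS, max_distance=2):
    """Return (label, brand, distance) for every hostname label that is a near miss
    of a brand name or embeds a brand name inside a longer label."""
    hits = []
    for label in host.lower().split("."):
        for brand in brands:
            d = levenshtein(label, brand)
            if 0 < d <= max_distance or (brand in label and label != brand):
                hits.append((label, brand, d))
    return hits


def triage_url(url):
    """Static triage of a single URL: typosquat labels, dashed-IP hosting label,
    and ad click-tracking parameters in the query string."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    query = parse_qs(parsed.query)
    return {
        "host": host,
        "typosquat": typosquat_hits(host),
        "dashed_ip_label": any(DASHED_IP_LABEL.match(label) for label in host.split(".")),
        "ad_click_params": [k for k in AD_CLICK_PARAMS if k in query],
    }


if __name__ == "__main__":
    # Constructed sample URLs built from host fragments named in the report.
    for sample in ("https://netflx.82-25-35-213.cpanel.site/login",
                   "https://nowamericangift.com/?msclkid=abc123"):
        print(sample, triage_url(sample))
```

Distance 2 is deliberately tight: it catches single-character drops and swaps such as `netflx` without flagging every unrelated short word, and the substring rule catches `brand-login`-style labels that edit distance alone would miss.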
On January 23, 2026, an employee at a Kentucky organization clicked the phishing page shown below.
This phishing page uses a highly sophisticated credential capture mechanism that employs extensive JavaScript obfuscation through a large base64-encoded string variable named "cd" that likely contains the actual phishing logic when decoded and executed. The page implements multiple evasion techniques including clipboard manipulation (intercepts copy operations and replaces content with "u"), anti-analysis measures through hidden content elements, and integration with what appears to be GoGuardian monitoring services to potentially bypass security controls.
The infrastructure appears to be hosted on a compromised or disposable domain (yufeadai.my.id) with complex URL parameters suggesting session tracking or victim identification. This represents an advanced-level phishing operation due to the heavy code obfuscation, anti-analysis features, and the sophisticated use of legitimate-seeming monitoring service integration to evade detection, though the actual credential submission method remains hidden within the obfuscated payload.
On January 21, 2026, an employee at a Kentucky organization clicked the phishing page shown below.
This phishing page employs a multi-stage credential capture technique using JavaScript to dynamically construct form submission endpoints, with the primary POST target built by decoding a base64-encoded string ("c2MvVlc2TUdVT1hGRDFLUUs4WFNCWkdCRFE0Nw==") and combining it with the pre-populated victim email address from a Kentucky organization. The page demonstrates moderate sophistication through several evasion techniques including meta robots "none" directive to prevent indexing, noscript redirect functionality, and what appears to be integration with GoGuardian monitoring scripts that may be attempting to detect or evade security monitoring.
The infrastructure utilizes a suspicious domain (batidiacae.pics) with an obfuscated subdomain pattern, and the page implements Microsoft Office 365/Azure AD impersonation through authentic-looking Segoe UI fonts and styling that closely mimics legitimate Microsoft login interfaces. The combination of victim email pre-population, base64 obfuscation of the submission endpoint, and the professional Microsoft branding indicates this is a targeted spear-phishing operation rather than a generic credential harvester.
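The last two pages share a set of static markers that can be pulled out of the HTML without executing anything: a `<meta name="robots" content="none">` directive, a `<noscript>` redirect, a large base64 string literal assigned to a variable, a `copy` event hook that rewrites the clipboard, a third-party monitoring script, a form action assembled from `atob(...)`, and a pre-populated victim email address. The scanner below is an added example written for this report, not code from the original analysis; it runs over a constructed sample page that reproduces those markers (the large blob is generated locally, the script URL and email are placeholders, and the `atob` argument is the base64 string quoted above). Each indicator is reported separately so an analyst can see which ones fired, and the `atob` arguments are decoded so the endpoint fragment is visible without running the page's JavaScript.

```python
import base64
import json
import re

# Opening tags and their attributes; good enough for the flat markup phishing kits use.
TAG_RE = re.compile(r"<(\w+)([^>]*)>", re.S)
ATTR_RE = re.compile(r"([\w:-]+)\s*=\s*[\"']([^\"']*)[\"']")
# A quoted base64 literal of 200+ characters: the "cd"-style payload container.
LARGE_B64_RE = re.compile(r"[\"']([A-Za-z0-9+/]{200,}={0,2})[\"']")
# Clipboard interception: copy/cut/paste listeners or direct clipboardData writes.
CLIP_RE = re.compile(r"addEventListener\(\s*[\"'](?:copy|cut|paste)[\"']|oncopy\s*=|clipboardData\.setData", re.I)
# atob() calls with a literal argument, so the decoded endpoint can be shown.
ATOB_RE = re.compile(r"atob\(\s*[\"']([A-Za-z0-9+/=]+)[\"']\s*\)")


def tags(html, name):
    """Yield the attribute dict of every <name ...> opening tag in the document."""
    for m in TAG_RE.finditer(html):
        if m.group(1).lower() == name:
            yield {k.lower(): v for k, v in ATTR_RE.findall(m.group(2))}


def scan(html):
    """Return the phishing-kit indicators found in html plus a count of those that fired."""
    f = {}
    f["meta_robots_none"] = any(a.get("name", "").lower() == "robots" and "none" in a.get("content", "").lower()
                                for a in tags(html, "meta"))
    noscript_blocks = re.findall(r"<noscript>(.*?)</noscript>", html, re.S | re.I)
    f["noscript_redirect"] = any(re.search(r"http-equiv\s*=\s*[\"']refresh", blk, re.I) for blk in noscript_blocks)
    f["large_base64_literals"] = len(LARGE_B64_RE.findall(html))
    f["clipboard_hooks"] = bool(CLIP_RE.search(html))
    decoded = []
    for blob in ATOB_RE.findall(html):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            decoded.append(None)
    f["atob_decoded"] = decoded
    f["monitoring_scripts"] = [a["src"] for a in tags(html, "script") if "goguardian" in a.get("src", "").lower()]
    f["prefilled_emails"] = [a["value"] for a in tags(html, "input")
                             if a.get("type", "").lower() == "email" and "@" in a.get("value", "")]
    f["data_uri_images"] = sum(1 for a in tags(html, "img") if a.get("src", "").startswith("data:image"))
    f["score"] = sum(1 for v in f.values() if v)
    return f


# Constructed sample page reproducing the markers described in the report.
# The blob is generated locally; the script URL and email are placeholders.
BLOB = base64.b64encode(b"constructed payload " * 20).decode()
SAMPLE_HTML = """<!doctype html>
<html><head>
<meta name="robots" content="none">
<noscript><meta http-equiv="refresh" content="0;url=https://example.invalid/"></noscript>
<script src="https://cdn.example.invalid/goguardian-placeholder.js"></script>
</head><body>
<img src="data:image/png;base64,iVBORw0KGgo=" alt="logo">
<form id="f" method="post">
  <input type="email" name="login" value="victim@example.invalid">
  <input type="password" name="passwd">
</form>
<script>
var cd = "__BLOB__";
document.addEventListener("copy", function (e) {
  e.clipboardData.setData("text/plain", "u");
  e.preventDefault();
});
var f = document.getElementById("f");
f.action = atob("c2MvVlc2TUdVT1hGRDFLUUs4WFNCWkdCRFE0Nw==") + "?login=" + encodeURIComponent(f.login.value);
</script>
</body></html>
""".replace("__BLOB__", BLOB)

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_HTML), indent=2))
```

None of these indicators is conclusive alone (a `robots` directive or a data-URI logo is common on legitimate pages), which is why the scanner reports them individually and only sums them into a score; a page with several firing at once, and in particular a decoded `atob` endpoint plus a pre-filled email, is the combination the report describes as targeted spear-phishing.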
Additional, similar phishing pages were clicked: