Between December 19, 2025 and December 31, 2025, analysts identified a sophisticated phishing campaign landscape characterized by advanced multi-stage credential harvesting operations targeting major cloud and logistics providers. The predominant attack pattern involved initial credential collection followed by deliberate "incorrect password" errors to establish legitimacy, then transitioning to OTP/MFA bypass techniques with countdown timers and fake SMS verification flows, primarily impersonating Microsoft Office 365, Amazon, DHL, and Adobe services. Notable sophisticated techniques included the use of Ultraviolet web proxy infrastructure to seamlessly intercept legitimate Microsoft authentication flows while maintaining full MFA functionality, extensive CSS obfuscation with randomized class names for detection evasion, and AJAX-based real-time credential exfiltration to avoid page redirects.
The campaigns demonstrated significant infrastructure diversity, leveraging compromised legitimate platforms (MyBrightSites, Salesforce communities), CloudFlare-protected hosting, and suspicious domains with geographic TLDs, while incorporating advanced social engineering elements such as personalized email addresses suggesting prior reconnaissance and comprehensive brand impersonation with pixel-perfect UI replication. The emergence of proxy-based phishing techniques that maintain legitimate authentication features while intercepting credentials represents a notable escalation in attacker sophistication, requiring enhanced detection capabilities beyond traditional static analysis methods.
On December 31, 2025, an employee at a Kentucky organization clicked the below phishing page.
This phishing page uses a standard HTML form POST method to capture credentials directly to the same URL (password.php), representing a basic credential harvesting technique without JavaScript-based exfiltration. The page demonstrates moderate sophistication through several key TTPs: brand impersonation of Microsoft with accurate visual styling and French localization, multi-stage credential collection (email address is pre-filled from a previous step and passed as a hidden form field), and personalization showing a specific Kentucky organization's email address to increase victim trust.
The infrastructure leverages CloudFlare services for hosting and protection (evident from the beacon script and CDN references), while the domain "jandhan.cfd" appears to be a disposable hosting choice using the .cfd TLD. Notable elements include the presence of GoGuardian monitoring scripts (likely from the victim's environment being captured) and proper responsive design with mobile optimization, but overall this represents a straightforward credential harvesting operation without advanced evasion techniques or real-time validation capabilities.
On December 31, 2025, an employee at a Minnesota organization clicked the below phishing page.
This phishing page employs a multi-stage credential capture technique that initially POSTs to "processmail.php" via AJAX, deliberately shows an "Incorrect Password" error on the first attempt to appear more legitimate, then progresses to an OTP collection stage that submits to "process.php" after displaying a fake SMS verification flow with countdown timer. The page impersonates Greenvelope (an invitation service) while targeting multiple email providers (Outlook, Office365, Yahoo, AOL) and incorporates sophisticated social engineering elements including brand impersonation with fake Adobe logos, urgency through time-limited OTP verification, and trust-building elements like copyright notices and professional styling.
The infrastructure appears to use Cloudflare services (evidenced by the beacon script) with a suspicious domain "yumtothedorodmynewshop.net" that clearly doesn't match the legitimate Greenvelope service being impersonated. This represents a moderate sophistication level due to the multi-stage collection process, AJAX-based submission that avoids page redirects, and the realistic simulation of modern MFA workflows that many users expect from legitimate services.
On December 31, 2025, an employee at a Colorado organization clicked the below phishing page.
This Amazon phishing page captures credentials through a standard HTML form POST to "/ap/signin/process" with client-side JavaScript validation that checks password length and enables/disables the submit button based on input validation. The page demonstrates moderate sophistication through several notable TTPs: it displays a personalized email address placeholder "[email address from a Colorado organization]" suggesting targeted reconnaissance, uses extensive CSS obfuscation with randomized class names like "CHyAgqPbx_yuoH5uy3fA" and "oojVDlbQ8aUE1WHqV0hZ" to evade detection, and implements convincing Amazon UI/UX replication including proper styling, form validation, and footer elements.
The infrastructure uses a suspicious domain "cpcalendars.13-115-149-85.cprapid.com" that appears to be compromised hosting, with references to a "/BREACH/" directory structure suggesting this is part of a larger phishing kit operation. The page includes multiple overlay and modal components that could potentially be used for additional credential collection phases, and the personalization combined with the Colorado organization reference indicates this is likely a targeted spear-phishing campaign rather than a broad credential harvesting attempt.
On December 31, 2025, an employee at a Minnesota organization clicked the below phishing page.
This appears to be a legitimate Amazon customer support forum page rather than a phishing site, hosted on Salesforce's platform (amazonforum.my.site.com) with extensive Content Security Policy headers that restrict resource loading to legitimate Amazon and Salesforce domains. The page contains standard Salesforce community platform JavaScript for user tracking, analytics integration with Adobe DTM, and normal forum functionality without any credential capture forms, malicious redirects, or obfuscated code.
The infrastructure shows legitimate enterprise hosting with proper SSL certificates, Google site verification tokens, and professional implementation patterns typical of genuine corporate support portals. This represents a legitimate business application with no observable phishing techniques, credential harvesting mechanisms, or social engineering tactics; it is simply a standard customer service forum for Amazon shipping-related questions.
On December 30, 2025, an employee at an Illinois organization clicked the below phishing page.
This phishing page uses standard HTML form-based credential capture, submitting username/password via POST to "/account/login" on the same domain (dhlpromogear.mybrightsites[.]com). The page impersonates DHL's rewards program with convincing branding and styling to establish trust, while hosted on MyBrightSites, a legitimate website building platform being abused for malicious purposes.
The site includes extensive JavaScript libraries for legitimate-looking functionality (jQuery, carousel controls, product displays) but no sophisticated anti-analysis techniques, credential exfiltration beyond the basic form, or advanced evasion mechanisms. This represents a basic to moderate sophistication level phishing attack that relies primarily on brand impersonation and professional visual design rather than technical complexity, with the notable aspect being the abuse of a legitimate business platform to host the fraudulent content.
On December 30, 2025, an employee at an Illinois organization clicked the below phishing page.
This is a sophisticated phishing site impersonating DHL's rewards store that uses standard form-based credential capture, posting login credentials to `/account/login` on the same domain (dhlrewards[.]net). The site employs several notable TTPs including brand impersonation with legitimate DHL visual branding and styling, comprehensive social engineering through a fully replicated e-commerce interface complete with product categories and shopping cart functionality, and infrastructure hosted on what appears to be a compromised or lookalike site using the mybrightsites.com CDN for assets while maintaining the fraudulent domain.
The sophistication level is moderate to advanced due to the extensive effort invested in creating a pixel-perfect replica of a legitimate rewards portal, including detailed navigation menus, search functionality, and authentic-looking footer content, though the core credential harvesting mechanism remains a basic HTML form submission without JavaScript-based exfiltration or real-time validation features.
On December 29, 2025, an employee at an Idaho organization clicked the below phishing page.
This phishing page employs a multi-stage credential harvesting technique that uses AJAX POST requests to "next.php" for real-time data exfiltration, implementing a sophisticated collection sequence that first captures email/password credentials, then displays fake error messages to prompt repeated attempts, and finally requests OTP tokens after the second failed login attempt. The page uses extensive URL encoding obfuscation via JavaScript's unescape() function to hide the actual HTML content from static analysis, while impersonating Adobe Document Cloud with multiple email provider options (Outlook, AOL, Office365, Yahoo, Other Mail) to cast a wide net for victims.
The site is hosted on the suspicious domain "vividlys[.]de" and demonstrates moderate sophistication through its progressive disclosure mechanism that simulates realistic authentication failures before transitioning to MFA bypass, along with dynamic form manipulation that hides/shows different input fields based on the attack stage and includes client-side logic to clear the page content after successful OTP collection.
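An analyst triaging a page like the one above needs to strip the unescape() layer before any static check can see the form. The following Python is an added example, not code from the report or from the kit: it decodes stacked unescape() literals the way JavaScript's legacy unescape() does (including %uXXXX), then lists the form actions and input fields that were hidden, which also exposes the dormant OTP field used by the multi-stage kits described earlier. The sample page, next.php action and field names are constructed for the example.

```python
import re

# Constructed sample, not a real capture: the markup is hidden inside a
# JavaScript unescape() literal, as the Adobe-themed page above does.
SAMPLE_PAGE = (
    '<html><body><script>document.write(unescape("'
    "%3Cform%20action%3D%22next.php%22%20method%3D%22post%22%3E"
    "%3Cinput%20name%3D%22email%22%3E%3Cinput%20type%3D%22password%22%20name%3D%22pass%22%3E"
    "%3Cinput%20name%3D%22otp%22%20style%3D%22display%3Anone%22%3E%3C%2Fform%3E"
    '"));</script></body></html>'
)

UNESCAPE_CALL = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.DOTALL)
TAG = re.compile(r"<(form|input)\b([^>]*)>", re.IGNORECASE)
ATTR = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")

def js_unescape(s: str) -> str:
    """Decode like JS unescape(): %uXXXX first, then %XX (unquote lacks %uXXXX)."""
    s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)

def unwrap_layers(page: str) -> str:
    """Decode every unescape("...") literal in place; recurse for stacked layers."""
    new = UNESCAPE_CALL.sub(lambda m: js_unescape(m.group(2)), page)
    return page if new == page else unwrap_layers(new)

def attributes(raw: str) -> dict:
    return {m.group(1).lower(): m.group(2) or m.group(3) or m.group(4) or ""
            for m in ATTR.finditer(raw)}

def collect_forms(markup: str):
    """Regex scan on purpose: markup emitted by document.write sits inside <script>."""
    actions, inputs = [], []
    for m in TAG.finditer(markup):
        a = attributes(m.group(2))
        if m.group(1).lower() == "form":
            actions.append(a.get("action", ""))
        else:
            inputs.append((a.get("name", ""), a.get("type", "text").lower()))
    return actions, inputs

def analyze(page: str) -> dict:
    decoded = unwrap_layers(page)
    actions, inputs = collect_forms(decoded)
    return {
        "obfuscated": decoded != page,       # an unescape() layer was removed
        "actions": actions,                  # where the credentials would be POSTed
        "inputs": inputs,
        "credential_form": any(t == "password" for _, t in inputs),
        "otp_stage": any("otp" in n.lower() for n, _ in inputs),
    }
```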
On December 27, 2025, an employee at a Minnesota organization clicked the below phishing page.
This phishing page uses a multi-stage credential capture technique with form submissions to "processmail.php" for initial credentials and "process.php" for OTP collection, implementing sophisticated social engineering through fake Adobe/Greenvelope branding that impersonates an online invitation service requiring email provider authentication. The page employs a deliberate multi-factor authentication bypass flow where it first collects email/password credentials, shows a fake "Incorrect Password" error on the first attempt to appear legitimate, then transitions to an OTP collection modal with a 5-minute countdown timer and loading animations to create urgency and authenticity.
Notable TTPs include brand impersonation of multiple email providers (Outlook, Office365, Yahoo, AOL), professional UI design with Bootstrap framework and responsive layouts, and psychological manipulation through fake verification processes and time pressure. The sophistication is moderate, featuring well-crafted social engineering elements and a realistic multi-step authentication flow, though the infrastructure appears to be basic hosting with suspicious domain characteristics, and the commented-out AJAX code suggests the backend credential processing may be incomplete or under development.
On December 19, 2025, an employee at a Kentucky organization clicked the below phishing page.
This phishing page captures credentials through a standard HTML form that POSTs to "https://login.microsoftonline[.]com/f54910a1-2cbc-42bf-9f0d-5466ba29ee46/login", but the actual traffic is being proxied through cookieduck.com infrastructure as evidenced by the URL structure and __uv-attr prefixes on HTML elements indicating use of an Ultraviolet web proxy. The page demonstrates sophisticated Microsoft Office 365 login page impersonation with authentic-looking branding for "Rowan County KY Schools", complete with legitimate Microsoft CDN references (aadcdn.msftauth.net) that are being proxied through the attacker's infrastructure.
Notable TTPs include extensive JavaScript obfuscation with base64-encoded parameters in the configuration, real-time session management through XMLHttpRequest calls with proper Microsoft API headers (including canary tokens and correlation IDs), and comprehensive evasion techniques using the Ultraviolet proxy system to mask the true destination while maintaining full functionality of the legitimate Microsoft login flow. The sophistication level is advanced due to the seamless proxy implementation that maintains all Microsoft authentication features including MFA support, FIDO2/WebAuthn capabilities, and proper session handling, making it extremely difficult for victims to detect the interception.
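Because the proxied page keeps the real Microsoft flow intact, the useful static signal is the rewriting itself: attributes routed through the serving host next to __uv-attr-* copies that still point at Microsoft. The Python below is an added example, not code from the report or from Ultraviolet; it assumes, as the __uv-attr observation suggests, that the rewriter stores each original attribute value under a `__uv-attr-<name>` attribute, and it uses proxy.example and placeholder paths in place of real infrastructure. The constructed field names mirror the Microsoft login form.

```python
import re
from urllib.parse import urlparse

# Constructed sample, not a real capture. proxy.example stands in for the proxy
# host; the __uv-attr-* values model the pre-rewrite destinations that an
# Ultraviolet-style rewriter is assumed to keep beside each rewritten attribute.
SERVED_URL = "https://proxy.example/service/ENCODED_TARGET_PLACEHOLDER"
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://proxy.example/service/ENCODED_CSS_PLACEHOLDER"
      __uv-attr-href="https://aadcdn.msftauth.net/PATH_PLACEHOLDER">
</head><body>
<form method="post" action="https://proxy.example/service/ENCODED_LOGIN_PLACEHOLDER"
      __uv-attr-action="https://login.microsoftonline.com/TENANT_PLACEHOLDER/login">
<input name="loginfmt" type="email"><input name="passwd" type="password">
</form></body></html>"""

TAG = re.compile(r"<([a-zA-Z][\w-]*)\b([^>]*)>")
ATTR = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
PREFIX = "__uv-attr-"

def rewritten_pairs(page: str):
    """Yield (tag, attribute, rewritten value, original value) for every
    attribute that has a __uv-attr-<name> sibling on the same element."""
    for m in TAG.finditer(page):
        attrs = {a.group(1).lower(): a.group(2) or a.group(3) or a.group(4) or ""
                 for a in ATTR.finditer(m.group(2))}
        for name, original in attrs.items():
            if name.startswith(PREFIX):
                real = name[len(PREFIX):]
                yield m.group(1).lower(), real, attrs.get(real, ""), original

def assess(served_url: str, page: str) -> dict:
    """Flag a page whose login form and assets were routed through the serving
    host while their original destinations point at another origin."""
    served_host = urlparse(served_url).hostname
    pairs = list(rewritten_pairs(page))
    rerouted = [p for p in pairs
                if urlparse(p[2]).hostname == served_host
                and urlparse(p[3]).hostname not in (None, served_host)]
    has_password = re.search(r"""<input[^>]*type=["']?password""", page, re.I) is not None
    form_targets = sorted({urlparse(p[3]).hostname for p in rerouted if p[0] == "form"})
    return {
        "served_host": served_host,
        "rewritten_attributes": len(pairs),
        "rerouted_through_proxy": len(rerouted),
        "original_hosts": sorted({urlparse(p[3]).hostname for p in rerouted}),
        "proxied_login_form": bool(form_targets) and has_password,
        "true_login_hosts": form_targets,   # where the credentials really end up
    }
```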