Between June 4, 2026 and June 17, 2026, our team analyzed sixteen phishing incidents targeting organizations across Arizona, Florida, Illinois, Kentucky, Minnesota, Texas, and Virginia, spanning two distinct attack categories: credential harvesting and telephone-oriented vishing via browser-locker and tech-support-fraud pages. The dominant capture mechanisms were form POST to attacker-controlled PHP endpoints, adversary-in-the-middle proxying of live authentication sessions, double-submit harvesting designed to extract two password attempts per victim, real-time OTP interception through timed modal overlays, and telephone-based exfiltration through fabricated system-error interfaces that route victims to operator-staffed call lines.
Impersonated brands and services identified from on-page evidence include Microsoft 365, Microsoft Support, Windows Defender, Amazon, Google, Adobe Acrobat, and the Greenvelope online invitation platform, with several kits layering two brands simultaneously to extend the social-engineering surface across both document-sharing and event-invitation pretexts. Infrastructure was distributed across legitimate cloud and SaaS platforms including Microsoft Azure Static Web Apps, Heroku, and Scaleflex's asset management domain alongside compromised WordPress sites, shared cPanel hosts operating under subdomain chains that embed recognizable brand strings, and purpose-registered disposable domains across
A tech-support-fraud page impersonating Microsoft Support — complete with a fabricated SmartScreen warning, cascading fake system-error dialogs, and a live-chat widget scripted to demand an immediate phone call — targeted a Florida and Texas organization. Detections occurred on June 04, 2026, June 08, 2026, June 12, 2026, and June 16, 2026, totaling five events across a twelve-day window that suggests either recurring delivery attempts or multiple recipients clicking the same URL. The page does not harvest credentials through a form POST; the primary capture mechanism is social engineering to a telephone number — +1 (844) 950-5399 — displayed prominently in the fake chat widget, a blue "SmartScreen" modal, and a separate "Authentication Required" dialog, with the intent of routing the victim into a live vishing call where an operator extracts credentials, payment card data, or remote-access consent verbally.
Related subdomain variants:
A credential-harvesting page impersonating Microsoft 365 targeted a Florida organization, presenting a multi-stage username-then-password flow with full MFA interception across at least five sequential screens covering Authenticator app push approval, TOTP code entry, and SMS code entry. Activity was confined to June 16, 2026. Credential capture operates through obfuscated JavaScript loaded from two randomized-filename local scripts alongside a third file, with PHP-side configuration embedded directly in the page supplying a Base64-encoded final redirect to outlook.office.com and a 32-character random string that functions as a session or relay token, indicating the harvested credentials are relayed server-side through shirleysmasonry[.]blog, a compromised masonry contractor WordPress site pressed into service as the phishing host.
A credential-harvesting page impersonating the Greenvelope online invitation service, and secondarily spoofing Adobe Acrobat through its URL path, targeted a Minnesota organization by presenting a branded email-provider selector asking victims to authenticate with Outlook, Office 365, Yahoo, AOL, or a generic mail option. Activity was confined to June 16, 2026. The primary capture mechanism is a jQuery AJAX POST to processmail[.]php on the attacker-controlled domain mainwelviolive[.]one, which deliberately returns a success response on the first submission so the client-side logic can display an "Incorrect Password" message and prompt the victim to re-enter credentials, a double-submit technique that reliably harvests both a victim's first-attempt password and a corrected one. After the second submission the kit advances to an OTP interception stage, displaying a modal that instructs the victim to expect a one-time passcode on their phone and collecting that code via a second form POST to process[.]php, meaning the attacker is positioned to relay both the password and the MFA token in near real time. The Gmail button diverges from the modal flow and instead hardlinks directly to a separate path at mainwelviolive[.]one/mprom/gm, suggesting a distinct collection endpoint or redirect chain for Google accounts. The double-brand confusion — Greenvelope lure over an AcrobatN URL path — means the page can reach users who received either a document-share notification or an event invitation, and the OTP collection stage means account takeover can succeed even against users with MFA enabled.
A credential-harvesting page impersonating Amazon's sign-in portal targeted an Illinois organization, presenting a pixel-accurate replica of the Amazon authentication UI drawn entirely from inline base64-encoded assets embedded in the HTML. Activity was confined to June 15, 2026. The page renders a standard HTML form collecting Amazon username and password fields, with the credential submission path and POST target obscured within the truncated markup, though the page structure follows the conventional single-stage form-POST harvest model common to consumer brand phishing kits. The infrastructure routes through a cPanel-managed host at 20-97-195-63.cprapid[.]com, a pattern consistent with a compromised or low-cost shared hosting account where the attacker has provisioned a subdomain under the host provider's own namespace to lend the URL a veneer of legitimacy that a casual glance at the domain might not immediately dispel.
A credential-harvesting page impersonating Microsoft 365 sign-in targeted a Virginia organization, presenting a fully proxied reproduction of the Azure AD ConvergedSignIn flow under the attacker-controlled domain office.ofrecie[.]com. Activity was confined to June 12, 2026. The primary capture mechanism is an Adversary-in-the-Middle proxy: every functional URL in the page's $Config object — including the form POST target, the GetCredentialType endpoint, the session-state poller, and the password-reset redirects — is rewritten to pass through office.ofrecie[.]com, meaning the kit relays live Microsoft authentication traffic in real time rather than staging a static clone, which allows it to capture session tokens and MFA responses alongside the initial credential submission.
A credential-harvesting page impersonating Amazon's sign-in portal targeted an Illinois organization, presenting a pixel-accurate replica of the Amazon authentication flow rendered entirely from an inline base64-encoded logo and Amazon's own CSS class conventions. Activity was confined to June 12, 2026. The page presents a standard HTML form whose submission target and field names are not visible in the truncated markup, but the structure — a single email-and-password form styled to match Amazon's a-box layout system exactly — is consistent with a straightforward form POST to attacker-controlled infrastructure at 129-121-101-232.cpanel[.]site, a shared cPanel host operating under the subdomain chain primes.billes.amz.0auth, where the string "0auth" impersonates OAuth branding to add surface legitimacy to the URL. The URL carries a long base64-encoded ref parameter, a common technique for encoding victim-tracking identifiers or campaign tokens so that the landing page can pre-associate a submitted credential set with a specific target or mail delivery. For defenders, the subdomain construction is the sharpest signal: layering recognizable brand strings ("amz", "0auth") across multiple subdomain levels is designed to defeat casual URL inspection, and users trained to look only for "amazon" in a URL will find it — just not where the actual domain authority sits.
A tech-support-scam page impersonating Microsoft Support — complete with a fabricated SmartScreen alert, cascading "System Error" and "Security" pop-up dialogs, and a fake Windows Firewall authentication modal — targeted a Kentucky organization with the goal of driving victims to call a toll-free number rather than harvesting credentials through a form POST. Activity spanned the period from June 04, 2026 to June 12, 2026, accumulating 8 separate detections across that window, a pattern consistent with a link distributed in waves or forwarded internally among recipients in several organizations across California, Kentucky, Texas and Virginia. The primary capture mechanism is telephone-based: the page surfaces the number +1 (833)332-8505 in three distinct UI elements — a blue SmartScreen banner, an "Authentication Required" modal, and a fake Microsoft Support chat widget — ensuring the number is visible regardless of which overlay the victim focuses on, while all form inputs on the page carry the `disabled` attribute, meaning no credentials are collected in-browser and the exfiltration channel is entirely the phone call.
Related subdomain variants:
A credential-harvesting page impersonating a generic "Cloud Share" document portal targeted a Minnesota organization, presenting visitors with a login interface styled to evoke a legitimate cloud file-sharing service. Activity was confined to June 11, 2026. The primary capture mechanism is a form-backed credential submission flow consistent with a static phishing kit hosted at zyver[.]cfd, where the page title "Cloud Share" and a favicon reference to images/a_fav.png indicate a self-contained kit rather than a proxied or dynamically generated lure. The HTML includes an OTP popup layer — complete with a styled modal, an input field, and submit and cancel controls — meaning the kit is built to capture a second authentication factor after an initial credential submission, a two-stage harvest that would give an operator both a password and a one-time code in a single session.
A credential-harvesting page impersonating a generic Microsoft account sign-in portal targeted a Kentucky organization, presenting a standard "Sign in to your account" interface built on a stock Bootstrap 4 framework with no brand-specific customization beyond the page title. Activity was confined to June 10, 2026, with a single observed event suggesting a narrow or targeted delivery rather than a broad phishing blast. The page renders a full-viewport login form via Bootstrap's flexbox container layout, positioning the credential fields at the center of the screen to maximize visual focus on the input fields, and the form infrastructure present in the HTML is consistent with a client-side credential capture flow where submitted values are harvested before or during a POST action.
The absence of obfuscation, dynamic JavaScript exfiltration endpoints, or anti-analysis controls visible in the HTML indicates a low-complexity kit relying entirely on presentation fidelity rather than technical evasion, which means standard URL-reputation and content-inspection controls have a clear signal to act on. The hosting domain file.scalableflex[.]de belongs to Scaleflex, a legitimate European digital asset management platform, and placing the phishing page at a randomized path under a reputable service domain is the primary trust mechanism the operator is exploiting, since the parent domain carries a clean reputation that complicates URL-based blocking without path-level inspection.
A browser-locker page impersonating Windows Defender and Microsoft support targeted a Minnesota organization, presenting a fabricated antivirus scan reporting 1,200 "Identified_Threats" and demanding the victim call a toll-free number embedded in the URL parameter Anph, rendered as +1-806-626-7757 across multiple overlapping popup layers. Activity was confined to June 09, 2026. The page carries no credential-exfiltrating form POST to an attacker-controlled endpoint; the primary capture mechanism is the phone call itself, with the login-box form collecting what are labeled username and password fields but applying an input filter that restricts both to numeric characters, suggesting those fields exist to harvest account PINs or billing digits rather than text credentials.
Escape from the page is blocked by three stacked beforeunload and unload event listeners that each trigger a worker-bomb spawning up to one trillion Web Workers in an infinite loop, freezing the browser and making the fake "Leave site?" dialog the only visible exit, which reinforces the phone-call lure by leaving the victim with no clean way to close the tab. The analytics beacon registered to invoice-display[.]com via publytics[.]net, combined with the noindex,nofollow robots meta tag, indicates the operators are tracking victim arrivals while deliberately suppressing search-engine indexation, a pairing that keeps the page reachable through direct-send lure links while reducing exposure to crawler-based detection.
A credential-harvesting page impersonating Google targeted an Arizona organization, presenting victims with a password-entry form pre-filled with their email address beneath a Google logo pulled from a third-party vector asset host. Detections occurred on June 08, 2026 and June 09, 2026, totaling two observed events. The primary capture mechanism is a synchronous HTML form POST to success.php on the attacker-controlled domain pdfcloud[.]pw, meaning submitted passwords travel in plaintext to attacker infrastructure with no client-side JavaScript relay obscuring the endpoint. The pre-populated email label — drawn from the victim's own address — is the principal social engineering lever here: it signals to the target that the page already "knows" who they are, which suppresses the instinct to question legitimacy and mirrors the second step of a genuine Google sign-in flow.
A credential-harvesting page impersonating Amazon's sign-in flow targeted a Kentucky organization, presenting a password-entry stage pre-populated with the victim's email address to simulate a legitimate mid-session authentication prompt. Activity was confined to June 09, 2026, with a single detection recorded. Credentials are captured via a form POST to action.php on the attacker-controlled domain aetherix[.]click, while a secondary hidden form in the same page declares fields for LOGIN, USERNAME, PASSWORD, CARD_NUMBER, and PHONE_NUMBER, indicating the kit is built to harvest payment and identity data beyond the password the victim sees themselves entering. The visible text throughout the page — the page title, button labels, and footer links — is fragmented with zero-width, zero-height inline spans carrying random alphanumeric characters, a technique designed to break exact-string matching in email scanners and content-inspection tools that evaluate rendered text rather than parsing DOM structure.
A credential-harvesting page impersonating both Adobe and the Greenvelope invitation service targeted a Florida organization, presenting victims with a multi-provider login selector that accepted Outlook, Office 365, Yahoo, AOL, and generic email credentials through a single PHP relay kit. Activity was confined to June 07, 2026. The primary capture mechanism is a form POST to processmail.php on attacker-controlled infrastructure at vitirightoneviti[.]com, with credentials serialized via jQuery's form.serialize() and transmitted over AJAX before the page deliberately returns an "Incorrect Password" message on the first submission, forcing the victim to re-enter credentials and effectively doubling the harvest. After a second successful POST to the same endpoint, the kit transitions to a second PHP backend at process.php, where it presents a fabricated OTP entry modal complete with a countdown timer — a design that captures any multi-factor token the victim's legitimate provider has already dispatched to their phone.
A credential-harvesting page impersonating both Adobe Acrobat and the Greenvelope online invitation platform targeted a Minnesota organization, presenting victims with a multi-provider login portal that accepted credentials for Outlook, Office 365, Gmail, Yahoo, AOL, and generic email accounts. Activity was confined to June 07, 2026. The primary capture mechanism is a form POST to processmail.php on the attacker-controlled host check.gdevs[.]vu, with a second POST to process.php collecting OTP codes, meaning the kit is designed to harvest both the static password and any time-based one-time code the victim's provider sends as a second factor. The kit implements deliberate double-submission logic: on the first credential submit the server always returns success, the JavaScript interprets that as a valid response and then displays an "Incorrect Password" error to the victim, prompting a second submission so the attacker receives two password attempts before the victim grows suspicious.
A credential-harvesting page impersonating Microsoft's "Sign in to your account" login flow targeted an Illinois organization using a Bootstrap-framed form kit hosted on a German-registered domain. Activity was confined to June 05, 2026, with a single detection observed. The page renders a full-viewport sign-in form built on Bootstrap 4 with the page title "Sign in to your account," and while the HTML captured reflects a static credential-collection shell, the fragment identifier in the URL — the trailing `/#` — is a pattern associated with single-page application kits that route credential POST logic through JavaScript loaded after initial page render, making static inspection of the exfiltration endpoint incomplete from this capture alone.
The hosting domain `execsuccessmetrics[.]de` carries a `.de` TLD inconsistent with any plausible Microsoft infrastructure, and the subdomain `chicagodc` appears crafted to suggest a Chicago-area organizational context to a target likely familiar with that geography. A user who lands on this page sees a visually complete, unstyled-but-functional Microsoft login clone with no URL anomaly flagged by the browser chrome, meaning the primary friction point for detection sits with the domain itself rather than with anything the page visually betrays.
A credential-harvesting page impersonating Microsoft 365 targeted a Kentucky organization, rendering a genuine Microsoft authentication background image pulled from aadcdn.msauthimages[.]net to lend the page visual legitimacy while the underlying payload resided on the attacker-controlled domain frefriokea[.]sbs. Detections occurred on June 04, 2026, with two observed events recorded against the target. The page loads a large base64-encoded blob assigned to the variable jj, which is the obfuscated core of the kit and conceals both the credential-capture logic and the exfiltration endpoint from casual static inspection, meaning the actual form POST target or fetch destination cannot be confirmed without executing and decoding that payload. A clipboard-hijacking script intercepts any copy event outside of input fields and silently replaces the clipboard contents with the single character "v," a technique that disrupts a victim's ability to copy the URL or page source for manual inspection without producing any visible indication that tampering occurred.
Learn how PhishID can help protect your district from cutting-edge threats like these! Schedule a Demo