Phish Wire - June 3, 2026
Between May 21, 2026 and June 03, 2026, our team analyzed ten distinct phishing campaigns targeting organizations across Kentucky, Nevada, Virginia, Illinois, and Washington, with activity spanning both credential harvesting and telephone-oriented attack delivery. Across the credential-harvesting cases, the dominant capture mechanisms were form POST to attacker-controlled PHP endpoints, client-side JavaScript relay over WebSocket connections, and double-submit flows that coerced a second credential entry before advancing victims to OTP collection; the two tech-support scareware cases bypassed credential capture entirely, relying on scripted chat widgets and browser-locking overlays to drive victims toward attacker-controlled phone numbers. Impersonated brands identified from on-page evidence included Microsoft 365, Microsoft Support, Azure AD, Outlook, Office 365, GoDaddy, Google, Yahoo, AOL, Adobe, and Greenvelope.
For hosting infrastructure, actors distributed their delivery surface across legitimate platform-as-a-service and cloud-storage providers — Heroku, Azure Static Web Apps, and Oracle Cloud object storage — alongside attacker-registered domains using low-trust TLDs such as .sbs, .cfd, and .com[.]es, with at least two campaigns routing delivery through paid advertising infrastructure on Google and Facebook, and one kit reusing the reliablebrand[.]de registrant identity across two separate incidents. The period's most technically notable pattern is the consistent abuse of trusted hosting providers and legitimate CDN assets to launder both the delivery URL and on-page visual fidelity, a combination that systematically degrades the signal value of URL-reputation controls at the perimeter. The presence of real-time exfiltration over WebSockets, live FIDO2 challenge reproduction in an AiTM-capable kit, and researcher-screening logic embedded in a scareware page collectively indicate actors investing in tradecraft that anticipates and specifically works around automated detection pipelines.
Domains Reviewed
- derckuin-03-003-8fe60fd563e6.herokuapp[.]com/?gad_source=5&gad_campaigni... (5 variants)
- viruswarning0603us3b5lwh.z13.web.core.windows[.]net/?utm_medium=paid&utm... (13 variants)
- frefriokea[.]sbs/f7aprqowdv?c96585ad01b0a2e-3ba9f9b8764c4f8bfc644ea654be...
- destinyrealtysolutigmions[.]cfd/Kx2A-sHaRe-85Rv94HmYktP5IFRvjxWnM1quWuzY...
- kshjfssd.reliablebrand[.]de/i7EDG/
- objectstorage.us-ashburn-1.oraclecloud[.]com/n/idhi4ea4t8if/b/documentou...
- log1nhzkivbmlfm6lwmkc3e0afpak7.portal.pacifcprime[.]com/e/RYXHHc1kmoJtIS... (5 variants)
- vvipip.com[.]es/mt/
- letmeviewtogethe.com[.]es/hlmgcr/wwki/paperlesscountdown/
- ovec.reliablebrandidentity[.]de/BUMW1/# (3 variants)

A tech-support scam page impersonating Microsoft Support — complete with a fabricated SmartScreen alert, cascading Windows-style error dialogs, and a live-chat widget — targeted organizations in Kentucky and Texas with the goal of inducing a phone call to a fraudulent support number rather than capturing credentials through a form. Detections occurred on May 21, 2026, May 26, 2026, and June 03, 2026, totaling five observed events across that window, a spacing pattern consistent with repeated delivery to the same user population rather than a single blast. The campaign is hosted on Heroku's platform-as-a-service (derckuin-03-003-8fe60fd563e6[.]herokuapp[.]com) and was delivered through Google Ads infrastructure, as the URL parameters gad_source, gad_campaignid, and gclid confirm paid search placement — a delivery method that routes the lure through legitimate ad-click infrastructure, which makes URL-reputation and referrer-based detection substantially less reliable than it would be against a direct-link delivery.
Related subdomain variants:
- derckuin-03-003-8fe60fd563e6.herokuapp[.]com
- oimas-26-001-a8bdfe386803.herokuapp[.]com
- perpaidoi-oiukmn-002-8d6f8aa38627.herokuapp[.]com

A tech-support scareware page impersonating Microsoft Support — complete with a replica navigation bar, a "Welcome to Microsoft Support" hero section, and a cursor-disabled background — targeted organizations in Florida, Georgia, Kentucky, Minnesota, and Texas by delivering a browser-based panic overlay designed to prompt a phone call to an attacker-controlled number. Activity was confined to the period from May 21, 2026 to June 03, 2026, spanning 13 separate detections, a span consistent with a paid social campaign left running rather than a targeted one-off.
Related subdomain variants:

A credential-harvesting page impersonating Microsoft's authentication portal targeted a Kentucky organization, pulling the legitimate Azure AD branding image directly from aadcdn.msauthimages[.]net to render a convincing login background while serving content from the attacker-registered domain frefriokea[.]sbs. Activity was confined to June 03, 2026, with a single observed event suggesting a targeted delivery rather than broad spray. The page body carries a large base64-encoded blob assigned to the variable sp, which is the obfuscated payload delivering the interactive phishing kit; this pattern is consistent with kits that decode and render the credential-capture form client-side to avoid static detection of the POST target or exfiltration endpoint.
A clipboard-hijacking script intercepts any copy event outside of input fields and silently replaces clipboard contents with the single character "y", a technique that disrupts a victim's ability to copy error messages, URLs, or page source for reporting or analysis. The combination of legitimate CDN asset abuse for visual fidelity and heavy client-side obfuscation means network-layer controls that inspect only the URL or the initial HTTP response will see a mostly empty HTML shell, placing the detection burden on endpoint tooling capable of evaluating decoded JavaScript at runtime.

A credential-harvesting page impersonating Microsoft 365 targeted a Nevada organization, walking victims through a multi-stage flow that collected username, password, and MFA tokens in sequence. Activity was confined to June 02, 2026. Credential capture is handled by a PHP relay kit whose obfuscated JavaScript — loaded across three randomized-name external scripts (5qNy4XXXrH1FU2h.js, yun7cABdYTmblCsi.js, and G2vsxrzTJkYuXLaNlp0.js) — receives form submissions for the username stage, the password stage, an authenticator app number-matching prompt, an SMS OTP field, and a TOTP code field, with all element IDs and function names randomized at build time and several key strings stored as base64 (the decoded value of prop_state_916 resolves to https://outlook[.]office[.]com, the intended post-capture redirect).
The page pre-populates the victim's email address directly in the HTML at window.var_info_223, meaning the link delivered to the target already contained enough context for the kit to skip the username-guessing phase and land the victim immediately on the password prompt — a pattern that signals the actor had a validated email list before deployment. The hosting domain destinyrealtysolutigmions[.]cfd uses a deliberate misspelling padded with extra characters alongside a low-trust .cfd TLD, and the page employs several anti-analysis measures including disabled right-click and text selection, a five-second minimum loading delay before content renders, and a bot-detection library (PageValidator) that gates content display — collectively making the page less useful to automated scanners and more likely to reach a human target in a usable state.

A credential-harvesting page impersonating both Microsoft 365 and GoDaddy targeted a Washington organization, presenting a "Sharing Link Validation" lure designed to extract account passwords through a form submission flow. Activity was confined to June 01, 2026. The page renders a Microsoft-branded sharing portal — complete with the ms-Fabric component library, Segoe UI typography, and the characteristic #0078d7 blue banner — layered over a GoDaddy login panel surfaced inside a `#sections_godaddy` container, meaning the victim encounters what appears to be a Microsoft file-share prompt that resolves into a GoDaddy password form, with credentials submitted via that form's POST mechanism.
The infrastructure is hosted on reliablebrand[.]de, a domain whose registrar-branded name lends it superficial legitimacy while placing the collection endpoint outside either impersonated brand's actual infrastructure. The dual-brand construction — Microsoft framing to justify the file-share pretext, GoDaddy form to harvest the actual credential — is the detail that shapes detection: email security controls filtering on Microsoft-themed lures alone would miss the GoDaddy password field, and users trained to verify the Microsoft logo would still be facing a live credential form targeting a different account entirely.

A credential-harvesting page impersonating Microsoft 365 targeted a Nevada organization, delivering a fake sign-in form hosted on Oracle Cloud Infrastructure object storage and pulling supporting assets from an attacker-controlled domain at fmzmdul5vh.sunzpq[.]com. Activity was confined to May 28, 2026. The page extracts the victim's email address from the URL query parameter `e` — in this case `jvallerie@washoeschools.net` — writes it as an attribute on the document root element, and loads socket.io 4.7.5 from the Cloudflare CDN, indicating that credential submission is relayed in real time over a WebSocket connection to attacker infrastructure rather than through a conventional form POST.
A `<base>` tag pointing to fmzmdul5vh.sunzpq[.]com resolves all relative asset paths — including the favicon — through that same attacker-controlled host, which also serves as the likely WebSocket endpoint for data exfiltration. The pre-population of the victim's address in the page eliminates the email-entry step that would otherwise prompt a careful user to pause, and the use of Oracle Cloud object storage as the delivery URL gives the lure a domain with established reputation, which undermines URL-reputation controls that might otherwise catch it at the mail gateway or proxy.
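The client-side behaviours described above, the off-origin `<base>` tag and socket.io load on the oraclecloud[.]com page, the clipboard interception and base64 payload blob on the frefriokea[.]sbs page, and the cursor and right-click suppression on the z13.web.core.windows[.]net and destinyrealtysolutigmions[.]cfd pages, can be checked statically on a captured page before any runtime analysis. The following is an added example, not code from this report or from any kit it describes; the sample page, its hostnames and the blob-size threshold are constructed for illustration.

```python
"""Static triage of a captured landing page: added example, not code from the
report or from any kit it describes. Flags the client-side behaviours above."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

BLOB_MIN = 64  # real kits carry kilobytes; kept small so the sample stays short
# Constructed sample page; hostnames are placeholders, not indicators from the report.
SAMPLE_PAGE = """<html><head>
<base href="https://assets.attacker-host.invalid/">
<script src="https://cdnjs.cloudflare.com/ajax/libs/socket.io/4.7.5/socket.io.min.js"></script>
<style>html { cursor: none; } body { user-select: none; }</style>
</head><body oncontextmenu="return false">
<script>
document.addEventListener('copy', function (e) {
  e.clipboardData.setData('text/plain', 'y'); e.preventDefault();
});
var sp = '""" + "QUFB" * 24 + """';
</script></body></html>"""

class PageCollector(HTMLParser):
    """Collects the <base> href, external script URLs, inline script/style text
    and every on* event attribute seen on any element."""
    def __init__(self):
        super().__init__()
        self.base_href, self.script_srcs, self.inline, self.events = None, [], [], set()
        self._in_code = False
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base_href = attrs["href"]
        if tag == "script" and attrs.get("src"):
            self.script_srcs.append(attrs["src"])
        self._in_code = tag in ("script", "style")
        self.events.update(k for k in attrs if k.startswith("on"))
    def handle_endtag(self, tag):
        self._in_code = False
    def handle_data(self, data):
        if self._in_code:
            self.inline.append(data)

def triage_page(markup, page_url):
    """Return the behavioural findings for a captured page served from page_url."""
    p = PageCollector()
    p.feed(markup)
    code = "\n".join(p.inline)
    findings = []
    base_host = urlsplit(p.base_href).hostname if p.base_href else None
    if base_host and base_host != urlsplit(page_url).hostname:
        findings.append("base-tag-offsite:" + base_host)
    for s in p.script_srcs:  # socket.io load hints at a WebSocket relay for credentials
        if "socket.io" in s.lower():
            findings.append("socketio-load:" + (urlsplit(s).hostname or "relative"))
    if re.search(r"addEventListener\(\s*['\"]copy['\"]", code) and "clipboardData" in code:
        findings.append("clipboard-hijack")
    if "oncontextmenu" in p.events or re.search(r"['\"]contextmenu['\"]", code):
        findings.append("right-click-disabled")
    if "onselectstart" in p.events or re.search(r"user-select\s*:\s*none", code):
        findings.append("text-selection-disabled")
    if re.search(r"cursor\s*:\s*none", code):
        findings.append("cursor-hidden")
    # A large base64 literal assigned to a variable is the client-side payload pattern
    for name, blob in re.findall(r"var\s+(\w+)\s*=\s*['\"]([A-Za-z0-9+/=]{%d,})['\"]" % BLOB_MIN, code):
        findings.append("base64-blob:%s:%d" % (name, len(blob)))
    return findings
```

Any single finding is weak on its own; the combination of an off-origin base tag with a relay library, or of clipboard and cursor suppression with no visible credential POST, is the signal worth routing to an analyst.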

A credential-harvesting page impersonating the Microsoft 365 sign-in experience targeted a Kentucky organization, presenting a pixel-accurate replica of the Azure AD ConvergedSignIn flow — including functional sign-up, password reset, and GitHub federation paths — all hosted under the attacker-controlled wildcard domain portal.pacifcprime[.]com. Detections occurred on May 26, 2026, May 27, 2026, and May 28, 2026, totaling five separate events across a three-day window that suggests deliberate, sustained delivery rather than a single automated blast. Credential submission is handled by a form POST to https://log1nhzkivbmlfm6lwmkc3e0afpak7.portal.pacifcprime[.]com/common/login, a route that mirrors Microsoft's own /common/login endpoint naming convention and is wired throughout the page's $Config JSON as both urlPost and urlPostAad, meaning the kit captures the username-password pair before any real Microsoft server is ever contacted.
The page also generates a live FIDO2 challenge token (sFidoChallenge) signed with a JWT from login.microsoft[.]com and reproduces Microsoft's full session-state machinery — including flow tokens, canary tokens, nonce values, and a functional GetCredentialType API path — giving the kit the ability to walk a victim through multi-step authentication prompts, including MFA, while the attacker collects each response in sequence. For defenders, the operative implication is that the page's fidelity extends well past visual mimicry into behavioral mimicry: a user who has internalized what legitimate Microsoft login prompts look like will find nothing visually out of place, and the authentication flow will complete normally from the user's perspective, making URL inspection the only reliable in-session signal.

A credential-harvesting page impersonating Greenvelope — a legitimate online invitation service — targeted a Virginia organization, using a multi-provider email login lure to harvest credentials for Outlook, Office 365, Yahoo, Gmail, AOL, and generic mail accounts from a single landing page hosted at vvipip[.]com.es. Activity was confined to May 26, 2026. Credentials are collected in two discrete stages: a form POST to processmail.php on the same attacker-controlled host captures the email address and password first, then the JavaScript intentionally returns an "Incorrect Password" message on the initial submission and re-submits the same credentials on a second attempt before advancing the victim to an OTP capture modal that POSTs a six-digit code to process.php, giving the operator both the account password and the MFA token in sequence.
The double-submit pattern is a deliberate design choice: by telling the victim their password is wrong, the kit coerces a second submission that confirms the credential is typed correctly rather than miskeyed, while the subsequent OTP flow — complete with a countdown timer and a "We've sent a code to your phone" message — is timed to pressure the victim into entering a code that the operator can use in real time against the actual service. The Gmail button is handled differently from the others: it bypasses the on-page modal entirely and redirects through a separate domain, partysinvitation[.]de, pointing to an accounts.google path, which suggests a second host in the infrastructure rather than a unified kit. Defenders should note that the "Incorrect Password" error is baked into the JavaScript response handler regardless of what credentials are submitted, meaning a victim who sees that message has already surrendered their password and is one step from surrendering their MFA token.

A credential-harvesting page impersonating both Adobe and Greenvelope (an online invitation service) targeted an Illinois organization, presenting a multi-provider email login portal that collected credentials for Outlook, Office 365, Yahoo, AOL, and generic mail accounts behind a blurred background image styled to suggest a pending invitation. Activity was confined to May 26, 2026, with a single observed event. The primary capture mechanism is a form POST to processmail.php on the same attacker-controlled host, letmeviewtogethe[.]com.es, with a second POST stage to process.php that captures any OTP the victim receives after submitting credentials.
The kit deliberately forces a first-submission failure by returning "Incorrect Password" regardless of what the user enters, a double-submit pattern that coerces victims into re-entering credentials and increases the likelihood of capturing a correct password before advancing to the OTP collection stage. The fake countdown timer in the OTP modal, ticking from five minutes, applies time pressure designed to prevent the victim from pausing to question the flow. For defenders, the compounding of brand confusion (Adobe branding layered over a Greenvelope lure), the double-submit error, and a live OTP harvest mean that a successful interaction can yield valid credentials plus a usable second factor within a single session.

A credential-harvesting page impersonating a generic Microsoft account sign-in portal targeted a Kentucky organization, presenting a standard username-and-password form under the browser title "Sign in to your account" with no brand-specific imagery recoverable from the HTML alone. Activity was confined to May 22, 2026, across three observed events. The page is built on a stock Bootstrap 4 layout and collects credentials through an HTML form whose submission behavior is defined in JavaScript not present in the truncated source, meaning the exfiltration endpoint — whether a direct POST to an attacker-controlled script or a fetch-based relay — could not be confirmed from the markup, though the form fields and submit scaffolding are fully rendered and functional.
The hosting domain reliablebrandidentity[.]de presents a plausible-sounding registrant identity as the second-level domain while burying the phishing path under a short opaque directory segment and a fragment identifier, a structure consistent with shared or compromised hosting where the operator controls only a subdirectory. The fragment anchor appended to the URL serves no functional role in the page load itself and is a common technique for defeating URL-based detections that treat the full path as a signature, since scanners that strip or ignore fragments will log a different string than the one delivered to the victim's browser.
Recommendations
- Deploy phishing-resistant MFA (FIDO2/passkeys) and retire TOTP and SMS OTP as sole second factors for any externally accessible Microsoft 365 or email service; incidents at destinyrealtysolutigmions[.]cfd, vvipip[.]com.es, letmeviewtogethe[.]com.es, and portal.pacifcprime[.]com all demonstrate full AiTM or sequential-harvest kits that collect TOTP codes and SMS tokens in real time within the same session, meaning time-based codes are operationally useless against these flows once a user is on the page.
- Configure proxy or DNS security controls to alert — not blindly block — on Microsoft 365 login flows where the page origin is not login.microsoftonline[.]com or login.microsoft[.]com; portal.pacifcprime[.]com reproduced Microsoft's full /common/login route, flow tokens, canary tokens, and GetCredentialType API paths under an attacker-controlled wildcard domain, meaning the only reliable in-session signal for users and inline controls is the URL itself.
- Instrument endpoint or browser-isolation tooling to flag pages that programmatically disable the cursor (cursor: none on the root element), suppress right-click and text selection, or apply pointer-events overlays across the full viewport; incidents at z13.web.core.windows[.]net and frefriokea[.]sbs used exactly these behaviors to prevent victims from inspecting or reporting the page, and those signals are detectable at the browser layer even when no credential POST occurs.
- Add detection logic for WebSocket-based credential exfiltration — specifically socket.io library loads followed by connections to non-Microsoft third-party hosts during a Microsoft-branded login flow; the oraclecloud[.]com incident relayed credentials in real time over a WebSocket to fmzmdul5vh.sunzpq[.]com rather than through a conventional form POST, a channel that perimeter controls tuned to catch HTTP form submissions will miss entirely.
- Train users on the specific double-submission failure pattern observed in vvipip[.]com.es and letmeviewtogethe[.]com.es: if a login page returns "Incorrect Password" on the first attempt and immediately prompts them to try again before showing an OTP field, their password has already been captured; the correct response is to close the browser, not re-enter credentials, and to treat any subsequent unsolicited OTP code as confirmation of an active account-takeover attempt.
- Apply URL-reputation monitoring with elevated scrutiny to paid-search and paid-social referrers (gad_source, gclid, fbclid, utm_source=fb parameters); both the herokuapp[.]com and z13.web.core.windows[.]net campaigns were delivered through Google Ads and Facebook's paid advertising infrastructure respectively, routing lures through ad-click redirectors that carry inherent trust signals and cause referrer-based and URL-reputation controls to undercount risk at delivery time.
- Flag and queue for analyst review any externally delivered link whose full URL contains a fragment identifier (# anchor) appended to a path on a newly registered or low-reputation domain; the reliablebrandidentity[.]de infrastructure used a fragment anchor that serves no functional page-load purpose but causes URL-scanning tools that strip or normalize fragments to log a different string than the one reaching the victim's browser, a deliberate evasion of signature-based detection at the mail gateway and proxy layer.
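The URL-layer checks in these recommendations (paid-ad click parameters, PaaS and cloud-storage hosting, low-trust TLDs, a fragment appended to the path, and Microsoft login routes served from a non-Microsoft origin) can be applied at the mail gateway or in a triage script before a link is released. The following is an added example, not part of the original report; the sample links are taken from the Domains Reviewed list above in their defanged form, truncated where the report truncates them, the `gad_source=5` query is the only parameter visible there, and the small host allowlist stands in for the reputation and registration-age lookups the report recommends.

```python
"""URL triage for delivered links: added example, not part of the original
report. Tags the delivery traits called out in the recommendations above."""
from urllib.parse import parse_qs, urlsplit

PAID_AD_PARAMS = {"gad_source", "gad_campaignid", "gclid", "fbclid"}
PAAS_SUFFIXES = (".herokuapp.com", ".web.core.windows.net", ".oraclecloud.com")
LOW_TRUST_SUFFIXES = (".sbs", ".cfd", ".com.es")
# Allowlist; in production this is a reputation / registration-age lookup.
TRUSTED_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}
MS_LOGIN_PATHS = ("/common/login", "/common/getcredentialtype")

def refang(indicator):
    """Turn the report's defanged form (host[.]tld) back into a parsable URL."""
    return indicator.replace("[.]", ".")

def scanner_view(url):
    """What a scanner that strips fragments would log for this URL."""
    return url.split("#", 1)[0]

def triage_url(delivered_url):
    """Return the set of risk tags for one delivered link (defanged or not)."""
    url = refang(delivered_url)
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    query = parse_qs(parts.query)
    tags = set()
    if (PAID_AD_PARAMS.intersection(query) or query.get("utm_source") == ["fb"]
            or query.get("utm_medium") == ["paid"]):
        tags.add("paid-ad-referrer")
    if host.endswith(PAAS_SUFFIXES):
        tags.add("paas-hosted")
    if host.endswith(LOW_TRUST_SUFFIXES):
        tags.add("low-trust-tld")
    # Checked on the raw string: urlsplit() cannot tell a bare trailing '#'
    # from no fragment, and a bare '#' is exactly what the report observed.
    if "#" in url and host not in TRUSTED_HOSTS:
        tags.add("fragment-on-unvetted-host")
    if parts.path.lower().startswith(MS_LOGIN_PATHS) and host not in TRUSTED_HOSTS:
        tags.add("ms-login-path-off-origin")
    return tags

# Links from the report's Domains Reviewed list (defanged, truncated as in the
# report) plus one legitimate control URL.
SAMPLE_LINKS = [
    "https://derckuin-03-003-8fe60fd563e6.herokuapp[.]com/?gad_source=5",
    "https://viruswarning0603us3b5lwh.z13.web.core.windows[.]net/?utm_medium=paid",
    "https://frefriokea[.]sbs/f7aprqowdv",
    "https://log1nhzkivbmlfm6lwmkc3e0afpak7.portal.pacifcprime[.]com/common/login",
    "https://ovec.reliablebrandidentity[.]de/BUMW1/#",
    "https://login.microsoftonline.com/common/login",
]

def triage_all(links=SAMPLE_LINKS):
    """Map each link to its sorted tags; an empty list means no URL-layer signal."""
    return {link: sorted(triage_url(link)) for link in links}
```

Comparing `scanner_view(url)` with the delivered string is the cheap way to catch the fragment trick: if the two differ, the scanner's log entry is not what the user's browser requested.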
