Phish Wire - March 16, 2026

Written by Identity Automation | Mar 23, 2026 2:15:00 PM

Between February 26, 2026 and March 11, 2026, analysts identified a significant shift toward sophisticated social engineering campaigns, with the majority of incidents employing tech support scams that bypass traditional credential harvesting in favor of phone-based fraud operations. A notable pattern emerged across multiple incidents utilizing Microsoft Azure hosting infrastructure (z13.web.core.windows.net) combined with legitimate services like Tawk.to chat widgets to create convincing Microsoft Support impersonation pages that display fabricated system errors ("Memory access violation," "Password required for System32") and security alerts to pressure victims into calling scammer phone numbers rather than submitting credentials through web forms.

Advanced multi-stage credential harvesting operations targeting Microsoft, Adobe, Google, and Roblox services demonstrated increasing sophistication through JavaScript-based exfiltration, real-time MFA token collection, anti-bot detection measures, and deliberate "incorrect password" errors designed to enhance credibility during the authentication bypass process. The campaign infrastructure showed strategic diversity, ranging from compromised legitimate domains and Azure static web apps to suspicious disposable domains and CDN-hosted proxy services, with attackers increasingly leveraging legitimate cloud platforms to evade detection while maintaining operational reliability. Emerging threats included advanced proxy-based phishing environments that create fully functional clones of target services and callback phishing (vishing) operations that combine visual deception with human-operated phone-based social engineering to maximize credential theft success rates.

Domains Reviewed


On March 11, 2026, an employee at a Texas organization clicked the below phishing page.

This is a sophisticated tech support scam that does not actually capture credentials through traditional forms, but instead uses multiple social engineering layers to drive victims toward phone-based fraud. The page employs extensive visual deception with a convincing Microsoft Support interface, fake system error popups scattered across the screen ("Memory access violation at 0x88412"), fake security warnings about "Trojan Horse" infections, and multiple prominent displays of the scam phone number "+1 (844) 830-0552".

The site is hosted on Azure's web.core.windows.net platform and integrates Tawk.to live chat functionality, while using disabled form inputs and non-functional buttons to frustrate victims into calling the provided number instead of attempting self-service. This represents a moderately sophisticated approach that combines brand impersonation, fake system alerts, and psychological pressure tactics, with the notable technique of using legitimate cloud infrastructure (Azure) to appear more trustworthy while avoiding traditional credential harvesting in favor of direct phone-based social engineering.

On March 11, 2026, an employee at a Texas organization clicked the below phishing page.

This phishing page primarily uses social engineering rather than credential capture, employing a tech support scam that displays fake security alerts claiming "anomalous activity detected" and "Session blocked for your security" while prominently featuring the phone number +1 (844) 830-0552 throughout multiple fake modal windows and a chat interface. The page utilizes legitimate Azure hosting (z13.web.core.windows.net) and incorporates sophisticated visual deception techniques including multiple overlapping fake Windows security dialogs with messages like "Password required for System32" and "Memory access violation," a realistic Microsoft Support chat widget powered by Tawk.to, and disabled form inputs that prevent actual credential submission while maintaining the illusion of functionality.

The sophistication is moderate to advanced given the comprehensive UI mimicry, strategic use of urgency tactics ("Call immediately for emergency data security"), and the integration of real chat functionality to engage victims, though the ultimate goal appears to be phone-based social engineering rather than automated credential theft. The page notably includes complex tracking parameters in the URL suggesting targeted delivery through advertising networks (Taboola referral with Branch.io tracking), and the cursor is programmatically disabled throughout the interface to prevent normal user interaction while forcing focus on the phone number.

Additional similar attacks were clicked:

  • w11what11nw3w0552c006.z13.web.core.windows[.]net/index.html?utm_source=taboola&utm_medium=referral&tblci=GiDuHSsHQnPWXDwqEgPaQKeW2kl6BwWQXif...

On March 11, 2026, an employee at a Texas organization clicked the below phishing page.

This phishing page does not contain any functional credential capture mechanism - all input fields are disabled and there are no form submissions, fetch requests, or JavaScript exfiltration methods present in the code. The primary TTP is social engineering through a fake Microsoft Support interface that displays multiple fake system error popups ("Memory access violation at 0x88412" and "Password required for System32"), creates artificial urgency with messages about "anomalous activity detected" and "session blocked for your security," and prominently displays a phone number (+1 844-830-0552) for victims to call.

The page is hosted on Microsoft Azure (z13.web.core.windows.net) and integrates Tawk.to live chat functionality, suggesting this is a tech support scam designed to convince victims to call the provided number rather than capture credentials directly through the webpage. The sophistication is moderate due to the convincing Microsoft branding and multiple layered fake security alerts, but the lack of any actual credential harvesting functionality indicates this is purely a social engineering vector to initiate phone-based fraud.

On March 11, 2026, an employee at a Georgia organization clicked the below phishing page.

This phishing page employs social engineering through fake Windows security alerts and pop-ups rather than traditional credential capture, using extensive Microsoft brand impersonation with authentic-looking logos, colors, and UI elements to create a fake Microsoft Support interface. The primary technique is phone-based fraud, prominently displaying "+1 (844) 830-0212" multiple times across fake chat windows, security warnings, and modal dialogs that simulate system errors like "Memory access violation" and "Password required for System32" to create urgency.

The page is hosted on Microsoft Azure (z13.web.core.windows.net) and integrates Tawk.to live chat functionality, suggesting attackers may engage victims in real-time conversations to enhance credibility. This represents a moderate sophistication tech support scam that combines visual deception with multiple overlapping fake security alerts, disabled form inputs to prevent actual credential submission, and uses the victim's trust in Microsoft's legitimate infrastructure to appear more authentic.

Additional similar attacks were clicked:

  • w11what11nw3w0212c017.z13.web.core.windows[.]net/index.html?utm_source=taboola&utm_medium=referral&tblci=GiAnJXok9iUAAKmNrKVH-kL3BVQSBeoi_Fw...

On March 11, 2026, an employee at a Texas organization clicked the below phishing page.

This phishing page uses a sophisticated multi-layered social engineering approach that primarily relies on phone-based credential collection rather than traditional form submission, with victims directed to call +1 (844) 830-0212 for "emergency data security" through fake Microsoft Support chat windows and authentication dialogs. The page employs advanced visual manipulation techniques including multiple overlapping fake Windows error popups ("Memory access violation", "Password required for System32"), a convincing Microsoft Support interface replica with disabled input fields to force phone contact, and integrated Tawk.to live chat functionality to appear legitimate.

Hosted on Azure's web.core.windows.net infrastructure with complex URL parameters suggesting traffic distribution through Taboola advertising networks, the page demonstrates high sophistication through its realistic Windows UI mimicry, strategic use of urgency messaging ("anomalous activity detected", "Session blocked for your security"), and the clever approach of bypassing traditional web-based credential capture by directing victims to voice-based social engineering where attackers can harvest credentials, remote access permissions, and financial information through direct phone interaction.

On March 10, 2026, an employee at a Texas organization clicked the below phishing page.

This appears to be a tech support scam page that does not actually capture credentials through traditional forms, but instead uses social engineering to direct victims to call the prominently displayed phone number +1 (855) 921-4515 for voice-based credential harvesting. The page employs sophisticated visual deception tactics including a convincing Microsoft Support interface replica, multiple fake system error popups positioned across the screen ("Security" and "System Error" dialogs), a simulated chat support widget with pre-scripted messages claiming "anomalous activity detected," and disabled input fields that prevent actual interaction while maintaining the illusion of functionality.

Hosted on Microsoft Azure (z13.web.core.windows.net), the site integrates Tawk.to chat services and uses the legitimate hosting to appear trustworthy, while the complex CSS animations and multiple layered modal dialogs create a sense of urgency and system compromise. The sophistication level is moderate to advanced due to the detailed UI replication and multi-layered social engineering approach, though the lack of actual credential capture forms suggests this is primarily a "vishing" (voice phishing) operation designed to convince victims their computer is compromised and they need immediate phone support.

On March 10, 2026, an employee at a Texas organization clicked the below phishing page.

This is a sophisticated tech support scam that does not capture credentials through traditional forms but instead uses social engineering to trick victims into calling a fake Microsoft support number (+1-855-921-4515). The page employs multiple advanced social engineering tactics including fake Windows error popups scattered across the screen ("Memory access violation at 0x88412", "Password required for System32"), a convincing Microsoft Support chat interface with fabricated security alerts claiming "anomalous activity detected from your IP", and multiple overlay modal dialogs warning of "Trojan Horse" infections and firewall blocks.

The site is hosted on Azure Static Web Apps (z13.web.core.windows.net) and incorporates legitimate Tawk.to chat functionality alongside sophisticated Microsoft UI mimicry using Segoe UI fonts and authentic-looking branding. The sophistication level is advanced due to the realistic Windows interface replication, multiple layered deception elements, and the strategic use of urgency-inducing security warnings designed to panic users into calling the scammer's phone number rather than attempting traditional credential theft.

On March 09, 2026, an employee at a Washington organization clicked the below phishing page.

This phishing page does not contain any actual credential capture mechanisms - all form inputs are disabled and there are no POST endpoints, fetch requests, or JavaScript exfiltration functions in the code. Instead, it employs sophisticated social engineering tactics including fake Windows error popups with fabricated "Memory access violation" and "System32 password required" messages, multiple overlapping modal dialogs to simulate system compromise, and brand impersonation of Microsoft Support with accurate visual styling.

The site is hosted on legitimate Azure blob storage (z13.web.core.windows.net) and integrates Tawk.to live chat functionality, directing victims to call the scam number +1 (844) 505-0602 rather than capturing credentials directly. The sophistication level is moderate due to the realistic Windows UI recreation and psychological manipulation through simulated system errors, but technically it's a basic phone scam operation with no actual data collection capabilities.

On March 09, 2026, an employee at a Texas organization clicked the below phishing page.

This phishing page is a sophisticated tech support scam that does not appear to directly capture credentials through forms, but instead uses multiple visual manipulation techniques to drive victims to call a fraudulent phone number (+1-844-505-0602). The page employs advanced social engineering tactics including fake Microsoft branding, simulated system error popups scattered across the screen showing "Memory access violation at 0x88412" and "Password required for System32", a fake chat widget claiming to detect "anomalous activity" and "unrecognized login" from the victim's IP address, and multiple modal overlays warning of "Trojan Horse" infections and "SmartScreen" blocks.

The site is hosted on Microsoft Azure (z13.web.core.windows.net) and integrates legitimate Tawk.to chat services to appear more credible, while using disabled input fields and non-functional buttons to prevent interaction and force victims toward the phone-based social engineering attack vector. The sophistication level is high due to the realistic Microsoft interface replication, multiple layered deception elements, and the strategic use of legitimate cloud infrastructure to evade detection, representing a modern callback phishing approach rather than traditional credential harvesting.

Additional similar attacks were clicked:

  • w9what09nw3w0602c027.z13.web.core.windows[.]net/index.html?utm_source=taboola&utm_medium=referral&tblci=GiATD0dt84tln_a0L9OYBcJqhiT0YgdAD6br...

On March 09, 2026, an employee at a California organization clicked the below phishing page.

This phishing page uses a standard HTML form POST method to capture credentials through "processmail.php", implementing a multi-stage credential collection process that first accepts any email/password combination, displays a fake "Incorrect Password" error on the first attempt, then proceeds to collect the same credentials again before advancing to an OTP collection phase via "process.php". The page employs sophisticated social engineering tactics including brand impersonation of Greenvelope (an actual invitation service), Adobe logos, and multiple email provider options (Outlook, Office365, Yahoo, Gmail, AOL), while creating urgency through fake invitation access requirements and visual legitimacy with animated confetti effects and professional styling.

The site is hosted on the suspicious "jebx.life" domain and uses Cloudflare services for content delivery and bot protection, with the infrastructure showing signs of deliberate hosting choices rather than compromised legitimate services. The sophistication level is moderate, featuring a well-designed two-factor authentication simulation with countdown timers and loading animations, though the actual credential exfiltration relies on basic form submissions rather than advanced JavaScript-based techniques, and notably the Gmail button redirects to a different subdomain (jebx.life/m/accounts.google) suggesting a separate credential harvesting endpoint.

On March 09, 2026, an employee at a Kentucky organization clicked the below phishing page.

This appears to be a sophisticated tech support scam page that does not actually capture credentials through traditional forms, but instead uses social engineering to trick victims into calling +1 (844) 505-0602. The page employs multiple advanced evasion techniques including Microsoft brand impersonation with authentic-looking logos and styling, fake security alerts claiming "anomalous activity detected" and "Trojan Horse" infections, and dynamic pop-up notifications simulating Windows security warnings and system errors to create urgency.

The site is hosted on legitimate Azure infrastructure (w9what09nw3w0602c018.z13.web.core.windows.net) and integrates Tawk.to live chat functionality, while using disabled input fields in fake login forms to prevent actual credential submission and instead drive victims toward phone-based social engineering. The sophistication level is advanced due to the realistic Microsoft interface replication, multiple layered fake security notifications, and the strategic use of legitimate cloud hosting to avoid detection, representing a phone-based scam operation rather than traditional credential harvesting.

On March 06, 2026, an employee at a Minnesota organization clicked the below phishing page.

This phishing page uses a multi-stage credential capture technique with form POST submissions to "processmail.php" for initial credentials and "process.php" for OTP collection, implementing a sophisticated two-factor authentication bypass attempt. The site employs Adobe document access impersonation as social engineering bait, offering multiple email provider options (Outlook, Office365, Yahoo, AOL) with corresponding logos to increase credibility, and includes a deliberate "Incorrect Password" error message on first submission to trick users into re-entering credentials thinking they made a typo.

The infrastructure uses the suspicious domain "punch-invitesbolw.im" with Cloudflare services (evident from the beacon script), and the JavaScript implements AJAX-based credential submission with loading animations to appear legitimate. The sophistication level is moderate-to-advanced due to the multi-stage collection, MFA token harvesting, realistic error simulation, and professional UI design that closely mimics legitimate Adobe document sharing workflows.

On March 05, 2026, an employee at a Kentucky organization clicked the below phishing page.

This phishing page uses JavaScript-based credential exfiltration through a polymorphic module system that dynamically loads authentication handling code from "js/module.php" with security tokens, rather than traditional form POST submission. The page implements sophisticated multi-stage credential collection mimicking Microsoft's authentication flow, collecting username, password, and various 2FA methods (SMS codes, authenticator app verification, push notifications) across multiple realistic-looking sections with proper visual transitions and loading animations.

Notable evasion techniques include extensive CSS class name obfuscation with randomized identifiers, anti-bot honeypot fields, disabled right-click and text selection, plus bot detection modules that likely validate credentials in real-time against legitimate Microsoft services. The infrastructure appears to use a compromised or malicious server (haematogenesis.threshk.com) with a sophisticated phishing kit that includes base64-encoded configuration data and maintains session state across the multi-step authentication process, representing an advanced-level operation that closely replicates legitimate Microsoft login experiences.

On March 03, 2026, an employee at a Kentucky organization clicked the below phishing page.

This is a sophisticated multi-stage credential harvesting operation that captures credentials through JavaScript form submission to a dynamically loaded endpoint (js/module.php), implementing a complete Microsoft 365 authentication flow with email/password collection, MFA bypass attempts (authenticator app codes, SMS verification), and real-time validation. The page employs several evasion techniques including bot detection modules (js/bot-detection.js), honeypot fields with the class "a_container_257" positioned off-screen, anti-inspection protection through disabled right-click and text selection, and base64-encoded configuration data in the JavaScript variables. This represents an advanced sophistication level due to its comprehensive MFA bypass capabilities, anti-bot measures, and realistic authentication flow simulation that closely mimics legitimate Microsoft 365 sign-in procedures.

Additional similar attacks were clicked:

  • sch-remit-scanned0cs5237-72788.candscolnc[.]com/NVnuM6rt55533qbn5PoGgDjvU1ch2s4QbhdXayMhIqCqpPfvkwXL98m47NEcGeW6N4BUPbU-5XvKE1i_a685VkhEWr8f...
  • sch-remit-scanned0cs5237-72788.candscolnc[.]com/7hx9N1wKCPH3zm4WEDcR4KH6IcM4B6mKPcTZ43pIu8OE3jBTNo9qlha1NnHP8wZqh4seW2rs8B9R19jttjTP91o2l2JA...
  • sch-remit-scanned0cs5237-72788.candscolnc[.]com/N0iEMnvs4aw4Q46_5utjyPq2Z78yI67nXJN32oCQ173Lo894C4MfffD5b9MgRhnlKT3h1EJdu7Mnr_3oIlcQvaSg6vrk...

On March 02, 2026, an employee at a Minnesota organization clicked the below phishing page.

This phishing page uses a basic HTML form POST submission to "inc/chk.php" for credential capture, indicating a straightforward server-side collection method rather than sophisticated JavaScript exfiltration. The page employs Microsoft SharePoint impersonation with authentic-looking SharePoint Online branding and UI elements to establish credibility, along with social engineering tactics including urgency messaging ("invitation" context) and professional styling using Bootstrap CSS framework.

The infrastructure appears to be hosted on a suspicious domain "uxavo.sbs" which is likely a disposable or compromised hosting service, and the page includes standard evasion techniques such as a content security policy and referrer meta tag set to "no-referrer" to limit tracking. The sophistication level is basic to moderate, representing a typical credential harvesting operation that relies primarily on visual deception and brand impersonation rather than advanced technical measures, though the clean professional appearance and proper form structure suggest some effort was made to avoid detection by security filters.

On March 02, 2026, an employee at an Illinois organization clicked the below phishing page.

This phishing page does not contain any actual credential capture mechanisms - all input fields are disabled and there are no form submissions, JavaScript exfiltration methods, or data collection endpoints present in the code. The primary TTP is social engineering through fake system error popups claiming "Memory access violation" and "Password required for System32" combined with urgency tactics displaying a prominent phone number "+1 (844) 505-0415" throughout multiple modal windows and a fake Microsoft Support chat interface.

The page is hosted on Azure Blob Storage (web.core.windows.net) and includes sophisticated visual deception with authentic Microsoft branding, cascading fake Windows error dialogs, and a convincing support chat widget powered by Tawk.to, but represents a tech support scam rather than traditional credential phishing since it relies entirely on phone-based social engineering rather than digital credential theft. The sophistication is moderate due to the realistic Microsoft interface replication and multiple overlapping deception layers, but it lacks any actual technical credential harvesting capabilities.

On March 02, 2026, an employee at an Illinois organization clicked the below phishing page.

This phishing page implements a multi-stage credential capture system that initially submits login credentials via AJAX POST to "processmail.php" and then collects OTP tokens through a second form posting to "process.php". The attack employs sophisticated social engineering by impersonating Adobe/Greenvelope invitation services with multiple email provider options (Outlook, Office365, Yahoo, AOL), includes visual deception through confetti animations and branded logos, and uses a deliberate "incorrect password" error message on first submission to make victims retry with their actual credentials.

The page appears to be hosted on a compromised legitimate domain (traveler.com.gt) based on the suspicious nested directory structure "/read_me_envelope/AcrobatN/", and implements a realistic 5-minute countdown timer for OTP entry to create urgency. The sophistication level is moderate to advanced due to the multi-stage collection process, realistic UI/UX design, AJAX-based credential exfiltration, and the combination of both password and MFA token harvesting in a seamless user experience.

On March 02, 2026, an employee at a Texas organization clicked the below phishing page.

This is a sophisticated tech support scam that uses multiple psychological manipulation tactics rather than traditional credential harvesting forms. The page displays fake Microsoft branding with multiple overlapping error dialogs claiming "Memory access violation at 0x88412" and "Password required for System32" to create urgency, while prominently featuring the phone number "+1 (844) 505-0415" in multiple locations including a fake chat widget and security alerts.

The site is hosted on Azure (z13.web.core.windows.net) and includes Tawk.to live chat integration, fake Windows SmartScreen warnings claiming "Trojan Horse" infections, and disabled input fields to prevent user interaction while forcing phone contact. The sophistication is moderate to advanced due to the comprehensive visual deception with authentic-looking Microsoft UI elements, multiple layered fake system alerts positioned across the screen, and the integration of legitimate chat services to appear more credible, though it relies on social engineering rather than technical credential capture methods.

On March 02, 2026, an employee at a Georgia organization clicked the below phishing page.

This phishing page does not contain any actual credential capture mechanisms - all form inputs are disabled and there are no POST endpoints, JavaScript exfiltration methods, or data collection scripts present in the code. The page employs sophisticated social engineering tactics including fake Microsoft branding, multiple simulated system error dialogs ("Memory access violation at 0x88412" and "Password required for System32"), a convincing Microsoft Support chat interface showing fake security alerts, and urgent messaging claiming "anomalous activity detected" with repeated emphasis on calling +1 (844) 505-0415 immediately for "emergency data security."

The site is hosted on Azure (web.core.windows.net) and integrates legitimate Tawk.to chat services to enhance credibility, while using multiple overlapping modal dialogs and Windows-style error messages to create a sense of system compromise and urgency. This represents a moderate sophistication voice/callback phishing operation (vishing) rather than traditional credential harvesting, designed to pressure victims into calling the fake support number where human operators would likely attempt to extract sensitive information or gain remote access to systems.

On March 01, 2026, an employee at a Florida organization clicked the below phishing page.

This appears to be a sophisticated phishing page that uses URL encoding/obfuscation through what looks like an Ultraviolet proxy service (classroomweb67123.b-cdn.net) to create a convincing Roblox clone, with all legitimate Roblox URLs being systematically rewritten through the proxy using encoded paths like "hvtrs8%2F-wuw%2Crmbnoz.aoo" (decodes to "https://www.roblox.com"). The page implements comprehensive brand impersonation by preserving authentic Roblox metadata, CSS styling, JavaScript bundles, and even maintains proper social media tags and SEO elements to appear legitimate, while the actual credential capture mechanism would likely occur when users attempt to log in through the proxied authentication forms that would POST to the attacker-controlled proxy rather than legitimate Roblox servers.

The infrastructure leverages CDN hosting (b-cdn.net) combined with proxy obfuscation to evade detection, and includes sophisticated elements like machine ID tracking ("c36649fd-1bae-a20b-fbc3-a8d4981abb59"), Google Analytics integration, and complete preservation of Roblox's complex application architecture including Angular framework components. This represents an advanced-level attack that goes beyond simple form cloning to create a fully functional proxy-based phishing environment that could capture not just credentials but potentially session tokens and other authentication data in real-time.

On February 27, 2026, an employee at a Washington organization clicked the below phishing page.

This is a sophisticated technical support scam that does not actually capture credentials through traditional forms, but instead relies entirely on social engineering to trick victims into calling the prominent phone number "+1 (844) 505-0249" displayed throughout multiple fake security alerts and chat interfaces. The page uses advanced visual deception techniques including a convincing Microsoft Support interface replica, multiple overlapping fake system error popups ("Memory access violation at 0x88412", "Password required for System32"), a simulated live chat widget with Tawk.to integration, and disabled input fields that prevent user interaction while maintaining visual authenticity.

Hosted on legitimate Azure infrastructure (z13.web.core.windows.net), the scam employs high sophistication through cursor manipulation (cursor-none styling), realistic Windows UI elements with proper Segoe UI fonts, animated progress indicators, and carefully positioned modal overlays that simulate a genuine system compromise scenario. The technique is particularly notable for avoiding traditional credential harvesting entirely, instead using pure psychological manipulation through fake urgency ("Session blocked for your security", "SmartScreen - Preventive Block") to drive victims toward phone-based social engineering where the real credential theft likely occurs.

On February 27, 2026, an employee at a Virginia organization clicked the below phishing page.

This is a sophisticated tech support scam that does not contain actual credential capture forms but instead relies entirely on social engineering to trick victims into calling the fake support number +1 (844) 505-0249. The page impersonates Microsoft Support with fake system error popups, security warnings about "Memory access violation at 0x88412" and "Password required for System32," and includes a convincing chat widget showing fake security alerts about "anomalous activity detected from your IP" and "unrecognized login" attempts.

The site is hosted on Azure (z13.web.core.windows.net) and uses Tawk.to chat integration for legitimacy, while employing multiple overlapping popup dialogs and disabled form fields to create urgency and prevent user interaction beyond calling the provided phone number. The sophistication is moderate, focusing on visual deception and brand impersonation rather than technical credential theft, with the primary goal being to initiate voice-based social engineering through the prominently displayed phone number.

On February 26, 2026, an employee at a Minnesota organization clicked the below phishing page.

This phishing page uses a multi-stage credential capture technique that initially submits email/password combinations via AJAX POST to "processmail.php", then deliberately displays an "Incorrect Password" error on the first attempt to enhance credibility before proceeding to collect OTP codes through a second form that posts to "process.php". The campaign impersonates Adobe and Greenvelope invitation services while spoofing multiple major email providers (Outlook, Office365, Yahoo, AOL) through a single interface, using professional branding with blurred background images and legitimate-looking modal dialogs to build trust.

The page employs JavaScript-based form handling with multi-stage validation logic, countdown timers for OTP entry, and loading animations to simulate real authentication processes, while the domain uses an extremely long randomized subdirectory structure ("ewdfrgthyjunbvgcfxdsweawqzxcdfvgbhnjmkoplmtrfedwqbvgfd.net/ezwsdfrgb/erfghbnjk/paperlesscountdown/") likely for evasion purposes. This represents a moderate sophistication level with its two-stage credential harvesting, MFA token collection, and convincing UI design that mimics legitimate authentication flows, though it relies on basic PHP backend processing rather than advanced real-time validation techniques.

Recommendations

  • Deploy advanced email security filters to detect and block messages containing links to Azure blob storage domains (web.core.windows.net) when sent from external sources or containing tech support-related keywords
  • Implement DNS monitoring and blocking for newly registered domains with suspicious patterns, particularly those using randomized character strings or mimicking legitimate service naming conventions
  • Configure network security tools to flag and investigate traffic to domains hosting multi-stage credential harvesting forms, specifically monitoring for POST requests to common phishing endpoints like "processmail.php" and "process.php"
  • Enable conditional access policies that require additional verification for authentication attempts following links from external email sources, particularly when MFA tokens are requested immediately after initial login
  • Deploy user awareness training focused on identifying fake Microsoft support scams, emphasizing that legitimate Microsoft security alerts never display persistent phone numbers or disable normal computer functions
  • Implement URL reputation checking and real-time analysis for proxy-based phishing services that obfuscate legitimate domains through encoding schemes, particularly targeting gaming and educational platforms
  • Configure security monitoring to detect and alert on authentication attempts that exhibit the "incorrect password retry" pattern commonly used in credential validation attacks, where users are prompted to re-enter credentials after an initial fake failure
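As an added example of the monitoring the third and last recommendations describe (not part of the report or of Identity Automation's products), the following Python scans a constructed proxy-log excerpt for a client that POSTs to processmail.php and then, within a short window, to process.php on the same host, and notes when the credential endpoint was hit twice, the fake incorrect-password retry seen in these kits. The log line format and the 10-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy-log excerpt (not from the report). Assumed format:
# "<ISO-8601 UTC time> <client IP> <method> <url> <status>"
SAMPLE_LOG = """\
2026-03-09T14:02:11Z 10.20.0.15 GET  http://jebx.life/vs/ 200
2026-03-09T14:02:40Z 10.20.0.15 POST http://jebx.life/vs/processmail.php 200
2026-03-09T14:03:05Z 10.20.0.15 POST http://jebx.life/vs/processmail.php 200
2026-03-09T14:03:50Z 10.20.0.15 POST http://jebx.life/vs/process.php 200
2026-03-09T14:10:00Z 10.20.0.22 POST https://intranet.example.com/processmail.php 200
2026-03-09T15:30:00Z 10.20.0.22 POST https://intranet.example.com/process.php 200
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(\d{3})$")

# Endpoint names reported for the multi-stage Adobe/Greenvelope kits.
CRED_ENDPOINT = "processmail.php"   # first stage: email + password
OTP_ENDPOINT = "process.php"        # second stage: MFA code


def parse_log(text: str) -> list[dict]:
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        parts = urlsplit(m[4])
        events.append({
            "ts": datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ"),
            "client": m[2],
            "method": m[3],
            "host": parts.hostname or "",
            "path": parts.path,
            "url": m[4],
        })
    return events


def find_multistage_chains(events: list[dict], window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Flag (client, host) pairs where a credential POST is followed by an OTP
    POST inside the window. retry_pattern is True when the credential endpoint
    was posted to more than once, matching the deliberate 'Incorrect Password'
    trick that makes victims submit twice."""
    by_key: dict[tuple[str, str], list[dict]] = defaultdict(list)
    for e in events:
        if e["method"] == "POST":
            by_key[(e["client"], e["host"])].append(e)

    findings = []
    for (client, host), posts in by_key.items():
        posts.sort(key=lambda e: e["ts"])
        cred_posts = [e for e in posts if e["path"].endswith("/" + CRED_ENDPOINT)]
        otp_posts = [e for e in posts if e["path"].endswith("/" + OTP_ENDPOINT)]
        if not cred_posts or not otp_posts:
            continue
        first_cred = cred_posts[0]["ts"]
        otp_in_window = [e for e in otp_posts if first_cred <= e["ts"] <= first_cred + window]
        if not otp_in_window:
            continue  # same endpoints but no tight stage-to-stage sequence
        findings.append({
            "client": client,
            "host": host,
            "credential_posts": len(cred_posts),
            "retry_pattern": len(cred_posts) >= 2,
            "first_credential_post": first_cred,
            "otp_post": otp_in_window[0]["ts"],
        })
    return findings


if __name__ == "__main__":
    for f in find_multistage_chains(parse_log(SAMPLE_LOG)):
        print(f"{f['client']} -> {f['host']}: credential POSTs={f['credential_posts']}, "
              f"retry={f['retry_pattern']}, OTP at {f['otp_post'].isoformat()}")
```

On the sample above only the jebx.life chain is reported; the second client also hits both endpoint names but more than an hour apart, so it falls outside the window.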
