Phish Wire - May 20, 2026
Between May 07, 2026 and May 20, 2026, our team analyzed 18 distinct phishing incidents targeting organizations across Kentucky, Georgia, Colorado, Florida, Illinois, Idaho, and Minnesota, spanning credential harvesting, adversary-in-the-middle session relay, and vishing lures built to drive phone calls to fraudulent support lines. The dominant capture mechanisms were conventional HTML form POST to attacker-controlled endpoints, operator-assisted AiTM relay using real-time WebSocket channels to intercept MFA codes as they were issued, and double-submit harvesting flows that returned a false "Incorrect Password" response on first submission to coerce a second, correctly typed entry alongside a sequential OTP collection stage. Impersonated brands and platforms identified from on-page evidence include Microsoft 365, Microsoft Azure AD, Microsoft Windows Support, GoDaddy, Adobe, Greenvelope, GoGuardian, and a fabricated streaming service operating under the InFlix name.
Infrastructure distribution leaned heavily on German-TLD domains (coffeemomentsonhold[.]de, reliablecontinuity[.]de, brandtrustsolutions[.]de, confidentlystructured[.]de) alongside typosquatted .com registrations, with two incidents abusing legitimate hosting surfaces — Microsoft Azure Static Web Apps and Heroku's platform-as-a-service — specifically to inherit the trust signals those domains carry on corporate filtering stacks and social media link-preview checks. The period's most operationally significant pattern is the clustering of real-time MFA interception capability across multiple independent kits: pitindustrial[.]com used a Socket.IO operator channel, skiqtppyardservice[.]vu and pacifcprime[.]com reproduced complete multi-step MFA flows with pre-populated victim email addresses, and the ecardguesttotheme[.]nl and chubi[.]vu kits appended a timed OTP collection stage immediately after first-factor capture, a convergence that reflects wider commoditization of session-hijacking techniques previously associated with more sophisticated tooling.
Domains Reviewed
- feedingamerica.coffeemomentsonhold[.]de/lJCNo/ (9 variants)
- log1nhzkivbmlfm6lwmkc3e0afpak7.portal.pacifcprime[.]com/e/6KCFNedaCnxx39... (11 variants)
- uiocnew-eaduiutra-003-6b8a962e0294.herokuapp[.]com/?gad_source=5&gad_cam... (6 variants)
- viruswarning0519us11fcfj.z13.web.core.windows[.]net/?utm_medium=paid&utm... (26 variants)
- bgcappclub.coffeemomentsonhold[.]de/dBhe0/
- fmcpe-com.translate[.]goog/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_...
- gbtceh[.]net/ism/paperlesscountdown/
- openfile.reliablecontinuity[.]de/nATpq/ (13 variants)
- fbcw.brandtrustsolutions[.]de/p4OiO/
- nwsnext.confidentlystructured[.]de/8Ec9J/
- ecardguesttotheme[.]nl/big/paperlesscountdown/
- confirm.tkburgers[.]com/5cfef340-b2b0-fcb7-99ec-11c51e90fded/login
- v1.pitindustrial[.]com/tkgv1aq/bij1cwt/bkyld1p/s/index.php?aXBkYXRhPTE3M... (4 variants)
- a9tl3dfdim95.on-forge[.]com/?gad_source=5&gad_campaignid=23814440549&gcl... (2 variants)
- 3970.avenueonneresidential[.]com/IS3o7lc7Bk8E64XFc_lhzKI7XOH9gZ49xl80KBF...
- meetingdunritelawnmaintenancesolutions.skiqtppyardservice[.]vu/ClOd-FoLd... (4 variants)
- www.inflix.co[.]in/register/
- chubi[.]vu/tep/vin/CJ/

A credential-harvesting page impersonating both Microsoft 365 and GoDaddy targeted a Kentucky organization, presenting a dual-branded lure built around a fabricated "Sharing Link Validation" prompt. Detections occurred on May 18, 2026, May 19, 2026, and May 20, 2026, totaling 9 events across that three-day window, suggesting a sustained delivery campaign rather than a single phishing blast. The page is hosted at feedingamerica.coffeemomentsonhold[.]de, a domain that fronts itself with the Feeding America charity name while the actual credential form draws Microsoft Fluent UI component classes alongside a fully embedded GoDaddy login panel under the id sections_godaddy, giving the kit a layered brand-confusion quality that can disorient a recipient who recognizes one but not both identities.
The primary capture surface is a standard HTML form with Microsoft-styled email and password input fields backed by the GoDaddy login panel markup, and the background image is loaded from a relative path 1.png, a common pattern in commodity phishing kits where all assets sit in the same directory on a compromised or throwaway host. The title element reads "Sharing Link Validation," a generic document-sharing pretext designed to make a credential prompt feel procedurally necessary, and the viewport meta tag blocks user scaling, a mobile-targeting signal that reduces a victim's ability to inspect the URL bar before submitting credentials.

A credential-harvesting page impersonating Microsoft 365 targeted a Kentucky organization, presenting a pixel-accurate replica of the Azure AD converged sign-in flow — including functional GitHub federated login, passkey support, and a fully populated country phone-code list — hosted under the typosquatted domain pacifcprime[.]com. Detections occurred on May 08, 2026, May 12, 2026, May 13, 2026, and May 20, 2026, with 11 total events across those four dates indicating a repeating campaign rather than a single blast. The primary capture mechanism is a form POST to urlPost at log1nhzkivbmlfm6lwmkc3e0afpak7.portal.pacifcprime[.]com/common/login, with a parallel MSA credential path posting to srvg28vpr3hrshoirdxcagefxisj.portal.pacifcprime[.]com, meaning both work and personal Microsoft accounts are in scope.
The kit operates a multi-subdomain infrastructure under pacifcprime[.]com — separate subdomains handle the login front-end, the MSA authentication relay, the Office Home redirect landing, and the password-reset flow — reproducing the full session-state machinery that legitimate Azure AD uses, including live-generated flowTokens, context blobs, canary tokens, and a FIDO challenge JWT issued against login.microsoft[.]com. Because the page faithfully replicates every post-authentication step including MFA prompts and OTP handling (GetOneTimeCode endpoint present in config), a user who completes the full flow hands the kit not just a password but a live, MFA-satisfied session context, which is what makes the multi-subdomain session-relay design the detail defenders should anchor detection logic on.

A tech-support-scam page impersonating Microsoft Support — complete with a fake SmartScreen block, a fabricated live-chat widget displaying an agent "online," and a scatter of simulated Windows security dialogs — targeted California, Florida, Georgia, Kentucky and Virginia organizations with the goal of inducing a phone call to the toll-free number +1 (855) 670-5179. Detections occurred on May 12, 2026 and May 20, 2026, with six total events across that window suggesting repeated exposure rather than a single click. The primary capture mechanism is social engineering via phone: the HTML hard-codes the number in three distinct locations — the chat widget body, a fake SmartScreen modal styled in Microsoft's #0067b8 blue, and an "Authentication Required" dialog claiming Windows Firewall has locked the session — with all text input fields set to `disabled`, meaning no credential form is ever submitted to a server endpoint and there is no POST target or JavaScript exfiltration call visible in this page's code.
Supporting the pressure environment, the page renders approximately twenty overlapping absolute-positioned dialog boxes reading "Memory access violation at 0x88412" and "Password required for System32," the browser cursor is suppressed via `cursor: none` on the root element, and a live Tawk[.]to chat instance (property ID 69bc0d8a25f53e1c37bb9468) is initialized alongside GoGuardian asset injections, the latter indicating the victim context is a managed browser environment consistent with a K-12 or similar institutional deployment. The campaign is hosted on Heroku's platform-as-a-service (herokuapp[.]com), and the delivery URL carries Google Ads tracking parameters — `gad_source`, `gad_campaignid`, and `gclid` — meaning the lure was likely served through paid search placements, which explains how it reached users in a managed environment where outbound browsing is filtered. For defenders, the absence of any credential form means email-based IOCs and POST-destination blocklists provide no coverage here; the detection surface is the phone number itself, the Heroku subdomain pattern, and the Tawk[.]to property ID, all of which are pivotable indicators for finding related infrastructure.
Related subdomain variants:
- madrearoiu-001-47cacac48df8.herokuapp[.]com
- uiocnew-eaduiutra-003-6b8a962e0294.herokuapp[.]com

A tech-support scareware page impersonating Microsoft Windows Support — complete with the four-square Microsoft logo, Segoe UI typography, and fabricated "SmartScreen - Preventive Block" and "Authentication Required" overlays — targeted Arizona, Georgia, Kentucky, and Virginia organizations with the goal of inducing a phone call to a fraudulent support line rather than harvesting credentials through a form POST. Activity was observed across the period from May 07, 2026 to May 19, 2026, producing 26 separate detections, a span consistent with a paid social campaign running to budget exhaustion rather than a single blast. The primary conversion mechanism is a hardcoded telephone number, +1 (888)951-7136, displayed in three separate UI elements — a blue "SmartScreen" modal, an "Authentication Required" dialog, and a chat widget — each framing the call as the only path to unlocking the victim's machine; the two disabled form fields labeled "Email" and "Unlock Key" exist purely as visual props and accept no input, so there is no client-side credential exfiltration in this page.
The panic state is manufactured through 26 absolutely-positioned popup windows carrying two alternating messages — "Password required for System32" with a yellow lock icon and "Memory access violation at 0x88412" with a red prohibition icon — tiled across the full viewport alongside a hidden cursor (cursor: none) to deny the user normal navigation confidence. The page is hosted on Azure Static Web Apps (z13.web.core.windows.net), and the inbound URL carries Facebook Ads attribution parameters (utm_source=fb, fbclid), indicating the scareware was distributed as paid Facebook advertising and that the legitimate Microsoft-owned hosting domain was a deliberate choice to pass link-preview trust checks on the platform.
Related subdomain variants:
- fgd434343e.z13.web.core.windows[.]net
- fgrtrt7667544.z13.web.core.windows[.]net
- message507js773cik17r.z13.web.core.windows[.]net
- viruswarning0507us8gbza0.z13.web.core.windows[.]net
- viruswarning0507usdpx2hj.z13.web.core.windows[.]net
- viruswarning0507usx6iymd.z13.web.core.windows[.]net
- viruswarning0507usz22nev.z13.web.core.windows[.]net
- viruswarning0508us6xay7d.z13.web.core.windows[.]net
- viruswarning0511usxmazbw.z13.web.core.windows[.]net
- viruswarning0512ush65gr9.z13.web.core.windows[.]net
- viruswarning0513us1m9og0.z13.web.core.windows[.]net
- viruswarning0513usgoytgt.z13.web.core.windows[.]net
- viruswarning0513uss5tlmt.z13.web.core.windows[.]net
- viruswarning0513uswvx9s8.z13.web.core.windows[.]net
- viruswarning0514useo9ju7.z13.web.core.windows[.]net
- viruswarning0514usllln5s.z13.web.core.windows[.]net
- viruswarning0515us0hif68.z13.web.core.windows[.]net
- viruswarning0515usiqxrud.z13.web.core.windows[.]net
- viruswarning0518us6nyjgx.z13.web.core.windows[.]net
- viruswarning0518us71w005.z13.web.core.windows[.]net

A credential-harvesting page impersonating both Microsoft 365 and GoDaddy targeted a Kentucky organization, presenting a layered fake login UI that blends Microsoft's Fabric design system — including the characteristic `#0078d7` blue banner, Segoe UI typography, and a "Sharing Link Validation" title — with a GoDaddy-branded password form housed under a `#sections_godaddy` DOM layer. Activity was confined to May 18, 2026. The page renders a standard HTML form with username and password fields styled to match GoDaddy's own `ux-field-frame` and `ux-text-entry-shell` components, and while the HTML is truncated, the presence of a `submitBtn` element and a fully instrumented form-input container points to a conventional form POST as the credential-capture mechanism, with credentials submitted from a path on `coffeemomentsonhold[.]de`, a German-registered domain almost certainly serving as attacker-controlled or compromised hosting rather than a legitimate Microsoft or GoDaddy property.
The dual-brand layering is the operationally significant detail here: the Microsoft 365 chrome primes the victim to expect a familiar file-sharing gate, while the GoDaddy password panel harvests credentials for an account that may control a domain, DNS records, or email routing — a higher-value target than a standalone M365 session. A defender examining this page in a proxy or sandbox will see a visually coherent login experience with no obvious obfuscation, which means standard screenshot-based detection tools may flag it as benign, and the single observed event suggests either tight targeting or early-stage delivery before a broader blast.

A Google Translate proxy page surfacing a Minecraft PE mod and addon site targeted an Idaho organization, with the actual content drawn from fmcpe[.]com and delivered through the translate[.]goog subdomain infrastructure. Activity was confined to May 18, 2026. The page presents a functional login form with fields for username and password that POST to the site's own backend, but the delivery mechanism is the structural tell: wrapping fmcpe[.]com inside a translate[.]goog proxy URL means the rendered domain in the browser address bar is a Google-owned subdomain, lending the page apparent legitimacy while the underlying origin remains fmcpe[.]com.
GoGuardian scripts loaded from asset[.]goguardian and localstorage[.]goguardian are injected into the page head, which is consistent with a managed student device running GoGuardian's browser extension — the Idaho organization is most likely a K-12 school or district, and the Minecraft Education Edition framing in the site's title and metadata aligns with that environment. The translate[.]goog proxy technique does not require any attacker-controlled infrastructure; it abuses a legitimate Google service to launder the destination URL, which makes domain-reputation filtering largely ineffective and shifts the detection burden onto behavioral controls and content inspection.

A credential-harvesting page hosted at gbtceh[.]net impersonating a paperless document or notification portal targeted a Colorado organization. Activity was confined to May 17, 2026, with a single observed event suggesting a targeted delivery rather than a broad spray campaign. The page renders a blurred background image pulled from a relative path alongside a centered overlay panel styled with Bootstrap 4 and Font Awesome, a layout pattern common to credential-capture kits that mimic internal portals or document-access gates; the HTML includes color-coded button classes labeled b1 through b5, which are consistent with multi-provider login-option pages that prompt victims to select their identity provider before submitting credentials.
The bulk of the embedded CSS belongs to the Texthelp product suite — a legitimate UK-based assistive-technology vendor whose front-end component library appears to have been lifted wholesale — which gives the page a veneer of institutional familiarity that a recipient from an organization already licensed for Texthelp tools would find credible. The path segment paperlesscountdown in the URL implies a countdown-to-deadline lure, a social-engineering pressure mechanism designed to compress the time a target spends scrutinizing the page before entering credentials; defenders should treat any inbound link containing that path pattern as high-confidence phishing regardless of the domain it appears on.

A credential-harvesting page impersonating a generic Microsoft account sign-in portal targeted a Kentucky organization, presenting a standard username-and-password form styled entirely with Bootstrap 4 CSS and carrying the browser tab title "Sign in to your account." Detections occurred on May 11, 2026, May 12, 2026, and May 15, 2026, totaling 13 observed events across those three days, a pattern consistent with a phishing email distributed in waves rather than a single blast. The page delivers credentials via a conventional HTML form POST, with the Bootstrap-only construction — no external JavaScript libraries, no fetch() calls, no WebSocket handles visible in the captured markup — placing the exfiltration logic entirely server-side at the POST handler on reliablecontinuity[.]de, a domain whose name gestures at business-continuity services and lends the infrastructure a veneer of legitimacy.
The path component /nATpq/ functions as a campaign token, a common technique for tracking individual targets or delivery batches without embedding identifiers in the URL query string where they are more easily stripped by mail gateways. Because the credential-capture logic lives on the server and the client-side markup is clean Bootstrap, signature-based browser-side detection and JavaScript sandboxing will produce no signal, meaning the practical detection surface for this page is the delivery vector — the phishing email — and the DNS or proxy block on reliablecontinuity[.]de itself.

A credential-harvesting page impersonating a generic Microsoft "Sign in to your account" portal targeted a Georgia organization, presenting a standard Bootstrap 4 login form with no visible brand-specific imagery beyond the page title. Activity was confined to May 14, 2026, with a single observed event suggesting a narrow, possibly targeted delivery rather than a broad spray campaign. The primary capture mechanism is an HTML form collecting username and password fields, with submission routed to a handler on the hosting domain fbcw.brandtrustsolutions[.]de, a German-registered domain whose name borrows trust-signaling vocabulary while operating outside any legitimate Microsoft infrastructure.
The page is built entirely from an unmodified Bootstrap 4 CDN stylesheet with no JavaScript obfuscation, no anti-analysis logic, and no geofencing, meaning the kit is low-complexity and the operator relied on the delivery mechanism — likely a convincing email lure — to do the social-engineering work rather than any server-side filtering. From a detection standpoint, the absence of evasion makes the page straightforward to flag on URL reputation or domain age alone, but the single-event footprint suggests defenders should treat this as a signal of targeted delivery where the phishing email itself, rather than the landing page, is the primary artifact worth recovering.

A credential-harvesting page impersonating a generic Microsoft account sign-in portal targeted a Georgia organization, presenting a standard Bootstrap 4 login form with the page title "Sign in to your account" and no visible brand-specific imagery beyond the framework's default styling. Activity was confined to May 11, 2026, with a single observed event suggesting a targeted delivery rather than a broad spray campaign. The page collects credentials through an HTML form built on Bootstrap 4 form-control components, and while the full form action endpoint is not visible in the truncated HTML, the structure is consistent with a static credential-harvest kit that POSTs username and password fields to an attacker-controlled handler on the same host, confidentlystructured[.]de.
The hosting domain follows a pattern common to attacker-registered or compromised German-TLD domains repurposed as phishing infrastructure, with the random-path component of the URL (/8Ec9J/) serving as a per-victim or per-campaign token that can be rotated to invalidate scanners and burned links. Because the lure relies entirely on the generic "Sign in to your account" title and Bootstrap's default visual language with no explicit brand logo loaded in the visible markup, a user who arrives at the page through an out-of-band lure such as email or SMS has no visual anchor beyond the form itself to trigger suspicion, which means URL inspection remains the primary available signal for detection at the endpoint layer.

A credential-harvesting page impersonating Adobe and the Greenvelope online-invitation platform, backed by a multi-provider email-login lure, targeted an Illinois organization. Activity was confined to May 09, 2026, with a single observed detection. The primary capture mechanism is a form POST to processmail.php on the attacker-controlled domain ecardguesttotheme[.]nl, collecting email address, password, and a numeric provider ID that identifies which brand button the victim clicked; a second form POST to process.php then harvests whatever OTP the victim received on their phone, meaning the kit is designed to capture both the first-factor password and a live MFA code in sequence.
The double-submit pattern on the first form is deliberate: every submission regardless of credentials returns an "Incorrect Password" message to prompt a second attempt, a technique that increases the probability of collecting a correctly typed password when a victim assumes the first entry had a typo. For defenders, the practical consequence is that a user who completes this flow has handed the operator a valid password and a time-limited OTP in a single session, giving the operator a narrow but functional window to authenticate to the real service before the OTP expires.

A credential-harvesting page impersonating the GoGuardian platform targeted a Kentucky organization, serving a login form under a domain (confirm.tkburgers[.]com) that has no legitimate relationship to GoGuardian's actual infrastructure. Activity was confined to May 08, 2026, with a single detection observed. The page loads GoGuardian's production JavaScript assets directly from asset.goguardian and localstorage.goguardian, borrowing the real platform's cross-domain local storage bridge (xdLocalStorage) to render a visually authentic session environment without hosting those resources locally.
The UUID-shaped path segment (5cfef340-b2b0-fcb7-99ec-11c51e90fded) before the /login endpoint is a common per-target token pattern used to scope credential submissions to individual victims and to invalidate the page once a link has been used or reported. The page's title element is empty and no credential exfiltration endpoint is visible in the truncated HTML, meaning the POST target or JavaScript-driven fetch call likely lives in the body or in a dynamically loaded module — defenders should treat the absence of a visible form action as evidence of script-side exfiltration rather than a clean bill of health. Because the kit leans on legitimate GoGuardian JavaScript served from GoGuardian's own CDN, network-layer controls that allowlist goguardian domains will not flag the external script loads, and the burden of detection falls on the anomalous hosting domain itself.

A credential-harvesting page impersonating Microsoft 365 targeted a Kentucky organization, presenting a multi-stage login flow designed to capture passwords and then intercept MFA codes through simulated Microsoft Authenticator push prompts and SMS one-time-password fields. Activity was confined to May 08, 2026, with four detections recorded. The page delivers credentials and OTP codes to a backend PHP handler at pitindustrial[.]com via form submissions, while a Socket.IO WebSocket connection — loaded from the CDN at two distinct version pins (4.6.0 and 4.7.5) — provides the operator a real-time channel to relay MFA challenges and drive which form block the victim sees next, a pattern consistent with operator-assisted adversary-in-the-middle kits rather than a purely static harvester.
The victim email address is pre-populated into the password, authenticator-push, and OTP blocks before the page renders, so the user lands on a form that already knows their identity, reducing friction and suppressing suspicion. The exfiltration endpoint is partially obscured behind a base64-encoded redirect target (decoding to thirdcar[.]top) embedded in the page JavaScript alongside a self-contained string-rotation obfuscation layer, meaning the final destination for harvested material is a domain separate from the hosting server, a design that survives takedown of the initial lure URL. Defenders should treat any MFA prompt arriving seconds after a password submission as a signal worth investigating, since this kit's real-time operator loop means an active human is on the other end waiting to accept or manipulate the push notification.

A tech-support-scam page impersonating Microsoft Support — styled to mimic the real support.microsoft.com help portal, complete with Microsoft branding, a "Helpdesk Windows Support" title, and Segoe UI typography — targeted Illinois and Minnesota organizations using a vishing lure centered on a toll-free callback number. Two detections occurred on May 08, 2026. There is no credential form POST or exfiltration endpoint in this page; the designed conversion action is a phone call to +1-833-976-5069, which the page surfaces repeatedly across three overlapping UI layers: a simulated Microsoft Support chat widget that pre-populates fabricated "anomalous activity detected from your IP (United States)" alerts, a fake Windows SmartScreen blue panel listing "Trojan.Spy.Win32" and identity theft detections, and a modal styled as a Windows Firewall authentication prompt — all hardcoded into the HTML and presented simultaneously to manufacture a sense of system compromise requiring immediate human-operator contact.
Supporting the visual pressure, the page renders roughly twenty absolutely-positioned fake Windows dialog boxes tiled across the viewport, alternating between "System Error / Memory access violation at 0x88412" and "Security / Password required for System32," all with pointer-events enabled so they cannot be dismissed by clicking the background, while CSS sets cursor to none to further disorient the user. The page is delivered through on-forge[.]com and carries Google Ads tracking parameters (gad_source, gclid), meaning this infrastructure was paid to appear in Google search results, and Cloudflare challenge scripts in the page body provide a layer of bot filtering that keeps automated crawlers from indexing the full payload. The delivery method — paid search driving users to a vishing lure rather than a credential-harvesting form — means email-focused controls offer limited coverage here, and the primary detection surface is outbound calls to the embedded number or DNS/proxy logs showing users reaching on-forge[.]com.
Related subdomain variants:
- 2eld04km0513.on-forge[.]com
- a9tl3dfdim95.on-forge[.]com
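The three Microsoft Support vishing lures in this issue (the Heroku, Azure Static Web Apps and on-forge[.]com pages) share the same markup signatures, and because none of them ever submits a form, inspecting the captured page content is the practical control. The following triage routine is an added example written for this report, not code from any kit or from a vendor tool named above; the sample markup, the phone number and the chat-widget ID are constructed placeholders, and the Tawk.to embed URL shape it parses (property ID as the first path segment of the embed script) is an assumption.

```python
"""Triage a captured landing page for tech-support-scam (vishing) indicators:
a toll-free number hard-coded in several UI layers, `cursor: none`, inputs set to
`disabled` with no real form target, tiled fake Windows dialogs, and a pivotable
third-party chat widget ID. Added example; not code from the kits described."""
import re
from collections import Counter
from html.parser import HTMLParser

# Constructed sample in the style of the pages above; the number and chat ID are placeholders.
SAMPLE_HTML = """
<html><head><title>Helpdesk Windows Support</title>
<style>html { cursor: none } .popup { position: absolute; top: 12px }</style>
<script>var s=document.createElement("script");
s.src="https://embed.tawk.to/000000000000000000000000/default";</script>
</head><body>
<div class="popup">Memory access violation at 0x88412</div>
<div class="popup">Password required for System32</div>
<div class="popup">Memory access violation at 0x88412</div>
<div class="modal">SmartScreen blocked this PC. Call Microsoft Support: +1 (800) 000-0000</div>
<div class="chat">Support agent online. Call +1 (800) 000-0000 now.</div>
<form><input type="text" disabled placeholder="Email"><input type="text" disabled placeholder="Unlock Key"></form>
</body></html>
"""

# Constructed benign control: an ordinary login page with a real form target and no pressure props.
BENIGN_HTML = """
<html><head><title>Sign in</title></head><body>
<form action="/login" method="post"><input name="user"><input name="pass" type="password"></form>
<p>Need help? Contact the service desk through the portal.</p>
</body></html>
"""

# North American toll-free numbers (800/833/844/855/866/877/888), loosely formatted.
TOLL_FREE = re.compile(r"\+?1?[\s.\-]*\(?8(?:00|33|44|55|66|77|88)\)?[\s.\-]*\d{3}[\s.\-]*\d{4}")
# Tawk.to embed script: property ID as the first path segment (assumed URL shape).
TAWK_PROPERTY = re.compile(r"embed\.tawk\.to/([0-9a-f]{24})")
# Dialog strings the scareware pages repeat across their tiled popups.
DIALOG_TEXT = ("Memory access violation", "Password required for System32")


class PageFeatures(HTMLParser):
    """Collects the structural features triage needs in one pass over the markup."""

    def __init__(self):
        super().__init__()
        self.disabled_inputs = 0
        self.form_actions = []
        self.dialog_count = 0
        self.text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and "disabled" in a:
            self.disabled_inputs += 1
        if tag == "form":
            self.form_actions.append(a.get("action"))

    def handle_data(self, data):
        # Script and style bodies also arrive here, so numbers hidden in JS are seen too.
        self.text.append(data)
        if any(s in data for s in DIALOG_TEXT):
            self.dialog_count += 1


def normalize_number(raw):
    """Reduce a matched phone string to its ten national digits so repeats collapse."""
    return re.sub(r"\D", "", raw)[-10:]


def triage_page(html):
    """Return the extracted indicators plus a score; a score >= 5 is treated as a vishing lure."""
    p = PageFeatures()
    p.feed(html)
    p.close()
    text = "\n".join(p.text)
    numbers = Counter(normalize_number(m.group(0)) for m in TOLL_FREE.finditer(text))
    tawk = TAWK_PROPERTY.search(html)
    findings = {
        "phone_numbers": dict(numbers),
        "cursor_hidden": bool(re.search(r"cursor\s*:\s*none", html)),
        "disabled_inputs": p.disabled_inputs,
        "fake_dialogs": p.dialog_count,
        "tawk_property_id": tawk.group(1) if tawk else None,
        "explicit_form_action": any(p.form_actions),
    }
    score = 0
    if numbers and max(numbers.values()) >= 2:
        score += 3  # the same number repeated across UI layers
    if findings["cursor_hidden"]:
        score += 2
    if p.disabled_inputs and not findings["explicit_form_action"]:
        score += 2  # inputs are props: nothing is meant to be submitted anywhere
    if p.dialog_count >= 3:
        score += 2
    if findings["tawk_property_id"]:
        score += 1  # third-party widget ID usable to pivot to related infrastructure
    findings["score"] = score
    findings["verdict"] = "vishing-lure" if score >= 5 else "no-vishing-indicators"
    return findings


if __name__ == "__main__":
    for name, html in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        print(name, triage_page(html))
```

The weights are deliberately skewed toward the repeated number and the disabled-input-without-target combination, since those two together are what distinguish a vishing lure from a noisy but legitimate support page; the extracted `phone_numbers` and `tawk_property_id` are the values to feed into blocklists and pivots.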

A credential-harvesting page impersonating Microsoft's sign-in portal targeted a Florida organization, presenting a pixel-accurate replica of the Microsoft account authentication flow complete with the Segoe UI font stack, Microsoft blue (#0067b8) button styling, and a favicon sourced from a local images directory. Activity was confined to May 08, 2026, with a single detection observed. The primary capture mechanism is a multi-stage JavaScript-driven form hosted at avenueonneresidential[.]com under a subdomain prefixed with a bare integer (3970), a pattern consistent with bulk-generated or templated phishing infrastructure, where the page logic defers to bundled scripts — runtime.chunk.js, vendors.commons.js, bot-detection.js, and bot-detection-config.js — to control flow, validate submissions, and route harvested credentials; the phpConfig object embedded in the page source carries a base64-encoded redirect value (prop_label_544) that decodes to a Microsoft error page at account.live[.]com, a classic post-submission misdirection technique designed to make the victim believe a routine login failure occurred.
The kit includes explicit bot-detection scaffolding and CSS-level anti-inspection controls — user-select disabled globally, right-click suppressed, and a honeypot field class (a_component_689) positioned at -9999px — all of which serve to impede automated analysis and slow down sandbox tooling rather than affect the victim's visible experience. A defender's practical takeaway is that the redirect-to-legitimate-error-page technique specifically targets user suspicion: a recipient who enters credentials and lands on a real Microsoft error page is likely to assume a transient service issue, reducing the probability they report the event before the session token or password has already been exfiltrated.

A credential-harvesting page impersonating Microsoft 365 targeted a Georgia organization, presenting a fully staged multi-step login flow that collected username, password, and MFA codes across sequential form sections. Activity was confined to May 07, 2026, with four separate detections recorded. Credential capture occurs through a PHP-backed form relay: the page pre-populates the victim's email address into each section via window.var_data_770, walks the user through password entry and then an MFA challenge — offering Authenticator app push approval, a TOTP code, or an SMS code with a partially masked phone number — and ships each submitted value to attacker-controlled infrastructure through two obfuscated JavaScript files (joCOTBtYncGjMkh.js and A31PhTt6OhTlZKIe.js) whose logic is intentionally withheld from the page source.
The kit implements several layered evasion measures visible in the HTML: CSS class names are randomized across every render, all human-readable strings in the DOM are fragmented with empty bold tags to break signature matching, a honeypot input field styled off-screen filters automated form submissions, and a PageValidator bot-detection object running in strict mode gates access before the main content is displayed. The pre-filled victim email and the faithful reproduction of every Microsoft MFA path — including a number-matching push screen showing entropy value 50 — mean a target arriving at this page has already been primed by a preceding lure email, and the MFA capture stages indicate the operator intends real-time session hijacking rather than deferred credential replay.

A credential-harvesting registration page impersonating a streaming service branded "InFlix" targeted a Kentucky organization, presenting a full account-creation form collecting email address, full name, and a plaintext password pair. Activity was confined to May 07, 2026, with a single observed event. The primary capture mechanism is a standard HTML form POST to /register/ on the attacker-controlled domain inflix[.]co.in, where the FOSUserBundle-style field naming — fos_user_registration_form[plainPassword][first] and fos_user_registration_form[plainPassword][second] — indicates the page is built on a Symfony PHP backend that receives and likely stores the submitted credentials server-side.
The page supplements the native form with OAuth-style social login buttons routing to /connect/facebook and /connect/google, which expands the harvest surface to federated identity tokens alongside directly entered passwords. Because the page presents as a legitimate account registration rather than a login prompt, users who encounter it have no prior password to recognize as compromised — the credential is created and captured in the same interaction, leaving no conventional "wrong password" signal that might prompt suspicion.

A credential-harvesting page impersonating Greenvelope, the online invitation service operated by Sincere Corporation, targeted a Minnesota organization with a multi-provider email login lure. Activity was confined to May 07, 2026. The primary capture mechanism is a modal form POSTing to processmail.php on the attacker-controlled host chubi[.]vu, with a parallel endpoint at process.php accepting OTP submissions, meaning the kit is designed to harvest both the account password and any MFA one-time code the victim's real provider dispatches.
The JavaScript submission handler deliberately returns an "Incorrect Password" message on the first credential submission regardless of what the user enters, a double-submit technique that coerces the victim into re-entering credentials and increases the probability of capturing a correctly typed password. The Gmail sign-in button hardlinks to chubi[.]vu/hdjd/accounts.google rather than triggering the same modal, indicating that path routes through a separate redirect or capture chain on the same attacker-controlled domain. The three-stage flow (password capture, then a fake "Verifying" delay, then an OTP collection modal with a five-minute countdown timer) is the operational tell here: a user who completes all three steps hands the attacker everything needed to authenticate against the real account in real time, making session invalidation the only recovery option after the fact.
Recommendations
- Configure proxy and DNS filtering to alert on login-form submissions to domains matching the pattern of attacker-registered German-TLD (.de) and other foreign-registered domains (coffeemomentsonhold[.]de, reliablecontinuity[.]de, brandtrustsolutions[.]de, confidentlystructured[.]de) presenting Microsoft or GoDaddy credential forms; the clustering of independently operated kits under this TLD pattern across multiple incidents makes it a high-confidence detection signal rather than noise.
- Detect adversary-in-the-middle session relay campaigns by monitoring for Microsoft 365 authentication flows — including flowToken issuance, FIDO challenge JWTs, and OTP endpoint calls — originating from hosts that are not microsoft[.]com or microsoftonline[.]com; the multi-subdomain relay infrastructure observed at pacifcprime[.]com reproduced every post-authentication step including live MFA satisfaction, meaning a blocked password alone provides no protection.
- Apply URL inspection controls that specifically flag the translate[.]goog proxy pattern when the proxied origin domain is not organizationally recognized; this technique requires zero attacker-controlled infrastructure and defeats domain-reputation filtering entirely, so detection must focus on the structural URL format (translate.goog/translate?u=) rather than the destination domain's reputation score.
- Train users in managed environments — particularly K-12 organizations given the GoGuardian and Minecraft-themed lures observed at herokuapp[.]com and tkburgers[.]com — to recognize that a locked screen with overlapping error dialogs, a suppressed cursor, and a toll-free callback number is a scripted panic state, not a real OS failure; the specific message strings "Memory access violation at 0x88412" and "Password required for System32" should be called out by name as known scareware props.
- Block outbound calls and flag internal reports referencing the specific toll-free numbers observed across the vishing incidents (+1 (855) 670-5179, +1 (888) 951-7136, +1-833-976-5069); unlike credential-harvesting pages, these tech-support scam lures — delivered via paid Google and Facebook advertising to on-forge[.]com and z13.web.core.windows[.]net — produce no POST traffic or DNS artifact until a user dials the number, making the phone number itself the only pivotable IOC available post-exposure.
- Alert on any MFA prompt arriving within seconds of a password submission event, particularly where the authentication session originates from an unfamiliar IP or device; the Socket.IO WebSocket operator loop observed at pitindustrial[.]com and the sequential OTP-capture modals at ecardguesttotheme[.]nl and chubi[.]vu confirm that real-time human operators are waiting to relay credentials, meaning the window between password submission and account takeover is measured in seconds rather than hours.
- Treat path segments structured as random short strings or UUIDs appearing before a /login endpoint — such as the /nATpq/ token at reliablecontinuity[.]de, the /8Ec9J/ token at confidentlystructured[.]de, and the UUID path at tkburgers[.]com — as high-confidence indicators of per-victim campaign tokens rather than legitimate application routing; proxy logs should be configured to alert when these patterns appear on domains with no established organizational relationship, since the tokens are specifically designed to invalidate scanners and survive standard signature matching.
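The structural URL rules from the translate[.]goog, German-TLD and token-path recommendations above can be expressed as a single proxy-log classifier. The following is an added example (not PhishID tooling or code from this report); it assumes a hypothetical allowlist of organizationally recognized hosts, a constructed "timestamp src method url" log format, and the translate.goog/translate?u= form exactly as the report describes it, with phish-origin.example as a placeholder origin.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hosts the organization legitimately authenticates to (assumed allowlist).
KNOWN_HOSTS = {"login.microsoftonline.com", "sso.example.org"}

# Short random token or UUID as the first path segment directly before /login.
TOKEN_LOGIN = re.compile(
    r"^/(?:[A-Za-z0-9]{4,8}|[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12})"
    r"/login(?:/|$|\.)"
)

def is_known(host: str) -> bool:
    return host in KNOWN_HOSTS or any(host.endswith("." + h) for h in KNOWN_HOSTS)

def classify(method: str, url: str) -> list[str]:
    """Return the structural indicators matched by one proxy-log request."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    hits = []
    # Rule 1: Google Translate proxy wrapping an origin we do not recognize.
    if host.endswith("translate.goog") and u.path == "/translate":
        target = parse_qs(u.query).get("u", [""])[0]
        origin = (urlsplit(target).hostname or "").lower()
        if not is_known(origin):
            hits.append("translate-proxy:" + origin)
    # Rule 2: per-victim token path before /login on an unknown host.
    if TOKEN_LOGIN.match(u.path) and not is_known(host):
        hits.append("token-login-path")
    # Rule 3: form POST to an unknown .de host (this period's TLD clustering).
    if method == "POST" and host.endswith(".de") and not is_known(host):
        hits.append("de-tld-post")
    return hits

# Constructed proxy log lines (timestamp src method url), not real telemetry;
# the .de domains and token paths are the ones named in this report.
SAMPLE_LOG = """\
2026-05-12T09:14:02Z 10.0.4.21 GET https://reliablecontinuity.de/nATpq/login
2026-05-12T09:14:09Z 10.0.4.21 POST https://reliablecontinuity.de/nATpq/login
2026-05-13T11:02:44Z 10.0.7.3 GET https://translate.goog/translate?u=https://phish-origin.example/login
2026-05-13T11:03:10Z 10.0.7.3 POST https://login.microsoftonline.com/common/oauth2/v2.0/token
"""

def scan(log: str) -> list[tuple[str, list[str]]]:
    """Return (url, indicators) for every log line that matches at least one rule."""
    alerts = []
    for line in log.splitlines():
        _, _, method, url = line.split(" ", 3)
        hits = classify(method, url)
        if hits:
            alerts.append((url, hits))
    return alerts
```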
