Phish Wire - May 6, 2026
Between April 23, 2026 and May 06, 2026, our team analyzed 17 distinct phishing incidents targeting several organizations. The dominant credential-capture mechanisms observed were multi-stage form POST flows to attacker-controlled endpoints — frequently split across processmail[.]php and process[.]php to separate password and OTP collection — alongside obfuscated JavaScript bundles carrying concealed exfiltration logic, a double-submit friction pattern designed to coerce at least two password attempts per victim, and one incident consistent with a full AiTM OAuth proxy relaying live Microsoft session tokens.
Impersonated brands identified from on-page evidence include Microsoft 365, Microsoft Windows Defender, OneDrive, Entra ID, Netflix, Yahoo Mail, Adobe, Greenvelope, and Paperless Post, with Microsoft properties accounting for most kit deployments across the period. Infrastructure trends include abuse of legitimate cloud hosting on Azure Blob Storage, actor-controlled domains registered under the [.]vu and [.]cyou country-code TLDs, a typosquat on a named insurance broker's domain supporting a purpose-built multi-subdomain proxy, and delivery through paid Facebook and Google advertising channels that bypass email-based controls entirely.
The most operationally significant pattern across this period is the consistency of per-victim link tokenization combined with pre-populated email addresses at render time, indicating that most of these kits were deployed against identified targets whose addresses the operators already held. The AiTM infrastructure observed in one campaign — replicating live OAuth state objects, FIDO challenge tokens, and cross-domain session artifacts — represents a level of session-fidelity that makes user-visible URL inspection an unreliable detection signal for that subset of the activity.
Domains Reviewed
- viruswarning0506us5ncto1.z13.web.core.windows[.]net/?utm_medium=paid&utm... (23 variants)
- crwleymaritimecorporationgroup.tewjpchosolutions[.]vu/OnDv-OpEn-pk5Yq2C5...
- yurgsokd2lda.on-forge[.]com/?gad_source=5&gad_campaignid=23818869064&gcl... (2 variants)
- iclix.tkburgers[.]com/9680ba1a-32b5-631f-636a-7f91bd9339eb/login
- michytredqwdcvfgbhytrevffghnjoplkmjnhgbawsedfrtgy[.]net/newbrdawluyhtgfr... (2 variants)
- login.acsgroupus[.]com/?auth=2&sso_reload=true (3 variants)
- lp92czxo.authlnk[.]com/login/U1NRZ7To007FGX2JA7mQpG2Vljca78Fxr2KQ
- gpuux[.]vu/ste/phe/JW/
- opendpartyviewfo[.]net/skllm/dixsgubj/sdjcxkn/paperlesscountdown/ (2 variants)
- sysop[.]vu/old/open/
- gilanfarrarchitecture.canycomcanycom[.]com/Uax1WH9mBUJMietsDA320irmEiD99...
- financebudget.nationelbuild.co[.]uk/ClOd-NoTe-wg1kM1DkjkQ7_rP0V05C_DpyFu... (3 variants)
- storead16951b8943.blob.core.windows[.]net/pool-ad16951b8943/Win20Errfb02... (17 variants)
- bemyguests[.]one/SaveDateCard/peluwork/invitation/
- dn6z5nh3p3t.jahutche[.]cyou/
- log1nhzkivbmlfm6lwmkc3e0afpak7.portal.pacifcprime[.]com/e/mYJb89xsONuIfW... (2 variants)
- mciincglobalmanagementcapital.wernereumdnterprises[.]vu/ExCl-PrEsEnTaTiO...

A tech-support-scareware page impersonating Microsoft Windows Support targeted California, Florida, Georgia, Idaho, Kentucky, Maryland, Virginia and Washington organizations, presenting a fabricated "SmartScreen - Preventive Block" overlay that named specific malware families (Trojan.Spy.Win32) and demanded a call to +1 (866)297-8649 while layering an "Authentication Required" modal with disabled email and "Unlock Key" credential fields on top of a counterfeit Microsoft Support portal backdrop. Activity ran across the period from April 23, 2026 to May 06, 2026, spanning 23 separate detections, a duration consistent with a sustained paid-traffic campaign rather than a single blast. The primary capture surface is the "Authentication Required" dialog, which presents an email input and a password-type "Unlock Key" field alongside a phone number, with the credential fields rendered as disabled in the static HTML — meaning the actual exfiltration logic lives inside the bundled JavaScript module loaded from ./assets/index-DvsLmbh3.js, which was not available for review but is the only viable path for form handling given the page's React-style single-page-application structure.
The URL query string carries Facebook Ads tracking parameters (utm_source=fb, fbclid) and a campaign ID, confirming the lure was delivered through paid Facebook advertising and that the threat actor was instrumenting click-through performance. The scareware layer itself is built from roughly twenty positioned "Security" and "System Error" toast-style overlays scattered at fixed viewport coordinates with a hidden cursor (cursor: none on the root element), a combination that floods the visible screen with fabricated Windows dialogs and removes the user's ability to see where their mouse pointer is, amplifying the pressure to either call the phone number or interact with the credential dialog — a user who understands that a browser tab cannot generate a Windows Firewall lock or a System32 password prompt is unlikely to engage, making end-user familiarity with the limits of browser-based UI the most direct check against this technique.
Related subdomain variants:

A credential-harvesting page impersonating Microsoft 365 targeted a Kentucky organization, presenting a fully staged multi-step login flow — email collection, password entry, and MFA capture — consistent with a PHP-backed phishing kit rather than an AiTM proxy. Activity was confined to May 06, 2026. Credential submission is handled by obfuscated JavaScript loaded from same-origin paths (js/YkPhYEvnIgd12Ia.js and js/6lqgs4zCHYYN958e.js), with randomized CSS class names and element IDs generated per-deployment to frustrate signature-based detection; the exfiltration endpoint itself is not visible in the HTML, which is consistent with the JS files carrying the POST logic.
The kit captures credentials across four discrete stages — username, password, an authenticator app push with a hardcoded number ("50") displayed to prompt MFA approval, an SMS OTP, and a TOTP code entry — meaning a fully completed interaction hands the operator a username, plaintext password, and a live MFA token in sequence. The victim's email address is pre-populated in the page at render time (visible in window.var_utils_637), which means the link was personalized before delivery and the target would see their own address displayed as a trust signal throughout the flow. The hosting domain tewjpchosolutions[.]vu carries no surface connection to either the impersonated brand or the fictitious "Crwley Maritime Corporation Group" likely used as lure context, and the URL's base64 token embedded in the path is consistent with per-victim tracking that lets the operator correlate submitted credentials to a specific target.

A credential-harvesting page impersonating a Windows IT helpdesk portal — built on the Texthelp assistive-technology platform's legitimate front-end framework — targeted Florida and Virginia organizations. Detections occurred on May 04, 2026 and May 06, 2026, totaling 2 separate events across that window. The page was served from yurgsokd2lda.on-forge[.]com and loaded a bundled JavaScript module at ./assets/index-B9IYpbun.js, which contains the application logic responsible for any credential capture; without the JS payload, the exact exfiltration endpoint cannot be resolved from the HTML alone, but the page titles itself "Helpdesk Windows Support" while pulling its icon from /defender.png, pairing a Windows Defender visual cue with a helpdesk authority lure to establish legitimacy before the user interacts with any form.
The URL carries Google Ads tracking parameters — gad_source, gad_campaignid, and gclid — indicating the campaign was distributed through paid Google search advertising, a delivery method that places the phishing page directly in front of users actively searching for IT support, bypassing email-based controls entirely. For defenders, the paid-search delivery channel is the most operationally significant detail here: email gateway and link-scanning controls offer no coverage for a lure that arrives through a browser search result, and the on-forge[.]com subdomain structure allows the actor to rotate unique subdomains per campaign while keeping the same hosting provider.
Related subdomain variants:
- ypwfhpcl58yh.on-forge[.]com
- yurgsokd2lda.on-forge[.]com

A credential-harvesting page impersonating Netflix targeted a Kentucky organization, presenting a full-fidelity login clone — including Netflix Sans custom fonts loaded from relative asset paths and a background image sourced from assets/image-1.png — consistent with a locally hosted static kit rather than a proxied session. Activity was confined to May 05, 2026, with a single observed detection. The page's actual HTML is stored base64-encoded in a data-html-b64 attribute on a script tag within the body, a delivery pattern that defers rendering of the phishing content until JavaScript decodes and injects it, allowing the raw page response to appear structurally inert to passive scanners that do not execute JavaScript.
The phishing kit is served under the subdomain iclix.tkburgers[.]com, a domain with no plausible connection to Netflix, and the UUID-style path segment 9680ba1a-32b5-631f-636a-7f91bd9339eb functions as a per-victim token, enabling the operator to invalidate links after first use or segment victim traffic by campaign wave. GoGuardian's content-filtering scripts are present throughout the outer page head — including asset.goguardian and xdLocalStorage cross-domain messaging assets — indicating the page was captured inside a managed school or district browser session, which tells defenders that the targeted Kentucky organization is likely an educational institution and that the victim encountered this URL through a supervised device where web filter telemetry should be available.
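The deferred-rendering trick above defeats a scanner that only parses the raw response. The check below is an added example (not the kit's code or any vendor's scanner): it decodes every data-html-b64 attribute and inspects the recovered markup for password inputs and per-victim UUID path tokens. The sample page is constructed for this example.

```python
"""Decode phishing markup hidden in a data-html-b64 attribute before scanning it."""
import base64
import re
from html.parser import HTMLParser

# Constructed sample: the outer page is structurally inert; the real login form
# only exists as base64 inside a script tag's data-html-b64 attribute.
INNER_HTML = (
    '<form method="post" action="/9680ba1a-32b5-631f-636a-7f91bd9339eb/login">'
    '<input name="email" type="text">'
    '<input name="password" type="password">'
    '<button>Sign In</button></form>'
)
SAMPLE_PAGE = (
    '<html><head><title>Netflix</title></head><body>'
    '<script data-html-b64="%s"></script>'
    '</body></html>' % base64.b64encode(INNER_HTML.encode()).decode()
)

# 8-4-4-4-12 hex groups, the UUID-style per-victim token shape seen in the path
UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)


class _B64Collector(HTMLParser):
    """Collect every data-html-b64 attribute value, whatever tag carries it."""

    def __init__(self):
        super().__init__()
        self.blobs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "data-html-b64" and value:
                self.blobs.append(value)


class _FormCollector(HTMLParser):
    """Count password inputs and record form actions in a fragment."""

    def __init__(self):
        super().__init__()
        self.password_inputs = 0
        self.form_actions = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1
        if tag == "form":
            self.form_actions.append(a.get("action") or "")


def extract_deferred_html(page: str) -> list:
    """Return the decoded HTML fragments hidden in data-html-b64 attributes."""
    collector = _B64Collector()
    collector.feed(page)
    fragments = []
    for blob in collector.blobs:
        try:
            # binascii.Error is a ValueError subclass, so one except covers both
            fragments.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:
            continue  # not valid base64; leave it for a human to look at
    return fragments


def credential_form_summary(html: str) -> dict:
    """Summarise credential-capture indicators in one HTML fragment."""
    forms = _FormCollector()
    forms.feed(html)
    return {"password_inputs": forms.password_inputs, "form_actions": forms.form_actions}


def scan_page(page: str) -> dict:
    """Scan the raw page and every decoded deferred fragment together."""
    raw = credential_form_summary(page)
    hidden = [credential_form_summary(h) for h in extract_deferred_html(page)]
    actions = [a for h in hidden for a in h["form_actions"]]
    return {
        "raw_password_inputs": raw["password_inputs"],
        "deferred_fragments": len(hidden),
        "deferred_password_inputs": sum(h["password_inputs"] for h in hidden),
        "deferred_form_actions": actions,
        "uuid_tokenized_actions": [a for a in actions if UUID_RE.search(a)],
    }


if __name__ == "__main__":
    print(scan_page(SAMPLE_PAGE))
```

Scanning only the raw response reports zero password inputs; the decoded fragment reports one, with its action carrying the UUID-style token.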

A credential-harvesting page embedding a real-time content-filtering and visitor-scoring framework targeted a Minnesota organization, presenting a blurred background with a centered login overlay consistent with a generic enterprise SSO lure. Activity was confined to May 05, 2026, with two total detections suggesting a narrow, targeted delivery rather than a broad spray. The primary exfiltration mechanism is an XHR POST to a hashed endpoint path at document.location.origin — specifically the path /31b2ac118e1c71cf09e8f1dd3ecaf21cf03c2170860cc12b8540c08c9dbf3995/log — which receives the visitor's current URL, a YouTube flag, and a millisecond-precision timestamp; a parallel endpoint at the same hash prefix, /log_flag, receives any text the visitor types into non-password input fields, scanned every keystroke and on a one-second polling interval against an operator-defined term list seeded here with "kill myself."
The infrastructure runs its own server-side allow/redirect/block decision loop: the /log endpoint returns a JSON score object, and when score.redirect is set, the page immediately navigates the visitor to an operator-specified destination and replaces the entire DOM with a hosted block image, a behavioral gate that lets the operator serve different content to vetted versus unvetted visitors and is a characteristic feature of traffic-filtering kits designed to frustrate automated crawlers and sandboxes. The hosting domain — michytredqwdcvfgbhytrevffghnjoplkmjnhgbawsedfrtgy[.]net — carries a 63-character randomly-keyed subdirectory-style path with the lure token "paperlesscountdown" embedded in it, a URL structure consistent with per-victim tokenization that lets the operator correlate individual click events server-side and invalidate links after first use, meaning replaying a captured URL in an analysis environment will likely return a dead or redirected page.

A credential-harvesting page impersonating Microsoft 365 sign-in targeted a Kentucky organization, presenting a pixel-faithful reproduction of the Azure AD converged login interface under the attacker-controlled domain login.acsgroupus[.]com. Detections occurred on May 04, 2026, with three observed events suggesting limited but deliberate targeting rather than broad distribution. Captured credentials are submitted via HTTP POST to login.acsgroupus[.]com/common/login, a route that mirrors the legitimate Azure AD endpoint path precisely, meaning a user inspecting the POST target in isolation would see nothing anomalous without verifying the domain.
The kit reproduces the full $Config JavaScript object — including live-looking flow tokens, session identifiers, a FIDO challenge JWT issued against login.microsoft[.]com, and a functioning GitHub federated identity provider path — all of which are either replayed from a real Azure AD session or generated to validate correctly client-side, giving the page behavioral fidelity well beyond a static HTML clone. The presence of GoGuardian asset injection scripts (asset.goguardian and localstorage.goguardian) in the page source indicates the kit was served inside a browser environment subject to content filtering, which reveals something about the likely victim context — a K-12 or managed-education network where GoGuardian is deployed — and means the attacker's page loaded and rendered despite that filtering layer being active.

A credential-harvesting page impersonating Microsoft 365 targeted a Colorado organization, presenting a pre-filled victim email address alongside a password entry form consistent with the second step of Microsoft's standard sign-in flow. Activity was confined to May 04, 2026. Credentials are submitted via an HTML form GET request to /link-action/U1NRZ7To007FGX2JA7mQpG2Vljca78Fxr2KQ on the attacker-controlled subdomain lp92czxo.authlnk[.]com, a domain constructed to visually suggest an authentication link service rather than anything tied to Microsoft infrastructure. The page pre-populates the victim's email address in a read-only field, a technique that reduces friction and signals to the target that the page already "knows" them, lending false legitimacy to the password prompt.
A meta tag embedded in the page head identifies the page as part of a Cyberlift simulated phishing exercise and includes the targeted organization's email domain, meaning this event represents an authorized security awareness test rather than a malicious campaign; the robots noindex directive and no-referrer policy are consistent with simulation platforms that suppress indexing and limit referrer leakage to preserve test integrity. For defenders, the practical takeaway is that this kit's delivery mechanics — a tokenized per-user URL, a pre-filled email field, and a clean Microsoft-branded layout built on Tailwind CSS — are structurally identical to what commodity phishing kits deploy against real targets, so user behavior observed during this simulation reflects how staff would likely respond to a genuine credential-harvesting attempt.

A credential-harvesting page impersonating Greenvelope, a legitimate online invitation and greeting card service, targeted a Minnesota organization by presenting a multi-provider email login portal backed by a PHP relay kit. Activity was confined to May 02, 2026. The primary capture mechanism is a modal form POSTing to processmail.php on attacker-controlled infrastructure at gpuux[.]vu, with a second POST stage sending captured OTP codes to process.php, meaning the kit is built to harvest both the static password and any one-time code a victim's identity provider issues in response to the login attempt.
The double-submit design is instructive: on first submission the JavaScript unconditionally displays "Incorrect Password" regardless of server response, coercing the victim to re-enter credentials before the form advances to the OTP stage, which is a deliberate friction pattern used to ensure the attacker receives at minimum two password attempts. The Gmail button deviates from the modal pattern and links directly to gpuux[.]vu/signin/accounts.google in a new tab, a separate phishing path that bypasses the on-page form entirely. Because the kit captures both credentials and OTP in sequential steps, a defender's most useful signal is the two-phase POST pattern to processmail.php followed by process.php, which network controls can observe even when the landing page itself evades content filters.

A credential-harvesting page impersonating Adobe and the Greenvelope online invitation service targeted an Illinois organization, presenting victims with a multi-provider email login portal that collected credentials for Outlook, Office 365, Yahoo, AOL, and generic mail accounts. Detections occurred on April 28, 2026 and May 02, 2026, totaling 2 separate observed events. The primary capture mechanism is a form POST to processmail.php on attacker-controlled infrastructure at opendpartyviewfo[.]net, with a second POST stage to process.php that collects an OTP or MFA token submitted by the victim.
The kit deliberately provokes a second credential submission by returning an "Incorrect Password" message on the first attempt, a double-submit pattern that increases the likelihood of capturing a valid password before advancing the victim to the MFA-harvesting modal, where a countdown timer counting down from five minutes creates pressure to enter the one-time code quickly. The combination of email-plus-password capture followed by OTP collection means the attacker receives everything needed to authenticate to the victim's account in real time, which renders standard MFA ineffective as a backstop and makes the window between victim submission and attacker use the only practical point of interruption.

A credential-harvesting page mimicking a generic "Cloud Share" document portal targeted a Kentucky organization, presenting a full-screen lure backed by a Bootstrap 4 layout and a dynamically animated OTP overlay designed to capture both primary credentials and a one-time passcode in sequence. Activity was confined to May 01, 2026. The primary capture mechanism is a two-stage HTML form flow: an initial credential submission feeds into a modal popup — toggled via CSS class manipulation with `.popup.active` — that solicits an OTP code, meaning the kit is built to harvest both a password and a second authentication factor in the same session. A hidden `#dataBox` element sized to one pixel by one pixel with `visibility: hidden` functions as a staging container for collected field values, a pattern common to kits that batch and relay credential pairs before the victim recognizes the session has failed.
The hosting domain sysop[.]vu carries a path structure of `/old/open/` that suggests either a repurposed or abandoned legitimate host with a phishing kit dropped into a subdirectory, a setup that frequently evades domain-reputation controls because the root domain may carry a clean history. The OTP capture stage is the detail defenders should weight most heavily here: a user who completes both prompts has handed the actor everything needed to authenticate to the real service in real time, compressing the window between credential submission and account takeover to the length of a single browser session.

A credential-harvesting page impersonating Microsoft 365 — specifically the OneDrive and account sign-in flow — targeted a Nevada organization by presenting a full multi-stage authentication clone designed to capture both the account password and any active MFA factor the victim had enrolled. Activity was confined to May 01, 2026, with a single observed event. The kit renders a sequential flow across at least seven discrete HTML sections — email collection, password entry, Microsoft Authenticator push approval with a hardcoded number prompt, TOTP code entry, and SMS code entry — with a dynamically loaded PHP module at js/module.php handling credential exfiltration through obfuscated JavaScript where element IDs, CSS class names, and function names are all randomized and the exfil endpoint itself is absent from the static HTML, pushed instead through the runtime bundle.
Three honeypot fields are injected into each form with CSS that pushes them off-screen and suppresses their dimensions, bot-detection scripts run before the first section is shown, and the page title reads simply "Connect your account" to avoid triggering keyword-based URL or content filters. The victim email address is pre-populated into the occ_container_954 span across every post-login section, meaning the kit received the target's address server-side before the page loaded, consistent with a link that encodes the target's identity in the long token path seen in the URL. A user who completed all prompts would have surrendered their password and whichever MFA credential was presented — TOTP code, SMS code, or an Authenticator push approval — making session-token theft viable even against accounts with MFA enforced, and the infrastructure domain canycomcanycom[.]com bears no relation to any Microsoft property, though the page content is engineered to give a victim no visual signal of that mismatch.

A credential-harvesting page impersonating Microsoft 365 targeted a Florida organization, walking victims through a complete multi-stage authentication flow — email entry, password, MFA code, SMS OTP, and Authenticator app number-matching — to capture both primary credentials and live session tokens. Detections occurred on April 30, 2026, with three observed events suggesting a targeted delivery rather than a broad spray. The page is served from nationelbuild[.]co.uk under a finance-themed subdirectory path, and credential submissions are handled by obfuscated JavaScript loaded from randomized-filename modules (7sNPBpPamdPnD5Q.js, VSBjdYWDf2e1BVFZ.js, lMXu7FPZAYvp2N5KuZg.js) whose exfiltration endpoint is deliberately withheld from the static HTML — meaning the POST target cannot be confirmed without executing those scripts.
The page implements several defensive countermeasures visible in the HTML itself: CSS-rendered class names are randomized on every build, text strings critical to email-scanner fingerprinting (link labels, button text, footer copy) are fragmented with empty bold tags to defeat pattern matching, a honeypot field styled off-screen traps automated form-fillers, and a PageValidator bot-detection script gates the main content behind a human-verification check before rendering. The victim's email address is pre-populated in every subsequent panel after initial entry, a technique that reduces visible friction and increases the likelihood a user completes all MFA steps, with the final redirect value base64-encoded in the page config pointing to outlook[.]office[.]com — making the completed session handoff appear indistinguishable from a legitimate sign-in to the end user.

A tech-support scam page impersonating Microsoft Windows Defender and Facebook targeted Florida, Georgia, Kentucky and Minnesota organizations, combining fake virus alerts with a credential-harvesting login form to coerce victims into calling an attacker-controlled phone number (+1-844-486-0643) or surrendering credentials. Detections occurred on April 23, 2026, April 24, 2026, April 28, 2026, and April 29, 2026, totaling 17 separate events across those four days. The primary credential-capture mechanism is an on-page HTML form with action="#" whose submitted values are processed by js/main.js — the exfiltration destination is not exposed in the static HTML, meaning the actual POST target or fetch() call lives in that external script, a deliberate separation that keeps the endpoint out of view-source analysis.
The page layers several pressure techniques drawn directly from the markup: looping audio (beep.mp3 and eng.mp3) triggered on any click via requestPointerLock(), a fake Microsoft Defender scanning animation reporting fabricated threat names such as "Trojan.Dropper.Autoit" and "PUP.Optional.RelevantK," a Facebook account-suspension modal whose Accept and Ignore buttons both fire TrackConversion(Lead), and a scrolling marquee repeating theft warnings — all of which are designed to keep a user too panicked to close the tab.
The page is served from Azure Blob Storage (storead16951b8943.blob.core.windows[.]net), and a third-party tracking script is loaded from sportserty[.]lol with InitTracking({ source: 'facebook' }), indicating the operators are measuring conversion traffic attributed to a Facebook delivery channel. For defenders, the combination of legitimate Azure hosting, an opaque external JS file holding the actual exfil logic, and a meta robots noindex,nofollow directive means the page is built to stay out of search-engine crawlers and generic URL reputation feeds while the Azure domain itself passes allowlist checks — so detections are more likely to come from user reports or endpoint telemetry than from URL-based filtering alone.
Related subdomain variants:

A credential-harvesting page impersonating Paperless Post deployed a multi-stage PHP kit targeting a Kentucky organization, presenting victims with a fake event-invitation lure and a menu of email-provider sign-in buttons covering Outlook, Office 365, Yahoo, Gmail, AOL, and a generic mail option. Activity was confined to April 27, 2026. The primary capture mechanism is a form POST to processmail[.]php on the attacker-controlled host bemyguests[.]one, where submitted credentials are relayed server-side; the kit then deliberately returns an "Incorrect Password" response on the first submission, forcing the victim to re-enter credentials under the assumption they mistyped, which produces a second POST before the modal advances.
After that two-pass credential collection, a secondary modal prompts the victim for an OTP with a visible countdown timer, posting the token to process[.]php on the same host, meaning the kit is designed to capture both the account password and any time-based MFA code in sequence. The inviter-name field in the URL accepts an arbitrary name parameter and renders it with a typing animation, giving the operator a trivial mechanism to personalize each phishing link without changing any page infrastructure, a detail that erodes the reliability of URL-pattern-based detections and raises the social plausibility of each individual delivery.

A credential-harvesting page impersonating Yahoo Mail targeted a Kentucky organization, presenting a pixel-accurate clone of the Yahoo sign-in flow hosted at dn6z5nh3p3t.jahutche[.]cyou. Activity was confined to April 24, 2026, with a single observed event. The page renders a standard username-first form whose POST action resolves within the kit's own infrastructure rather than login.yahoo[.]com, meaning credentials entered by the victim travel to the attacker before any legitimate Yahoo session is involved.
The HTML includes a pre-populated browser fingerprint payload in a hidden field named browser-fp-data, capturing display resolution, timezone, hardware concurrency, installed fonts, WebGL renderer, and canvas hash on page load — a passive profiling step that gives the operator a detailed picture of each victim's environment without requiring any interaction beyond the page rendering. The referrer baked into the page's analytics configuration points to 713ab8a0.74c145f740208e35136d83f2.workers[.]dev, a Cloudflare Workers subdomain, indicating the victim arrived through at least one intermediary redirect layer hosted on legitimate Cloudflare infrastructure before landing on the final harvest page.
For defenders, the combination of a plausible brand clone, passive fingerprinting, and a Cloudflare-fronted redirect chain means URL reputation feeds are likely to rate the delivery hop clean at the moment of click, making the phishing link's presence in email headers or proxy logs the more reliable detection surface than any downstream block on the harvest domain itself.

A credential-harvesting page impersonating the Microsoft 365 sign-in experience targeted a Kentucky organization, presenting a pixel-faithful replica of the Entra ID ConvergedSignIn flow, including functional GitHub federated identity provider routing and a fully populated international phone-code list consistent with AiTM proxy kits that clone live Microsoft authentication infrastructure. Detections occurred on April 23, 2026 and April 24, 2026, producing two observed events across the two-day window. Credential submission is directed to the POST endpoint at log1nhzkivbmlfm6lwmkc3e0afpak7.portal.pacifcprime[.]com/common/login, a subdomain of the actor-controlled domain pacifcprime[.]com — a typosquat on the legitimate insurance broker pacificprime[.]com — with the entire OAuth 2.0 flow, including state tokens, flow tokens, session context, FIDO challenge issuance, and BSSSO cookie handling, replicated in the page's $Config object to sustain a convincing interactive session rather than a static lure.
The infrastructure extends across at least three actor-controlled subdomains on the same registrant domain, handling the MSA authorization endpoint at srvg28vpr3hrshoirdxcagefxisj.portal.pacifcprime[.]com, the post-authentication landing redirect at synccgatv0mzanmqv3p9yypzhqdfwvdap0lu.portal.pacifcprime[.]com, and the password reset relay at profol4bf8ooncx4ka43daicbjqii6mj.portal.pacifcprime[.]com, indicating a purpose-built multi-subdomain proxy infrastructure rather than a simple static phishing page. The depth of OAuth state replication — live nonces, canary tokens, cross-domain EPCT artifacts, and a real FIDO assertion challenge signed by login.microsoft[.]com embedded in the page — means a user who authenticates will produce a session token that the proxy can relay forward, bypassing MFA entirely, which makes this campaign resistant to the standard user-awareness signal of "the URL looks wrong."

A credential-harvesting page impersonating Microsoft 365 targeted a Kentucky organization, presenting a full multi-stage login flow — email collection, password entry, and MFA capture — built on what appears to be a custom PHP-backed phishing kit. Activity was confined to April 23, 2026. The page renders a pre-populated victim email address across every stage, confirming the target was identified before the link was delivered, and collects credentials through form submissions handled by obfuscated JavaScript loaded from two local scripts (js/YZ41Ojw4PQgjV96.js and js/rGgUEzGLTkhniMOC.js) whose randomized, base64-encoded configuration maps — visible in window.var_options_509 and window.var_utils_937 — conceal form field IDs, section names, and the exfiltration routing from static inspection.
Beyond the password stage, the kit presents three distinct MFA intercept screens covering Microsoft Authenticator push notifications with a hardcoded number-matching value of 50, TOTP code entry, and SMS code entry with a partially masked phone number, meaning the operator can capture whichever second factor the victim has enrolled. The hosting domain wernereumdnterprises[.]vu combines what reads as a mangled legitimate business name with a .vu country-code TLD, and the long randomized path token in the URL functions as a per-victim identifier that ties the session to the operator's backend and limits replay by crawlers or scanners. For defenders, the pre-filled email and the MFA collection stages together indicate this page was sent to a known target whose identity the operator already held, and a user arriving at a password prompt with their email address already displayed has one fewer visual signal that anything is wrong.
Recommendations
- Deploy proxy and DNS monitoring rules that alert on non-Microsoft hosts replicating Azure AD OAuth flow paths — specifically any domain presenting `/common/login` POST endpoints, `$Config` objects containing `flowToken` or `FIDO` challenge JWTs, or subdomain structures that segment authorization, password-reset, and post-auth landing across separate actor-controlled hostnames, all patterns confirmed in the pacifcprime[.]com and acsgroupus[.]com campaigns.
- Configure network controls to detect and alert on the two-phase PHP POST sequence — credentials to `processmail.php` followed by OTP tokens to `process.php` — observed across the gpuux[.]vu, opendpartyviewfo[.]net, sysop[.]vu, and bemyguests[.]one incidents; this traffic pattern is detectable at the proxy layer regardless of whether the landing page evades content categorization, and its presence in egress logs is a reliable indicator that a victim has completed at least one credential submission.
- Extend URL inspection to browser-initiated requests beyond email delivery — specifically paid-search click traffic — because the on-forge[.]com campaign used Google Ads tracking parameters (`gad_source`, `gclid`) to deliver phishing pages directly to users searching for IT support, a delivery path that bypasses email gateways and link-scanning controls entirely; organizations should ensure DNS or proxy telemetry captures search-referred navigations to newly registered or low-reputation domains presenting login forms.
- Train users to recognize that a legitimate browser tab is incapable of generating Windows Firewall alerts, System32 password prompts, or SmartScreen lock overlays, because both the z13.web.core.windows[.]net and blob.core.windows[.]net campaigns weaponized fabricated OS-level dialogs rendered entirely in HTML and CSS — including hidden mouse cursors and looping audio — to manufacture urgency; a user who understands this architectural boundary will not be moved by scareware overlays regardless of their visual fidelity.
- For organizations where GoGuardian or equivalent K-12 content-filtering agents are deployed, treat filter telemetry as an active detection surface rather than a passive control: the tkburgers[.]com and acsgroupus[.]com pages loaded and rendered fully inside GoGuardian-managed browser sessions, meaning the filter did not block delivery, but the session logs generated by those agent scripts represent the highest-fidelity record of which device and user account reached the phishing page.
- Conduct targeted awareness exercises around pre-populated email fields specifically, because seven of the observed campaigns — including tewjpchosolutions[.]vu, authlnk[.]com, wernereumdnterprises[.]vu, and canycomcanycom[.]com — rendered the victim's own address in a read-only field before the password prompt, a deliberate technique that substitutes a false familiarity signal for the URL authenticity check most users skip; staff should be trained that seeing their email address already filled in is not evidence the page is legitimate and is in fact a consistent feature of personalized phishing kits.
- Implement conditional-access policies requiring phishing-resistant authentication (FIDO2 hardware keys or certificate-based auth) for Microsoft 365 access, because the full MFA-harvesting flows observed in nationelbuild.co[.]uk, canycomcanycom[.]com, wernereumdnterprises[.]vu, and the pacifcprime[.]com AiTM proxy demonstrate that TOTP codes, SMS OTPs, and Authenticator push approvals are all within the attacker's capture scope when a victim completes a phishing flow — phishing-resistant factors are the only second-factor class these kits cannot intercept.
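The first three recommendations above describe traffic patterns that can be caught in egress logs without any content categorization. The following correlator (an editor's example added here, not tooling from the page) runs the three checks over proxy events: the processmail.php then process.php POST sequence, a /common/login POST to a host Microsoft does not own, and a paid-click landing followed by a form POST to the same host. The log format, hostnames and client addresses are constructed; gclid and gad_source are the parameters the write-up names, fbclid is added here for the Facebook-ads delivery path as an assumption.

```python
"""Correlate egress proxy events for the submission patterns called out above.
Added example; log lines, hostnames and client addresses are constructed."""
from datetime import datetime
from urllib.parse import parse_qs, urlparse

MICROSOFT_LOGIN_SUFFIXES = (
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
    "login.windows.net",
)
# gclid/gad_source are named in the write-up; fbclid is an added assumption.
AD_CLICK_PARAMS = {"gclid", "gad_source", "fbclid"}


def is_microsoft_login_host(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in MICROSOFT_LOGIN_SUFFIXES)


def parse_line(line: str) -> dict:
    """Constructed format: '<iso-ts> <client-ip> <method> <url> <status>'."""
    ts, client, method, url, status = line.split()
    u = urlparse(url)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "client": client,
        "method": method.upper(),
        "host": (u.hostname or "").lower(),
        "path": u.path,
        "query": parse_qs(u.query),
        "status": int(status),
    }


def detect_two_phase_php(events: list, window_seconds: int = 900) -> list:
    """POST to processmail.php then POST to process.php on the same host from the
    same client: password and OTP both submitted. A lone process.php does not fire."""
    alerts, pending = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["method"] != "POST":
            continue
        key = (ev["client"], ev["host"])
        script = ev["path"].rsplit("/", 1)[-1]
        if script == "processmail.php":
            pending[key] = ev["ts"]
        elif script == "process.php" and key in pending:
            if (ev["ts"] - pending.pop(key)).total_seconds() <= window_seconds:
                alerts.append({"rule": "two-phase-php-post", "client": ev["client"],
                               "host": ev["host"], "otp_at": ev["ts"].isoformat()})
    return alerts


def detect_foreign_common_login(events: list) -> list:
    """Entra-style /common/login POST to a host Microsoft does not own."""
    return [
        {"rule": "common-login-non-microsoft", "client": ev["client"], "host": ev["host"]}
        for ev in events
        if ev["method"] == "POST"
        and ev["path"].rstrip("/").endswith("/common/login")
        and not is_microsoft_login_host(ev["host"])
    ]


def detect_ad_referred_submission(events: list, window_seconds: int = 1800) -> list:
    """GET carrying a paid-click parameter, then a POST to the same host from the
    same client: a form submitted on an ad-delivered landing page."""
    alerts, landed = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["client"], ev["host"])
        if ev["method"] == "GET" and AD_CLICK_PARAMS & ev["query"].keys():
            landed[key] = ev
        elif ev["method"] == "POST" and key in landed:
            first = landed.pop(key)
            if (ev["ts"] - first["ts"]).total_seconds() <= window_seconds:
                alerts.append({"rule": "ad-referred-form-post", "client": ev["client"], "host": ev["host"],
                               "params": sorted(AD_CLICK_PARAMS & first["query"].keys())})
    return alerts


def run_all(lines: list) -> dict:
    events = [parse_line(l) for l in lines if l.strip()]
    return {
        "two_phase_php": detect_two_phase_php(events),
        "foreign_common_login": detect_foreign_common_login(events),
        "ad_referred_submission": detect_ad_referred_submission(events),
    }


# Constructed sample log; hosts are placeholders, not the campaign IOCs.
SAMPLE_LOG = """
2026-04-23T14:02:11Z 10.20.30.40 GET https://gpuux-sample.test/login/?id=abc 200
2026-04-23T14:02:40Z 10.20.30.40 POST https://gpuux-sample.test/processmail.php 200
2026-04-23T14:03:05Z 10.20.30.40 POST https://gpuux-sample.test/process.php 200
2026-04-23T14:10:00Z 10.20.30.41 POST https://login.microsoftonline.com/common/login 200
2026-04-23T14:11:30Z 10.20.30.42 POST https://log1n-a1b2c3.portal.insurer-typosquat.test/common/login 302
2026-04-23T15:00:00Z 10.20.30.43 GET https://it-support-sample.test/?gad_source=1&gclid=EAIaIQob-sample 200
2026-04-23T15:01:20Z 10.20.30.43 POST https://it-support-sample.test/submit 200
2026-04-23T16:00:00Z 10.20.30.44 POST https://benign-sample.test/process.php 200
"""

if __name__ == "__main__":
    for rule, hits in run_all(SAMPLE_LOG.splitlines()).items():
        print(rule, hits)
```

Keying the first two checks on client plus host is deliberate: a process.php POST on its own is too common to alert on, and the kits described here split password and OTP across the two scripts on the same host, so the pair is the signal.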
