
Unmasking a Sophisticated Phishing Campaign against K12 Schools

A deep-dive investigation into a multi-tier threat actor ecosystem operating one of the longest-running phishing campaigns targeting K12 schools. We uncovered a sophisticated phishing campaign abusing Azure Blob Storage infrastructure to impersonate Microsoft services. Through analysis of 480 incidents and 26 authentic HTML samples, we identified a multi-tier threat actor employing advanced behavioral tracking and operating distributed phone scam networks.

Figure 1: Campaign timeline visualization

Key Findings

Campaign Scale: 480 total incidents spanning 578 days

Azure Infrastructure Abuse: Systematic exploitation of *.web.core.windows[.]net domains

Recent Activity: August 2025 with coordinated LuckyOrange training deployment

Multi-Tier Threat Actor Attribution

Figure 2: Threat actor hierarchy

Primary Threat Actor (Advanced Tracking Group)

  • LuckyOrange Site ID: 45acXXXX (11 incidents)
  • Google Analytics: G-RRSK58XXXX
  • Primary phone: +1-844-XXX-2514 (36 instances)
  • Victim geolocation: ipwho.is API Integration
  • Backup call center: +1-888-XXX-8848

Secondary Operations (866 Prefix Group)

  • Primary phone: +1-866-XXX-4179 (21 instances)
  • Secondary phone: +1-866-XXX-4640 (14 instances)
  • Basic Google Analytics tracking
  • Volume-based phone scam operations

Affiliate Network

  • At least six (6+) distributed call centers using 855, 844, 877, 833 prefixes
  • Shared template infrastructure (tapa.css, fluctuate animations)
  • Coordinated deployment patterns

Technical Analysis

Behavioral Tracking Infrastructure

The primary threat actor layers several victim-tracking mechanisms on its phishing pages: LuckyOrange session recording (site ID 45acXXXX), Google Analytics (G-RRSK58XXXX) and victim geolocation through the ipwho.is API:

Figure 3: LuckyOrange site ID

Template Sharing Analysis

Figure 4: Side-by-side comparison of CSS

  • 14 samples: Use identical CSS template (tapa.css)
  • 11 samples: Implement fluctuate animation keyframes
  • 16 samples: Utilize jQuery framework

Phone Scam Operations

Figure 5: Phone number distribution

  • Primary Tier: +1-844-XXX-2514 (36 instances)
  • Secondary Tier: +1-866-XXX-4179 (21 instances)
  • Affiliates: 6+ additional numbers
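The tracking, template-sharing and phone-number indicators above are what a hunter would extract from each HTML sample and then use to cluster samples into the report's tiers. The following script is an added example, not code from the original report or from the PhishID team: it pulls the indicator categories the report names (Azure static-site hosting, LuckyOrange and Google Analytics tags, ipwho.is calls, toll-free numbers, tapa.css, fluctuate keyframes, jQuery) out of page HTML, attributes each sample to a tier, and produces the same kind of counts the report gives ("14 samples use tapa.css"). The regexes, the tier rules and the three HTML samples are assumptions constructed for the example; where the report redacts a value ("XXXX") the patterns accept the redacted form so the report's own indicators can be used unchanged.

```python
"""
Indicator extraction and tier attribution over phishing-page HTML samples.

Added example, not the report's own tooling. Regexes, tier rules and the
sample pages below are assumptions built from the indicator categories the
report lists; hostnames and the secondary-tier GA ID are placeholders.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Hosting: static-website endpoints on Azure Blob Storage (*.web.core.windows.net).
AZURE_HOST_RE = re.compile(r"https?://([a-z0-9.-]+\.web\.core\.windows\.net)", re.I)
# LuckyOrange embeds; assumed snippet forms: lo.js?site-id=... or __lo_site_id = ...
LUCKYORANGE_RE = re.compile(
    r"luckyorange\.com/[^\"'\s]*site-id=([0-9a-zX]+)|__lo_site_id\s*=\s*['\"]?([0-9a-zX]+)", re.I)
# Google Analytics 4 measurement IDs (G-XXXXXXXX); also accepts the report's redacted form.
GA_RE = re.compile(r"\bG-[A-Z0-9X]{6,12}\b")
# North American toll-free numbers; middle/last blocks may be the report's redacted "XXX"/"XXXX".
PHONE_RE = re.compile(r"\+?1[-. ]?\(?(8(?:00|33|44|55|66|77|88))\)?[-. ]?([0-9X]{3})[-. ]?([0-9X]{4})")
GEO_RE = re.compile(r"ipwho\.is", re.I)
TAPA_RE = re.compile(r"tapa\.css", re.I)
FLUCTUATE_RE = re.compile(r"@keyframes\s+fluctuate", re.I)
JQUERY_RE = re.compile(r"jquery[^\"'\s]*\.js", re.I)


@dataclass
class Indicators:
    azure_hosts: set = field(default_factory=set)
    luckyorange_ids: set = field(default_factory=set)
    ga_ids: set = field(default_factory=set)
    phones: set = field(default_factory=set)   # normalised as 8XX-XXX-XXXX
    geolocation: bool = False
    tapa_css: bool = False
    fluctuate: bool = False
    jquery: bool = False


def extract(html: str) -> Indicators:
    """Pull every indicator category the report describes out of one page."""
    ind = Indicators()
    ind.azure_hosts = {h.lower() for h in AZURE_HOST_RE.findall(html)}
    ind.luckyorange_ids = {a or b for a, b in LUCKYORANGE_RE.findall(html)}
    ind.ga_ids = set(GA_RE.findall(html))
    ind.phones = {f"{p}-{m}-{s}" for p, m, s in PHONE_RE.findall(html)}
    ind.geolocation = bool(GEO_RE.search(html))
    ind.tapa_css = bool(TAPA_RE.search(html))
    ind.fluctuate = bool(FLUCTUATE_RE.search(html))
    ind.jquery = bool(JQUERY_RE.search(html))
    return ind


def attribute(ind: Indicators) -> str:
    """Map one sample to a tier; assumed rules derived from the report's attribution section."""
    prefixes = {p.split("-")[0] for p in ind.phones}
    if ind.luckyorange_ids or ind.geolocation:
        return "primary"        # advanced tracking group: LuckyOrange + geolocation
    if "866" in prefixes:
        return "secondary"      # 866-prefix group: basic GA only
    if prefixes & {"855", "844", "877", "833"} and (ind.tapa_css or ind.fluctuate):
        return "affiliate"      # distributed call centres on the shared template
    return "unattributed"


def summarize(samples):
    """Counts of the kind the report gives ('N samples use tapa.css'), per-number totals, tier split."""
    features, phones, tiers = Counter(), Counter(), Counter()
    for html in samples:
        ind = extract(html)
        for name in ("tapa_css", "fluctuate", "jquery", "geolocation"):
            if getattr(ind, name):
                features[name] += 1
        phones.update(ind.phones)
        tiers[attribute(ind)] += 1
    return {"features": dict(features), "phones": dict(phones), "tiers": dict(tiers)}


# Constructed sample pages (not real captures); hosts and the second GA ID are placeholders.
SAMPLE_PRIMARY = """<html><head>
<link rel="stylesheet" href="https://acct-a.z13.web.core.windows.net/tapa.css">
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-RRSK58XXXX"></script>
<script async src="https://tools.luckyorange.com/core/lo.js?site-id=45acXXXX"></script>
<style>@keyframes fluctuate { 0% {opacity:1} 50% {opacity:.4} 100% {opacity:1} }</style>
</head><body>
<script>fetch("https://ipwho.is/").then(r => r.json());</script>
<p>Support line: +1-844-XXX-2514</p>
</body></html>"""

SAMPLE_SECONDARY = """<html><head>
<link rel="canonical" href="https://example-account.z13.web.core.windows.net/">
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
</head><body><p>Support line: +1 (866) XXX-4179</p></body></html>"""

SAMPLE_AFFILIATE = """<html><head>
<link rel="stylesheet" href="css/tapa.css">
<style>@keyframes fluctuate { from {transform:scale(1)} to {transform:scale(1.05)} }</style>
</head><body><p>Support line: 1-855-XXX-XXXX</p></body></html>"""

SAMPLES = [SAMPLE_PRIMARY, SAMPLE_SECONDARY, SAMPLE_AFFILIATE]

if __name__ == "__main__":
    print(summarize(SAMPLES))
```

Running the block on the three constructed pages yields one sample per tier and feature counts of two for tapa.css, fluctuate and jQuery. In practice the phone-number and GA-ID groupings are the links worth pivoting on, since the report shows the same numbers recurring across dozens of incidents while the hosting account names change.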

Conclusion

The investigation revealed a sophisticated threat actor ecosystem operating one of the longest-running phishing campaigns against K12 schools. The multi-tier attribution model creates actionable intelligence for threat hunting and defensive operations. The length of the campaign and advanced tracking infrastructure indicate a well-resourced, persistent threat actor likely generating significant revenue through phone scam monetization.

Want to ensure your school system can stay ahead of increasingly sophisticated phishing attacks? Learn more about how your district can benefit from PhishID!