Unmasking a Sophisticated Phishing Campaign against K12 Schools

A deep-dive investigation into a multi-tier threat actor ecosystem operating one of the longest-running phishing campaigns targeting K12 schools. We uncovered a sophisticated phishing campaign abusing Azure Blob Storage infrastructure to impersonate Microsoft services. Through analysis of 480 incidents and 26 authentic HTML samples, we identified a multi-tier threat actor employing advanced behavioral tracking and operating distributed phone scam networks.
Key Findings
Campaign Scale: 480 total incidents spanning 578 days
Azure Infrastructure Abuse: Systematic exploitation of *.web.core.windows[.]net domains
Recent Activity: August 2025 with coordinated LuckyOrange training deployment
Multi-Tier Threat Actor Attribution
Primary Threat Actor (Advanced Tracking Group)
- LuckyOrange Site ID: 45acXXXX (11 incidents)
- Google Analytics: G-RRSK58XXXX
- Primary phone: +1-844-XXX-2514 (36 instances)
- Victim geolocation: ipwho.is API integration
- Backup call center: +1-888-XXX-8848
Secondary Operations (866 Prefix Group)
- Primary phone: +1-866-XXX-4179 (21 instances)
- Secondary phone: +1-866-XXX-4640 (14 instances)
- Basic Google Analytics tracking
- Volume-based phone scam operations
Affiliate Network
- Six or more (6+) distributed call centers using 855, 844, 877, 833 prefixes
- Shared template infrastructure (tapa.css, fluctuate animations)
- Coordinated deployment patterns
Technical Analysis
Behavioral Tracking Infrastructure
The primary threat actor employs sophisticated victim-tracking infrastructure.
Template Sharing Analysis
- 14 samples: Use identical CSS template (tapa.css)
- 11 samples: Implement fluctuate animation keyframes
- 16 samples: Utilize jQuery framework
Phone Scam Operations
- Primary Tier: +1-844-XXX-2514 (36 instances)
- Secondary Tier: +1-866-XXX-4179 (21 instances)
- Affiliates: 6+ additional numbers
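As an added example (not code from the original investigation), the following Python scans an HTML sample for the campaign indicators listed above (Azure static-site hosting, tapa.css, fluctuate keyframes, jQuery, LuckyOrange, Google Analytics, ipwho.is, toll-free numbers) and maps the hits onto the three tiers as a triage heuristic. The sample pages, tracking IDs, hostnames and phone numbers are constructed placeholders, not real indicators.

```python
import re

# Indicator patterns drawn from the campaign description above. The Azure pattern
# allows a dotted zone label (e.g. <account>.z13.web.core.windows.net).
INDICATORS = {
    "azure_static_site": re.compile(r"https?://[a-z0-9.-]+\.web\.core\.windows\.net", re.I),
    "tapa_css": re.compile(r"tapa\.css", re.I),
    "fluctuate_keyframes": re.compile(r"@keyframes\s+fluctuate\b", re.I),
    "jquery": re.compile(r"jquery[^\"']*\.js", re.I),
    "luckyorange": re.compile(r"luckyorange", re.I),
    "google_analytics": re.compile(r"\bG-[A-Z0-9]{6,12}\b"),
    "ipwho_geolocation": re.compile(r"ipwho\.is", re.I),
}
# Toll-free numbers, optionally with a leading "1" / "+1", in the prefixes the report lists.
TOLL_FREE = re.compile(
    r"(?:\+?1[-\s.]?)?(8(?:00|33|44|55|66|77|88))[-\s.]?(\d{3})[-\s.]?(\d{4})\b"
)

def scan_html(html: str) -> dict:
    """Return which indicators appear in one HTML sample plus any toll-free numbers found."""
    hits = {name: bool(rx.search(html)) for name, rx in INDICATORS.items()}
    phones = sorted({f"+1-{a}-{b}-{c}" for a, b, c in TOLL_FREE.findall(html)})
    return {"indicators": hits, "phones": phones}

def classify(result: dict) -> str:
    """Map a scan result onto the tiers described above (a triage heuristic, not attribution)."""
    ind = result["indicators"]
    prefixes = {p.split("-")[1] for p in result["phones"]}
    if ind["luckyorange"] and ind["ipwho_geolocation"]:
        return "primary-tier (advanced tracking)"
    if "866" in prefixes and ind["google_analytics"]:
        return "secondary-tier (866 prefix group)"
    if ind["tapa_css"] or ind["fluctuate_keyframes"]:
        return "affiliate (shared template)"
    return "unclassified"

# Constructed samples (not real captures) mimicking the primary and secondary tiers.
SAMPLE_PRIMARY = """
<link rel="stylesheet" href="https://examplesite.web.core.windows.net/tapa.css">
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script>/* luckyorange snippet placeholder */</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-TESTID0000"></script>
<script>fetch("https://ipwho.is/").then(r => r.json());</script>
<style>@keyframes fluctuate { 0% {opacity:1} 50% {opacity:.5} }</style>
<p>Call Microsoft support now: +1-844-555-2514</p>
"""
SAMPLE_SECONDARY = """
<script async src="https://www.googletagmanager.com/gtag/js?id=G-TESTID0001"></script>
<p>Call now 1-866-555-4179</p>
"""

if __name__ == "__main__":
    for name, html in (("primary", SAMPLE_PRIMARY), ("secondary", SAMPLE_SECONDARY)):
        print(name, classify(scan_html(html)))
```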
Conclusion
The investigation revealed a sophisticated threat actor ecosystem operating one of the longest-running phishing campaigns against K12 schools. The multi-tier attribution model creates actionable intelligence for threat hunting and defensive operations. The length of the campaign and advanced tracking infrastructure indicate a well-resourced, persistent threat actor likely generating significant revenue through phone scam monetization.
Want to ensure your school system can stay ahead of increasingly sophisticated phishing attacks? Learn more about how your district can benefit from PhishID!