Unmasking a Sophisticated Phishing Campaign against K12 Schools

A deep-dive investigation into a multi-tier threat actor ecosystem operating one of the longest-running phishing campaigns targeting K12 schools. We uncovered a sophisticated phishing campaign abusing Azure Blob Storage infrastructure to impersonate Microsoft services. Through analysis of 480 incidents and 26 authentic HTML samples, we identified a multi-tier threat actor employing advanced behavioral tracking and operating distributed phone scam networks.

Figure_1_Campaign_Timeline_Visualization

Key Findings

Campaign Scale: 480 total incidents spanning 578 days

Azure infrastructure abuse: Systematic exploitation of *.web.core.windows[.]net domains

Recent Activity: August 2025 with coordinated LuckyOrange training deployment

Multi-Tier Threat Actor Attribution

Figure_2_Threat_Actor_Hierarchy

Primary Threat Actor (Advanced Tracking Group)

LuckyOrange Site ID: 45acXXXX (11 incidents)
Google Analytics: G-RRSK58XXXX
Primary phone: +1-844-XXX-2514 (36 instances)
Victim geolocation: ipwho.is API Integration
Backup call center: +1-888-XXX-8848

Secondary Operations (866 Prefix Group)

Primary phone: +1-866-XXX-4179 (21 instances)
Secondary phone: +1-866-XXX-4640 (14 instances)
Basic Google Analytics tracking
Volume-based phone scam operations

Affiliate Network

Six (6+) distributed call centers using 855, 844, 877, 833 prefixes
Shared template infrastructure (tapa.css, fluctuate animations)
Coordinated deployment patterns

Technical Analysis

Behavioral Tracking Infrastructure

The primary threat actor employs a sophisticated victim tracking:

Figure_3_LuckyOrange_Site_ID

Template Sharing Analysis

Figure_4_Side-by-side_comparison_CSS

14 samples: Use identical CSS template (tapa.css)
11 samples: Implement fluctuate animation keyframes
16 samples: Utilize jQuery framework

Phone Scam Operations

Figure_5_Phone_Number_Distribution

Primary Tier: +1-844-XXX-2514 (36 instances)
Secondary Tier: +1-866-XXX-4179 (21 instances)
Affiliates: 6+ additional numbers

Conclusion

The investigation revealed a sophisticated threat actor ecosystem operating one of the longest-running phishing campaigns against K12 schools. The multi-tier attribution model creates actionable intelligence for threat hunting and defensive operations. The length of the campaign and advanced tracking infrastructure indicate a well-resourced, persistent threat actor likely generating significant revenue through phone scam monetization.

Want to ensure your school system can stay ahead of increasingly sophisticated phishing attacks? Learn more about how your district can benefit from PhishID!

Aug 27, 2025

Unmasking a Sophisticated Phishing Campaign against K12 Schools

Key Findings

Multi-Tier Threat Actor Attribution

Primary Threat Actor (Advanced Tracking Group)

Secondary Operations (866 Prefix Group)

Affiliate Network

Technical Analysis

Behavioral Tracking Infrastructure

Template Sharing Analysis

Phone Scam Operations

Conclusion

Related Content

US Public School Districts Targeted: MFA Spear Phishing Campaigns On The Rise

Phishing Attack on K-12 Schools: How it Worked and How to Stay Safe

6 Ways K12 Student Accounts Pose A Growing Cybersecurity Risk—And How to Stop It With PhishID

Case Study: The Benefits of PhishID