Identity Automation Blog

Unmasking a Sophisticated Phishing Campaign against K12 Schools

Written by Identity Automation | Aug 27, 2025 4:34:25 PM

A deep-dive investigation into a multi-tier threat actor ecosystem operating one of the longest-running phishing campaigns targeting K12 schools. We uncovered a sophisticated phishing campaign abusing Azure Blob Storage infrastructure to impersonate Microsoft services. Through analysis of 480 incidents and 26 authentic HTML samples, we identified a multi-tier threat actor employing advanced behavioral tracking and operating distributed phone scam networks.

Key Findings

Campaign Scale: 480 total incidents spanning 578 days

Azure infrastructure abuse: Systematic exploitation of *.web.core.windows[.]net domains

Recent Activity: August 2025 with coordinated LuckyOrange tracking deployment

Multi-Tier Threat Actor Attribution

Primary Threat Actor (Advanced Tracking Group)

  • LuckyOrange Site ID: 45acXXXX (11 incidents)
  • Google Analytics: G-RRSK58XXXX
  • Primary phone: +1-844-XXX-2514 (36 instances)
  • Victim geolocation: ipwho.is API Integration
  • Backup call center: +1-888-XXX-8848

Secondary Operations (866 Prefix Group)

  • Primary phone: +1-866-XXX-4179 (21 instances)
  • Secondary phone: +1-866-XXX-4640 (14 instances)
  • Basic Google Analytics tracking
  • Volume-based phone scam operations

Affiliate Network

  • At least six (6+) distributed call centers using 855, 844, 877, 833 prefixes
  • Shared template infrastructure (tapa.css, fluctuate animations)
  • Coordinated deployment patterns

Technical Analysis

Behavioral Tracking Infrastructure

The primary threat actor layers several victim-tracking services onto its lure pages: LuckyOrange session recording, Google Analytics, and ipwho.is geolocation lookups.

Template Sharing Analysis

  • 14 samples: Use identical CSS template (tapa.css)
  • 11 samples: Implement fluctuate animation keyframes
  • 16 samples: Utilize jQuery framework

Phone Scam Operations

  • Primary Tier: +1-844-XXX-2514 (36 instances)
  • Secondary Tier: +1-866-XXX-4179 (21 instances)
  • Affiliates: 6+ additional numbers
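The tracking, template-sharing and phone-number indicators listed above lend themselves to automated triage of captured lure pages. The following is an added example written for this post, not code from Identity Automation or from the PhishID product: it extracts those indicators from HTML samples and groups the samples into the tiers described here. The three HTML samples are constructed for the example (the masked LuckyOrange site ID and Google Analytics ID are used exactly as the post prints them, the phone numbers use the fictional 555 exchange, and the Azure hostname is a placeholder); the `site-id` query parameter on the LuckyOrange loader is an assumption about that script's URL format, and the tier heuristic simply mirrors the grouping in this post.

```python
"""Indicator extraction and tier clustering over phishing-page HTML samples."""
import re
from collections import Counter
from typing import Dict

# Indicator patterns taken from the write-up (the defanged *.web.core.windows[.]net
# hostname is matched in its live form here).
AZURE_STATIC_HOST = re.compile(r"https?://([a-z0-9.-]+\.web\.core\.windows\.net)", re.I)
# ASSUMPTION: the LuckyOrange loader carries the site ID in a "site-id" parameter.
LUCKYORANGE_SITE = re.compile(r"luckyorange\.com[^\"'\s]*?site-id=([0-9a-z]+)", re.I)
GA_MEASUREMENT_ID = re.compile(r"\bG-[A-Z0-9]{6,12}\b")
IPWHO_GEOLOCATION = re.compile(r"https?://ipwho\.is", re.I)
TAPA_CSS = re.compile(r"tapa\.css", re.I)
FLUCTUATE_KEYFRAMES = re.compile(r"@keyframes\s+fluctuate\b", re.I)
JQUERY = re.compile(r"jquery[\w.-]*\.js", re.I)
# North American toll-free numbers (800/833/844/855/866/877/888) in common formats.
TOLL_FREE = re.compile(
    r"(?<!\d)(?:\+?1[-.\s]?)?\(?(8(?:00|33|44|55|66|77|88))\)?[-.\s]?(\d{3})[-.\s]?(\d{4})(?!\d)"
)

# Constructed samples: masked IDs copied from the post, 555 phone exchange, placeholder host.
SAMPLES: Dict[str, str] = {
    "sample_a.html": """<html><head>
<link rel="stylesheet" href="https://example-lure.web.core.windows.net/tapa.css">
<style>@keyframes fluctuate { 0% {opacity:1} 50% {opacity:.6} 100% {opacity:1} }</style>
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script async src="https://tools.luckyorange.com/core/lo.js?site-id=45acXXXX"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-RRSK58XXXX"></script>
</head><body>
<script>fetch("https://ipwho.is/").then(r => r.json()).then(g => console.log(g.country));</script>
<p>Your Microsoft account is locked. Call support now: +1-844-555-2514</p>
</body></html>""",
    "sample_b.html": """<html><head><link rel="stylesheet" href="./tapa.css">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE0000"></script>
</head><body><p>Security alert. Contact the helpdesk at 1-866-555-4179.</p></body></html>""",
    "sample_c.html": """<html><head><link rel="stylesheet" href="tapa.css">
<style>@keyframes fluctuate {from{transform:scale(1)} to{transform:scale(1.05)}}</style>
</head><body><p>Support line: (855) 555-0100</p></body></html>""",
}


def extract_indicators(html: str) -> Dict[str, object]:
    """Pull hosting, tracking, template and phone indicators out of one HTML sample."""
    lo = LUCKYORANGE_SITE.search(html)
    return {
        "azure_hosts": sorted({h.lower() for h in AZURE_STATIC_HOST.findall(html)}),
        "luckyorange_site_id": lo.group(1).lower() if lo else None,
        "ga_ids": sorted(set(GA_MEASUREMENT_ID.findall(html))),
        "ipwho_geolocation": bool(IPWHO_GEOLOCATION.search(html)),
        "tapa_css": bool(TAPA_CSS.search(html)),
        "fluctuate": bool(FLUCTUATE_KEYFRAMES.search(html)),
        "jquery": bool(JQUERY.search(html)),
        # Normalised to NPA-NXX-XXXX so the same number counts once across formats.
        "phones": sorted({"-".join(g) for g in TOLL_FREE.findall(html)}),
    }


def classify_tier(ind: Dict[str, object]) -> str:
    """Mirror the post's grouping: behavioural tracking marks the primary actor,
    an 866 number the secondary group, any other toll-free number an affiliate."""
    prefixes = {p.split("-")[0] for p in ind["phones"]}
    if ind["luckyorange_site_id"] or ind["ipwho_geolocation"]:
        return "primary"
    if "866" in prefixes:
        return "secondary"
    if prefixes:
        return "affiliate"
    return "unattributed"


def cluster_samples(samples: Dict[str, str]) -> Dict[str, object]:
    """Per-sample tiers plus the template-feature and phone-number tallies
    that the post reports for its corpus."""
    per_sample = {name: extract_indicators(html) for name, html in samples.items()}
    template: Counter = Counter()
    phones: Counter = Counter()
    for ind in per_sample.values():
        template.update(f for f in ("tapa_css", "fluctuate", "jquery") if ind[f])
        phones.update(ind["phones"])
    return {
        "tiers": {name: classify_tier(ind) for name, ind in per_sample.items()},
        "template_features": dict(template),
        "phones": dict(phones),
    }


if __name__ == "__main__":
    for key, value in cluster_samples(SAMPLES).items():
        print(f"{key}: {value}")
```

Shared `tapa.css` and the `fluctuate` keyframes are weak signals on their own (any kit that copies the template inherits them); the phone number and the LuckyOrange/ipwho.is combination are what actually separate the tiers, which is why the heuristic checks the tracking indicators before the number prefix.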

Conclusion

The investigation revealed a sophisticated threat actor ecosystem operating one of the longest-running phishing campaigns against K12 schools. The multi-tier attribution model creates actionable intelligence for threat hunting and defensive operations. The length of the campaign and advanced tracking infrastructure indicate a well-resourced, persistent threat actor likely generating significant revenue through phone scam monetization.

Want to ensure your school system can stay ahead of increasingly sophisticated phishing attacks? Learn more about how your district can benefit from PhishID!