Phish Wire - June 10 2025
- Updated on 10 Jun 2025
At the end of May and during the first week of June 2025, there was a significant increase in zero-day phishing campaigns aimed at stealing school login credentials. Most of these attacks targeted Microsoft 365 (Outlook) accounts, while some campaigns impersonated Amazon and even U.S. government login services such as ID.me for the IRS. The threat actors used advanced evasion techniques, including multi-layer code encryption, clipboard hijacking, and spoofing of Microsoft's own telemetry tooling. These tactics allowed many credential harvesters to bypass traditional security filters. The domains observed in these campaigns are listed below, followed by examples and highlights.
py3zy[.]rzcpsgsgtl[.]ru
4qedv[.]nubelith[.]es
manageapps[.]rkv[.]yeo[.]mybluehost[.]me
alcornic[.]com
bayviewsbuildermd[.]com
y2h1ux[.]de
oug1e[.]dzdyf[.]es
managesecure[.]log-in[.]information-reactivate-statement[.]prime[.]vmr[.]jtu[.]mybluehost[.]me
live[.]messages[.]landscapeeconomics[.]com
dinerpro[.]info
Education Account Credential Phishing
On May 27th, a Texas user clicked the Microsoft spearphish below.
The attacker employed a layered decryption chain to obscure the phishing content from static analysis. On June 2, another user from Texas fell for the phishing attack below, which was hosted on a domain likely generated by the same algorithm.
Like the May 27th page, it used multiple layers of decryption and also employed clipboard hijacking to complicate analysis. Two users in Texas clicked it on the same day.
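The two Texas pages above are described as wrapping the harvester in several layers of decoding, with clipboard hijacking hidden underneath. The following is an added analysis helper, not code from the bulletin or from the phishing kits it describes: it builds a constructed sample page whose clipboard-tampering JavaScript is wrapped in two eval(atob(...)) layers, then peels the layers so that a plain string scan, which finds nothing in the outer HTML, does find the markers in the innermost layer. The marker list and the sample payload are assumptions for illustration.

```python
import base64
import binascii
import re

# Constructed sample (not a real kit): the harvester logic is wrapped in two
# eval(atob(...)) layers so that the outer HTML carries no readable markers.
_INNER_PAYLOAD = (
    'document.addEventListener("copy", function (e) {'
    ' e.clipboardData.setData("text/plain", "https://lure.example.invalid/login");'
    ' e.preventDefault(); });'
    ' navigator.clipboard.writeText("paste-me");'
)


def _wrap(js: str) -> str:
    """Wrap JavaScript in one eval(atob(...)) layer (used only to build the sample)."""
    return 'eval(atob("' + base64.b64encode(js.encode()).decode() + '"))'


SAMPLE_HTML = (
    "<html><body><script>" + _wrap(_wrap(_INNER_PAYLOAD)) + "</script></body></html>"
)

# A base64 literal passed to atob(); the alphabet restriction keeps junk out.
ATOB_RE = re.compile(r'atob\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')

# Strings that indicate copy/paste tampering (assumed marker list, not exhaustive).
CLIPBOARD_MARKERS = (
    "navigator.clipboard.writeText",
    "clipboardData.setData",
    'addEventListener("copy"',
    'execCommand("copy")',
)


def peel_layers(text: str, max_depth: int = 10) -> list:
    """Return [text, layer1, layer2, ...]: at each depth decode the first atob("...")
    literal found, stopping when none is left, decoding fails, or max_depth is hit."""
    layers = [text]
    current = text
    for _ in range(max_depth):
        m = ATOB_RE.search(current)
        if not m:
            break
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            break  # not really base64 (e.g. bad padding): stop rather than guess
        layers.append(decoded)
        current = decoded
    return layers


def clipboard_hijack_indicators(text: str) -> list:
    """Clipboard-tampering markers present in plain text, in CLIPBOARD_MARKERS order."""
    return [m for m in CLIPBOARD_MARKERS if m in text]


def analyze(html: str) -> dict:
    """Peel every layer and collect the markers found in any of them."""
    layers = peel_layers(html)
    found = []
    for layer in layers:
        for m in clipboard_hijack_indicators(layer):
            if m not in found:
                found.append(m)
    return {"depth": len(layers) - 1, "indicators": found}


if __name__ == "__main__":
    print("outer HTML only:", clipboard_hijack_indicators(SAMPLE_HTML))
    print("after peeling:  ", analyze(SAMPLE_HTML))
```

Real kits vary the wrapper (String.fromCharCode arrays, XOR with a key in the page, unescape), so the regex above is the part to extend; the peel-until-nothing-decodes loop and the scan of every layer, not just the outermost, are the parts that carry over.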
On June 2nd, a Kentucky user clicked the spearphish below that perfectly mimicked Microsoft’s OAuth flow in the URL.
The HTML contains extensive Microsoft-branded metadata that buries the core phishing logic. Four different users clicked this attack on June 2nd and 3rd, across several educational organizations in Kentucky.
The same day, three additional Kentucky users clicked the spearphish below, which included the spoofing of Microsoft’s internal telemetry reporting tool (Watson).
On June 4th, a user in Washington clicked a Microsoft spearphish hosted on a compromised, otherwise legitimate domain; because the domain itself had no bad history, reputation-based tools had difficulty detecting it.
The full URL mimics Microsoft’s OAuth 2.0 structure. The phishing attack also utilizes device fingerprinting for future targeting.
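Two of the pages above are noted for URLs that copy the shape of Microsoft's OAuth 2.0 authorize endpoint. The following is an added check, not code from the bulletin: it parses a URL, tests whether the path and query have that authorize shape, and flags it when the host is not one of Microsoft's login hosts. The sample URLs are constructed (the .invalid hostnames are placeholders, not indicators from this report) and the Microsoft host allow-list is a short illustrative one. It also handles the user@host trick, where a Microsoft hostname is placed in the userinfo part of the URL in front of the real host.

```python
from urllib.parse import urlsplit, parse_qs

# Hosts that legitimately serve Microsoft's OAuth 2.0 authorize endpoint
# (short allow-list for illustration, not exhaustive).
MS_AUTH_HOSTS = (
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
    "login.windows.net",
)

# Constructed sample URLs; the .invalid hostnames are placeholders, not real IOCs.
SAMPLE_URLS = {
    "legit": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
             "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
             "&redirect_uri=https%3A%2F%2Foutlook.office.com%2F&scope=openid",
    "lookalike": "https://secure-msauth.example.invalid/common/oauth2/v2.0/authorize"
                 "?client_id=00000000-0000-0000-0000-000000000000&response_type=code",
    # Microsoft hostname in the userinfo part; the browser connects to the host after '@'.
    "userinfo_trick": "https://login.microsoftonline.com@secure-msauth.example.invalid"
                      "/common/oauth2/v2.0/authorize?client_id=x&response_type=code",
    "other": "https://secure-msauth.example.invalid/index.html",
}


def host_is_microsoft_auth(host) -> bool:
    """True when host is one of MS_AUTH_HOSTS or a subdomain of one (suffix match on a
    label boundary, so 'login.microsoftonline.com.evil.invalid' does not pass)."""
    host = (host or "").lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in MS_AUTH_HOSTS)


def has_oauth_authorize_shape(path: str, query: str) -> bool:
    """Path ends in /oauth2/.../authorize and the query carries client_id and response_type."""
    p = path.lower().rstrip("/")
    qs = parse_qs(query)
    return "/oauth2/" in p and p.endswith("/authorize") and "client_id" in qs and "response_type" in qs


def classify(url: str) -> dict:
    parts = urlsplit(url)
    host = parts.hostname  # for a "user@host" netloc this is the part after the '@'
    oauth = has_oauth_authorize_shape(parts.path, parts.query)
    ms = host_is_microsoft_auth(host)
    if oauth and not ms:
        verdict = "oauth-lookalike"
    elif oauth:
        verdict = "microsoft-oauth"
    else:
        verdict = "other"
    return {"host": host, "oauth_shape": oauth, "microsoft_host": ms, "verdict": verdict}


if __name__ == "__main__":
    for name, url in SAMPLE_URLS.items():
        print(f"{name:15s} {classify(url)}")
```

The check is deliberately host-based: the path and parameters are exactly what the attacker copies, so they carry no signal on their own; only the mismatch between an OAuth-shaped URL and a non-Microsoft host does.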
ID.me / IRS Account Phish
On June 4th, a Kentucky user clicked a phishing page impersonating an ID.me government login for IRS verification.
Similar phishing attacks reported by Abnormal (https://intelligence.abnormal.ai/attack-library/threat-actors-impersonate-irs-and-id-me-in-sophisticated-phishing-attempt) are delivered via emails prompting users to "verify now" to avoid losing access to IRS services. The attack requests not only ID.me credentials but also additional personal data, including Social Security Number and date of birth, and even IRS-specific identifiers such as CAF and PTIN numbers. Had the attack succeeded, the attacker could commit identity theft, file fraudulent tax returns, or use the stolen data in broader attacks, including MFA bypass.
Amazon and Multi-Brand Phishing
The same period saw an uptick in Amazon phishing targeting users' personal accounts on work devices, hosted on the same mybluehost[.]me domain noted in earlier reports. Below are two examples that users in Ohio and Kentucky clicked.
The full URL in the last example includes keywords such as "reactivate" and "Prime," strongly suggesting a scam related to Amazon Prime membership—likely a fake alert indicating that a Prime account has been suspended or requires updating.
On May 31st, a Kentucky user opened a multi-brand phishing attack via an Adobe fileshare.
This attack targeted numerous credential types and included an MFA phishing stage after password credentials were harvested.
Mitigations
Block the specified domains on corporate firewalls and endpoint security solutions.
Educate users about phishing risks in file-sharing applications outside email, such as Adobe.
Remind users of the phishing risk to personal accounts they access from corporate devices.
Enforce multi-factor authentication (MFA) on all corporate logins to reduce the risk of credential compromise.
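The first mitigation is to block the domains listed at the top of this bulletin. As an added helper (not part of the bulletin), the script below refangs that list exactly as printed, validates each entry as a domain name, and emits it in two common blocking formats: hosts-file sinkhole lines and BIND/Unbound Response Policy Zone (RPZ) records that NXDOMAIN the name and its subdomains. Two of the indicators are deep subdomains of mybluehost[.]me, which the bulletin describes as a hosting domain shared with earlier campaigns; the script therefore blocks the listed names and anything beneath them, and deliberately does not widen the block to that parent, which would also cut off whatever legitimate sites it hosts. The output formats are assumptions about the reader's resolver; adapt them to the firewall or DNS product in use.

```python
import re

# The defanged indicators listed in this bulletin, pasted verbatim.
DEFANGED_IOCS = """
py3zy[.]rzcpsgsgtl[.]ru
4qedv[.]nubelith[.]es
manageapps[.]rkv[.]yeo[.]mybluehost[.]me
alcornic[.]com
bayviewsbuildermd[.]com
y2h1ux[.]de
oug1e[.]dzdyf[.]es
managesecure[.]log-in[.]information-reactivate-statement[.]prime[.]vmr[.]jtu[.]mybluehost[.]me
live.messages[.]landscapeeconomics[.]com
dinerpro[.]info
"""

# Labels of 1-63 chars, no leading/trailing hyphen, alphabetic TLD.
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Undo common defanging ([.], (.), {.}) and normalise case; leaves other text alone."""
    s = indicator.strip().lower().rstrip(".")
    return s.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")


def parse_iocs(text: str) -> list:
    """Refang each non-empty line, keep only syntactically valid domains, drop duplicates."""
    seen, out = set(), []
    for line in text.splitlines():
        d = refang(line)
        if not d or not DOMAIN_RE.match(d) or d in seen:
            continue
        seen.add(d)
        out.append(d)
    return out


def to_hosts(domains: list) -> list:
    """hosts-file style sinkhole lines (exact names only: hosts files have no wildcards)."""
    return [f"0.0.0.0 {d}" for d in domains]


def to_rpz(domains: list) -> list:
    """RPZ records: 'name CNAME .' returns NXDOMAIN; the '*.' record covers subdomains."""
    lines = []
    for d in domains:
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return lines


IOC_DOMAINS = parse_iocs(DEFANGED_IOCS)

if __name__ == "__main__":
    print("; hosts format")
    print("\n".join(to_hosts(IOC_DOMAINS)))
    print("; RPZ format")
    print("\n".join(to_rpz(IOC_DOMAINS)))
```

Because the wildcard RPZ record only matches names below the listed one, the two mybluehost[.]me entries block their own subtrees without touching sibling sites on that hosting domain; if you do need to block a shared-hosting parent wholesale, that is a separate, riskier decision.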