Phish Wire - March 18 2025

The past two weeks saw a record surge in zero-day spearphish targeting credentials from Microsoft and Outlook and personal e-commerce, streaming, and financial platforms like Amazon, Chase Bank, USAA, Paypal, and Netflix. Attackers employed sophisticated tactics, including delivering phishing links through file shares and leveraging legitimate cloud hosting services like Backblaze. Consequently, the majority of cases remained entirely undetected by vendors on VirusTotal. Below are key highlights and examples of recent phishing activity.

• lol[.]helivaroth[.]ru

• live[.]microsoftreviews[.]org

• cms-veps[.]com

• share1nvite[.]es

• authentication-logsid[.]jotacicli[.]com[.]br

• beddube[.]s3[.]us-east-005[.]backblazeb2[.]com

• r-0lm5-ld-k99z[.]com/chs/

• chicagoiron[.]com/USAA/login[.]html

• secureverisec[.]com

• prime-siginapps[.]ecsauthsgonl[.]website

• resolve-reportbillingnetflix-verificationcenter[.]cricketshoe[.]com

• office[.]brasbaitss[.]store

• v2k5c45hh7c[.]prenniumofs[.]com

• i9sro5j6psl[.]prenniumofs[.]com

• moreton[.]insurance42[.]site

• canvas[.]cloudquell[.]de

• websyncs[.]live/services[.]html

Microsoft and Outlook Credentials

A Microsoft credential harvester hosted on Backblaze infrastructure was clicked by a staff member at a Texas organization in early March, which was 100% undetected by VirusTotal vendors.

This credential harvester leveraged the reputation of a trusted cloud storage provider to remain undetected during this phishing attack. Earlier that week at the same organization, another staff member clicked the Outlook credential harvester in a document share application.

Another spearphish was clicked by three staff members at a Kentucky organization on Dec 9th.

Examples like this are difficult to detect with traditional security architecture because they are delivered and clicked outside the scope of corporate email protection. Overall, the period saw a record surge in clicks of zero-day credential harvesters targeting Microsoft credentials by users in Texas, Kentucky, Florida, Washington, and Idaho.

On March 12th, multiple users at a Washington organization clicked on phishing links hosted by the domain prenniumofs[.]com. Other Microsoft credential harvesters clicked during the same period were hosted on Russian infrastructure.

Financial Services Phishing

This period saw a record surge in zero-day phishing targeting financial services accounts like Chase, Paypal, and USAA.

Since these phishing links were delivered through personal email, they are outside the scope of corporate email protection. The PayPal phishing case includes several malicious scripts, a “vishing” component, and an attached error message: “Your account has been blocked due to some suspicious login attempts.” Cases like this scare recipients into taking action by claiming their accounts are threatened.

E-Commerce and Streaming Phishing

The same period saw a steady stream of Amazon and Netflix phishing targeting users in Florida and Kentucky.

Mitigations

• Block the specified domains on corporate firewalls and endpoint security solutions.

• Remind users of phishing risks for personal accounts they access, even if they are on district devices.

• Educate users to find the valid support number for their financial service institution via Google and not to call the number provided on an unverified site.

• Enforce multi-factor authentication (MFA) on all district logins to reduce the risk of credential compromise.