Phish Wire - November 11 2025


Between October 25, 2025, and November 06, 2025, analysts identified a sustained phishing campaign built around Microsoft authentication impersonation, with threat actors employing evasion techniques including extensive CSS class name obfuscation, hidden span elements that dilute page text with junk tokens and filler content, and base64-encoded exfiltration endpoints.

The campaign showed notable technical depth: multi-stage credential harvesting that relays one-time codes while they are still valid (which defeats SMS and authenticator-app MFA, though not phishing-resistant FIDO2 credentials), WebAuthn/FIDO2 prompt simulation, and comprehensive OAuth2 parameter replication targeting Microsoft, Adobe, and banking services. Threat actors leveraged diverse infrastructure, including compromised legitimate domains, Azure Blob Storage, IPFS decentralized hosting, and suspicious domains with hexadecimal subdomain patterns, while implementing anti-analysis measures such as clipboard hijacking, cursor manipulation, and dynamic JavaScript obfuscation.

The incidents also revealed an emerging trend toward hybrid social engineering, combining traditional credential theft with tech support scams that use audio alerts and fake security warnings to push victims into calling a phone number, rather than relying solely on automated harvesting. Taken together, the campaign represents a significant escalation in phishing kit sophistication, with threat actors demonstrating advanced capabilities in authentication bypass, infrastructure diversification, and multi-vector attack methodologies that pose elevated risks to organizations using Microsoft 365 and cloud-based authentication.

  • 05b6a43eadf94b1f88776d362a234f8a[.]mukyza[.]biz/?ey7Kr=3HTbmC&L4DhLPy=ff...

  • eborkuhwenoopdsawefcvbhytgnjaszcvbnm[.]net/kimj/caswed/paperlesscountdown/ (2 variants)

  • invincibly[.]com/bma/subbma/?srthw456y4=5134f28a-a87f-48c5-b233-f244104d... (2 variants)

  • winixconstruct[.]store/Economical/constructive/project093/qwzRFmaHreknLc...

  • arcadiasedge[.]site/circuitnova/qwI0zeDn3pvxLW9EA6hgEaDjeNzyKfAjiLeX#Gma...

  • ipfs[.]io/ipfs/bafkreihktulfjzft6zv5hwcb6hlfxdviscj7ztbcqeszplewelamqrkp...

  • 415valthrenor[.]site/1/?azzth=175b614e843a847532&uclick=h93z6j&uclickhas...

  • flladv[.]com[.]br/imagens/

  • uuuussssaaa10301025[.]blob[.]core[.]windows[.]net/connect/index[.]html

  • employeeservice[.]online/password[.]php (4 variants)

  • uptime[.]jodrusou[.]sa[.]com/ukfxo1c2g8?b98554e33ed7493-c38cb4045a9974b6...

  • tulanewelcoing[.]de/PHASE/AcrobatN/

On November 05, 2025, an employee at a Washington organization clicked the phishing page below.

This phishing page captures credentials via form submissions to multiple malicious endpoints hosted on the "mukyza.biz" domain, specifically targeting Microsoft authentication flows via POST requests to URLs such as "https://05b6a43eadf94b1f88776d362a234f8a.mukyza[.]biz/common/login" and related OAuth2 endpoints. The attack shows moderate sophistication through comprehensive mimicry of the Microsoft login interface, including extensive JavaScript configuration that replicates legitimate Azure AD/Microsoft 365 authentication parameters, FIDO2/passkey support simulation, and multi-factor authentication collection with SMS country code data and authenticator app integration.

The infrastructure uses a suspicious domain with hexadecimal-pattern subdomains and implements multiple fallback mechanisms, desktop SSO probing, and session state management to closely mirror the authentic Microsoft authentication experience. The page includes WebAuthn/FIDO challenge generation, OAuth state parameters, and comprehensive error handling, indicating it is likely part of a phishing kit designed to collect both passwords and MFA codes in real time. One caveat for defenders: the passkey prompt can only be cosmetic, because a WebAuthn assertion is bound to the origin that requested it and the kit's domain cannot produce one that Microsoft would accept, so a kit like this has to steer passkey users back to a password or OTP path; that forced fallback is itself a detection opportunity.

On November 05, 2025, an employee at a Minnesota organization clicked the phishing page below.

This phishing kit uses a multi-stage credential-harvesting flow that first submits the username and password via a form POST to "processmail.php" and then collects the one-time code via "process.php". Relaying the code while it is still valid lets the operator complete the real login, which defeats SMS and authenticator-app MFA (though not phishing-resistant FIDO2 credentials). The lure impersonates a "greenvelope" e-invitation branded as Adobe while targeting multiple email providers (Outlook, Office 365, Yahoo, AOL) through branded authentication buttons, uses a deliberate "incorrect password" error on the first submission to appear authentic, and shows a 5-minute countdown timer with loading animations during the OTP phase to simulate a legitimate 2FA step.

The kit is hosted on a suspicious domain with a randomized name (eborkuhwenoopdsawefcvbhytgnjaszcvbnm.net) and demonstrates moderate sophistication through its staged authentication flow, provider-specific branding, and realistic error handling. Notable elements include the use of legitimate CDN resources (Bootstrap, FontAwesome, jQuery) for credibility and third-party tracking/analytics code injected into the page, suggesting this may be part of a larger phishing-as-a-service operation.


Additional variants of this kit were also clicked:

  • eborkuhwenoopdsawefcvbhytgnjaszcvbnm[.]net/uytr/swpm/paperlesscountdown/

On November 03, 2025, an employee at an Illinois organization clicked the phishing page below.

This phishing page uses a standard HTML form-based credential-capture mechanism targeting what appears to be a Canadian bank (indicated by "BMA" in the URL path and CDIC member references), though the actual form submission endpoint is not visible in the provided HTML snippet.

The page demonstrates moderate sophistication through several notable TTPs: it uses a tracking parameter in the URL ("srthw456y4=5134f28a-a87f-48c5-b233-f244104dde255134f28a-a87f-48c5-b233-f244104dde25") that contains what appears to be a duplicated UUID for session tracking or victim identification, implements social engineering through detailed visual mimicry including authentic-looking security messaging ("Your security always comes first"), and includes French language support ("FR" in header) to target French-Canadian banking customers.

The page is hosted on a compromised or abused legitimate domain (invincibly.com) rather than a lookalike banking domain. It includes external JavaScript ("assets/js/app.js"), which likely contains the actual credential exfiltration logic not visible in this HTML fragment. The sophistication level is moderate due to the professional visual design, multi-language support, and session tracking capabilities. However, without seeing the JavaScript payload, the full technical implementation of credential theft remains unclear.

On November 03, 2025, an employee at a Georgia organization clicked the phishing page below.

This phishing page uses a standard HTML form submission method for credential capture, though the specific POST endpoint is not visible in the provided HTML fragment. The page employs several notable evasion techniques, including extensive text obfuscation using hidden spans with the class "ZdkXm" that insert "ASVPdM" strings throughout legitimate text to break up readable content, hidden motivational quotes scattered throughout the HTML to dilute suspicious keywords, and what appears to be Microsoft login page impersonation with authentic-looking styling and branding elements, including a base64-encoded logo.

The infrastructure appears to be a suspicious domain, "winixconstruct.store," with an extremely long URL carrying multiple obfuscated parameters, and the page loads the CryptoJS library, which in kits of this type is typically used to encrypt the submitted credentials client-side so that the POST body carries no plaintext strings a proxy could match. The sophistication level is moderate: multiple layers of text obfuscation and visual mimicry of Microsoft's authentication flow, but relatively basic form-based credential collection rather than adversary-in-the-middle reverse proxying that relays a live session.

On November 03, 2025, an employee at a Florida organization clicked the phishing page below.

This phishing page uses a basic HTML form that would POST credentials to a server endpoint (the submission URL does not appear in plaintext in the provided HTML fragment), impersonating Microsoft's login interface with convincing visual mimicry, including authentic-looking CSS styling, proper Microsoft branding, and realistic form elements for email and password capture. The page employs several notable evasion techniques: extensive CSS class name obfuscation (randomly generated IDs such as "QPjtmBZw" and "nJJTdHDS"), hidden span elements with the class "GG7743n" that inject junk tokens into the DOM text so that copied text and text-based scanners see broken strings while the rendered page looks clean, and a base64-encoded value in the qHDmV8n hidden input ("aHR0cHM6Ly9tYWNyby5pcG9saWNlc3VwcGx5LmNvbS8=", which decodes to the URL hxxps://macro[.]ipolicesupply[.]com/ and is plausibly the submission endpoint the page's script reads at runtime).

The sophistication level is moderate to advanced given the anti-analysis measures and the pre-filled victim email address in the URL fragment (redacted@emailaddress.org), which indicates a targeted message with personalized elements. The page includes realistic Microsoft UI elements, loading animations, and "remember me" functionality to appear legitimate, while the hidden motivational quotes scattered through the HTML inflate the page and dilute the ratio of suspicious keywords, a technique aimed at content-based detection.

On November 01, 2025, an employee at a Texas organization clicked the phishing page below.

The HTML captured for this page is incomplete and contains only CSS styling, with no visible forms, JavaScript, or credential-capture mechanism. The page uses the title "Sign in to your account" and Microsoft's Segoe UI font family with styling that mimics Microsoft's design language, indicating brand impersonation of Microsoft services.

The page is hosted on IPFS (InterPlanetary File System) via the ipfs.io gateway, a legitimate decentralized storage network abused here for hosting, and includes an email parameter (redacted@emailaddress.com) in the URL fragment for personalization. Without the form elements, JavaScript, or submission mechanism, the credential-capture method cannot be determined from the capture; the Microsoft-mimicking design and IPFS hosting indicate basic to moderate sophistication for initial victim deception. The incomplete HTML suggests the page loads its content dynamically, or that the capture components were not present in the sample. Note that IPFS content is addressed by its content identifier and can be served from any public gateway, so blocking ipfs.io alone does not remove the page; block or monitor the CID across gateways.

On October 30, 2025, an employee at a Minnesota organization clicked the phishing page below.

This page is a fake Windows security warning (tech support scam) that uses audio alerts, cursor hiding (style="cursor:none"), and multiple overlapping popup dialogs to create urgency and make the page hard to close. It does not contain any credential capture forms or JavaScript exfiltration code; instead it relies on social engineering to get the victim to call the prominently displayed phone number "+1 (877) 674-3260".

The page uses polished presentation techniques, including real-time IP geolocation display via the apiip.net API, auto-playing warning sounds, animated scanning progress bars, and fake threat counts (showing "1,200 identified threats") to create authenticity and urgency. Notable evasion techniques include attempting to block navigation with onbeforeunload="return myFunction()", layered fake security dialogs that reappear when clicked, and an embedded legitimate Tawk.to chat widget for credibility. These controls only nag: current browsers show a generic beforeunload prompt (and only after the user has interacted with the page) and block unmuted autoplay without a user gesture, so the tab can always be closed; the pressure is psychological rather than technical. The sophistication level is moderate: it lacks credential-harvesting mechanisms but demonstrates strong social engineering, including realistic Windows Defender interface mimicry, dynamic content loading, and multiple psychological pressure techniques designed to push victims into initiating contact rather than stealing credentials directly.

On October 30, 2025, an employee at a Florida organization clicked the phishing page below.

This phishing page is a Microsoft login impersonation that captures credentials through form submission to a base64-encoded endpoint (aHR0cHM6Ly9ub3ZyYWUubXl0aXMucnUvODE5MDczMDgzMC5waHA, which decodes to hxxps://novrae[.]mytis[.]ru/8190730830[.]php), indicating credential exfiltration to a .ru domain. The page implements several evasion techniques: the junk token cvwf41j1 inserted into the UI text inside hidden spans (so text-based scanners see broken strings while the rendered page reads normally), hidden spans containing health-related filler to dilute keyword analysis, and close visual mimicry of Microsoft's authentication interface using legitimate Microsoft CDN resources and authentic styling.

The site shows moderate to advanced sophistication through its multi-layered obfuscation, faithful replication of Microsoft branding with the proper fonts and color scheme, and the use of what appears to be a compromised Brazilian law firm domain (flladv.com[.]br) for hosting. Most notably, the hidden health-topic spam content and the systematic insertion of random strings into legitimate UI text suggest an attempt to evade both automated security tools and manual analysis while keeping the page visually convincing to victims.

On October 30, 2025, an employee at a Minnesota organization clicked the phishing page below.

This phishing page does not contain any visible credential capture mechanisms in the provided HTML - there are login forms present, but no form action URLs or JavaScript functions that would actually exfiltrate the entered credentials, suggesting the capture logic may be in the numerous obfuscated external JavaScript files (nde1gUNmGz1X.js, WndfuWIhduGjd.html, etc.).

The page employs sophisticated social engineering tactics including fake Windows Defender security alerts with urgency language ("CRITICAL ALERT", "IMMEDIATE ACTION REQUIRED"), impersonates Microsoft branding throughout, displays a fake IP address (45.176.47.234), includes multiple audio files for alarm sounds, and uses advanced UI manipulation with overlay elements and mouse cursor disabling (cursor:none) to create a convincing system lockout scenario.

The infrastructure leverages Azure Blob Storage (uuuussssaaa10301025.blob.core.windows[.]net) for hosting and integrates Tawk.to live chat, and the page tries to keep users from leaving through onbeforeunload handlers and multiple popup dialogs, the same template seen in the fake Windows security warning page above. The sophistication is moderate to advanced given the multi-layered social engineering, professional UI design mimicking Windows security interfaces, and the complexity of the user interaction controls, though assessing any actual credential theft requires analysis of the external JavaScript files. Because the host is a Microsoft-owned storage endpoint, the URL also passes naive checks for "Microsoft infrastructure"; URL filters should treat customer-named *.blob.core.windows.net hosts as untrusted content rather than as Microsoft itself.
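The write-ups above describe the same handful of static tricks repeatedly: junk tokens wrapped in hidden spans, display:none filler text, base64-encoded exfiltration URLs in hidden inputs or script variables, and, on the fake-Windows-alert pages, cursor:none, autoplaying audio and onbeforeunload handlers. The Python below is an added triage script (not part of the Phish Wire page or any vendor tool) that pulls those signals out of a captured page offline. SAMPLE_HTML is a constructed page modelled on the captures above: the span class and both base64 values are quoted from the write-ups, everything else is made up. The "junk class" rule (a span class whose every occurrence carries the same short token) is an assumption that fits these pages, not a general law.

```python
"""Offline triage of a captured phishing page: recover the text the victim sees, decode
base64 strings that are really URLs, record form actions, and flag nag techniques."""
import base64
import binascii
import re
from html.parser import HTMLParser

# Constructed sample modelled on the pages above, not a real capture; the span class and
# both base64 values are quoted from the write-ups, everything else is invented.
SAMPLE_HTML = """
<html><head><title>Sign in to your account</title></head>
<body onbeforeunload="return myFunction()" style="cursor:none">
<div>Sign <span class="GG7743n">cvwf41j1</span>in to
<span class="GG7743n">cvwf41j1</span>your <span class="GG7743n">cvwf41j1</span>account</div>
<p style="display:none">Drink eight glasses of water a day.</p>
<form id="login" method="post">
  <input type="hidden" name="qHDmV8n" value="aHR0cHM6Ly9ub3ZyYWUubXl0aXMucnUvODE5MDczMDgzMC5waHA">
  <input type="email" name="login"><input type="password" name="passwd">
</form>
<audio autoplay src="alarm.mp3"></audio>
<script>var xi = "aHR0cHM6Ly9tYWNyby5pcG9saWNlc3VwcGx5LmNvbS8=";</script>
</body></html>
"""
VOID = {"input", "br", "img", "meta", "link", "hr"}
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


class PageScan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []       # open elements as (tag, classes, hidden?)
        self.texts = []       # (text, classes on the ancestor path, hidden?)
        self.span_texts = {}  # class -> texts seen directly inside a span
        self.blobs = []       # attribute values and <script> bodies to scan
        self.forms = []       # form action attributes (None when absent)
        self.markers = set()  # nag techniques seen on the page

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        if "cursor:none" in style:
            self.markers.add("cursor:none")
        if "onbeforeunload" in a:
            self.markers.add("onbeforeunload")
        if tag == "audio" and "autoplay" in a:
            self.markers.add("audio-autoplay")
        if tag == "form":
            self.forms.append(a.get("action"))
        self.blobs.extend(v for v in a.values() if v)
        if tag not in VOID:
            self.stack.append((tag, a.get("class", "").split(), "display:none" in style))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):  # tolerate sloppy nesting
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        if not data.strip() or not self.stack:
            return
        tag, classes, _ = self.stack[-1]
        if tag == "script":
            self.blobs.append(data)
            return
        if tag == "span":
            for c in classes:
                self.span_texts.setdefault(c, []).append(data.strip())
        path = [c for _, cs, _ in self.stack for c in cs]
        self.texts.append((data.strip(), path, any(h for _, _, h in self.stack)))


def junk_classes(scan, min_count=3):
    """Assumed junk signature: a span class whose every use carries the same short token."""
    return {c for c, ts in scan.span_texts.items()
            if len(ts) >= min_count and len(set(ts)) == 1 and len(ts[0]) <= 12}


def visible_text(scan):
    """What the victim reads: hidden filler and junk-span tokens removed."""
    junk = junk_classes(scan)
    words = [t for t, path, hidden in scan.texts if not hidden and not (set(path) & junk)]
    return " ".join(" ".join(words).split())


def decoded_urls(scan):
    """Base64 fragments in attributes or scripts that decode to http(s) URLs."""
    found = []
    for blob in scan.blobs:
        for token in B64_RE.findall(blob):
            try:
                text = base64.b64decode(token + "=" * (-len(token) % 4)).decode("ascii")
            except (binascii.Error, UnicodeDecodeError):
                continue
            if text.isprintable() and text.startswith(("http://", "https://")):
                found.append(text)
    return found


def triage(html):
    scan = PageScan()
    scan.feed(html)
    scan.close()
    return {"visible_text": visible_text(scan), "junk_classes": sorted(junk_classes(scan)),
            "exfil_urls": decoded_urls(scan), "form_actions": scan.forms,
            "markers": sorted(scan.markers)}
```

Run `triage(open("capture.html").read())` on a saved page: the visible_text field is what to read for the lure, exfil_urls are live attacker endpoints and should be defanged before they go into a ticket, and a form with `form_actions == [None]` means the submission target is set by script and is worth the extra decoding effort.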

On October 28, 2025, an employee at a Kentucky organization clicked the phishing page below.

This phishing page uses a basic HTML form that POSTs credential data to "success.php" on the same domain (employeeservice[.]online). It impersonates Microsoft with a legitimate-looking Microsoft logo embedded as base64 data and professional styling in Microsoft's Segoe UI font family. The infrastructure is a dedicated phishing domain rather than a compromised legitimate service. The capture also contains extensive CSS with obfuscated class names (such as "CHyAgqPbx_yuoH5uy3fA") that look like browser extension or analytics injection; such blocks are more likely artifacts of the victim's browser at capture time than part of the kit, and should not be attributed to the attacker without confirmation. This represents a basic to moderate level of sophistication: standard form-based credential capture, brand impersonation through visual design, and a clean, professional appearance, but no real-time validation, JavaScript exfiltration, or anti-analysis measures.

On October 28, 2025, an employee at a Kentucky organization clicked the phishing page below.

This phishing page carries a heavily obfuscated JavaScript payload stored in a base64-encoded variable `xi` that appears to contain the actual credential capture mechanism, though the specific exfiltration method cannot be determined from the encoded content alone. The page implements several evasion techniques, including clipboard hijacking (copied text is replaced with "h"), hidden content with fake loading messages, and extensive code obfuscation to hide its functionality from analysis. It is hosted on what appears to be a compromised or malicious domain (jodrusou.sa[.]com), uses a voicemail theme as the social engineering lure, and includes anti-copy protection to hinder analysis. The sophistication level is moderate to advanced because of the obfuscation and anti-analysis measures; the actual credential capture mechanism remains inside the encoded payload and requires decoding (base64, then whatever the script evaluates) in an isolated environment to fully analyze.

On October 27, 2025, an employee at a Kentucky organization clicked the phishing page below.

This phishing page appears to be incomplete or in a loading state, as the HTML contains extensive CSS styling for what appears to be a legitimate educational technology platform (possibly Texthelp products, based on the CSS variables), but lacks any visible credential-capture forms or JavaScript functionality. The primary content consists entirely of CSS theme definitions with variables for different product themes (ReadWrite, Equatio, Browsealoud, etc.), suggesting this may be either a template file, a page that loads content dynamically via JavaScript that wasn't captured, or a sophisticated cloaking mechanism that only displays phishing content under specific conditions. The page is hosted on a suspicious domain (tulanewelcoing.de) that appears to be a typosquat for Tulane University, and the URL path "/PHASE/AcrobatN/" suggests it may be impersonating Adobe Acrobat services. Without visible forms, JavaScript credential-exfiltration code, or content-loading mechanisms, this represents either a basic template awaiting activation or a more sophisticated system that requires specific triggers to display its malicious payload.

Actions 

  • Implement URL filtering to detect and block newly registered domains and suspicious domain patterns, such as randomized subdomains or hexadecimal-pattern domains used in credential-harvesting campaigns.

  • Deploy email security controls to flag messages containing links to file-sharing services, blob storage, or IPFS hosting when sent from external sources, as these legitimate services are frequently abused for phishing infrastructure.

  • Configure web proxy filtering to detect and block POST requests to suspicious endpoints, such as newly registered domains serving .php handlers, or URLs carrying base64-encoded values that decode to third-party hosts.

  • Enable conditional access policies that require device compliance and risk-based authentication for sign-ins from unfamiliar locations, and move Microsoft 365 users to phishing-resistant MFA (FIDO2 security keys or passkeys), which the OTP-relay kits in this campaign cannot replay.

  • Deploy user awareness training specifically focused on recognizing multi-factor authentication phishing techniques, fake security alerts with phone numbers, and Adobe invitation impersonation tactics observed in these campaigns.

  • Implement DNS monitoring to detect queries to suspicious domains with patterns such as excessive random characters, typosquatting of organizational names, or domains registered recently in high-risk TLDs.

  • Use browser isolation or script-blocking policies for uncategorized and newly seen domains, and monitor for pages that script the clipboard (copy event handlers, navigator.clipboard writes), since several incidents used clipboard hijacking and anti-analysis JavaScript obfuscation.
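As an added example (not part of the Phish Wire page or any vendor product), the Python below applies the domain heuristics from the bullets above (hexadecimal labels, long random labels, abused hosting services, .php endpoints, risky TLDs, and an organization's name inside a host it does not own) to the URLs listed in this issue. The length and entropy thresholds, the risky-TLD list, and the `brand_terms`/`allow` values are assumptions to tune against your own telemetry; the last entry in SAMPLE_URLS is a real Microsoft login host included as a negative control.

```python
"""Heuristic scoring of URLs for the domain patterns called out in the Actions list.
Standard library only; thresholds are assumptions and should be tuned locally."""
import math
from urllib.parse import urlsplit

# Legitimate services abused for hosting in this issue (Azure blob storage, IPFS gateway).
ABUSED_HOSTS = ("blob.core.windows.net", "ipfs.io")
# Assumption: TLDs worth a point in this environment; tune to your own telemetry.
RISKY_TLDS = {"store", "site", "biz", "online", "xyz", "top"}
HEX = set("0123456789abcdef")
# Assumed thresholds: the 36-letter label in this issue fires, ordinary product
# names such as microsoftonline or employeeservice do not.
RANDOM_LEN, RANDOM_ENTROPY, HEX_LEN = 20, 3.5, 16


def refang(url):
    return url.replace("[.]", ".").replace("hxxp", "http")


def entropy(s):
    """Shannon entropy of a string in bits per character."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def score_url(url, brand_terms=(), allow=()):
    """Return the list of heuristics that fire; an empty list means nothing matched."""
    clean = refang(url)
    u = urlsplit(clean if "://" in clean else "https://" + clean)
    host = u.hostname or ""
    labels = host.split(".")
    reasons = []
    if any(host == h or host.endswith("." + h) for h in ABUSED_HOSTS):
        reasons.append("abused-hosting:" + host)
    if labels[-1] in RISKY_TLDS:
        reasons.append("risky-tld:" + labels[-1])
    for label in labels[:-1]:                        # every label except the TLD
        if len(label) >= HEX_LEN and set(label) <= HEX:
            reasons.append("hex-label:" + label)
        elif len(label) >= RANDOM_LEN and entropy(label) > RANDOM_ENTROPY:
            reasons.append("random-label:" + label)
    if u.path.lower().endswith(".php"):
        reasons.append("php-endpoint:" + u.path)
    if not any(host == a or host.endswith("." + a) for a in allow):
        for term in brand_terms:                     # your org's name on a host you do not own
            if term.lower() in host:
                reasons.append("brand-in-host:" + term)
    return reasons


def rank(urls, **kw):
    """Most suspicious first; ties keep input order (sort is stable)."""
    return sorted(((u, score_url(u, **kw)) for u in urls), key=lambda t: -len(t[1]))


# URLs from this issue, kept defanged and truncated exactly as listed above,
# plus one real Microsoft host as a negative control.
SAMPLE_URLS = [
    "05b6a43eadf94b1f88776d362a234f8a[.]mukyza[.]biz/?ey7Kr=3HTbmC&L4DhLPy=ff...",
    "eborkuhwenoopdsawefcvbhytgnjaszcvbnm[.]net/kimj/caswed/paperlesscountdown/",
    "uuuussssaaa10301025[.]blob[.]core[.]windows[.]net/connect/index[.]html",
    "ipfs[.]io/ipfs/bafkreihktulfjzft6zv5hwcb6hlfxdviscj7ztbcqeszplewelamqrkp...",
    "employeeservice[.]online/password[.]php",
    "tulanewelcoing[.]de/PHASE/AcrobatN/",
    "login.microsoftonline.com/common/oauth2/authorize",
]

if __name__ == "__main__":
    # brand_terms/allow are constructed for the Tulane typosquat seen in this issue.
    for url, reasons in rank(SAMPLE_URLS, brand_terms=("tulane",), allow=("tulane.edu",)):
        print(len(reasons), url, reasons)
```

Treat the output as a score to feed a proxy or SIEM rule, not a verdict: single-label entropy is a crude proxy for randomness and will flag some long legitimate hostnames, so combine it with domain age and first-seen data before blocking.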