In mid-October, there were remarkably widespread phishing campaigns, with a single OneDrive phishing link clicked by over 70 users within 24 hours. These attacks were similar to those reported in September and early October, and they were hosted on Backblaze infrastructure. The campaigns exfiltrated detailed information about the victims. During this same period, there was also a surge in Attack-in-the-Middle (AiTM) phishing, which was hosted on legitimate infrastructure, as well as campaigns targeting e-commerce accounts on corporate devices. Here are some examples and highlights.
On October 24, more than 70 users from several Kentucky organizations clicked on the OneDrive phishing attack hosted on Backblaze.
This widespread attack was hosted on legitimate infrastructure (backblazeb2[.]com), with images loaded from storage.googleapis.com. Before exfiltrating credentials, the page fetches the client's IP address and geolocation to enrich the stolen data. Many functions on the page are obfuscated with hex-encoded strings to conceal the code and exfiltration logic from analysis.
Earlier attacks in October also leveraged legitimate infrastructure and were loaded with “Attack-in-the-Middle” (AiTM) MFA bypass tools. On October 9, a staff member at an Illinois organization clicked the Microsoft spear phish below.
The phishing page used an AiTM phishing kit and was hosted on DigitalOcean infrastructure. The attack operates across multiple subdomains of 0--1[.]biz, with the primary credential harvesting endpoint at 25b7fe36940249929256d55ca102d65e.0--1[.]biz. Other subdomains were used to carry out various authentication flows, some of which are illustrated below:
25b7fe36940249929256d55ca102d65e.0--1.biz (landing, post endpoints, telemetry)
6e90e4c858414793ad5226e441ef2930.0--1.biz (oauth20_authorize.srf, logout, “Sign up”)
28737ebf8d514ca1b678e68a3840e034.0--1.biz (cancel/error redirects)
269e22132a7a4d028877112376a18c9d.0--1.biz (fake “cdn” roots/bundles)
41b87ad5971b41568c131bfb41e5351e.0--1.biz (alt cdn root)
a3394990777d457c9ee63d205a93d329.0--1.biz (“fwlink” look-alike)
6108344e268a45738693586825f32444.0--1.biz (IWA SSO / edge redirect)
a6f89d750ab44ab1a73ede1e41b6f385.0--1.biz, aeb3fda06c01495e9f9f37c133642110.0--1.biz (reset flows)
On October 10, an employee at a Kentucky organization clicked the below Microsoft phishing attack.
The page prompts the user for MFA codes and uses multiple detection evasion techniques, such as splitting suspicious words into HTML elements, as shown below.
“p<span>ass</span>w<span>or</span>d”, “Micr<span>osoft</span> Authenticator”, etc.
On October 14, three Texas employees clicked the link in the Outlook phishing attack below.
This page was delivered via what appears to be a "you're invited" Greenvelope lure page and includes multi-brand credential harvesting (Outlook/Gmail/Yahoo/AOL/etc.) and MFA bypass. It uses an OTP prompt combined with a timer to create more urgency, e.g., “Time left: 4:53”, “You will receive an OTP within 1–5 minutes”, etc.
On October 15, a similar Paperless post phishing attack was clicked by a Minnesota employee.
This “View Invitation” lure uses a Paperless Post message combined with a “select email provider” step to hook its victim, complete with Outlook/Office 365/Gmail/Yahoo/AOL/“Other” brand options and MFA bypass.
On October 15, another Texas employee clicked on the below Microsoft phishing attack.
This page also uses an OTP flow with a countdown to create a sense of urgency. Like others seen during this period, it uses dozens of subdomains of *[.]pennyhewitt[.]com to host various authentication functions, including OAuth, fake password reset handling, fake FIDO/passkey handlers, and fake signup endpoints, among others.
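Both the 0--1[.]biz kit above and the pennyhewitt[.]com campaign spread their authentication flows across many subdomains whose first label is a 32-character hex string. The following added example (not part of the original report) groups hosts seen in proxy or DNS logs by parent domain and flags any parent with several such hex-labelled subdomains; the log format and the benign lines are constructed for the example, and parent-domain extraction naively takes the last two labels (no public-suffix handling).

```python
import re
from collections import defaultdict

# A first DNS label of exactly 32 lowercase hex characters, as used by both kits.
HEX32_LABEL = re.compile(r"^[0-9a-f]{32}$")

def find_kit_parents(log_text: str, min_hosts: int = 3) -> dict:
    """Return {parent_domain: [hex-labelled hosts]} for parents with >= min_hosts such hosts.

    Each log line is assumed to be "timestamp client_ip host path" (constructed format).
    """
    hosts_by_parent = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue                      # skip malformed or blank lines
        host = parts[2].lower()
        labels = host.split(".")
        # Need at least sub.domain.tld and a 32-hex first label.
        if len(labels) >= 3 and HEX32_LABEL.match(labels[0]):
            parent = ".".join(labels[-2:])  # assumption: no public-suffix list
            hosts_by_parent[parent].add(host)
    return {p: sorted(h) for p, h in hosts_by_parent.items() if len(h) >= min_hosts}

# Constructed log excerpt: one user walking the 0--1.biz flow, plus benign traffic
# and a single pennyhewitt.com hit that stays below the default threshold.
SAMPLE_LOG = """\
2025-10-09T14:02:11Z 10.1.4.22 25b7fe36940249929256d55ca102d65e.0--1.biz /
2025-10-09T14:02:12Z 10.1.4.22 269e22132a7a4d028877112376a18c9d.0--1.biz /cdn/bundle.js
2025-10-09T14:02:15Z 10.1.4.22 6e90e4c858414793ad5226e441ef2930.0--1.biz /oauth20_authorize.srf
2025-10-09T14:02:20Z 10.1.4.22 6108344e268a45738693586825f32444.0--1.biz /sso
2025-10-09T14:03:01Z 10.1.4.22 login.microsoftonline.com /common/oauth2/authorize
2025-10-09T14:03:05Z 10.1.7.9 cdn.example.com /app.js
2025-10-15T09:11:40Z 10.1.9.3 1fbe59bdce8f457c90899860ac783d96.pennyhewitt.com /
"""

if __name__ == "__main__":
    for parent, hosts in find_kit_parents(SAMPLE_LOG).items():
        print(parent, len(hosts), "hex-labelled subdomains")
```

Lowering min_hosts to 1 surfaces single hits such as the pennyhewitt.com line, at the cost of more noise from legitimate CDNs that also use long hex labels.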
On October 16, a staff member at a Kentucky organization clicked the below Microsoft phishing page.
The page included heavy client-side obfuscation, with almost a megabyte of characters packed into a single variable (const tw = "Ld03VJ…"), and clipboard tampering to evade analysis.
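The span-splitting trick from the October 10 page and the packed-literal plus clipboard tampering from this October 16 page are all visible in the page source once the HTML is parsed rather than string-matched. The following added example (not code from the report) is a small static triage check over a saved phishing page: it strips tags before keyword matching, measures the largest string literal in any script, and looks for clipboard event handlers; the sample page and the 10,000-character literal threshold are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Words the kits split across inline tags, e.g. p<span>ass</span>word.
KEYWORDS = ("password", "microsoft authenticator", "one-time code")
LARGE_LITERAL = 10_000   # assumed threshold (chars) for a packed-payload string literal
CLIPBOARD_RE = re.compile(
    r'oncopy|onpaste|oncut|clipboardData|addEventListener\(\s*["\'](?:copy|paste|cut)["\']', re.I)

class _TextCollector(HTMLParser):
    """Collect visible text with tags removed, and <script> bodies separately."""
    def __init__(self):
        super().__init__()
        self.text, self.scripts, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        (self.scripts if self._in_script else self.text).append(data)

def analyze_page(html: str) -> dict:
    """Return heuristic indicators for the three evasion tricks described above."""
    p = _TextCollector()
    p.feed(html)
    visible = re.sub(r"\s+", " ", "".join(p.text)).lower()
    script = "\n".join(p.scripts)
    # A keyword that appears only after tags are stripped was deliberately split.
    split = [k for k in KEYWORDS if k in visible and k not in html.lower()]
    # Longest quoted string literal inside any <script>; packed payloads are huge.
    literals = re.findall(r'["\']([^"\'\n]{200,})["\']', script)
    largest = max((len(s) for s in literals), default=0)
    return {
        "split_keywords": split,
        "largest_literal": largest,
        "packed_payload": largest >= LARGE_LITERAL,
        "clipboard_tampering": CLIPBOARD_RE.search(html) is not None,
    }

# Constructed sample page (not a real kit) exercising all three tricks.
SAMPLE_HTML = """<html><body>
<label>p<span>ass</span>w<span>or</span>d</label>
<p>Open Micr<span>osoft</span> Authenticator and enter the code.</p>
<input oncopy="return false" onpaste="return false">
<script>const tw = "%s"; document.addEventListener("copy", e => e.preventDefault());</script>
</body></html>""" % ("A" * 12_000)

if __name__ == "__main__":
    print(analyze_page(SAMPLE_HTML))
```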
On October 16, a Kentucky employee clicked on the below Microsoft phishing attack.
In addition to MFA code harvesting, the URL parameters include targeted information about the recipient's IP address, and a "t=qr" parameter strongly suggests the lure was delivered as a QR code ("quishing").
The same period also saw phishing campaigns targeting e-commerce accounts on corporate employees' work devices. On October 19, another Kentucky employee clicked the link in the Amazon phishing attack below.
The page includes MFA code capture and user tracking parameters in the URL, suggesting the use of targeted campaigns.
Actions
Block the specified domains on corporate firewalls and endpoint security solutions.
Educate users about phishing risks, even on pages that purport to use MFA.
Remind users of the phishing risks to personal accounts they access, even on corporate devices.
Enforce multi-factor authentication (MFA) on all corporate logins to reduce the risk of credential compromise.
