Phish Wire - September 30 2025
Updated on 30 Sep 2025
Phishing campaigns hosted on Backblaze infrastructure, which were active earlier in September, increased significantly in intensity during the second half of the month. These campaigns exfiltrated credentials via Telegram and used purchase-order lures. Other widespread phishing attacks affecting multiple organizations during this period employed Adversary-in-the-Middle (AiTM) kits to exfiltrate two-factor authentication codes and session tokens in real time as users logged in. We also observed a notable rise in Microsoft scareware scams and in phishing attempts targeting personal accounts, such as American Express and Netflix. Below are some examples and highlights.
tronklamnsj5rdf4[.]z13[.]web[.]core[.]windows[.]net
quinoa-sc2ddream[.]nagaisti[.]sa[.]com
secure[.]formloaders[.]com
login[.]beckleyrsvs[.]com
ferlo[.]psitesinternal[.]com
fdbn35fdhn[.]z13[.]web[.]core[.]windows[.]net/win[.]html
ghch78hjvhj[.]z13[.]web[.]core[.]windows[.]net/win[.]html
instantlyper[.]com
organizationbush[.]shop
8e3138d0-2704-45a8-a76f-a0748981346d-00-2e8qjjpf3umir[.]janeway[.]replit[.]dev
comejoinus[.]de/beepoint/AcrobatN/
globalconfidentialprobook[.]us-southeast-1[.]linodeobjects[.]com
f005[.]backblazeb2[.]com
Within 24 hours on September 23, phishing attacks hosted on the Backblaze domain were clicked by 10 users across half a dozen organizations in Kentucky and Minnesota.
Similar to those mentioned in the last report, these pages exfiltrate credentials via Telegram’s Bot API and leverage third-party infrastructure for reputation and TLS. The lure references a file shared via OneDrive, and the page itself references a purchase order (PO), likely targeting procurement personnel.
The campaign made use of a cluster of URLs hosted on the same domain, for example:
f005[.]backblazeb2[.]com/file/soooodheeeded/onedr-updated[.]html
f005[.]backblazeb2[.]com/file/asssrrrruuueeee/onedr-updated[.]html
Other phishing attacks during this period used legitimate third-party storage. On September 19, an employee at a North Carolina organization clicked the Microsoft phishing page shown below.
Similar to the Backblaze example, this page is hosted on another cloud storage service, Linode Object Storage, again leveraging its reputation and TLS to bypass domain reputation filters. The page also contains logic to detect headless tools and send them to a blank page, so that it evades automated analysis.
Another widespread campaign was first detected on September 16th, when a staff member at a Kentucky organization clicked the below Microsoft spear phish.
The page used Adversary-in-the-Middle (AiTM) phishing kits that relay the session to Microsoft while harvesting credentials and session cookies for MFA bypass. More sophisticated than most commodity AiTM phishing kits, this one forcibly injects code into every cookie set via JavaScript, directly countering newer Chrome/Edge/Safari defenses against third-party cookies. Altogether, this phishing attack was clicked by 9 users in less than a day across 5 organizations.
It also makes use of a suite of subdomains to coordinate the attack across larger-scale infrastructure, following the below pattern:
newnewdomnew*[.]beckleyrsvs[.]com
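As an added defensive example (not code from the original report), the following Python turns a few of the defanged indicators above into a blocklist, honours the wildcard pattern used for the beckleyrsvs[.]com subdomains, and checks proxy log lines for Telegram Bot API calls of the kind used for credential exfiltration in the Backblaze campaign. The log lines, the sample bot token and the assumption that the last field of each log line is the requested URL are constructed; the Telegram Bot API URL shape (api.telegram.org/bot<token>/<method>) is the published one.

```python
"""Constructed example: refang the report's indicators, match hosts (with wildcards),
and flag Telegram Bot API calls in constructed proxy log lines."""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Defanged indicators copied from the report ("[.]" stands for ".").
DEFANGED_IOCS = [
    "f005[.]backblazeb2[.]com",
    "login[.]beckleyrsvs[.]com",
    "newnewdomnew*[.]beckleyrsvs[.]com",
    "secure[.]formloaders[.]com",
]

# Telegram Bot API calls look like https://api.telegram.org/bot<token>/<method>.
# A bot token is digits, a colon, then an alphanumeric/underscore/hyphen string.
TELEGRAM_BOT_RE = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/(sendMessage|sendDocument)")

# Constructed proxy log lines: "<timestamp> <client ip> <method> <url>".
# The bot token below is a placeholder, not a real token.
SAMPLE_PROXY_LOG = [
    "2025-09-23T10:14:02Z 10.1.2.3 GET https://f005.backblazeb2.com/file/soooodheeeded/onedr-updated.html",
    "2025-09-23T10:14:40Z 10.1.2.3 POST https://api.telegram.org/bot123456789:EXAMPLE_TOKEN_PLACEHOLDER/sendMessage",
    "2025-09-16T09:02:11Z 10.1.2.9 GET https://newnewdomnew7a1.beckleyrsvs.com/login",
    "2025-09-16T09:05:00Z 10.1.2.9 GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
]


def refang(ioc: str) -> str:
    """Undo the '[.]' defanging so the indicator can be compared with a real hostname."""
    return ioc.replace("[.]", ".").lower()


def host_matches(host: str, pattern: str) -> bool:
    """Match a hostname against a refanged indicator, honouring a '*' wildcard label."""
    host = host.lower()
    if "*" not in pattern:
        return host == pattern
    # Turn "newnewdomnew*.beckleyrsvs.com" into an anchored regex; only hostname
    # characters may fill the wildcard, so it cannot swallow a dot.
    regex = re.escape(pattern).replace(r"\*", "[a-z0-9-]*")
    return re.fullmatch(regex, host) is not None


def classify_line(line: str) -> list[str]:
    """Return the reasons a proxy log line should be flagged (empty list if clean)."""
    reasons: list[str] = []
    parts = urlsplit(line.split()[-1])  # assumption: URL is the last field
    host = parts.hostname or ""
    for ioc in DEFANGED_IOCS:
        if host_matches(host, refang(ioc)):
            reasons.append(f"blocklisted host: {ioc}")
    # Browsers on a corporate network have little reason to call the Bot API;
    # a POST to it right after a credential page is the exfiltration pattern.
    if host == "api.telegram.org" and TELEGRAM_BOT_RE.match(parts.path):
        reasons.append("Telegram Bot API call: possible credential exfiltration")
    return reasons


def scan(lines: list[str]) -> dict[str, list[str]]:
    """Map each flagged log line to its reasons; clean lines are omitted."""
    flagged: dict[str, list[str]] = {}
    for line in lines:
        reasons = classify_line(line)
        if reasons:
            flagged[line] = reasons
    return flagged


if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_PROXY_LOG).items():
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

The wildcard handling is deliberately restricted to a single label so that `newnewdomnew*[.]beckleyrsvs[.]com` does not also match unrelated hosts under the same parent; when a kit rotates whole subdomains, adding the parent domain as its own indicator is the simpler choice.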
The same period saw a major uptick in general Microsoft spear phish and scareware campaigns. On September 15, a staff member at a Minnesota school organization clicked the below Microsoft phishing attack.
This is a typical tech support scam. The page includes a phone-based scam, audio beeps, browser locks, and various attention-grabbing techniques designed to encourage users to take action and call the displayed number. Additionally, the page customizes its messages based on the user's location, for example, stating, “Your device has been blocked by the state of ___.”
The same day, a principal at an organization in Kentucky clicked on a Microsoft spear phish.
The page makes use of a long loader to placate the visitor while it acquires detailed device information, both to better target the user and to evade detection in the event it is being scanned by a security tool.
On September 16, a staff member at another Kentucky organization clicked the Microsoft phishing page shown below.
The page references a larger group of subdomains under *.formloaders[.]com, likely generated by a phishing kit as disposable instances to evade domain blacklisting and reputation-based blocking, for example:
50b8883cece74335ad4ed2c0d7e5fcef.formloaders[.]com
7fbf392b40364463bd1f4fcb152691ed.formloaders[.]com
It utilizes hidden scripts to automatically extract credentials before the user clicks the submit button.
On September 17, an employee at yet another Kentucky organization clicked the below Microsoft spear phish.
The URL carries a tracking token for each recipient, and the page itself has the target's email address pre-filled. After credentials are submitted, the page redirects to the legitimate outlook.office.com, a common technique to avoid immediate suspicion.
The same day, an admin at the same organization clicked the below Microsoft scam.
This scareware page employed aggressive browser-lock techniques that disabled right-click and keyboard controls, including blocking the F5 and Esc keys. It also used popular analytics tools such as Google Analytics and GoSquared to track conversions and optimize traffic sources.
A similar attack was clicked the same day by an admin at a Georgia organization.
The scam support number is personalized based on the user’s device IP and city. The same day, another admin at an Idaho district clicked another scareware variant.
This website was hosted on a standard web domain instead of Azure’s *.web[.]core[.]windows[.]net. It uses the apiip.net API to obtain the visitor's IP address and redirects visitors whose IP falls within a specific range. This measure appears aimed at hiding the site from web crawlers, which may suggest a malicious advertising (malvertising) origin.
On September 18th, an employee at a Texas organization clicked the below Outlook phishing attack.
Similar to other American Express phishing pages, this one uses homoglyph characters (look-alike letters from other scripts substituted into strings such as “American Express” and “User ID”) to evade detection. The page also checks for a specific hash fragment in the URL; if it is not present, the request is redirected to a harmless page.
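The homoglyph trick above is detectable with plain Unicode metadata. As an added example (not code from the original report), the following Python flags brand strings that mix Latin letters with look-alikes from other scripts or use compatibility forms such as fullwidth letters, and folds a small confusables table back to ASCII so a page title can be compared with the brand it imitates. The sample strings, the Cyrillic substitutions chosen to stand in for the report's garbled glyphs, and the (deliberately partial) confusables table are all constructed.

```python
"""Constructed example: detect mixed-script homoglyphs in brand strings and
fold common look-alikes to ASCII for comparison with the imitated brand."""
from __future__ import annotations

import unicodedata

# Partial, constructed table of Cyrillic letters that render like Latin ones.
# A production check would use the full Unicode confusables data instead.
CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0455": "s", "\u0445": "x", "\u0456": "i", "\u0443": "y",
}

# Constructed samples: "American Express" with Cyrillic es/a, "User ID" with
# Cyrillic dze, and a fullwidth letter c that NFKC folds back to ASCII.
SAMPLES = [
    "Ameri\u0441\u0430n Express",
    "U\u0455er ID",
    "Ameri\uff43an Express",
    "American Express",
]


def script_of(ch: str) -> str:
    """Rough script label taken from the first word of the Unicode name."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def homoglyph_findings(text: str) -> list[str]:
    """Describe why a string looks like a homoglyph imitation (empty if it does not)."""
    findings: list[str] = []
    # 1. Compatibility forms: NFKC maps fullwidth/mathematical letters to ASCII.
    folded = unicodedata.normalize("NFKC", text)
    if folded != text:
        findings.append("compatibility characters fold to: " + folded)
    # 2. A single word mixing Latin with another script is the classic signal.
    for word in folded.split():
        scripts = {script_of(c) for c in word if c.isalpha()}
        if "LATIN" in scripts and len(scripts) > 1:
            odd = [
                f"{c} (U+{ord(c):04X} {unicodedata.name(c)})"
                for c in word
                if c.isalpha() and script_of(c) != "LATIN"
            ]
            findings.append(f"mixed scripts in '{word}': " + ", ".join(odd))
    return findings


def skeleton(text: str) -> str:
    """Fold compatibility forms and map known confusables to ASCII, lower-cased."""
    folded = unicodedata.normalize("NFKC", text)
    return "".join(CONFUSABLES.get(c, c) for c in folded).lower()


def impersonates(text: str, brand: str) -> bool:
    """True when text is not literally the brand but folds to it."""
    return text.lower() != brand.lower() and skeleton(text) == brand.lower()


if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", homoglyph_findings(sample) or "clean",
              "| imitates American Express:", impersonates(sample, "American Express"))
```

The mixed-script check is applied after NFKC folding on purpose: fullwidth and mathematical letters are still classed as Latin, so they would otherwise slip past the script comparison and only the normalization step catches them.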
The same day, an employee at a Georgia organization clicked on the Netflix phishing attack.
The page makes use of Replit hosting for free TLS, uptime, and reputation. The URL uses clever encodings to conceal references to the legitimate Netflix page and uses scanner-detection techniques to redirect potential scanners to the legitimate Netflix domain.
Mitigations
Block the specified domains on corporate firewalls and endpoint security solutions.
Educate users about phishing risks, even on pages that purport to use MFA.
Remind users of phishing risks for the personal accounts they access, even on corporate devices.
Enforce multi-factor authentication (MFA) on all corporate logins to reduce the risk of credential compromise.