Phish Wire - Mar 4 2025
  • 04 Mar 2025

Article summary

In the past few weeks, we observed a rise in phishing activity targeting Microsoft, Google, and Yahoo accounts. Attackers used techniques that bypass corporate email protection, such as delivering links through non-email messenger apps and file-sharing tools. They also placed geographically targeted content in their URLs to make the pages more credible to the target organizations. Below are key highlights and examples.

  • yc[.]mangropo[.]ru/RRMXKEXBJGRwc1rxzs03tm6y?PYHYYCKWANKEAJBW

  • kyschools[.]hostingclouddocs[.]com/aFS2u/

  • office365[.]dicoveryeducation[.]com/learn/videos/b4e519a8-c021-463a-b1bd-3a5d94e356c/

  • earley[.]hostingclouddocs[.]com/luh0G/

  • voicemailreceived[.]surge[.]sh/

  • a5nip2p6bz[.]loclx[.]io/login[.]html

  • celeberatewwithus[.]de/johs/invite/Yahoo[.]html

  • page[.]sign-in[.]attack-securecurrently[.]50-6-205-107[.]cprapid[.]com/security-check/signin/pwd

  • zoomnetoffice[.]store

  • unblocker[.]chesse[.]ip-ddns[.]com/

  • 7f4f54-cloud[.]webnotifications[.]net/6448adaa99...

Microsoft Credential Harvesting Campaign

Last month, a staff member at a Kentucky organization clicked a spearphishing link:

The link was hosted on Russian infrastructure, and its structure suggests a domain generation algorithm (DGA) was used to rapidly spin up and tear down similar sites.

In the following days, six additional staff members at another organization in Kentucky fell victim to a similar phishing attack:

This attack included ‘kyschools’ in the subdomain to appear credible to school-affiliated users in the region. An additional instance was observed when a different staff member at the same organization clicked: earley[.]hostingclouddocs[.]com/luh0G/. The reference to a cloud-based file service suggests the attack likely used a fake document-sharing prompt to steal credentials.

Instagram Phishing Attacks

A staff member at a Georgia organization clicked a phishing link impersonating Instagram:

The link was likely delivered and clicked inside Instagram’s native messaging app, so it never passed through the email security controls that traditional security architecture relies on.

Similar cases were observed targeting personal Yahoo and Google accounts on work devices.

Yahoo Credential Harvesting

A staff member at a Kentucky organization clicked a spearphishing link mimicking a Yahoo login page:

Even five days later, the URL still had no detections on VirusTotal. On the same day, another phishing link targeting Yahoo users was clicked:

Google Account Phishing

A phishing attack targeting Google accounts was clicked by a staff member in Kentucky:

The URL structure suggests an attempt to mimic a security alert or cloud-based notification, increasing the likelihood of engagement.

Mitigations

  • Block the listed domains on corporate firewalls, web proxies, and endpoint security solutions.

  • Increase awareness on credential phishing targeting personal applications like Instagram, Google, and Yahoo logins.

  • Enforce multi-factor authentication (MFA) on all corporate logins to limit what an attacker can do with a harvested password.
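The indicator list above and the first mitigation both assume someone turns the defanged URLs into something a proxy or endpoint tool can act on. The script below is an added example, not code from the Phish Wire article or its publisher: it refangs the published indicators, decides per host whether to block just that hostname or the whole apex domain, emits Squid dstdomain-style entries, and hunts for hits in proxy logs. The SHARED_PLATFORMS set (apexes assumed to be shared hosting, tunnelling or dynamic-DNS services where blocking the apex would hit unrelated sites) and the SAMPLE_LOG lines are this example's own assumptions and constructed data, not observations from the article.

```python
"""Refang the Phish Wire indicators and hunt for them in proxy logs.

Added worked example; it is not code from the Phish Wire article or its
publisher. The indicator strings are copied from the article; the proxy
log lines and the SHARED_PLATFORMS set are this example's own assumptions.
"""
import re
from typing import Optional
from urllib.parse import urlsplit

# Indicators exactly as published (defanged with "[.]"); the truncated
# webnotifications entry is kept as printed.
IOCS = [
    "yc[.]mangropo[.]ru/RRMXKEXBJGRwc1rxzs03tm6y?PYHYYCKWANKEAJBW",
    "kyschools[.]hostingclouddocs[.]com/aFS2u/",
    "office365[.]dicoveryeducation[.]com/learn/videos/b4e519a8-c021-463a-b1bd-3a5d94e356c/",
    "earley[.]hostingclouddocs[.]com/luh0G/",
    "voicemailreceived[.]surge[.]sh/",
    "a5nip2p6bz[.]loclx[.]io/login[.]html",
    "celeberatewwithus[.]de/johs/invite/Yahoo[.]html",
    "page[.]sign-in[.]attack-securecurrently[.]50-6-205-107[.]cprapid[.]com/security-check/signin/pwd",
    "zoomnetoffice[.]store",
    "unblocker[.]chesse[.]ip-ddns[.]com/",
    "7f4f54-cloud[.]webnotifications[.]net/6448adaa99...",
]

# Assumption: these apex domains are shared platforms (static hosting,
# tunnelling, dynamic DNS, hosting-provider preview names). Blocking the
# whole apex would break unrelated sites, so only the exact attacker
# hostname is blocked there. Every other apex is treated as
# attacker-registered and blocked together with all of its subdomains.
SHARED_PLATFORMS = {"surge.sh", "loclx.io", "cprapid.com", "ip-ddns.com", "webnotifications.net"}


def refang(ioc: str) -> str:
    """Undo common defanging: '[.]' or '(.)' -> '.', leading 'hxxp' -> 'http'."""
    s = ioc.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL that may lack a scheme."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def apex_of(host: str) -> str:
    """Last two labels. Adequate for this list; a production tool should use
    the Public Suffix List so 'example.co.uk' is not reduced to 'co.uk'."""
    return ".".join(host.split(".")[-2:])


def build_blocklist(iocs=IOCS):
    """Return {'exact': [hostnames], 'apex': [attacker-registered apexes]}."""
    exact, apex = set(), set()
    for ioc in iocs:
        host = host_of(refang(ioc))
        exact.add(host)
        if apex_of(host) not in SHARED_PLATFORMS:
            apex.add(apex_of(host))
    return {"exact": sorted(exact), "apex": sorted(apex)}


def match(host: str, blocklist) -> Optional[str]:
    """Why a host is blocked ('exact' or 'apex:<domain>'), or None if allowed."""
    host = host.lower()
    if host in blocklist["exact"]:
        return "exact"
    for a in blocklist["apex"]:
        if host == a or host.endswith("." + a):
            return "apex:" + a
    return None


def squid_dstdomain(blocklist):
    """Lines for a Squid 'dstdomain' ACL file: a leading dot matches the
    domain and all subdomains; a bare name matches only that host."""
    return ["." + a for a in blocklist["apex"]] + [
        h for h in blocklist["exact"] if apex_of(h) in SHARED_PLATFORMS
    ]


# Constructed proxy log lines (timestamp, client, method, URL, status); not real traffic.
SAMPLE_LOG = """\
2025-02-18T09:14:02Z 10.20.4.17 GET https://kyschools.hostingclouddocs.com/aFS2u/ 200
2025-02-18T09:14:05Z 10.20.4.17 GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize 302
2025-02-19T11:02:44Z 10.20.7.3 GET https://newtenant.hostingclouddocs.com/Qz9a1/ 200
2025-02-19T11:40:10Z 10.20.7.3 GET https://docs.surge.sh/ 200
2025-02-20T16:05:31Z 10.20.9.21 GET https://voicemailreceived.surge.sh/ 200
"""


def hunt(log_text: str, blocklist=None):
    """Return (line_number, client_ip, host, reason) for every matching request."""
    blocklist = blocklist or build_blocklist()
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        reason = match(host_of(fields[3]), blocklist)
        if reason:
            hits.append((n, fields[1], host_of(fields[3]), reason))
    return hits


if __name__ == "__main__":
    bl = build_blocklist()
    print("\n".join(squid_dstdomain(bl)))
    for hit in hunt(SAMPLE_LOG, bl):
        print(hit)
```

The apex rule is what catches the third sample line: a subdomain of hostingclouddocs[.]com that is not in the published list still matches, which is the behaviour you want for an attacker-registered lookalike domain that is clearly being handed out per target (kyschools, earley). The shared-platform rule is what keeps the fourth line clean: a different surge[.]sh tenant is not blocked just because one tenant hosted a phishing page.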
