Mallory

Multi-Stage Phishing Campaigns Targeting Microsoft 365 and Cloud Services

Tags: phishing-campaign-intelligence, credential-access-method, identity-authentication-vulnerability, defense-evasion-method, command-and-control-method
Updated March 21, 2026 at 03:12 PM. 2 sources.

A sophisticated, multi-stage phishing campaign has been observed targeting organizations globally to steal Microsoft 365 credentials. The operation, monitored since early November 2025, employs advanced evasion techniques such as nested PDFs, use of legitimate content delivery networks, and mouse tracking to bypass secure email gateways and multi-factor authentication. The final credential harvesting site is engineered to block security tools and analysts, and leverages legitimate Microsoft infrastructure to circumvent MFA, granting attackers immediate access to compromised accounts. These attacks highlight the increasing complexity of phishing operations and their ability to evade traditional security controls.

In parallel, threat actors are exploiting free cloud hosting platforms like Cloudflare Pages to host convincing phishing portals impersonating banking and healthcare providers. These sites not only harvest credentials but also collect additional security information, such as answers to secret questions, and exfiltrate data via Telegram bots to evade detection. Attackers use compromised legitimate domains as redirectors, increasing the likelihood of bypassing spam filters and making takedown efforts more challenging. The convergence of advanced phishing techniques and abuse of trusted cloud services underscores the need for enhanced detection and response strategies for organizations relying on Microsoft 365 and similar platforms.

Timeline

  1. Dec 8, 2025

    Investigation documents phishing kits on Cloudflare Pages and Telegram

    An investigation uncovered a phishing operation using Cloudflare Pages subdomains and compromised legitimate websites as redirectors to host convincing banking and insurance or healthcare login portals. The phishing kit collected credentials, security-question answers, and related data, then sent the stolen information directly to Telegram bots instead of a traditional command-and-control server.

  2. Nov 1, 2025

    Multi-stage phishing campaign begins targeting Microsoft 365 users

    A sophisticated phishing campaign began targeting Microsoft 365 users globally in November 2025. The operation used nested PDFs, legitimate CDN services, mouse tracking, and analyst-blocking techniques to evade secure email gateways and harvest credentials.


Related Stories

Multi-Stage Phishing Campaigns Bypassing MFA to Steal Microsoft 365 Credentials

A wave of sophisticated phishing campaigns is targeting organizations globally to steal Microsoft 365 credentials by bypassing traditional email security gateways and multi-factor authentication (MFA) protections. Attackers are employing advanced techniques such as multi-stage payload delivery using nested PDF attachments, legitimate content delivery networks, and mouse tracking to evade detection. Once victims interact with these emails and enter their credentials on a credential harvesting site, attackers leverage legitimate Microsoft infrastructure to bypass MFA and gain immediate access to the victim’s Microsoft 365 environment. These campaigns are engineered to filter out security analysts and block standard security tools, making detection and response more challenging. In parallel, threat actors are increasingly using attacker-in-the-middle toolkits like Evilginx and hybrid phishing-as-a-service kits such as Salty2FA and Tycoon2FA to capture both user credentials and session cookies. By stealing session cookies, attackers can impersonate users and maintain access without triggering additional MFA prompts, even after successful authentication. The blending of different phishing kits into hybrid strains is making detection harder, as traditional security rules tuned to individual kits are now being evaded. Security researchers warn that static indicators are no longer sufficient, and behavioral analysis is required to spot these evolving threats.

1 month ago
Adversary-in-the-Middle Phishing Attacks Targeting Microsoft 365

Threat actors are increasingly leveraging adversary-in-the-middle (AitM) phishing techniques to compromise Microsoft 365 accounts. In a recent incident, attackers used a phishing email with a malicious link that mimicked the Microsoft login page, capturing both credentials and session cookies to bypass multi-factor authentication (MFA). The attackers expanded their access through password spraying, brute force attacks, and the use of VPNs and residential proxies to evade detection. Persistence was achieved by manipulating inbox rules and abusing OAuth permissions via legitimate email clients, allowing continued access to compromised accounts. Traditional detection methods, such as URL reputation and static fingerprinting, are proving ineffective against these sophisticated AitM phishing kits, which proxy the real Microsoft authentication flow and associated assets. In response, security researchers have developed new defensive measures, including browser extensions that detect AitM attacks at the point of interaction by monitoring for unexpected HTTP referers and injecting visible warnings. However, as attackers adapt and proxy more elements of the authentication process, even these advanced defenses face challenges, highlighting the need for continuous innovation in anti-phishing strategies.

1 month ago
Quantum Route Redirect Phishing Platform Targets Microsoft 365 Users

A new phishing-as-a-service (PhaaS) platform called **Quantum Route Redirect** has emerged, enabling cybercriminals to launch sophisticated credential harvesting campaigns against Microsoft 365 users worldwide. The platform dramatically lowers the technical barrier for attackers by providing a pre-configured phishing kit and a network of around 1,000 domains, allowing even less skilled threat actors to conduct large-scale phishing operations with minimal effort. Attackers use a variety of email lures, including DocuSign impersonations, payroll notifications, payment alerts, and missed voicemail messages, to direct victims to credential harvesting pages managed by the Quantum Route Redirect system. The phishing kit automates the entire attack chain, from rerouting traffic to malicious domains to filtering out automated security tools using built-in bot detection. URLs used in these campaigns follow a consistent pattern and are often hosted on parked or compromised legitimate domains, increasing the likelihood of bypassing security controls and deceiving targets. The majority of observed attacks have targeted users in the United States, but incidents have been recorded in over 90 countries. The platform's dashboard provides real-time statistics to operators, further streamlining the management and effectiveness of global phishing campaigns.

1 month ago
