ALOJAHZ WORLD! HOBBYIST THRUNTELLISEARCHER. VIEWS ARE MY OWN! 808 HTTPS://MALASADA.TECH

Joined August 2025
MalasadaTech retweeted
PHISH ALERT: Press Play for Compromise — Voicemail Phishing Kit Bundles SSO Hijacking, Credential Theft, and RMM Delivery
KnowBe4 ThreatLabs is tracking an advanced voicemail-themed campaign utilizing local HTML attachments to hijack Microsoft 365 sessions via silent OAuth Single Sign-On abuse. If no active session exists, it cascades into multi-payload credential harvesting and device takeover. Here is how this multi-layered operation functions:
The Hook: Emails arrive spoofing a legitimate Business | Masergy, displaying "New Voice Message" or "Missed Call" notices with fake Voice_Message.mp3 metadata to trick the victim. The actual payload is an embedded HTML attachment.
Silent SSO Hijacking: Opening the attachment loads a local voicemail player UI with a prominent "play" button. Clicking this triggers a rogue Microsoft OAuth 2.0 request using the prompt=none parameter. This silently abuses active M365 browser sessions to steal authentication tokens without any user interaction.
The Multi-Payload Fallback: If an active session isn't found, an Azure AD error reroutes the victim to a credential harvester hosted on a compromised Turkish domain (guzeldagenerji[.]com[.]tr). This server simultaneously hosts 100 active campaign directories:
Credential Harvesters: Fake "voice mail Access" portals mimicking DocuSign/Outlook and Google logins.
OAuth Device Code Phishing: Interfaces generating device codes to hijack authorization flows.
RMM Deployment: Prompting victims to download executable installers under the guise of secure document viewers.
This infrastructure highlights a massive, highly consolidated Phishing-as-a-Service footprint deploying concurrent attack types from a single nexus.
IOCs TO MONITOR AND BLOCK:
#CyberSecurity #Phishing #M365 #OAuth #KnowBe4 #ThreatIntel #HumanRisk #IOC
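One way to hunt for the silent SSO step described in the post above, as an added example that is not part of the original post or of KnowBe4's material: parse outbound authorize requests from a web proxy log and flag prompt=none requests whose redirect_uri points at a host outside the organisation's own allowlist. The log lines, the allowlist hosts, the all-zero client_id and the harvester.example host are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs

# Hosts the organisation's own apps legitimately send users back to (placeholder values).
ALLOWED_REDIRECT_HOSTS = {"app.corp.example", "portal.corp.example"}

def parse_authorize(url):
    """Return the relevant query fields if `url` is an Entra ID / M365 authorize request, else None."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if not host.endswith("microsoftonline.com") or "/oauth2/" not in p.path \
            or not p.path.endswith("/authorize"):
        return None
    q = parse_qs(p.query)
    first = lambda key: q.get(key, [""])[0]
    return {
        "client_id": first("client_id"),
        "prompt": first("prompt"),
        "response_type": first("response_type"),
        "redirect_host": (urlparse(first("redirect_uri")).hostname or "").lower(),
    }

def is_silent_sso_abuse(fields):
    """prompt=none (no user interaction) with a redirect_uri outside the allowlist: the post's pattern."""
    return (fields is not None and fields["prompt"] == "none"
            and fields["redirect_host"] not in ALLOWED_REDIRECT_HOSTS)

def scan(lines):
    """Each constructed line is '<timestamp> <client-ip> <url>'; returns the flagged records."""
    hits = []
    for line in lines:
        ts, client, url = line.split(" ", 2)
        fields = parse_authorize(url)
        if is_silent_sso_abuse(fields):
            hits.append({"time": ts, "client": client, **fields})
    return hits

# Constructed sample proxy log: one benign silent SSO to an allowed app, one interactive
# login, and one prompt=none request returning tokens to an unknown host.
LOG_LINES = [
    "2025-09-01T10:00:01Z 10.0.0.5 https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000000&response_type=code&redirect_uri=https%3A%2F%2Fapp.corp.example%2Fcb&prompt=none&scope=openid",
    "2025-09-01T10:02:13Z 10.0.0.7 https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000000&response_type=code&redirect_uri=https%3A%2F%2Fportal.corp.example%2Fcb&scope=openid",
    "2025-09-01T10:05:44Z 10.0.0.9 https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000000&response_type=id_token%20token&redirect_uri=https%3A%2F%2Fharvester.example%2Fplay&prompt=none&scope=openid&nonce=abc",
]

if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(hit)
```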
MalasadaTech retweeted
Low detection CastleLoader signed "SOFTWARE ANALYTICS LIMITED": f50f825a64cb9c0435bc11db9225445687f8d1a44dba972a50ffa4dff600e72f
They changed from EXE to MSI
C2: arqeluno[.]com
MalasadaTech retweeted
#Kimsuky #DPRK🇰🇵 login[.]malls[.]o-r[.]kr sign[.]mail-log[.]r-e[.]kr sign[.]mail-log[.]kro[.]kr 216[.]107[.]137[.]250 AS212238 Datacamp Limited 🇺🇸
MalasadaTech retweeted
PHISH ALERT: How Attackers Are Abusing Google Infrastructure for Phishing
KnowBe4 ThreatLabs is tracking an active phishing campaign that weaponizes a nested, triple-chain of Google services —Google Meet, Google Search Redirect, and Google Ad Service—to completely blindside Secure Email Gateways. By routing traffic entirely through trusted infrastructure, attackers deliver victims to malicious phishing pages undetected.
The Hook: Attackers exploit a blind spot in modern email security by layering multiple trusted Google domains within a single link. Because gateway inspection engines only see authorized infrastructure, reputation checks pass cleanly. The true malicious destination is only resolved at click-time by a human user.
The Attack Chain:
The Bait: High-urgency corporate lures are weaponized, including FedEx updates, DocuSign/AutoSign requests, M365 password expiry alerts, fake remittances, and malicious QR codes.
The Nested Delivery Matrix: Attackers stack three trusted Google domains into a single nested URL to bypass Secure Email Gateways:
SafeLinks → meet[.]google[.]com/linkredirect → google[.]com/url?q= → adservice[.]google[.]com[.]ph/ddm/clk → [attacker domain]
The Evade: Gateway scanners check the outer hops, validate the legitimate Google domain reputations, and allow the email through—leaving the final destination completely uninspected until click-time.
The Fork: Upon clicking, the campaign splits based on the lure context:
Credential Harvesting: Captures credentials on a pixel-perfect M365 sign-in page, pre-populated with the victim's email.
Device Code Phishing: Leads to a fake OneDrive "Shared Document" displaying a pre-generated Microsoft device code designed to hijack the corporate session.
IOCs to Monitor: vazquezfleytas[.]com Link-form-unj9[.]p-sm7rw6ru[.]workers[.]dev edificiocristal[.]pt odahlzr5lm[.]reliabilityinoperations[.]de cloudbemismanufacturingcompanygroup[.]rydezyhrsysteminc[.]vu servicetriumphgroupsimplyappraisals[.]spectrhwqumbrands[.]vu unitedtechnofzmlogies[.]vu velvorra[.]com cloudgillettebrandberkshirehathaway[.]rtzcoekdrporation[.]vu furqanmustafa[.]com staiwooje[.]app data-cloud-ofe8[.]p-8yejy42o[.]workers[.]dev #ThreatIntel #Phishing #GoogleAbuse #M365 #DeviceCodePhishing #InfoSec #Knowbe4 #IOC
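The nested redirect chain in the post above can be unwrapped offline, without following any link, so that the final host gets the reputation check the gateway never performed. This is an added example, not code from the original post or from KnowBe4; it assumes each trusted hop carries the next hop as an absolute URL somewhere in its query string or path (the Meet dest= parameter and the adservice /ddm/clk path layout in the constructed sample are assumptions, and attacker.example is a placeholder).

```python
import re
from urllib.parse import urlparse, parse_qs, unquote, quote

# Hosts the post names as trusted hops (plus Microsoft SafeLinks, which it lists first).
REDIRECTOR_SUFFIXES = ("google.com", "google.com.ph", "safelinks.protection.outlook.com")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def is_redirector(host):
    return any(host == s or host.endswith("." + s) for s in REDIRECTOR_SUFFIXES)

def embedded_url(url):
    """Return the first absolute URL carried in `url`'s query values or path, else None.
    Every parameter is searched (not just q= or dest=) so renamed parameters still unwrap."""
    p = urlparse(url)
    candidates = [v for vals in parse_qs(p.query).values() for v in vals]
    candidates.append(unquote(p.path))
    for c in candidates:
        m = URL_RE.search(c)
        if m:
            return m.group(0)
    return None

def unwrap(url, max_hops=10):
    """Follow nested redirector hops statically; returns the full hop list, outer first."""
    hops = [url]
    while len(hops) <= max_hops:
        host = (urlparse(hops[-1]).hostname or "").lower()
        nxt = embedded_url(hops[-1]) if is_redirector(host) else None
        if nxt is None or nxt in hops:   # nothing further, or a loop
            break
        hops.append(nxt)
    return hops

def is_suspicious(url):
    """True when a trusted-redirector link ultimately lands outside the trusted hosts."""
    hops = unwrap(url)
    final_host = (urlparse(hops[-1]).hostname or "").lower()
    return len(hops) > 1 and not is_redirector(final_host)

# Constructed sample mirroring the post's chain (Meet -> google.com/url -> adservice -> attacker).
ATTACKER = "https://attacker.example/login.php?u=victim%40corp.example"   # placeholder host
HOP3 = "https://adservice.google.com.ph/ddm/clk/" + quote(ATTACKER, safe="")  # assumed layout
HOP2 = "https://www.google.com/url?q=" + quote(HOP3, safe="")
SAMPLE = "https://meet.google.com/linkredirect?authuser=0&dest=" + quote(HOP2, safe="")

if __name__ == "__main__":
    for i, hop in enumerate(unwrap(SAMPLE)):
        print(i, hop)
    print("suspicious:", is_suspicious(SAMPLE))
```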
MalasadaTech retweeted
Fake Microsoft Teams, "MTSetup_v15.3.7191.msi" signed by "Tryphena Lewis" 18c5b7a39be2f4a4b2fd45f0f273874f5efcc8751d4e592e5f2bcf6dbf781277 FUD-lite Uploaded to MalwareBazaar here https://bazaar.abuse[.]ch/sample/18c5b7a39be2f4a4b2fd45f0f273874f5efcc8751d4e592e5f2bcf6dbf781277
They sent my mom a smish, so I'm sharing their infra. Not sure if they're all on 47.245.93[.]160, but there's a lot of Hawaii subdomains on it. 1,007 domains created this month. You can use the pattern in the snip w/Silent Push. AlienVault Pulse here: otx.alienvault.com/pulse/69a…
Checked in for updates. Looks like they're still going... We're up to 7k now! Silent Push query link: explore.silentpush.com/web-s…

47[.]254[.]132[.]201 AS45102 Alibaba US Technology Co., Ltd 🇩🇪 #phishing @CISACyber @CISAgov
Google Meet-themed lure delivering Datto RMM googgle[.]click >> hxxps://store-na-phx-3.gofile[.]io/download/direct/e5dcdce3-d78a-46d0-8c02-a0fbd2a21bcd/GoogleMeet.exe Pulse link: otx.alienvault.com/pulse/69a…
This was the lead. I tried to find the activity Malwarebytes was talking about. I couldn't find that one, but ended up with this one. Here's the link to the Malwarebytes article. malwarebytes.com/blog/threat…
MalasadaTech retweeted
New YAPA post: blog.lukeacha.com/2026/03/ya… In addition I was able to pivot to another interesting sample, zipsphere, which might be worth a look.

MalasadaTech retweeted
A fake Zoom meeting site mimics a video call, then uses an “Update Available” countdown to automatically download a malicious installer onto Windows machines—no permission required. bit.ly/4qXyLp7
MalasadaTech retweeted
Replying to @Namecheap
@Namecheap fake @Zoom Website spread malware https://uswebzoomus.]com/zoom https://uswebzoomus.]com/zoom/process.php?download=1 👇 virustotal.com/gui/file/644e… 👇 bazaar.abuse.ch/sample/c73b7… 👇 app.any.run/tasks/88ca5549-8…
MalasadaTech retweeted
Anyone have a good way to monitor new @GoogleAds for a specific domain?
MalasadaTech retweeted
GalacticPDF Analysis: blog.lukeacha.com/2026/02/ga…

MalasadaTech retweeted
🚨Tax Season is Phishing Season: How IRS Lures are Dropping RMM Backdoors
In our last report blog.knowbe4.com/the-skeleto… we highlighted how threat actors weaponized Social Security notifications to deploy RMM tools. Now, they’ve pivoted to the next seasonal hook: IRS and Tax Document Verification. It’s a classic example of how social engineering adapts to the calendar. When the lure matches the season, the "Human Risk" skyrockets.
The "Skeleton Key" Tactic: Attackers are shifting from custom malware to legitimate Remote Monitoring and Management (RMM) tools. By exploiting the urgency of tax season, they trick users into "verifying" documents, which instead installs a persistent backdoor using signed, trusted software.
What we’re seeing:
The Hook: Emails masquerading as IRS tax refund alerts or document verification requests.
The Payload: Deployment of RMM tools like ScreenConnect, Simplehelp remote access.
The Goal: Establishing "low-friction" remote access that blends into normal IT traffic.
🛡️ IOCs TO MONITOR AND BLOCK: hxxps://zippyokwidth[.]mypi[.]co/ woodcareexpert[.]com hxxps://clickme.thryv[.]com/ hxxps://www[.]zikomarket[.]com/bootstrapp/54321[.]html lrs.gov-information959439494242us[.]com lrs.gov-information[.]app Digitalseosociety[.]com coxomail[.]com
Email Subject Pattern: Your tax document is ready-Doc ID: xxxx
New Mandatory Policy: Immediate Upload of Employee W-2 Forms xxx
#CyberSecurity #Phishing #ThreatIntelligence #KnowBe4 #HumanRisk #TaxScams #IRS #RMM
MalasadaTech retweeted
Replying to @MalasadaTech
kingsearchresults..... hmmmmm
MalasadaTech retweeted
Replying to @MalasadaTech
also has same URI structures and talks to pdfappup[.]com and starrtlightspirit[.]com
MalasadaTech retweeted
Replying to @MalasadaTech
Rust based, the embedded PE file is pdfium.dll. app.any.run/tasks/b71ca08e-9… HTTP comms to hopinpoint[.]com. Some custom encoded traffic here that I have not played with yet.
MalasadaTech retweeted
Replying to @rifteyy @skocherhan
Thanks! Certificate has been reported. In regards to funny certificates, my favorite signer has been "Just Add Water Italian Pizza Bread Pasta Mix Ltd." ea18b965ab43d927a1d690f395f4e2b55a15db9744f68454a86b5508b302c404 The payload was a fake Adobe installer.