Image 1 — Sneaky 2FA campaign using trusted sender abuse, tenant-branded M365 pages, and live Entra credential replay
Image 2 — Sneaky 2FA campaign using trusted sender abuse, tenant-branded M365 pages, and live Entra credential replay
Image 3 — Sneaky 2FA campaign using trusted sender abuse, tenant-branded M365 pages, and live Entra credential replay
Image 4 — Sneaky 2FA campaign using trusted sender abuse, tenant-branded M365 pages, and live Entra credential replay
▲ 11 r/EmailSecurity+1 crossposts

Sneaky 2FA campaign using trusted sender abuse, tenant-branded M365 pages, and live Entra credential replay

Spent time researching a Sneaky 2FA-style campaign that was interesting because the email delivery and the phishing kit both showed meaningful evolution.

The initial message was not sent from a random throwaway account. It came through a compromised trusted SaaS sender account and targeted enterprise IT users. The lure was a Microsoft sign-in activity alert, but it was placed inside a business-thread chain, which made the message look more like part of an existing operational conversation than a standalone phishing email.

The web flow was also more interesting than a basic Microsoft credential clone. From the samples I reversed, the kit supported:

  • identity-check gating before exposing the Microsoft page
  • session-mutated routes, loader names, validation paths, and tokens
  • tenant-branded Microsoft 365 rendering using Microsoft tenant branding assets
  • signed resource URLs with hashed IP and user-agent values
  • password collection
  • verification code collection
  • SMS code collection
  • Microsoft Authenticator approval and number matching flows
  • final redirect back to Outlook

The strongest evidence came from controlled testing with non-valid credentials. After submitting them to the phishing page, Microsoft Entra ID recorded near-real-time OfficeHome sign-in attempts from external infrastructure. The attempts failed with error 50126, which confirms the credentials were replayed against Microsoft rather than only stored by the page.

The observed asset set, MFA workflow, href[.]li decoy behavior, and Sneaky/WikiKit-style page structure make Sneaky 2FA a strong match for this case.

u/ZeroBEC — 5 days ago
▲ 6 r/EmailSecurity+1 crossposts

Notes from reversing a CodeStorm M365 phishing flow

I spent some time reversing a CodeStorm Microsoft 365 phishing flow that looked like a basic voicemail lure at first, but the deeper chain was more interesting.

The visible email was short:

missed call
date received
duration
reference number
open voicemail portal

Nothing too special on the surface.

The strange part was the full message body. Far below the visible lure, after a lot of whitespace, there was a full unrelated historical email thread with reply headers, signatures, disclaimers, addresses, and phone numbers.

I saw the same buried thread reused across unrelated victim environments.

That feels intentional. To the user, it is a short voicemail email. To a filter, it is a much longer business-looking message. That can change things like URL-to-text ratio, body length scoring, reply-chain heuristics, keyword density, and normal-business-language signals.

The rough flow I observed:

email lure
→ trusted redirectors
→ adservice hops
→ randomized landing domain
→ Cloudflare Turnstile
→ anti-analysis JavaScript
→ second-stage JavaScript
→ POST /google.php

The landing pages accepted the victim identity in multiple formats:

#<email>
?e=<email>
#?<random_param>=<base64_email>

The first-stage JavaScript included a few analyst-friction checks:

if (
  navigator.webdriver ||
  window.callPhantom ||
  window._phantom ||
  navigator.userAgent.includes("Burp")
) {
  window.location = "about:blank";
}

It also blocked common DevTools shortcuts, right-click, and used a debugger timing trap. If debugging was detected, it redirected to what looked like a legitimate Outlook encrypted-message URL.

The second stage used a backend controller pattern:

var file = "<base64 encoded URL>";
const controller = atob(file);

// decoded to:
// https://<backend-domain>/google.php

The backend actions I observed included:

do=check
do=login
do=verify
checkVerify

do=check appeared to perform Microsoft identity discovery. In controlled testing, managed M365 users, nonexistent users, and federated tenants received different responses.

Examples of the behavior:

managed M365 existing user
→ status=success
→ type=office
→ federationLogin=""
→ canary returned

managed M365 nonexistent user
→ status=error
→ "We couldn't find an account with that username. Try another account."

federated M365 tenant
→ status=success
→ federationLogin=<tenant federation route>
→ branding returned

provider-labeled federation example
→ type=godaddy
→ federationLogin=sso.godaddy.com/?domain=...&realm=pass&app=o365...

I would not treat GoDaddy as a separate authentication category. It is still a federated M365 path. The interesting part is that the backend can label some provider-backed federation routes.

For do=login, I only used fake credentials against a controlled tenant. The backend returned a Microsoft-style error:

{"status":"error","message":"Your account or password is incorrect"}

Immediately after, Entra sign-in logs showed failed OfficeHome sign-ins for the same account:

Application: OfficeHome
Client app: Browser
Status: Failure
Error: 50126
Failure reason: invalid username or password
Authentication requirement: single-factor authentication
Source IPs: external IPs

So this did not behave like a simple credential collection form. It attempted to validate or replay the submitted credentials against Microsoft.

I also saw the same /google.php controller model across rotating infrastructure. The visible frontend domains changed, but the protocol stayed consistent:

victim identity in URL
→ POST /google.php
→ do=check
→ do=login
→ do=verify / checkVerify

Static strings in the second-stage JavaScript showed support for multiple MFA-related paths, including authenticator app, OTP, SMS, phone call, and Hotmail-style recovery/OTP flows.

Some detection ideas from this analysis:

- short visible lure + very long unrelated buried thread
- voicemail-themed M365 lure with organization-specific subject
- self-addressed sender/recipient pattern
- Google redirector → adservice hop → S3 or randomized landing
- victim identity carried as email or base64 email in URL
- Turnstile gate before content
- anti-analysis checks for webdriver, Phantom, Burp, DevTools shortcuts
- browser POST to cross-site /google.php
- Entra OfficeHome failures with 50126 from external replay IPs after a phishing click

Main takeaway: the lure was basic, but the backend was not. The flow behaved like a tenant-aware M365 authentication relay, with identity discovery before credential replay.

u/ZeroBEC — 14 days ago
▲ 5 r/EmailSecurity+1 crossposts

Interesting Microsoft 365 AiTM phishing chain hidden behind a PDF invoice lure

I looked into an interesting Microsoft 365 phishing chain this week.

At first glance, it looked like a basic PDF invoice lure. The email came from a real GMX webmail account, so SPF, DKIM, and DMARC passed for the sender domain. The suspicious part was the display name. Each targeted user received a different fake sender identity, and the same randomized name was also placed inside the email body.

The PDF was simple. It showed a “document can’t be opened, view online” style message, but the PDF itself was generated using Headless Chrome / Skia.

Email

The redirect chain was the interesting part:

PDF link
-> rb[.]gy shortener
-> SendGrid click tracking
-> jz[.]rs redirect
-> Cloudflare Pages Microsoft lookalike
-> Microsoft 365 AiTM-style login page

Attached PDF

micros0ft redirect

The final page loaded real Microsoft CDN assets and used Microsoft-looking OAuth paths, but the login flow was served from a non-Microsoft domain. It also validated whether the username existed before showing the password screen.

The page included custom JavaScript that:

  • pulled the user email from the URL fragment
  • auto-filled the Microsoft username field
  • clicked Next
  • added a “verify your password” message
  • auto-clicked “Yes” on the stay-signed-in prompt
  • polled the backend for a final redirect

AiTM

So this was not just a fake login page. It behaved more like a session-oriented Microsoft 365 AiTM phishing kit built to reduce friction and possibly capture more than just the password.

Some IOCs from the chain:

vervorsvemi1986@gmx[.]de
rb[.]gy
jz[.]rs
rnicros0ft-auth-serv[.]pages[.]dev
prsecauth[.]qzz[.]io
login[.]prsecauth[.]qzz[.]io
loginii[.]prsecauth[.]qzz[.]io
account[.]prsecauth[.]qzz[.]io
u106844120[.]ct[.]sendgrid[.]net
client_id=4765445b-32c6-49b0-83e6-1d93765276ca
/common/oauth2/v2.0/authorize
/common/GetCredentialType
/common/login
/s/<64-hex>.js

Main takeaway: authentication passing on the email did not make it safe. The useful signals were the display-name mismatch, PDF redirect behavior, recipient-specific URL fragments, trusted redirect infrastructure being used in the middle, and Microsoft login endpoints being served from a non-Microsoft domain.

reddit.com
u/ZeroBEC — 1 month ago
▲ 8 r/EmailSecurity+2 crossposts

Phishing: Samsung sender, Costco lure: phishing chain stealing Costco creds, credit cards, and SSN identity

Investigated another active phishing case, sharing in case anyone is seeing similar retail/order-hold lures.

This one is interesting because the sender identity and the lure brand don’t match.

The email presents as coming from Samsung billing/admin:

"Billing Administration" <noreply@samsung.com>

Subject:

Your recent order cannot ship without confirmation

But the email body is fully Costco-themed. It claims a Costco warehouse order is on hold and asks the user to confirm the order before it can ship.

https://preview.redd.it/09chjg3kq65h1.png?width=764&format=png&auto=webp&s=870b6967228770f36df4c0c810ddfbb238914bde

The clever part is the chain.

The first-stage link goes through:

sg210[.]com

From there, the victim is redirected into a fake Costco account flow hosted under an sslip[.]io hostname:

myaccount.login.membership.216.194.167.42.sslip[.]io

https://preview.redd.it/frexz0moq65h1.png?width=1696&format=png&auto=webp&s=22c13d4a6627effa3b8120c470148d45975eba65

That sslip[.]io detail is the most interesting part to me. sslip[.]io is a legitimate embedded-IP DNS service and has very strong reputation as a parent domain. The attacker used that reputation to create a hostname that looks like a branded account portal while embedding the destination IP directly into the domain.

So instead of using a low-reputation random phishing domain, the kit rides on a highly trusted infrastructure pattern:

<fake-brand-subdomain>.<embedded-ip>.sslip[.]io

The flow after that is pretty aggressive:

  1. Fake Costco login page
    • email
    • password
  2. Fake identity verification page
    • membership number
    • DOB
    • phone
    • billing address
    • SSN
  3. Fake payment verification page
    • cardholder name
    • card number
    • expiration
    • CVV
  4. Redirect to the real Costco site

The final redirect is a predictable touch from the attacker’s side. The user ends up on the real Costco website, so the interaction feels “finished” instead of obviously broken.

A few IOCs / pivots:

Subject:
Your recent order cannot ship without confirmation

Visible sender:
"Billing Administration" <noreply@ samsung[.]com>

Initial link domain:
sg210[.]com

Observed path:
hxxp://sg210[.]com/api/9my3qcqh6h/

Phishing hostname:
myaccount.login.membership.216.194.167[.]42.sslip[.]io

Embedded IP:
216[.]194[.]167[.]42

Observed fake paths:
/login
/account/billing-address
/account/payment-method

Lure text:
ORDER HOLD
Your warehouse order is on hold
Confirm My Order
Membership Help

The detection angle here is less about any single IOC and more about the relationship between sender, brand, destination, and data requested.

A Spoofed Samsung sender delivering Costco content should already be odd.

A Costco-themed order email going to a non-Costco domain should be higher confidence.

A retail verification flow asking for SSN + CVV should be treated as full identity/payment theft, not just credential phishing.

https://preview.redd.it/emdqz186r65h1.png?width=1878&format=png&auto=webp&s=8419b4928f4b27e19d828f07ccf4ae59382b5804

Full writeup with screenshots, the phishing flow, and more IOCs is on the company blog. Not posting the link inline to keep the post technical-first. I’ll drop it in a comment if anyone wants it.

Disclosure: I work at ZeroBEC.

reddit.com
u/ZeroBEC — 1 month ago
▲ 5 r/EmailSecurity+1 crossposts

Anyone Seen This Illuminati Facebook Livestream Scam Before?

Investigating an ongoing “Illuminati recruitment” scam campaign sent from what appears to be a compromised government mailbox.

We observed bulk emails originating from a legitimate rajasthan.gov[.]in infrastructure with SPF/DKIM/DMARC all passing, but the content promotes Illuminati membership, wealth promises, and replies to a Tutamail address.

The campaign references this Facebook livestream URL:

https://www.facebook[.]com/watch/live/?ref=watch_permalink&v=541951473138269

The page/video currently appears unavailable.

Questions:

  • Has anyone archived this livestream/page?
  • Has anyone seen this Facebook account before?
  • Any OSINT tying this campaign to known scam groups?
  • Any cached copies, screenshots, or actor attribution?

Notable IOCs:

  • Reply-To: illuminattitemplemembers @tutamail[.]com
  • Subject: "benefits such as cars, houses and $1,000,000"

This appears to be authenticated infrastructure abuse rather than traditional spoofing.

scam email

reddit.com
u/ZeroBEC — 1 month ago

Anyone Seen This Illuminati Facebook Livestream Scam Before?

Investigating an ongoing “Illuminati recruitment” scam campaign sent from what appears to be a compromised government mailbox.

We observed bulk emails originating from a legitimate rajasthan.gov[.]in infrastructure with SPF/DKIM/DMARC all passing, but the content promotes Illuminati membership, wealth promises, and replies to a Tutamail address.

The campaign references this Facebook livestream URL:

https://www.facebook[.]com/watch/live/?ref=watch_permalink&v=541951473138269

The page/video currently appears unavailable.

Questions:

  • Has anyone archived this livestream/page?
  • Has anyone seen this Facebook account before?
  • Any OSINT tying this campaign to known scam groups?
  • Any cached copies, screenshots, or actor attribution?

Notable IOCs:

  • Reply-To: illuminattitemplemembers @tutamail[.]com
  • Subject: "benefits such as cars, houses and $1,000,000"

This appears to be authenticated infrastructure abuse rather than traditional spoofing.

scam email

reddit.com
u/ZeroBEC — 1 month ago

Banned by Anthropic's automated system 70 minutes after a billing failure - not a policy violation. Has this happened to anyone else?

Long-time Claude subscriber here, never been suspended or warned before. What just happened to me is either a serious bug or a deeply broken automated system - and I want to warn others.

Here's the exact timeline:

4:49 PM - I get this email from Anthropic: "$100.00 payment to Anthropic, PBC was unsuccessful."

4:49 PM - Immediately followed by: "Your subscription access has been paused. Your most recent payment was unsuccessful."

5:59 PM - 70 minutes later, out of nowhere: "Our automated systems detected a high volume of signals associated with your account which violate our Usage Policy... we have revoked your access to Claude."

That's it. Billing failure -> banned. No warning, no human outreach, no explanation of what was actually flagged.

Context: A day or two earlier I had downgraded my plan from $200 to the Max 5x $100 plan, knowing my billing cycle was ending. The payment failure appears to be a side effect of that plan change. I did nothing wrong on the platform.

More context: I'm a professional penetration tester and cybersecurity researcher, a Black Hat and DEF CON speaker, and Microsoft's Most Valuable Researcher (MVR) for 2025. If any content was flagged, it was security research - completely legitimate professional work.

The pattern is clear: their automated system seems to be misclassifying billing anomalies as policy violations and banning accounts with zero human judgment applied first.

If you're planning to downgrade or change your Claude plan - be very careful. This can apparently happen to anyone.

Has anyone else experienced this? Did the appeal process actually work for you?

reddit.com
u/ZeroBEC — 2 months ago
▲ 10 r/EmailSecurity+1 crossposts

Voicemail quishing campaign with RingCentral/Spectrum branding harvesting M365 creds via AiTM

Wrote up an active case from this week, sharing in case it helps anyone seeing similar voicemail lures.

One of our customers got hit with a quishing email branded as Spectrum Business + RingCentral + Google Voice. The bait is the usual missed-call story, "you have a voicemail about an overdue payment." Nothing remarkable so far.

The clever part is the chain. The malicious link isn't in the email body. It's in a QR code, inside a .docx attachment, inside the email. Three layers deep before anything fires.

Whole thing is designed to push the click off the corporate laptop and onto the user's phone, which is the entire point of quishing as a technique:

Once the user scans, they get a fake "Tap the box to confirm" captcha (kit-style, blocks perimeter sandboxes from following through), then a near-perfect Microsoft login page pre-filled with the victim's email pulled from the URL path. Behind it is an AiTM proxy grabbing the password and the session cookie in real time.

Phishing Email

Attached Docx

Auth Impersonation

Full writeup with the IOCs, the captcha + AiTM screenshots, the docx internals, and some detection ideas is up on the company blog. Not posting the link inline to keep the post technical-first. I'll drop it as a comment for anyone who wants it.

Disclosure: I work at ZeroBEC

reddit.com
u/ZeroBEC — 2 months ago

Voicemail quishing campaign with RingCentral/Spectrum branding harvesting M365 creds via AiTM

Wrote up an active case from this week, sharing in case it helps anyone seeing similar voicemail lures.

One of our customers got hit with a quishing email branded as Spectrum Business + RingCentral + Google Voice. The bait is the usual missed-call story, "you have a voicemail about an overdue payment." Nothing remarkable so far.

The clever part is the chain. The malicious link isn't in the email body. It's in a QR code, inside a .docx attachment, inside the email. Three layers deep before anything fires.

Whole thing is designed to push the click off the corporate laptop and onto the user's phone, which is the entire point of quishing as a technique:

Once the user scans, they get a fake "Tap the box to confirm" captcha (kit-style, blocks perimeter sandboxes from following through), then a near-perfect Microsoft login page pre-filled with the victim's email pulled from the URL path. Behind it is an AiTM proxy grabbing the password and the session cookie in real time.

Phishing email

document

Auth impersonation

Full writeup with the IOCs, the captcha + AiTM screenshots, the docx internals, and some detection ideas is up on the company blog. Not posting the link inline to keep the post technical-first. I'll drop it as a comment for anyone who wants it.

Disclosure: I work at ZeroBEC

reddit.com
u/ZeroBEC — 2 months ago

Active ScreenConnect phishing campaign abusing a legit Czech ESP (SparkPost / jobote.com) - heads up to fellow IR folks

Sharing a quick heads-up from an active IR case in case it helps anyone else triaging similar emails this week.

A customer received a phishing email that looked like a generic Adobe / DocSend "New Secured Document" lure. Standard stuff on the surface, but the interesting parts:

  • Sender: noreply-<random string>@jobote[.]com ("Adobe-Docsend" as display name)
  • "View Document" button links to mailtracking.jobote[.]com/f/a/{token} - which is Jobote's own legitimate tracking/redirect subdomain for their referral product, being abused as a clean-reputation redirector
  • Final payload is a ConnectWise ScreenConnect installer - attacker uses it for hands-on-keyboard access after install
  • Reply-To is literally noreply at yourdomain[.]com - an unfilled template placeholder, which is a strong pivot IOC for hunting other emails from the same kit/operator

Phishing Email

ScreenConnect Download Redirection

​Not making any claim about how the jobote[.]com SparkPost tenant got abused (compromised account, stolen API key, abused customer subaccount, etc.) - that's for SparkPost to investigate. But the abuse pattern matches what we've been seeing more broadly: attackers riding low-reputation but legitimate ESP/tracking infrastructure to bypass URL reputation filtering before dropping a remote-access tool.

Pivots worth hunting on:

  • Reply-To containing yourdomain[.]com (placeholder strings in Reply-To = high signal)
  • X-MSFBL header containing customer_id=107475
  • Any mailtracking.jobote[.]com URLs in inbound mail
  • Apple Mail headers on ESP-injected mail (deliberate misdirection or sloppy operator)
  • Reported to SparkPost abuse and notifying Jobote directly so they can rotate keys / audit.
  • Firewall logs for access to cherylbirch[.]com

Disclosure: I work at ZeroBEC. Happy to drop the full writeup in a comment if anyone wants the headers / IOCs to feed into their own tooling.

reddit.com
u/ZeroBEC — 2 months ago
▲ 4 r/EmailSecurity+1 crossposts

Active ScreenConnect phishing campaign abusing a legit Czech ESP (SparkPost / jobote.com) - heads up to fellow IR folks

Sharing a quick heads-up from an active IR case in case it helps anyone else triaging similar emails this week.

A customer received a phishing email that looked like a generic Adobe / DocSend "New Secured Document" lure. Standard stuff on the surface, but the interesting parts:

  • Sender: noreply-<random string>@jobote.com ("Adobe-Docsend" as display name)
  • "View Document" button links to mailtracking.jobote[.]com/f/a/{token} - which is Jobote's own legitimate tracking/redirect subdomain for their referral product, being abused as a clean-reputation redirector
  • Final payload is a ConnectWise ScreenConnect installer - attacker uses it for hands-on-keyboard access after install
  • Reply-To is literally noreply at yourdomain[.]com - an unfilled template placeholder, which is a strong pivot IOC for hunting other emails from the same kit/operator

Phishing Email

ScreenConnect Download Redirection

​Not making any claim about how the jobote[.]com SparkPost tenant got abused (compromised account, stolen API key, abused customer subaccount, etc.) - that's for SparkPost to investigate. But the abuse pattern matches what we've been seeing more broadly: attackers riding low-reputation but legitimate ESP/tracking infrastructure to bypass URL reputation filtering before dropping a remote-access tool.

Pivots worth hunting on:

  • Reply-To containing yourdomain[.]com (placeholder strings in Reply-To = high signal)
  • X-MSFBL header containing customer_id=107475
  • Any mailtracking.jobote[.]com URLs in inbound mail
  • Apple Mail headers on ESP-injected mail (deliberate misdirection or sloppy operator)
  • Reported to SparkPost abuse and notifying Jobote directly so they can rotate keys / audit.
  • Firewall logs for access to cherylbirch[.]com

Disclosure: I work at ZeroBEC. Happy to drop the full writeup in a comment if anyone wants the headers / IOCs to feed into their own tooling.

reddit.com
u/ZeroBEC — 2 months ago

Active ScreenConnect phishing campaign abusing a legit Czech ESP (SparkPost / jobote.com) - heads up to fellow I

Sharing a quick heads-up from an active IR case in case it helps anyone else triaging similar emails this week.

A customer received a phishing email that looked like a generic Adobe / DocSend "New Secured Document" lure. Standard stuff on the surface, but the interesting parts:

  • Sender: noreply-<random string>@ jobote[.]com ("Adobe-Docsend" as display name)
  • "View Document" button links to mailtracking.jobote[.]com/f/a/{token} - which is Jobote's own legitimate tracking/redirect subdomain for their referral product, being abused as a clean-reputation redirector
  • Final payload is a ConnectWise ScreenConnect installer - attacker uses it for hands-on-keyboard access after install
  • Reply-To is literally noreply@ yourdomain[.]com - an unfilled template placeholder, which is a strong pivot IOC for hunting other emails from the same kit/operator

The Email

Redirection Link to Download ScreenConnect

​Not making any claim about how the jobote.com SparkPost tenant got abused (compromised account, stolen API key, abused customer subaccount, etc.) - that's for SparkPost to investigate. But the abuse pattern matches what we've been seeing more broadly: attackers riding low-reputation but legitimate ESP/tracking infrastructure to bypass URL reputation filtering before dropping a remote-access tool.

Pivots worth hunting on:

  • Reply-To containing yourdomain[.]com (placeholder strings in Reply-To = high signal)
  • X-MSFBL header containing customer_id=
  • Any mailtracking.jobote[.]com URLs in inbound mail
  • Apple Mail headers on ESP-injected mail (deliberate misdirection or sloppy operator)
  • Reported to SparkPost abuse and notifying Jobote directly so they can rotate keys / audit.

Disclosure: I work at ZeroBEC. Happy to drop the full writeup in a comment if anyone wants the headers / IOCs to feed into their own tooling.

reddit.com
u/ZeroBEC — 2 months ago