Trusted Design

PHISH ALERT: Press Play for Compromise — Voicemail Phishing Kit Bundles SSO Hijacking, Credential Theft, and RMM Delivery

概要

An advanced voicemail-themed phishing campaign is utilizing HTML attachments to hijack Microsoft 365 sessions through silent OAuth exploitation. Emails arrive spoofing legitimate businesses with fake voicemail notifications containing embedded HTML files. When victims click the play button, the kit triggers a rogue OAuth 2.0 request using the prompt=none parameter to steal authentication tokens from active M365 sessions. If no active session exists, victims are redirected to credential harvesters hosted on compromised infrastructure, specifically a Turkish domain hosting over 100 active campaign directories. The operation includes multiple attack vectors: fake login portals mimicking DocuSign, Outlook and Google, OAuth device code phishing interfaces, and RMM deployment disguised as document viewers. This represents a sophisticated Phishing-as-a-Service operation deploying concurrent attack types from consolidated infrastructure.

Created: 2026-06-10

Indicators

• hostname - login.av7551.com -
• hostname - accounts.odtdrv.icu -
• domain - safemanagementatforiawdfield.vu -
• URL - http://pmlee.com/verify.php -
• hostname - dyjpaw1vb1.star-lakeq.com -
• URL - http://ks39dmitgq.scalableenterprise.de/l/ycpEAGzCE80 -
• hostname - ewo7pdwau5.memorablemark.de -
• URL - http://vht0p9fsyg.balanceandperformance.de/l/JRnOjuZa8Ts -
• domain - dennyslistens.autos -
• domain - pmlee.com -
• domain - rijitechsolutionjtcs.vu -
• hostname - accounts.zachnt.icu -
• hostname - valid.boostedengagement.de -
• URL - http://dennyslistens.autos/rs3mb9p -
• URL - http://sparkaxis.org/deployment/ -
• domain - greotipu.com.es -
• domain - tiltectfqhnologies.vu -
• hostname - solutionmarsincorporatedtowersperrin.credaroii.cfd -
• URL - http://log.evergreenhostingoptions.de/UO95w/ -
• hostname - yxmh7yx50d.easytecdigital.de -
• hostname - servicedptechnologypteltdsolutions.sudmanagementhztgroupe.vu -
• hostname - www.realdecorralejo.com -
• hostname - cloudadventurecredituniongroup.globahonlcarg.vu -
• URL - http://valid.boostedengagement.de/LFmtS/ -
• hostname - vht0p9fsyg.balanceandperformance.de -
• URL - http://wylderhotels.sparkaxis.org/personaljflannigan/ -
• URL - http://roty0ray48.scalableenterprise.de/l/nqdASy8mLeo -
• hostname - roty0ray48.scalableenterprise.de -
• hostname - accounts.knuczx.icu -
• hostname - accounts.gxcwfe.icu -
• hostname - solutionntechtheepiscopalcenterforit.snnfhawmedia.vu -
• hostname - vvu.digitaladvantagehub.de -
• URL - http://admhr.execsuccessmetrics.de/HOngH/ -
• hostname - globalagencerevenucanadasolutions.aquimisasnmll.vu -
• URL - http://yxmh7yx50d.easytecdigital.de/l/oMKJndXeSMA -
• URL - http://www.realdecorralejo.com/cgi-admin/signer.html -
• hostname - admhr.execsuccessmetrics.de -
• URL - http://login.av7551.com/common/oauth2/v2.0/authorize -
• URL - http://ewo7pdwau5.memorablemark.de/l/iHZ_59v2_0U -
• hostname - ks39dmitgq.scalableenterprise.de -
• hostname - accounts.tnfirm.icu -
• domain - sparkaxis.org -
• hostname - gsbauwu1hsa.legalaro.com -
• hostname - wylderhotels.sparkaxis.org -
• hostname - alert.nortirock.co.uk -
• hostname - login.kgbpkh6syhgxptsgwkqc93ushhphua422xb7ma.2bd.net -
• domain - sqlbatimcorporation.vu -
• URL - http://greotipu.com.es/pee/livepanel -
• URL - http://alert.nortirock.co.uk/678delight/ -
• hostname - log.evergreenhostingoptions.de -
• hostname - cloudbradshawautomotivesystems.finelinesettpmxingsinc.vu -
• URL - http://vvu.digitaladvantagehub.de/xiMwR -
• URL - http://gsbauwu1hsa.legalaro.com/nmasn/ -

類似Pulses

類似するPulseは見つかりませんでした。

このPulseに関連する脅威アクター (事実ベース)

このPulseに関連する脅威アクター (推論ベース)

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクター グラフ

---

← Pulse一覧に戻る