Lead Analysts: Jeewan Singh Jalal, Prabhakaran Ravichandhiran and Anand Bodke
Since November 3, 2025, KnowBe4 Threat Labs has been monitoring a highly sophisticated, multi-stage phishing operation that is actively targeting organizations to steal employees' Microsoft 365 credentials. The campaign has been engineered to bypass traditional email security defenses, such as secure email gateways (SEGs), and multi-factor authentication (MFA) tools.
The campaign contains several advanced technical measures to obfuscate the payload from traditional defenses, including "nested" PDFs that leverage legitimate content delivery network (CDN) services, and mouse tracking. The final destination, a credential-harvesting website, is also protected by advanced technical measures designed to block standard security tooling and to filter out security analysts inspecting the page.
Finally, once the target enters their Microsoft 365 credentials, the webpage leverages legitimate Microsoft servers to bypass MFA and give the cybercriminals immediate access to the victim's Microsoft 365 environment.
Phishing Attack Summary
- Vector and type: Email phishing
- Bypassed SEG detection: Yes
- Targets: Microsoft 365 users in organizations globally
Recipients receive an initial phishing email as the first step in this campaign.

Phishing email with the obfuscated payload contained within the PDF attachment, displayed in the KnowBe4 PhishER portal.
The payload, a phishing link, is obfuscated within "nesting" PDF attachments. When a recipient opens the initial attachment of the phishing email, they see a rendered document with a further link to click.

The first of the "nesting" PDF attachments that contain the obfuscated payload.
Once the recipient clicks this link, they are redirected to a second document containing another link.

Second "nested" malicious PDF with a further link to click.
This layering of PDF attachments is designed to hide the final destination, a phishing webpage, from security tools that cannot follow successive hops between the different links, whether because of technical limitations or because of email delivery (latency) service level agreements (SLAs).
The malicious payload is masked further by the use of legitimate and trusted CDN services, which appear "benign" when inspected by security tools.
9 Advanced Evasion Techniques Used to Improve Credential Harvesting
If a target completes all the hops through the nested PDF documents, they are directed to a pixel-perfect rendering of a spoofed Microsoft 365 login page.

Credential-harvesting webpage that perfectly impersonates a legitimate Microsoft 365 login page.
When analyzing the page, our researchers found that it contained nine advanced evasion techniques intended to further reduce the efficacy of security tooling and to separate security analysts from ordinary employees.
- Detection of developer tools (DevTools): The code behind the webpage continuously monitors the browser environment and terminates the session if it detects that DevTools is open, since this indicates that the page is being inspected by a security analyst rather than visited by a potential target.
- Anti-debugger measures: Again embedded within the code are infinite-loop debugger statements that cause the browser to freeze or crash when debugging tools are active.
- Window size monitoring: This tracks viewport size changes, a common occurrence when a security analyst opens DevTools, and uses them to trigger the evasion routines. Again, this is designed to filter out analysts from other employees.
- Context menu blocking: The right-click menu and text selection are disabled to make it harder for analysts to inspect the code or extract URLs.
- Hidden honeypot form fields to filter out security software: There are hidden fields within the login form that are visible when inspecting the webpage's code but not to the human eye when the page is loaded normally. These are used to detect automated scanners and security bots (which may automatically complete all fields) and redirect them to benign content to mask the attack. A person, meanwhile, will not know the fields are there (without inspecting the code) and therefore remains on the phishing webpage.
- Mouse and behavioral monitoring: This records mouse movement patterns, clicks and scrolling. The malicious content, the fraudulent Microsoft 365 login page, is only displayed after human-like behavior has been confirmed, effectively defeating headless browsers and automated sandboxes.
- Console function override: This hijacks the browser console functions to suppress error messages and hide debugging output from security analysts.
- Text obfuscation: Invisible HTML elements and zero-width characters are injected into the webpage to defeat pattern-matching tools without affecting the way the page appears to the human eye.
- Network monitoring: Outbound requests are tracked to identify sandbox or monitored environments, and the page remains dormant if security tooling is detected.

Phishing webpage code revealing the evasion techniques.
Bypassing MFA in Real Time
Finally, the sting in this campaign's tail is its ability to bypass MFA in real time. The campaign uses an active man-in-the-middle connection that leverages legitimate Microsoft servers to provide:
- Real-time validation of the victim's credentials
- Adaptive display, which identifies the MFA methods (such as authenticator push, TOTP codes, SMS-based OTP or voice calls) that the victim has configured and dynamically adjusts the fake page to show only those options
- Challenge relay, which pushes genuine MFA prompts from Microsoft to the victim's device through the fake page, ensuring the victim sees a real, trusted authentication challenge
Our analysts determined that the following MFA methods were targeted:
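As an added example (not code from the original post or from the phishing kit), the following static scanner looks for the evasion techniques listed above in a page's HTML and JavaScript source; the sample page and the regex signatures are constructed assumptions, useful for triaging a captured landing page offline.

```python
import re

# Constructed sample of a fake login page carrying several of the evasion
# tricks listed above (assumption: not the kit's actual code).
SAMPLE_PAGE = """<html><body>
<form id="login"><input name="loginfmt" type="email">
<input name="website" type="text" style="display:none" tabindex="-1">
<input name="passwd" type="password"></form>
<p>Sign\u200bin\u200c to\u200d your account</p>
<script>
document.addEventListener('contextmenu', function(e){ e.preventDefault(); });
console.log = console.error = function(){};
setInterval(function(){ debugger; }, 50);
window.addEventListener('resize', function(){
  if (window.outerWidth - window.innerWidth > 160) location.href = 'about:blank';
});
document.addEventListener('mousemove', function(){ humanSeen = true; });
</script></body></html>"""

ZERO_WIDTH = "\u200b\u200c\u200d\u2060\ufeff"

# Heuristic signatures for the techniques described above. Any single hit can
# occur on a legitimate page; several together on a login page are the signal.
PATTERNS = {
    "anti-debugger": re.compile(r"(?:setInterval|setTimeout|while)\s*\(.{0,120}?\bdebugger\b", re.S),
    "devtools-size-check": re.compile(r"outerWidth\s*-\s*(?:window\.)?innerWidth"),
    "resize-monitoring": re.compile(r"addEventListener\s*\(\s*['\"]resize['\"]"),
    "context-menu-blocking": re.compile(r"contextmenu|selectstart|user-select\s*:\s*none", re.I),
    "console-override": re.compile(r"console\.(?:log|error|warn|info|debug)\s*=[^=]"),
    "mouse-gating": re.compile(r"addEventListener\s*\(\s*['\"](?:mousemove|scroll|pointermove)['\"]"),
}
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])", re.I)

def scan_page(html):
    """Return the sorted names of evasion indicators found in a page's source."""
    found = {name for name, rx in PATTERNS.items() if rx.search(html)}
    # Honeypot: a regular form field hidden by CSS (not an <input type="hidden">).
    for tag in re.findall(r"<input\b[^>]*>", html, re.I):
        if HIDDEN_STYLE.search(tag) and not re.search(r'type\s*=\s*["\']?hidden', tag, re.I):
            found.add("honeypot-field")
    if any(ch in html for ch in ZERO_WIDTH):
        found.add("zero-width-text")
    return sorted(found)
```

The scanner only sees what is in the delivered source; scripts loaded later or decoded at runtime need to be captured separately and fed through the same function.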
| Method ID | Description |
| --- | --- |
| PhoneAppNotification | Microsoft Authenticator push |
| PhoneAppOTP | Authenticator TOTP codes |
| OneWaySMS | SMS-based OTP |
| TwoWayVoiceMobile | Voice call verification (mobile) |
| TwoWayVoiceOffice | Voice call verification (office) |
This clean bypass of MFA tools grants attackers immediate and full access to the victim's Microsoft 365 environment. With this access, a cybercriminal can leverage the account for actions such as business email compromise (BEC), deploying ransomware and data exfiltration.


HTML code showing the MFA bypass technique.
Attack Chain Analysis With MITRE Tactics, Techniques and Procedures (TTPs)

How to Protect Your Organization From These Attacks
Despite the technical measures used to hide this campaign from standard security tools, organizations can take several steps to help protect their employees from falling victim to these attacks.
The first is to level up email security so that the attack is detected, and neutralized, before employees can be victimized. As demonstrated, this attack is designed to get past the detection measures used by SEGs. Consequently, organizations should layer an advanced integrated cloud email security (ICES) product, such as KnowBe4 Defend, into their tech stacks. These products take a zero-trust approach to inbound email, regardless of factors such as whether a payload appears benign, and implement AI-powered detection mechanisms that holistically inspect every aspect of each email to provide a higher level of efficacy when detecting phishing attacks.
Additionally, organizations can complement this by updating email filtering rules to flag PDF attachments that contain embedded URI actions with multiple or encoded URL parameters. Other technical measures include blocking indicators of compromise (IOCs), for example by implementing network blocks for the domains and URLs that have been identified as malicious. Security analysts should also audit recent MFA authentications for suspicious patterns.
Finally, user awareness remains a critical aspect of organizational defense. As this attack requires the target to click through multiple PDF layers before reaching the final destination, there is greater opportunity for them to realize they are interacting with unusual, and likely malicious, content and to report the attack before compromise occurs.
These steps will enable organizations to ensure they have robust defenses in place against increasingly technical attacks that are designed to evade the standard security tooling they have come to rely on.
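As an added example (not code from the original post), the following implements the PDF filtering rule described above: it pulls /URI action targets out of a PDF and flags those whose query string carries multiple parameters or a percent- or base64-encoded URL. The sample PDF and its placeholder hosts are constructed, not indicators from the campaign.

```python
import base64
import re
from urllib.parse import parse_qsl, urlsplit
# Constructed sample PDF (placeholder hosts, not indicators from the campaign): annotation 4
# links to a CDN-style URL with several query parameters, one a percent-encoded URL.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI
  /URI (https://cdn.example-placeholder.net/v?id=7&r=https%3A%2F%2Fnext-hop.example%2Fdoc) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://www.microsoft.com/) >> >> endobj
%%EOF"""

# /URI targets written as PDF literal strings "(...)" or hex strings "<...>".
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")

def extract_uris(pdf):
    # Works on uncompressed objects; decompress object streams first for real files.
    uris = []
    for m in URI_LITERAL.finditer(pdf):
        raw = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        uris.append(raw.decode("latin-1"))
    for m in URI_HEX.finditer(pdf):
        uris.append(bytes.fromhex(m.group(1).decode()).decode("latin-1"))
    return uris

def looks_like_url(value):
    # Plain or (after parse_qsl's unquoting) percent-encoded URL, or a base64-encoded one.
    candidates = [value]
    try:
        candidates.append(base64.b64decode(value + "=" * (-len(value) % 4)).decode("latin-1"))
    except ValueError:
        pass
    return any(c.lower().startswith(("http://", "https://")) for c in candidates)

def suspicious_reasons(url):
    # Reasons the link matches the filtering rule described above; [] if it does not.
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    reasons = []
    if len(params) >= 2:
        reasons.append("multiple query parameters (%d)" % len(params))
    if any(looks_like_url(v) for _, v in params):
        reasons.append("query parameter carries an encoded URL")
    return reasons

def scan_pdf(pdf):
    # Map each flagged link target to the reasons it was flagged.
    return {u: r for u, r in ((u, suspicious_reasons(u)) for u in extract_uris(pdf)) if r}
```

For nested PDFs like those in this campaign, the flagged target is itself a document to fetch and scan with the same function rather than a final verdict.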
