A complicated phishing marketing campaign concentrating on Italian and U.S. customers by means of pretend Microsoft OneNote login prompts designed to reap Workplace 365 and Outlook credentials.
The assault leverages reliable cloud companies and Telegram bots for information exfiltration, making detection considerably more difficult for conventional safety measures.
Phishing Marketing campaign Targets Italian Customers
The phishing operation begins with attackers internet hosting malicious pages on trusted platforms, together with Notion workspaces, Glitch domains, Google Docs, and RenderForest companies.
Victims obtain emails with topic traces like “New Doc Shared with you,” directing them to pretend OneNote pages that seem reliable.
Pretend OneNote login web page
The malicious pages current a number of authentication choices, together with Office365, Outlook, Rackspace, Aruba Mail, PEC, and different e mail companies.
Have a good time ANY.RUN’s Birthday – Get additional licenses free with our interactive sandbox till Might 31 – Attempt Right here
In line with ANY.RUN report, the marketing campaign particularly targets Italian customers and organizations, with phishing content material written in Italian and subdomain names containing Italian phrases.
Phishing login web page
The assault has been energetic since at the very least January 2022, demonstrating exceptional persistence and evolution over time.
The phishing pages make use of refined JavaScript code to seize sufferer credentials and IP addresses. The malware makes use of the ipify.org service to retrieve victims’ IP addresses by means of the next code implementation:
After credential assortment, the stolen information is exfiltrated through Telegram bots utilizing hardcoded bot tokens and chat IDs immediately embedded within the phishing script. The exfiltration mechanism constructs requests to Telegram’s API endpoint:
Researchers recognized a number of bot configurations all through the marketing campaign’s timeline, together with bots named “Sultanna” (@Sultannanewbot), “remaxx24” (@remaxx24bot), and “Resultant” (@Resultantnewbot).
Intercepted messages from the remaxx24 bot
The assault maintains persistence by redirecting victims to reliable Microsoft OneNote login pages after credential theft, creating an phantasm of legitimacy.
Evasion Methods and Evolution
The marketing campaign demonstrates important technical evolution over its operational lifetime. Early variants used URL encoding obfuscation and net kind submissions for information exfiltration.
Beginning February 2022, attackers transitioned to Telegram bot-based exfiltration with nested URL encoding (2-4 ranges deep).
Between July and December 2024, the risk actors experimented with Base64 obfuscation however subsequently deserted this system for unknown causes.
The attackers intentionally keep away from refined evasion strategies, suggesting both restricted technical experience or strategic deal with entry brokering reasonably than payload improvement.
Safety specialists suggest monitoring community site visitors for suspicious Telegram API communications, particularly requests to api.telegram.org containing the recognized bot tokens.
Organizations ought to implement behavioral sample detection for area chains following the “Notion → Glitch → Telegram API” construction and set up signature-based guidelines figuring out unauthorized Telegram bot exercise inside company networks.
The marketing campaign’s concentrating on of PEC (Posta Elettronica Certificata), Italy’s nationwide licensed e mail system, signifies potential targets extending past easy credential theft to enterprise e mail compromise and entry brokering inside cybercriminal ecosystems.
4 days left to degree up your SOC. Get sandbox licenses for sooner Menace Detection
