Context
On August 3, 2022, ZScaler researchers reported the technical details of an adversary in the middle (AiTM) campaign active since at least June 2022. The RH-ISAC team believes, based on timing and nearly identical tactics, techniques, and procedures (TTPs), that this campaign is likely connected to highly similar activity previously reported by Microsoft.
Key findings from ZScaler’s report include:
- Corporate users of Microsoft’s email services are the main targets of this large-scale phishing campaign.
- All phishing attacks begin with an email sent to the victim with a malicious link.
- The campaign is active at the time of blog publication and new phishing domains are registered almost every day by the threat actor.
- In some cases, the business emails of executives were compromised using this phishing attack and later used to send further phishing emails as part of the same campaign.
- Some of the key industry verticals such as FinTech, Lending, Insurance, Energy and Manufacturing in geographical regions such as the U.S., U.K., New Zealand, and Australia are targeted.
- A custom proxy-based phishing kit capable of bypassing multi-factor authentication (MFA) is used in these attacks.
- Various cloaking and browser fingerprinting techniques are leveraged by the threat actor to bypass automated URL analysis systems.
- Numerous URL redirection methods are used to evade corporate email URL analysis solutions.
- Legitimate online code editing services such as CodeSandbox and Glitch are abused to increase the shelf life of the campaign.
RH-ISAC Analysis
The RH-ISAC intel team assesses with moderate confidence that this activity is closely related to the AiTM campaign reported by Microsoft on June 12, 2022. This is based on the time frame of the attacks and similar TTPs, listed here:
- Zscaler researchers found multiple newly registered domains focused on targeting Microsoft mail users.
- Researchers observed that the attacker logged into a lure account, 8 minutes after researchers sent credentials to the attacker’s server.
- Phishing domains in the campaign imitated legitimate financial organizations.
- Phishing emails appeared to come from legitimate email addresses from imitated organizations, indicating that threat actors may have compromised business email accounts to leverage in the attacks.
- Phishing emails contained links either in the body of the email or inside and HTML file attachment.
- Phishing sites were delivered, redirected to, and hosted using diverse methods.
- Using redirects and proxy pages for credential harvesting helped threat actors circumvent multifactor authentication (MFA) protection.
After compromising the lure account, ZScaler researchers observed attackers logging into the account, reading emails, and checking user profile information. This tactic makes it difficult to concretely determine the final motivation of the campaign beyond reconnaissance and account compromise.
IOCs
Researchers at Zscaler reported the following indicators of compromise (IOCs):
| Indicator | Type | Notes |
| 0mx1lntastantretatlanpassword[.]com | Domain | Phishing Domain |
| 0mxus3rauthkeepsame[.]com | Domain | Phishing Domain |
| 10311landex[.]com | Domain | Phishing Domain |
| 206pms[.]com | Domain | Phishing Domain |
| 2nbskull[.]com | Domain | Phishing Domain |
| 333-77-6578-929-000[.]info | Domain | Phishing Domain |
| 34533teams[.]xyz | Domain | Phishing Domain |
| 365jhsgbxsncnsuye67[.]live | Domain | Phishing Domain |
| 365maineventco[.]com | Domain | Phishing Domain |
| 365voicemessage[.]com | Domain | Phishing Domain |
| 3dfzlrtsiwfibvfyql96zt[.]live | Domain | Phishing Domain |
| 455b3105mssvr[.]ml | Domain | Phishing Domain |
| 5d4ba5ca-d814-4049-8ea3-af505f6e1e01[.]info | Domain | Phishing Domain |
| 5thcolumn[.]accountant | Domain | Phishing Domain |
| 7dmjmg20p8mty1nzexnjgzoc40ljeumty1nzexnzqxny4yng[.]co | Domain | Phishing Domain |
| 7dmjmg20p8mty1ody5mjm4ms4xms4x[.]live | Domain | Phishing Domain |
| aaaaclub[.]net | Domain | Phishing Domain |
| aaaaoffice635u[.]com | Domain | Phishing Domain |
| abg-serviices[.]com | Domain | Phishing Domain |
| accionabdjv[.]ca | Domain | Phishing Domain |
| accvcam[.]com | Domain | Phishing Domain |
| acehomproducts[.]com | Domain | Phishing Domain |
| acqureioil[.]com | Domain | Phishing Domain |
| acuciondi[.]com | Domain | Phishing Domain |
| adlokali[.]com | Domain | Phishing Domain |
| adobe-06195[.]com | Domain | Phishing Domain |
| adobe-20648[.]com | Domain | Phishing Domain |
| adobe-54836[.]com | Domain | Phishing Domain |
| adobe-69451[.]com | Domain | Phishing Domain |
| adobe-91506[.]com | Domain | Phishing Domain |
| agoaci[.]click | Domain | Phishing Domain |
| agre-ae[.]com | Domain | Phishing Domain |
| agronne[.]com | Domain | Phishing Domain |
| aibels[.]com | Domain | Phishing Domain |
| aibie[.]me | Domain | Phishing Domain |
| aimedical[.]click | Domain | Phishing Domain |
| ainorsigns[.]co | Domain | Phishing Domain |
| ainswat[.]com | Domain | Phishing Domain |
| aismare[.]us | Domain | Phishing Domain |
| alamarcosmetics[.]xyz | Domain | Phishing Domain |
| alamoudiexchange-online[.]com | Domain | Phishing Domain |
| alamoudiexchang-online[.]com | Domain | Phishing Domain |
| alexmakanaki[.]com | Domain | Phishing Domain |
| almflrm[.]com | Domain | Phishing Domain |
| alnapeckagingco[.]com | Domain | Phishing Domain |
| altoma-report[.]com | Domain | Phishing Domain |
| amat-us[.]com | Domain | Phishing Domain |
| ambleasia[.]co | Domain | Phishing Domain |
| aminocx[.]xyz | Domain | Phishing Domain |
| am-jlll[.]com | Domain | Phishing Domain |
| appsinfo[.]xyz | Domain | Phishing Domain |
| aqkagjmyzg0otu5ltaznmitndjjms04zwrhlwnknd[.]us | Domain | Phishing Domain |
| aqriko[.]com | Domain | Phishing Domain |
| aquitainewine[.]click | Domain | Phishing Domain |
| araedt[.]com | Domain | Phishing Domain |
| aritcac[.]com | Domain | Phishing Domain |
| ascisoft[.]com | Domain | Phishing Domain |
| asdfghgfdsa[.]com | Domain | Phishing Domain |
| asianwaterjet[.]com | Domain | Phishing Domain |
| asn4[.]xyz | Domain | Phishing Domain |
| assetprovidingsupport[.]xyz | Domain | Phishing Domain |
| assoulne[.]com | Domain | Phishing Domain |
| atg1[.]xyz | Domain | Phishing Domain |
| atg2[.]xyz | Domain | Phishing Domain |
| audlgreenville[.]com | Domain | Phishing Domain |
| aufdreworld[.]com | Domain | Phishing Domain |
| auhrticezemkrt[.]com | Domain | Phishing Domain |
| auth17[.]com | Domain | Phishing Domain |
| autsolut[.]net | Domain | Phishing Domain |
| avantscapital[.]com | Domain | Phishing Domain |
| avis-corporation[.]com | Domain | Phishing Domain |
| azurenetworksauthx[.]us | Domain | Phishing Domain |
| baincoorp[.]com | Domain | Phishing Domain |
| bannesco[.]com | Domain | Phishing Domain |
| basinposal[.]com | Domain | Phishing Domain |
| bat-machinebouw[.]click | Domain | Phishing Domain |
| bbld[.]xyz | Domain | Phishing Domain |
| bckoffice[.]com | Domain | Phishing Domain |
| bdudhurujrhrsvdgdg[.]com | Domain | Phishing Domain |
| behringermails[.]com | Domain | Phishing Domain |
| benchrnark[.]com | Domain | Phishing Domain |
| bergspyderus[.]click | Domain | Phishing Domain |
| berightpw[.]com | Domain | Phishing Domain |
| bevcapmanagements[.]com | Domain | Phishing Domain |
| bewine[.]click | Domain | Phishing Domain |
| biibbeo[.]com | Domain | Phishing Domain |
| biofrontera-online[.]com | Domain | Phishing Domain |
| blackmorcpa[.]co | Domain | Phishing Domain |
| blockhoury[.]com | Domain | Phishing Domain |
| bluestoneqrp[.]com | Domain | Phishing Domain |
| bluewaterlogisticsgroups[.]com | Domain | Phishing Domain |
| boghdetgtahstak[.]com | Domain | Phishing Domain |
| bollinger-news[.]com | Domain | Phishing Domain |
| braagenh[.]com | Domain | Phishing Domain |
| brabinfo[.]xyz | Domain | Phishing Domain |
| bragmutual[.]org | Domain | Phishing Domain |
| brandisaw[.]pics | Domain | Phishing Domain |
| breadlaof[.]com | Domain | Phishing Domain |
| brendghsgsddczx[.]com | Domain | Phishing Domain |
| brentags[.]com | Domain | Phishing Domain |
| bryologyx[.]click | Domain | Phishing Domain |
| btfufu[.]com | Domain | Phishing Domain |
| btxinc[.]click | Domain | Phishing Domain |
| buildintegrated[.]click | Domain | Phishing Domain |
| businessresourceshq[.]com | Domain | Phishing Domain |
| buyhhcwholesale[.]com | Domain | Phishing Domain |
| c4xnjf[.]com | Domain | Phishing Domain |
| caassoclates[.]com | Domain | Phishing Domain |
| calling-phone[.]xyz | Domain | Phishing Domain |
| calspass[.]com | Domain | Phishing Domain |
| capitaln[.]org | Domain | Phishing Domain |
| casgravels[.]com | Domain | Phishing Domain |
| cds-ddd[.]com | Domain | Phishing Domain |
| celticvc[.]org | Domain | Phishing Domain |
| centament[.]com | Domain | Phishing Domain |
| chanpionpromotion[.]com | Domain | Phishing Domain |
| chemtge[.]com | Domain | Phishing Domain |
| chismstrategiies[.]com | Domain | Phishing Domain |
| cidkslhtrifmentinimtimesoffdots[.]xyz | Domain | Phishing Domain |
| cilakemillswius[.]click | Domain | Phishing Domain |
| cinquefonti[.]click | Domain | Phishing Domain |
| ci-resuorces[.]com | Domain | Phishing Domain |
| cityfederalcv[.]com | Domain | Phishing Domain |
| cityofchlcago[.]org | Domain | Phishing Domain |
| clearloginmailbox[.]com | Domain | Phishing Domain |
| clemenhagen[.]com | Domain | Phishing Domain |
| cloud-distributions[.]com | Domain | Phishing Domain |
| cnptrd[.]com | Domain | Phishing Domain |
| coastllnecapital[.]com | Domain | Phishing Domain |
| cohorted[.]click | Domain | Phishing Domain |
| colonyretirement[.]org | Domain | Phishing Domain |
| comlivess[.]com | Domain | Phishing Domain |
| commtraclfloors[.]com | Domain | Phishing Domain |
| comoholdingusa[.]com | Domain | Phishing Domain |
| comoutlooks[.]com | Domain | Phishing Domain |
| congregationanshaitorah[.]com | Domain | Phishing Domain |
| corned[.]co | Domain | Phishing Domain |
| costaenergyllc-report[.]com | Domain | Phishing Domain |
| cpipaneiis[.]com | Domain | Phishing Domain |
| craateoronlineecergynewnote[.]xyz | Domain | Phishing Domain |
| craigsintl[.]com | Domain | Phishing Domain |
| crossvalleyfcv[.]org | Domain | Phishing Domain |
| crswell[.]com | Domain | Phishing Domain |
| cscsteelsusa[.]com | Domain | Phishing Domain |
| cullensolicitors[.]com | Domain | Phishing Domain |
| cvcolebrook[.]click | Domain | Phishing Domain |
| damerche[.]com | Domain | Phishing Domain |
| dastoffidhtrifmentinimtimesoffdots[.]xyz | Domain | Phishing Domain |
| dastoffkmentinimtimesoffdoctas[.]ninja | Domain | Phishing Domain |
| davisellen[.]com | Domain | Phishing Domain |
| dbfjkndkhvsjfdyjdbdih[.]com | Domain | Phishing Domain |
| dechanghitach[.]com | Domain | Phishing Domain |
| dechocoladefabriek[.]click | Domain | Phishing Domain |
| dedrone-online[.]com | Domain | Phishing Domain |
| deseuwhioaks[.]xyz | Domain | Phishing Domain |
| destrooper-olivier[.]click | Domain | Phishing Domain |
| dextermags[.]com | Domain | Phishing Domain |
| dfrfeedback7w[.]com | Domain | Phishing Domain |
| difioreconstructions[.]net | Domain | Phishing Domain |
| dirtymoneydenger[.]xyz | Domain | Phishing Domain |
| discoverlewis[.]co | Domain | Phishing Domain |
| disgros[.]com | Domain | Phishing Domain |
| djtransportatlon[.]com | Domain | Phishing Domain |
| dkdnspmeitlo[.]com | Domain | Phishing Domain |
| dkfkofbnfiufbihfiuf[.]com | Domain | Phishing Domain |
| dlago[.]co | Domain | Phishing Domain |
| dlfcgzgpgwrdfjtkszrbzpzpwpndkd[.]com | Domain | Phishing Domain |
| dnsnamess[.]com | Domain | Phishing Domain |
| documentsharepoint[.]com | Domain | Phishing Domain |
| douglassedist[.]com | Domain | Phishing Domain |
| downs-energys[.]com | Domain | Phishing Domain |
| dphinc[.]org | Domain | Phishing Domain |
| drdrgroup[.]org | Domain | Phishing Domain |
| drussellccigroup[.]com | Domain | Phishing Domain |
| dse01[.]com | Domain | Phishing Domain |
| dsjusfd-lth[.]com | Domain | Phishing Domain |
| durascrete[.]com | Domain | Phishing Domain |
| dustaslde[.]com | Domain | Phishing Domain |
| dyndjdbhdjakshd[.]com | Domain | Phishing Domain |
| dynnata[.]com | Domain | Phishing Domain |
| ebclh[.]org | Domain | Phishing Domain |
| efcotac[.]com | Domain | Phishing Domain |
| efscystems[.]com | Domain | Phishing Domain |
| ehdd[.]net | Domain | Phishing Domain |
| ehdgffdsfd-bdvdbfdyue34dsscdssd[.]me | Domain | Phishing Domain |
| eiiisdone[.]com | Domain | Phishing Domain |
| ejidoater[.]com | Domain | Phishing Domain |
| elecorporattion[.]com | Domain | Phishing Domain |
| electronictransmission[.]net | Domain | Phishing Domain |
| elistsair[.]com | Domain | Phishing Domain |
| emailaccess-expirynotification[.]com | Domain | Phishing Domain |
| emailaccess-passwordnotice[.]com | Domain | Phishing Domain |
| email-verification-access-password-notificafions[.]com | Domain | Phishing Domain |
| emediartslab[.]com | Domain | Phishing Domain |
| encorebrard[.]com | Domain | Phishing Domain |
| encores-bz[.]com | Domain | Phishing Domain |
| endoselec[.]com | Domain | Phishing Domain |
| envizai[.]com | Domain | Phishing Domain |
| eriecommunltyfcu[.]org | Domain | Phishing Domain |
| etacenter[.]com | Domain | Phishing Domain |
| etiselat[.]com | Domain | Phishing Domain |
| etxfabs[.]com | Domain | Phishing Domain |
| eu-biuestarinc[.]com | Domain | Phishing Domain |
| excelavgroups[.]com | Domain | Phishing Domain |
| excelville[.]com | Domain | Phishing Domain |
| expirationrequest-passwordreminder[.]com | Domain | Phishing Domain |
| expiryrequest-mailaccess[.]com | Domain | Phishing Domain |
| exyta[.]net | Domain | Phishing Domain |
| fabirtek[.]com | Domain | Phishing Domain |
| fabrinet-globals[.]com | Domain | Phishing Domain |
| fabrinets[.]com | Domain | Phishing Domain |
| fahdsuk[.]com | Domain | Phishing Domain |
| faircapitallc[.]com | Domain | Phishing Domain |
| fcmilndia[.]com | Domain | Phishing Domain |
| fgtsolutions[.]co | Domain | Phishing Domain |
| filkjooor[.]com | Domain | Phishing Domain |
| finalmanstandlap[.]com | Domain | Phishing Domain |
| fiorettl[.]com | Domain | Phishing Domain |
| fiplodjfjfjnxjisski[.]com | Domain | Phishing Domain |
| firstablenefcu[.]org | Domain | Phishing Domain |
| flakestld[.]us | Domain | Phishing Domain |
| flowerandmore[.]biz | Domain | Phishing Domain |
| fmh-corp[.]org | Domain | Phishing Domain |
| foodjet[.]click | Domain | Phishing Domain |
| forbedentallab[.]com | Domain | Phishing Domain |
| fr-ggori[.]xyz | Domain | Phishing Domain |
| friendsofc-online[.]com | Domain | Phishing Domain |
| frontofflcce[.]com | Domain | Phishing Domain |
| fulier[.]ca | Domain | Phishing Domain |
| galatachemicals[.]net | Domain | Phishing Domain |
| garefl[.]com | Domain | Phishing Domain |
| gassentec[.]com | Domain | Phishing Domain |
| gatewaytubular[.]com | Domain | Phishing Domain |
| generalstores-be[.]click | Domain | Phishing Domain |
| genevainn[.]org | Domain | Phishing Domain |
| gennfed[.]com | Domain | Phishing Domain |
| ghllamak[.]com | Domain | Phishing Domain |
| ghvgghjjhbhbhb[.]com | Domain | Phishing Domain |
| gianjet[.]com | Domain | Phishing Domain |
| gimc-cocktail[.]com | Domain | Phishing Domain |
| girvlnassoc[.]net | Domain | Phishing Domain |
| goarnstrong[.]com | Domain | Phishing Domain |
| graycardinal[.]ca | Domain | Phishing Domain |
| greatwauecom[.]com | Domain | Phishing Domain |
| greenstalkholding[.]com | Domain | Phishing Domain |
| gsokoauyilpoi[.]com | Domain | Phishing Domain |
| gspwii[.]com | Domain | Phishing Domain |
| guardanthealths[.]com | Domain | Phishing Domain |
| hafe1e[.]com | Domain | Phishing Domain |
| haglaegis[.]com | Domain | Phishing Domain |
| halalog[.]com | Domain | Phishing Domain |
| halesjewelers[.]org | Domain | Phishing Domain |
| harvestclhurchba[.]com | Domain | Phishing Domain |
| hasseco[.]co | Domain | Phishing Domain |
| hawaiianpr0p[.]com | Domain | Phishing Domain |
| hcisystem[.]net | Domain | Phishing Domain |
| healths-law[.]com | Domain | Phishing Domain |
| heibraunievey[.]com | Domain | Phishing Domain |
| hgjvdfvfh[.]com | Domain | Phishing Domain |
| hhppny[.]com | Domain | Phishing Domain |
| hidefsurveying[.]info | Domain | Phishing Domain |
| hjdlsksfhhn[.]com | Domain | Phishing Domain |
| hokualakavai[.]com | Domain | Phishing Domain |
| holder-fcl[.]com | Domain | Phishing Domain |
| horizonholdlngs[.]com | Domain | Phishing Domain |
| horstandgrabenwealth[.]xyz | Domain | Phishing Domain |
| hsshd729s[.]com | Domain | Phishing Domain |
| huguhsings[.]com | Domain | Phishing Domain |
| iaunchfinance[.]com | Domain | Phishing Domain |
| imperialprecision[.]org | Domain | Phishing Domain |
| inboxmainchil[.]com | Domain | Phishing Domain |
| infokeysinc-mlcrosoftpasswdd[.]com | Domain | Phishing Domain |
| infomicrosoft[.]net | Domain | Phishing Domain |
| innfinancial[.]net | Domain | Phishing Domain |
| insaertab[.]com | Domain | Phishing Domain |
| instagzone[.]com | Domain | Phishing Domain |
| intelliclicksoftware-online[.]software | Domain | Phishing Domain |
| intrepidpotashs[.]com | Domain | Phishing Domain |
| ireataeoronlineecergynewnote[.]xyz | Domain | Phishing Domain |
| isccontractings[.]com | Domain | Phishing Domain |
| ispschools[.]co | Domain | Phishing Domain |
| itsonlinewiththefileofficeofficial[.]xyz | Domain | Phishing Domain |
| iukygt98yu09i8iuy908iuy908iuytrgfh67[.]com | Domain | Phishing Domain |
| jcb[.]cx | Domain | Phishing Domain |
| jsptsenergy[.]com | Domain | Phishing Domain |
| jukiyq[.]com | Domain | Phishing Domain |
| junnioehsnsbh7[.]me | Domain | Phishing Domain |
| kathisp[.]com | Domain | Phishing Domain |
| kbnoffice[.]com | Domain | Phishing Domain |
| keep356fgfhgutryt[.]com | Domain | Phishing Domain |
| keepsettingsinfoanon[.]com | Domain | Phishing Domain |
| kickte[.]com | Domain | Phishing Domain |
| kiymanfinancial[.]com | Domain | Phishing Domain |
| kj4brvghvjk[.]com | Domain | Phishing Domain |
| kleinfalder[.]com | Domain | Phishing Domain |
| klimateshield[.]net | Domain | Phishing Domain |
| knyjbio[.]com | Domain | Phishing Domain |
| koc-tr[.]com | Domain | Phishing Domain |
| kreagermitchell[.]click | Domain | Phishing Domain |
| ktorresrray[.]com | Domain | Phishing Domain |
| kupolae[.]com | Domain | Phishing Domain |
| kushyedhfman[.]com | Domain | Phishing Domain |
| lakrvsm[.]com | Domain | Phishing Domain |
| lanckstele[.]com | Domain | Phishing Domain |
| lang-cq[.]com | Domain | Phishing Domain |
| leedseng[.]com | Domain | Phishing Domain |
| levaelld[.]com | Domain | Phishing Domain |
| lfiliumination[.]com | Domain | Phishing Domain |
| lifetechrned[.]com | Domain | Phishing Domain |
| litechcking[.]xyz | Domain | Phishing Domain |
| lityrest[.]com | Domain | Phishing Domain |
| liwsupply[.]com | Domain | Phishing Domain |
| lkhgfghccghgh366555[.]com | Domain | Phishing Domain |
| lmscorp-us[.]com | Domain | Phishing Domain |
| lnstream[.]net | Domain | Phishing Domain |
| lntrecash[.]com | Domain | Phishing Domain |
| logindri-veshare[.]live | Domain | Phishing Domain |
| loginmicrossft[.]co | Domain | Phishing Domain |
| logsettingsforlog[.]com | Domain | Phishing Domain |
| lointree[.]com | Domain | Phishing Domain |
| longetivity[.]co.uk | Domain | Phishing Domain |
| m0367d6378b355472d879736b7350[.]live | Domain | Phishing Domain |
| m0autthxxd47[.]com | Domain | Phishing Domain |
| mabdhufbwkshudgvhu[.]com | Domain | Phishing Domain |
| madasmaneudonedeo[.]com | Domain | Phishing Domain |
| mailpasswordexpiry-reminder[.]com | Domain | Phishing Domain |
| mailscancache[.]com | Domain | Phishing Domain |
| mailstoragenoticeonline[.]com | Domain | Phishing Domain |
| makairalandscaqe[.]com | Domain | Phishing Domain |
| managementlocks[.]com | Domain | Phishing Domain |
| mandnsjeyrusmskbdv[.]com | Domain | Phishing Domain |
| mansoolsnsjwuajshd[.]com | Domain | Phishing Domain |
| mapdatew[.]com | Domain | Phishing Domain |
| marshwestin[.]com | Domain | Phishing Domain |
| marynellmalonyelawfirm[.]com | Domain | Phishing Domain |
| mashcapyusu[.]org | Domain | Phishing Domain |
| mashroecy[.]com | Domain | Phishing Domain |
| maxismstaffing[.]com | Domain | Phishing Domain |
| mcrosftpasswd-activity[.]com | Domain | Phishing Domain |
| melograno[.]click | Domain | Phishing Domain |
| meqal-secure[.]com | Domain | Phishing Domain |
| merrakii[.]com | Domain | Phishing Domain |
| messageallianceclue[.]com | Domain | Phishing Domain |
| mhkspartners[.]com | Domain | Phishing Domain |
| miccrosoftttoficee365[.]com | Domain | Phishing Domain |
| miccrrosoftsecure[.]com | Domain | Phishing Domain |
| microtki[.]com | Domain | Phishing Domain |
| mindfulbirthnj[.]com | Domain | Phishing Domain |
| mirevabalika[.]xyz | Domain | Phishing Domain |
| mlcc-asminternational[.]us | Domain | Phishing Domain |
| mllklabor[.]org | Domain | Phishing Domain |
| mlly[.]xyz | Domain | Phishing Domain |
| moralibbx[.]xyz | Domain | Phishing Domain |
| morent[.]co | Domain | Phishing Domain |
| moreoff376[.]com | Domain | Phishing Domain |
| morrisonheshfield[.]com | Domain | Phishing Domain |
| mrecateoronlineecergynewnote[.]xyz | Domain | Phishing Domain |
| mscenter-exchangeinfo[.]ga | Domain | Phishing Domain |
| mscenter-exchangeprotect[.]ga | Domain | Phishing Domain |
| mscenter-exchangeprotect[.]ml | Domain | Phishing Domain |
| mscenter-protectexchange[.]ga | Domain | Phishing Domain |
| mscenter-protectexchange[.]ml | Domain | Phishing Domain |
| mscenters-exchangeprotects[.]ga | Domain | Phishing Domain |
| mscenters-exchangeprotects[.]ml | Domain | Phishing Domain |
| mscomplaince-exchangemx[.]ga | Domain | Phishing Domain |
| mscomplaince-exchangemx[.]ml | Domain | Phishing Domain |
| mservcfrduud[.]com | Domain | Phishing Domain |
| mslawtc[.]com | Domain | Phishing Domain |
| mso-10[.]com | Domain | Phishing Domain |
| mso-4[.]com | Domain | Phishing Domain |
| mso-6[.]com | Domain | Phishing Domain |
| msokool[.]com | Domain | Phishing Domain |
| msonline[.]club | Domain | Phishing Domain |
| msprotect-exchangemx[.]cf | Domain | Phishing Domain |
| msprotect-exchangemx[.]ml | Domain | Phishing Domain |
| mssoleop[.]com | Domain | Phishing Domain |
| mtfbs[.]click | Domain | Phishing Domain |
| mxfdsam3new[.]com | Domain | Phishing Domain |
| mypage-corporate[.]com | Domain | Phishing Domain |
| myplos[.]com | Domain | Phishing Domain |
| nailbur[.]com | Domain | Phishing Domain |
| nanbhx[.]com | Domain | Phishing Domain |
| nce-sg[.]com | Domain | Phishing Domain |
| netcapittal[.]com | Domain | Phishing Domain |
| newmanregencytransmission[.]com | Domain | Phishing Domain |
| newmansimpsons[.]com | Domain | Phishing Domain |
| newrecalluser[.]com | Domain | Phishing Domain |
| newttech-sys[.]com | Domain | Phishing Domain |
| nfnoffice[.]com | Domain | Phishing Domain |
| nkccpa[.]com | Domain | Phishing Domain |
| nlmeks[.]com | Domain | Phishing Domain |
| nmed-lab[.]com | Domain | Phishing Domain |
| nordicstrustee[.]com | Domain | Phishing Domain |
| northvolts[.]com | Domain | Phishing Domain |
| ntgent-be[.]click | Domain | Phishing Domain |
| nutritionadvisors[.]org | Domain | Phishing Domain |
| ny-vee[.]co | Domain | Phishing Domain |
| oauth7[.]com | Domain | Phishing Domain |
| ofccuu[.]com | Domain | Phishing Domain |
| officefilest[.]com | Domain | Phishing Domain |
| officeoutteamworkstation[.]com | Domain | Phishing Domain |
| offilincom[.]com | Domain | Phishing Domain |
| offjkhgvc[.]com | Domain | Phishing Domain |
| offwmi[.]com | Domain | Phishing Domain |
| oniline-mics[.]com | Domain | Phishing Domain |
| onlineoffce[.]com | Domain | Phishing Domain |
| onlinservices[.]club | Domain | Phishing Domain |
| onsettingsdav[.]com | Domain | Phishing Domain |
| ophoustons[.]com | Domain | Phishing Domain |
| oreqonaero[.]com | Domain | Phishing Domain |
| os1connect[.]com | Domain | Phishing Domain |
| oslappy[.]com | Domain | Phishing Domain |
| oufcv[.]com | Domain | Phishing Domain |
| ourin[.]xyz | Domain | Phishing Domain |
| outlookfilesauthentication[.]com | Domain | Phishing Domain |
| ovfcv[.]com | Domain | Phishing Domain |
| owlautoai[.]com | Domain | Phishing Domain |
| owlwarrantyai[.]com | Domain | Phishing Domain |
| oxtelidi[.]com | Domain | Phishing Domain |
| paccommtg[.]com | Domain | Phishing Domain |
| paceqallery[.]com | Domain | Phishing Domain |
| paksolvtionsusa[.]com | Domain | Phishing Domain |
| palcogenerator[.]com | Domain | Phishing Domain |
| pars-org[.]com | Domain | Phishing Domain |
| passportinc-onlinecom[.]com | Domain | Phishing Domain |
| password00verification385518485[.]com | Domain | Phishing Domain |
| password0verify6767971208[.]com | Domain | Phishing Domain |
| pathwavscu[.]com | Domain | Phishing Domain |
| patterrnenergy[.]com | Domain | Phishing Domain |
| pbiapp[.]com | Domain | Phishing Domain |
| pelladrect[.]com | Domain | Phishing Domain |
| pepslco[.]com | Domain | Phishing Domain |
| perfectsmile-dcntal[.]com | Domain | Phishing Domain |
| perkinlawtx[.]com | Domain | Phishing Domain |
| permobill[.]com | Domain | Phishing Domain |
| pflzer[.]co | Domain | Phishing Domain |
| pheniexnt[.]com | Domain | Phishing Domain |
| pilarcu[.]com | Domain | Phishing Domain |
| playboyhouse[.]xyz | Domain | Phishing Domain |
| playersoft[.]co | Domain | Phishing Domain |
| poetape[.]com | Domain | Phishing Domain |
| poiu767678i89p98o7o98po9p7p67p7op654re[.]com | Domain | Phishing Domain |
| portalquery-expirynotice[.]com | Domain | Phishing Domain |
| portalresolve-reminder[.]com | Domain | Phishing Domain |
| portconnfcuu[.]com | Domain | Phishing Domain |
| povndmgt[.]com | Domain | Phishing Domain |
| pqkkwkkskdjqwpokhjqoqpqpakqpqiwqqpqowqpwooq[.]com | Domain | Phishing Domain |
| preferred-properties[.]info | Domain | Phishing Domain |
| pressin[.]xyz | Domain | Phishing Domain |
| pretressservices[.]com | Domain | Phishing Domain |
| priaso[.]com | Domain | Phishing Domain |
| primwests[.]com | Domain | Phishing Domain |
| progressim[.]click | Domain | Phishing Domain |
| project-scop[.]com | Domain | Phishing Domain |
| project-scop[.]live | Domain | Phishing Domain |
| psscontractor[.]com | Domain | Phishing Domain |
| pyxislogistics[.]click | Domain | Phishing Domain |
| qsummary[.]online | Domain | Phishing Domain |
| quintadapraiaverde[.]com | Domain | Phishing Domain |
| qwlckrate[.]com | Domain | Phishing Domain |
| r4services[.]org | Domain | Phishing Domain |
| radsotek[.]com | Domain | Phishing Domain |
| railsone-usa[.]com | Domain | Phishing Domain |
| ramsmtgcaps[.]com | Domain | Phishing Domain |
| ranndlog[.]com | Domain | Phishing Domain |
| raptrotech[.]com | Domain | Phishing Domain |
| rchrsc[.]com | Domain | Phishing Domain |
| reddinc[.]org | Domain | Phishing Domain |
| registration-forms[.]us | Domain | Phishing Domain |
| reidterrasolution[.]com | Domain | Phishing Domain |
| res-report[.]us | Domain | Phishing Domain |
| riuyimachine[.]com | Domain | Phishing Domain |
| rmcdmcc[.]com | Domain | Phishing Domain |
| rnechcollc[.]com | Domain | Phishing Domain |
| rodlncoinc[.]com | Domain | Phishing Domain |
| ructioninc[.]com | Domain | Phishing Domain |
| sablepw[.]top | Domain | Phishing Domain |
| safelinks[.]online | Domain | Phishing Domain |
| saicorp[.]co | Domain | Phishing Domain |
| salesforcie[.]com | Domain | Phishing Domain |
| sancoent[.]org | Domain | Phishing Domain |
| sanleandroford[.]click | Domain | Phishing Domain |
| sbvdjhsadbvjfrkuvfbhdhd[.]com | Domain | Phishing Domain |
| scbhubonc[.]co | Domain | Phishing Domain |
| schmidoffice[.]click | Domain | Phishing Domain |
| scotchdale[.]click | Domain | Phishing Domain |
| secrelogrussmake[.]com | Domain | Phishing Domain |
| sembmarine-online[.]com | Domain | Phishing Domain |
| seneca-report[.]com | Domain | Phishing Domain |
| serviceproviderrs[.]com | Domain | Phishing Domain |
| servicewebofficeindex361loginemail[.]online | Domain | Phishing Domain |
| settings0365[.]com | Domain | Phishing Domain |
| shaftdesign[.]click | Domain | Phishing Domain |
| shapshap22[.]com | Domain | Phishing Domain |
| share-access-notifications[.]com | Domain | Phishing Domain |
| sharepoint-access-notifications[.]com | Domain | Phishing Domain |
| shdjfbfjfskjdfyfgngjgjg[.]com | Domain | Phishing Domain |
| shelils[.]com | Domain | Phishing Domain |
| shenoeup[.]com | Domain | Phishing Domain |
| siemens-energv[.]com | Domain | Phishing Domain |
| siktadmog[.]com | Domain | Phishing Domain |
| single-temps[.]com | Domain | Phishing Domain |
| situationintarective[.]com | Domain | Phishing Domain |
| sixspartnerrs[.]com | Domain | Phishing Domain |
| sjsjsjsjsjsjsjsssjsj[.]club | Domain | Phishing Domain |
| slakdkslpeop[.]com | Domain | Phishing Domain |
| somaloglc[.]org | Domain | Phishing Domain |
| spcc-toledo[.]net | Domain | Phishing Domain |
| sproquela[.]com | Domain | Phishing Domain |
| sroauth[.]xyz | Domain | Phishing Domain |
| ssosignons356[.]com | Domain | Phishing Domain |
| stablematerials[.]com | Domain | Phishing Domain |
| stanepp[.]org | Domain | Phishing Domain |
| steelwrists[.]com | Domain | Phishing Domain |
| stefany1990[.]click | Domain | Phishing Domain |
| stenfordedu[.]com | Domain | Phishing Domain |
| stocksfroozen[.]xyz | Domain | Phishing Domain |
| stonecastlepartnerrs[.]com | Domain | Phishing Domain |
| styguhidsyhuidsyzuhids7husd78xds7zx8ds7zx89jids[.]com | Domain | Phishing Domain |
| subsiquent-protection[.]xyz | Domain | Phishing Domain |
| substentialsecurepron[.]xyz | Domain | Phishing Domain |
| sumiy0shi[.]com | Domain | Phishing Domain |
| swesreport[.]com | Domain | Phishing Domain |
| sxhygdhsg[.]co | Domain | Phishing Domain |
| synergipartnars[.]com | Domain | Phishing Domain |
| sysvamps[.]com | Domain | Phishing Domain |
| tahoebiltmore[.]org | Domain | Phishing Domain |
| tankequipments[.]com | Domain | Phishing Domain |
| temcopi[.]com | Domain | Phishing Domain |
| teremilazer[.]com | Domain | Phishing Domain |
| terminalvfest[.]co.uk | Domain | Phishing Domain |
| terracon-report[.]com | Domain | Phishing Domain |
| terryappraisalsgroup[.]com | Domain | Phishing Domain |
| texantitle-report[.]com | Domain | Phishing Domain |
| theeveristco[.]com | Domain | Phishing Domain |
| thejyygroup[.]com | Domain | Phishing Domain |
| themaplob[.]com | Domain | Phishing Domain |
| thereportbot[.]com | Domain | Phishing Domain |
| tigoenergym1crosoft-passwd[.]com | Domain | Phishing Domain |
| tmasites[.]co.uk | Domain | Phishing Domain |
| tmhfcv[.]org | Domain | Phishing Domain |
| tonic-collective[.]live | Domain | Phishing Domain |
| triboro-fcv[.]org | Domain | Phishing Domain |
| tri-iinc[.]net | Domain | Phishing Domain |
| truebjj[.]com | Domain | Phishing Domain |
| tuemereliaz[.]com | Domain | Phishing Domain |
| ud8sa[.]com | Domain | Phishing Domain |
| ulakhaberlesme-online[.]com | Domain | Phishing Domain |
| unidinex[.]com | Domain | Phishing Domain |
| uniltedrental[.]com | Domain | Phishing Domain |
| unionblz[.]org | Domain | Phishing Domain |
| unltedrental[.]com | Domain | Phishing Domain |
| urbantrustscapital[.]com | Domain | Phishing Domain |
| urw-us[.]com | Domain | Phishing Domain |
| ushinsk[.]com | Domain | Phishing Domain |
| uswurskland[.]com | Domain | Phishing Domain |
| utpostra[.]com | Domain | Phishing Domain |
| uueb837en[.]com | Domain | Phishing Domain |
| uzomafoundation[.]com | Domain | Phishing Domain |
| valentern[.]com | Domain | Phishing Domain |
| vectaenvironml[.]xyz | Domain | Phishing Domain |
| venovoice[.]online | Domain | Phishing Domain |
| ventiott[.]com | Domain | Phishing Domain |
| vesonn[.]com | Domain | Phishing Domain |
| vicetelejhgvfhj[.]com | Domain | Phishing Domain |
| viewsprotech[.]com | Domain | Phishing Domain |
| villatelperu[.]com | Domain | Phishing Domain |
| vistabank-report[.]com | Domain | Phishing Domain |
| vitox[.]click | Domain | Phishing Domain |
| vm-buscall[.]club | Domain | Phishing Domain |
| vmonlineservice[.]xyz | Domain | Phishing Domain |
| vmsendermails[.]xyz | Domain | Phishing Domain |
| vm-service[.]xyz | Domain | Phishing Domain |
| vodafonex[.]online | Domain | Phishing Domain |
| von-lincs[.]shop | Domain | Phishing Domain |
| vrmarath0n[.]com | Domain | Phishing Domain |
| vurijuireiujmfdusijeruijmfudisjdsaim[.]com | Domain | Phishing Domain |
| waunacvorg[.]com | Domain | Phishing Domain |
| webcore2[.]com | Domain | Phishing Domain |
| webcore3[.]com | Domain | Phishing Domain |
| webmailservice[.]site | Domain | Phishing Domain |
| websecuritynotice[.]com | Domain | Phishing Domain |
| weldongranger[.]com | Domain | Phishing Domain |
| wellingtons-partners[.]com | Domain | Phishing Domain |
| westmariinfund[.]org | Domain | Phishing Domain |
| whoerkemshdh[.]com | Domain | Phishing Domain |
| wiliampenn[.]com | Domain | Phishing Domain |
| windssorservices[.]com | Domain | Phishing Domain |
| wis3po-1k60i5bn-jwza24[.]com | Domain | Phishing Domain |
| wittial[.]com | Domain | Phishing Domain |
| wonjiinco[.]com | Domain | Phishing Domain |
| workenterservice[.]com | Domain | Phishing Domain |
| worldexchangechbe[.]com | Domain | Phishing Domain |
| xcduoyuuwa[.]com | Domain | Phishing Domain |
| xlikk[.]com | Domain | Phishing Domain |
| yhjfdhgjdhunjdyuidesuidsuihjfdjkies[.]com | Domain | Phishing Domain |
| yickhoesgroup[.]com | Domain | Phishing Domain |
| yolmathy[.]com | Domain | Phishing Domain |
| zhongt0ng[.]org | Domain | Phishing Domain |
| clxbcj[.]codesandbox[.]io | Domain | Codesandbox URLs |
| c0poft[.]codesandbox[.]io | Domain | Codesandbox URLs |
| ekwg9l[.]codesandbox[.]io | Domain | Codesandbox URLs |
| epovr9[.]codesandbox[.]io | Domain | Codesandbox URLs |
| er849r[.]codesandbox[.]io | Domain | Codesandbox URLs |
| fnqynt[.]codesandbox[.]io | Domain | Codesandbox URLs |
| hjfsty[.]codesandbox[.]io | Domain | Codesandbox URLs |
| iz8ieq[.]codesandbox[.]io | Domain | Codesandbox URLs |
| jkvpu5[.]codesandbox[.]io | Domain | Codesandbox URLs |
| j3buwf[.]codesandbox[.]io | Domain | Codesandbox URLs |
| kg4pxm[.]codesandbox[.]io | Domain | Codesandbox URLs |
| k54431[.]codesandbox[.]io | Domain | Codesandbox URLs |
| k8zngr[.]codesandbox[.]io | Domain | Codesandbox URLs |
| lq1nq3[.]codesandbox[.]io | Domain | Codesandbox URLs |
| mvis9x[.]codesandbox[.]io | Domain | Codesandbox URLs |
| on8pb2[.]codesandbox[.]io | Domain | Codesandbox URLs |
| pc292i[.]codesandbox[.]io | Domain | Codesandbox URLs |
| pjoumm[.]codesandbox[.]io | Domain | Codesandbox URLs |
| quzqvm[.]codesandbox[.]io | Domain | Codesandbox URLs |
| rn8hs6[.]codesandbox[.]io | Domain | Codesandbox URLs |
| sjtug9[.]codesandbox[.]io | Domain | Codesandbox URLs |
| tz29yo[.]codesandbox[.]io | Domain | Codesandbox URLs |
| u2xyhg[.]codesandbox[.]io | Domain | Codesandbox URLs |
| xdtmw5[.]codesandbox[.]io | Domain | Codesandbox URLs |
| y7dp2d[.]codesandbox[.]io | Domain | Codesandbox URLs |
| zwec9y[.]codesandbox[.]io | Domain | Codesandbox URLs |
| 286755[.]codesandbox[.]io | Domain | Codesandbox URLs |
| 3fytwq[.]codesandbox[.]io | Domain | Codesandbox URLs |
| 34ovuk[.]codesandbox[.]io | Domain | Codesandbox URLs |
| 62zy6b[.]codesandbox[.]io | Domain | Codesandbox URLs |
| 660o5v[.]codesandbox[.]io | Domain | Codesandbox URLs |
| 7o7ttl[.]codesandbox[.]io | Domain | Codesandbox URLs |
| 77du0t[.]codesandbox[.]io | Domain | Codesandbox URLs |
| 8nk0ds[.]codesandbox[.]io | Domain | Codesandbox URLs |
| 9xybgc[.]codesandbox[.]io | Domain | Codesandbox URLs |
| bald-savory-whippoorwill[.]glitch[.]me | Domain | Glitch URLs |
| curvy-spiritual-dirt[.]glitch[.]me | Domain | Glitch URLs |
| deep-blossom-dichondra[.]glitch[.]me | Domain | Glitch URLs |
| jolly-hospitable-hygienic[.]glitch[.]me | Domain | Glitch URLs |
| prism-principled-eucalyptus[.]glitch[.]me | Domain | Glitch URLs |
| showy-clammy-riddle[.]glitch[.]me | Domain | Glitch URLs |
| tabby-pattern-curiosity[.]glitch[.]me | Domain | Glitch URLs |
