Request Your Demo

"*" indicates required fields

Contact Information

The end of May and first week of June 2025 saw a sharp uptick in zero-day phishing campaigns targeting corporate login credentials, with additional campaigns impersonating Amazon and even U.S. government login services (ID.me for IRS). Threat actors employed sophisticated evasive techniques – from multi-layer code encryption and clipboard hijacking to spoofing Microsoft’s own telemetry tools – allowing many of these credential harvesters to slip past traditional security filters. Here are some examples and highlights.

 

Phishing URLs

 

py3zy[.]rzcpsgsgtl[.]ru

4qedv[.]nubelith[.]es

manageapps[.]rkv[.]yeo[.]mybluehost[.]me

alcornic[.]com

bayviewsbuildermd[.]com

y2h1ux[.]de

oug1e[.]dzdyf[.]es

managesecure[.]log-in[.]information-reactivate-statement[.]prime[.]vmr[.]jtu[.]mybluehost[.]me

live.messages[.]landscapeeconomics[.]com

dinerpro[.]info

 

ID.me / IRS Account Phish

 

On June 4th, a Kentucky user clicked a phishing page impersonating an ID.me government login for IRS verification.

 

Similar reported phishing attacks are delivered via emails prompting users to “verify now” to avoid losing access to IRS services. The attack not only asks for ID.me credentials but also additional personal data like Social Security Number, date of birth, and even IRS specific identifiers like CAF and PTIN numbers. Had the attack been successful, the attacker could commit identity theft, file fraudulent tax returns, or use the stolen data for broader attacks involving MFA bypass.

 

Corporate Credential Phishing

 

The period also saw an uptick in targeting of corporate Microsoft credentials. On May 27th, a Texas user clicked the below Microsoft spearphish.

 

The attacker used a layered decryption chain to obfuscate the phishing content from static analysis. On June 2, another Texas user clicked the below phishing attack hosted on a domain likely generated by the same algorithm as the May 27th incident.

 

Like the May 27th incident, it used multiple layers of decryption and additionally used clipboard hijacking to make analysis harder. This was clicked by two Texas users on the same day.

 

On June 2nd, a Kentucky user clicked the below spearphish that perfectly mimicked Microsoft’s OAuth flow in the URL.

 

The HTML includes a large amount of Microsoft-branded meta data to obscure the core phishing logic. The attack was clicked by four different users on June 2nd and 3rd at multiple Kentucky organizations.

 

The same day, another three Kentucky users clicked the below spearphish that included spoofing of Microsoft’s internal telemetry reporting tool (Watson).

 

 

On June 4th, a user in Washington clicked a Microsoft spearphish that was hosted on a compromised domain that was unwittingly hosting a phishing attack, making it difficult to detect by reputational tools.

 

The full URL mimics Microsoft’s OAuth 2.0 structure. The phishing attack also utilizes device fingerprinting for future targeting.

 

Amazon and Multi-brand Phishing

 

The same period saw an uptick of Amazon phishing targeting personal user accounts on work devices that were hosted on the same mybluehost[.]me domain noted in earlier reports. Below are two examples that were clicked by users in Ohio and Kentucky.

 

The last example full URL includes the keywords like “reactivate” and “Prime” strongly suggests an Amazon Prime membership scam – likely a phony alert that a Prime account was suspended or needed updating.

 

On May 31st, a Kentucky user opened a multi-brand phishing attack via an Adobe fileshare.

 

This attack targeted numerous credential type and included a MFA phishing stage after password credentials were harvested.

 

Mitigations

 

  • Block the specified domains on corporate firewalls and endpoint security solutions.
  • Educate users about phishing risks in file sharing applications outside email like Adobe
  • Remind users of phishing risks for their personal accounts they access even if they are on corporate devices
  • Enforce multi-factor authentication (MFA) on all corporate logins to reduce the risk of credential compromise.
  • Protect your users from the next wave of zero day phishing attacks and schedule a demo.

threatresearch@pixmsecurity.com

Share This