
Across Q1 2026, PIXM detected and analyzed over 75 distinct phishing campaigns. What stands out is not the volume — it is how rapidly the campaigns matured across the quarter. January’s attacks relied on credential harvesting forms and consumer brand impersonation. By March, the same threat surface featured 100+ phishing pages hosted on Microsoft’s own Azure infrastructure, comprehensive MFA bypass against authenticator apps and FIDO tokens, and fully functional proxy-based site clones.

The data underlying this report comes from PIXM’s visibility into K–12 and higher education networks, but the techniques are not sector-specific. They are arriving at every enterprise next.

100+ Phishing Pages on Microsoft’s Own Azure Infrastructure

By late Q1, PIXM was tracking over 100 unique Azure Blob Storage subdomain variants under z13.web.core.windows.net, all hosting phishing content. These pages carried the domain reputation of Microsoft itself. Email gateways, web proxies, and endpoint protection tools that rely on domain reputation did not flag them.

The pages primarily served tech support scams — fabricated system errors (“Memory access violation,” “Password required for System32”) with prominent phone numbers directing victims to call scammers posing as Microsoft Support. Disabled input fields and non-functional buttons were deliberately implemented to frustrate self-service attempts and force phone calls. Tawk.to chat widgets fabricated real-time security alerts.

The volume — 100+ variants following predictable naming patterns — suggests automated generation rather than manual effort.
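One way a defender can surface that kind of automated naming from their own proxy or DNS logs is to collapse each hostname under the shared Azure suffix into a template (digit runs replaced by a placeholder) and count how many observed hosts fall into each template. The script below is an added example, not PIXM's tooling; the hostnames it runs on are constructed for illustration and are not indicators from the report, and the minimum cluster size is an assumption to tune.

```python
"""Cluster hostnames by naming template to spot automated generation.

Added example, not PIXM's tooling. The sample hostnames below are
constructed for illustration and are not indicators from the report.
"""
import re
from collections import defaultdict

# Shared hosting suffix named in the report; everything left of it is the
# attacker-chosen label and is what we compare.
SHARED_SUFFIX = ".z13.web.core.windows.net"

# Constructed sample: two numbered families plus two one-off tenants.
SAMPLE_HOSTS = [
    "supportalert01.z13.web.core.windows.net",
    "supportalert02.z13.web.core.windows.net",
    "supportalert17.z13.web.core.windows.net",
    "supportalert23.z13.web.core.windows.net",
    "winsecure-error1.z13.web.core.windows.net",
    "winsecure-error2.z13.web.core.windows.net",
    "winsecure-error9.z13.web.core.windows.net",
    "docs-portal.z13.web.core.windows.net",      # one-off, should not cluster
    "team-wiki2024.z13.web.core.windows.net",    # one-off, should not cluster
]


def host_template(host: str) -> str:
    """Reduce the attacker-chosen label to a shape: every digit run becomes '#'.

    'supportalert01' and 'supportalert17' both map to 'supportalert#', so
    sequentially numbered variants land in one bucket.
    """
    label = host.lower().strip(".")
    if label.endswith(SHARED_SUFFIX):
        label = label[: -len(SHARED_SUFFIX)]
    return re.sub(r"\d+", "#", label)


def cluster_hosts(hosts, min_variants: int = 3) -> dict:
    """Group hosts by template; keep only templates with >= min_variants hosts.

    min_variants is an assumed threshold: raise it on large, noisy logs.
    """
    buckets = defaultdict(set)
    for host in hosts:
        buckets[host_template(host)].add(host.lower())
    return {t: sorted(v) for t, v in buckets.items() if len(v) >= min_variants}


def blocklist_patterns(clusters: dict) -> list:
    """Turn each flagged template into an anchored regex for a proxy/DNS rule."""
    patterns = []
    for template in clusters:
        parts = [re.escape(p) for p in template.split("#")]
        label_re = r"\d+".join(parts)
        patterns.append(rf"^{label_re}{re.escape(SHARED_SUFFIX)}$")
    return patterns


def matches_blocklist(host: str, patterns: list) -> bool:
    """True if the host matches any generated pattern (case-insensitive)."""
    return any(re.match(p, host.lower()) for p in patterns)


if __name__ == "__main__":
    clusters = cluster_hosts(SAMPLE_HOSTS)
    for template, members in clusters.items():
        print(f"{template}: {len(members)} variants -> {members}")
    for pattern in blocklist_patterns(clusters):
        print("rule:", pattern)
```

The output is a triage lead, not a verdict: legitimate tenants also number their sites, so a flagged template should be reviewed (page content, registration age of the storage account, who on the network visited it) before its regex goes into a blocking rule.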

Azure-hosted tech support scam with multiple overlapping error popups designed to create urgency.

Azure was not the only platform abused. Across the quarter, PIXM documented phishing content hosted on Cloudflare CDN and Workers, Cloudflare R2, Backblaze B2, IPFS (decentralized hosting via dweb.link), Supabase, Linode Object Storage, compromised Pantheon-hosted WordPress sites, BunnyCDN, MyBrightSites, and Tawk.to. For defenders, the practical takeaway is direct: domain-reputation-based blocking alone did not catch these campaigns. Any platform that allows user-generated content or static file hosting was used.

MFA Bypass: A Quarter of Rapid Evolution

In January, MFA bypass was limited — campaigns collected SMS codes through basic secondary forms. By February, PIXM observed WebSocket-based real-time exfiltration via Socket.io, AES-encrypted phishing kit configurations, and authenticator app token collection. By March, kits were harvesting push notification approvals and FIDO challenge tokens through multi-step authentication simulations virtually indistinguishable from legitimate Microsoft login flows.

The most sophisticated campaigns followed a consistent multi-stage pattern: pre-populated email parameter in the URL → email submission → password entry → deliberate “Incorrect password” error → password re-entry → realistic MFA token prompt → exfiltration via WebSocket or fetch(). The deliberate password error on first entry is a design choice, not a bug. It doubles the probability of capturing a valid password, since victims typically re-type more carefully on the second attempt.

Advanced multi-stage Microsoft 365 authentication flow with MFA token collection.

One notable campaign perfectly replicated the Microsoft login interface using legitimate Microsoft CDN references (aadcdn.msftauth.net), OAuth-like parameter structures, and complete authentication flow mimicry including nonces and session management. Without inspecting the URL, the page was virtually indistinguishable from the real Microsoft login portal.

The practical implication: SMS, authenticator-app, and push-based MFA were all bypassed by kits documented this quarter. Phishing-resistant MFA — hardware keys, passkeys — is the only category that held up.

Proxy-Based Site Cloning: Real Sites, Stolen Credentials

Most phishing pages are static replicas of a login form. Proxy-based cloning is different — it creates a fully functional mirror of the target site by intercepting and rewriting traffic in real time. The user sees and interacts with the real site; their credentials flow through the attacker.

This technique appeared throughout Q1, becoming more polished with each iteration:

  • January (early Q1): An Ultraviolet proxy service on cookieduck.com proxied Microsoft authentication, maintaining full MFA functionality including FIDO2/WebAuthn capabilities. URLs were rewritten with __uv-attr prefixes.
  • January (mid Q1): A proxy service at mochiss.xyz created a functional Netflix clone, used as a consumer-brand lure.
  • March (late Q1): A fully functional Roblox mirror hosted on BunnyCDN (classroomweb67123.b-cdn.net). All legitimate Roblox URLs were systematically rewritten through encoded paths, preserving authentic metadata and functionality while funneling credentials through attacker-controlled endpoints.

Ultraviolet proxy-based Roblox clone — a fully functional mirror with credentials routed through attacker infrastructure.

Proxy cloning is particularly notable because it defeats the most common advice given to users: “check whether the page looks real.” The page is real — it is the actual target site, proxied. PIXM observed three distinct proxy-based implementations across the quarter, each more refined than the last — consistent with this technique becoming established rather than experimental.

Sector-Specific Tailoring

Beyond the universal techniques above, PIXM observed clear evidence of attackers customizing campaigns by vertical — a pattern security teams in any industry should expect to see directed at their own ecosystem.

  • Industry-specific platforms: Campaigns impersonated Canvas LMS, a learning management system used predominantly by educational institutions. This is not a consumer brand — its targeting indicates attacker awareness of vertical-specific software stacks. Expect equivalent campaigns against your own sector’s platforms.
  • Internal-tool integration: One campaign integrated GoGuardian (a K–12 classroom management tool) monitoring scripts directly into its phishing kit, suggesting either pre-deployment testing against the tool or attempts to appear legitimate within environments where it’s expected.
  • Spear-phishing of named organizations: Multiple campaigns included pre-populated email addresses in URL parameters. One January campaign’s URL structure suggested specific targeting of a named school district — a level of effort beyond generic mass-phishing.
  • Audience-specific lures: Roblox, Netflix, and gaming-adjacent brands appeared throughout the quarter, alongside business brands like Adobe, GoDaddy, American Express, DHL, and Greenvelope/Paperless Post. Attackers segmented campaigns to match the consumption habits of their target audiences.

IPFS-hosted phishing page with Microsoft branding — decentralized and resistant to takedown.

Sample Indicators of Compromise

A representative sample from the full IOC list (130+ entries are catalogued in the full report):

  • f005.backblazeb2[.]com/file/seeeendeeed/onedr-updated.html
  • storage.cookieduck[.]com — Ultraviolet proxy (Microsoft auth)
  • mochiss[.]xyz — Netflix proxy clone
  • classroomweb67123.b-cdn[.]net — Roblox proxy clone (BunnyCDN)
  • dhlpromogear.mybrightsites[.]com, dhlrewards[.]net — DHL impersonation
  • ameuricanrpures[.]com, ameuricanepruexs[.]com — American Express impersonation
  • pub-e5c88bbeb095409ba7c6fd53eaf14362.r2[.]dev — Cloudflare R2 abuse
  • z13.web.core.windows[.]net (100+ subdomain variants) — Azure-hosted tech support scams

Threat actors made heavy use of recently registered domains with disposable TLDs: .cfd, .click, .sbs, .pw, .pics, .life, .im, .de, .es. Domains with extremely long randomized character strings were used to evade pattern-matching filters.

Mitigations

  • Prioritize phishing-resistant MFA (hardware keys, passkeys) for administrative and high-privilege accounts. SMS, authenticator-app, and push-based MFA can all be bypassed by the kits documented this quarter.
  • Do not rely on domain reputation alone. Block external emails containing web.core.windows.net links paired with tech support keywords. Flag connections to file-sharing platforms (IPFS, Backblaze B2, Cloudflare R2) from unknown sources.
  • Filter suspicious TLDs (.cfd, .click, .sbs, .pw, .pics) at the network perimeter. Flag newly registered domains with randomized character strings or IP-based subdomains.
  • Deploy browser security that analyzes page behavior, not just the domain serving it — the infrastructure abuse documented here renders reputation-only approaches insufficient.
  • Train end users on the right scenarios. Update awareness programs to cover MFA phishing (fake OTP prompts, push notification capture), tech support scams hosted on legitimate cloud infrastructure, and proxy-cloned sites where “the page looks real” advice no longer applies.
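The second and third mitigations above, together with the IOC sample and the TLD and randomized-domain observations from the previous section, can be turned into a single log-triage pass. The script below is an added example, not PIXM's product logic: it refangs the report's own sample IOCs, checks each URL from a web-proxy log against them, and then applies the weaker heuristics (abused hosting platform paired with a tech-support keyword, disposable TLD, long high-entropy first label, and the `__uv` URL-rewrite marker the report associates with the Ultraviolet proxy kits). The log lines are constructed, the keyword list, score weights and entropy thresholds are assumptions to tune, and the blanket `z13.web.core.windows.net` entry from the IOC list is deliberately treated as an abused-hosting signal rather than a block-on-sight IOC.

```python
"""Triage proxy-log URLs against the report's IOC sample plus hosting/TLD
heuristics.

Added example, not PIXM's product logic. IOCs are copied (defanged) from
the report's sample list; the log lines are constructed; thresholds, weights
and the keyword list are assumptions.
"""
import math
from collections import Counter
from urllib.parse import urlsplit

# Host IOCs quoted from the report (defanged).
IOC_HOSTS = [
    "storage.cookieduck[.]com", "mochiss[.]xyz", "classroomweb67123.b-cdn[.]net",
    "dhlpromogear.mybrightsites[.]com", "dhlrewards[.]net",
    "ameuricanrpures[.]com", "ameuricanepruexs[.]com",
    "pub-e5c88bbeb095409ba7c6fd53eaf14362.r2[.]dev",
]
# Full-URL IOC quoted from the report (defanged).
IOC_URLS = ["f005.backblazeb2[.]com/file/seeeendeeed/onedr-updated.html"]

# Legitimate platforms the report saw abused: a weak signal on its own.
ABUSED_HOSTING = ("web.core.windows.net", "r2.dev", "b-cdn.net",
                  "backblazeb2.com", "dweb.link", "mybrightsites.com")
# Disposable TLDs the report recommends filtering at the perimeter.
SUSPICIOUS_TLDS = (".cfd", ".click", ".sbs", ".pw", ".pics")
# Assumed URL keywords for the "hosting platform + tech support" pairing rule.
TECH_SUPPORT_WORDS = ("support", "alert", "error", "virus", "system32")
# Assumed thresholds for the "long randomized label" heuristic.
RANDOM_MIN_LEN, RANDOM_MIN_ENTROPY = 16, 3.8

# Constructed proxy log: "timestamp user method url".
SAMPLE_LOG = """\
2026-03-12T10:14:03Z alice GET https://login.microsoftonline.com/common/oauth2/authorize
2026-03-12T10:15:41Z bob GET https://mochiss.xyz/login
2026-03-12T10:17:09Z carol GET https://xk9q2mzt7vw4hl8pn3rc.cfd/verify
2026-03-12T10:19:55Z dave GET https://example-tenant99.z13.web.core.windows.net/support-alert.html
2026-03-12T10:22:30Z erin GET https://storage.cookieduck.com/__uv-attr/login
"""


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]') back into a matchable string."""
    return ioc.replace("[.]", ".")


def host_matches(host: str, candidate: str) -> bool:
    """True if host is candidate itself or a subdomain of it."""
    return host == candidate or host.endswith("." + candidate)


def entropy(s: str) -> float:
    """Shannon entropy in bits per character; random labels score high."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def triage_url(url: str) -> dict:
    """Score one URL and return a verdict with the reasons that fired."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = (parts.path + "?" + parts.query).lower()
    bare = url.split("://", 1)[-1]
    reasons, score = [], 0
    if any(bare.startswith(refang(u)) for u in IOC_URLS) or \
            any(host_matches(host, refang(h)) for h in IOC_HOSTS):
        reasons.append("ioc-match"); score += 10
    for suffix in ABUSED_HOSTING:
        if host_matches(host, suffix):
            reasons.append(f"abused-hosting:{suffix}"); score += 1
            if any(w in path for w in TECH_SUPPORT_WORDS):
                reasons.append("tech-support-keyword"); score += 1
            break
    if host.endswith(SUSPICIOUS_TLDS):
        reasons.append("suspicious-tld"); score += 1
    label = host.split(".")[0]
    if len(label) >= RANDOM_MIN_LEN and entropy(label) >= RANDOM_MIN_ENTROPY:
        reasons.append("randomized-label"); score += 1
    if "__uv" in path:   # URL-rewrite marker reported for the Ultraviolet proxy kits
        reasons.append("proxy-rewrite-marker"); score += 2
    verdict = "block" if score >= 10 else "review" if score >= 2 else "allow"
    return {"host": host, "verdict": verdict, "score": score, "reasons": reasons}


def triage_log(text: str) -> list:
    """Parse 'timestamp user method url' lines and return one result per line."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, _method, url = line.split(maxsplit=3)
        result = triage_url(url)
        result.update(time=ts, user=user)
        results.append(result)
    return results


if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG):
        print(f"{r['time']} {r['user']:6} {r['verdict']:6} {r['host']} {r['reasons']}")
```

Only an exact IOC hit produces a "block"; every heuristic on its own lands at "review", and two of them together is what should reach an analyst. That matches the report's point that the hosting platforms in question are legitimate services, so a hit on `web.core.windows.net` or `r2.dev` alone is a prompt to look at the page, not a reason to block Microsoft or Cloudflare wholesale.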

Closing

The progression PIXM observed across Q1 — from SMS code collection in January to FIDO challenge token harvesting in March, from a few infrastructure platforms abused to over a dozen, from static phishing forms to fully proxied site clones — suggests defensive approaches based on static threat assumptions will struggle to keep pace. Layered defenses combining behavioral analysis, phishing-resistant authentication, network controls, and targeted training are well suited to the range of techniques documented this quarter.

PIXM’s browser extension uses computer vision to detect phishing pages at the point of click based on what they look like and how they behave — independent of domain reputation. If you are interested in seeing how PIXM can help prevent attacks like these for your organization, book a demo here.

For threat intelligence inquiries or to request the full Q1 2026 report (including all 39 campaign screenshots and 130+ IOCs), contact threatresearch@pixmsecurity.com.
