216.73.217.22

PHISH ALERT: Press Play for Compromise — Voicemail Phishing Kit Bundles SSO Hijacking, Credential Theft, and RMM Delivery

· Published 10/06/2026 10:57 · Modified 10/06/2026 11:00

Export JSON

Essential information

Published
10/06/2026 10:57
Modified
10/06/2026 11:00
Tags
2026-06-10 credential harvesting microsoft 365 oauth hijacking phishing-as-a-service sso exploitation voicemail phishing
Related entities
19 observables, 20 techniques (mitre), 34 others

Description

An advanced voicemail-themed phishing campaign is utilizing HTML attachments to hijack sessions through silent OAuth exploitation. Emails arrive spoofing legitimate businesses with fake voicemail notifications containing embedded HTML files. When victims click the play button, the kit triggers a rogue OAuth 2.0 request using the prompt=none parameter to steal authentication tokens from active M365 sessions. If no active session exists, victims are redirected to credential harvesters hosted on compromised infrastructure, specifically a Turkish domain hosting over 100 active campaign directories. The operation includes multiple attack vectors: fake login portals mimicking DocuSign, Outlook and Google, OAuth device code phishing interfaces, and RMM deployment disguised as document viewers. This represents a sophisticated operation deploying concurrent attack types from consolidated infrastructure.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Observables (19)

  • http://valid.boostedengagement.de/LFmtS/
  • http://alert.nortirock.co.uk/678delight/
  • http://wylderhotels.sparkaxis.org/personaljflannigan/
  • http://vvu.digitaladvantagehub.de/xiMwR
  • http://dennyslistens.autos/rs3mb9p
  • http://admhr.execsuccessmetrics.de/HOngH/
  • http://gsbauwu1hsa.legalaro.com/nmasn/
  • http://log.evergreenhostingoptions.de/UO95w/
  • http://pmlee.com/verify.php
  • http://www.realdecorralejo.com/cgi-admin/signer.html
  • http://login.av7551.com/common/oauth2/v2.0/authorize
  • http://vht0p9fsyg.balanceandperformance.de/l/JRnOjuZa8Ts
  • http://yxmh7yx50d.easytecdigital.de/l/oMKJndXeSMA
  • http://ewo7pdwau5.memorablemark.de/l/iHZ_59v2_0U
  • http://sparkaxis.org/deployment/
  • http://roty0ray48.scalableenterprise.de/l/nqdASy8mLeo
  • http://ks39dmitgq.scalableenterprise.de/l/ycpEAGzCE80
  • www.realdecorralejo.com
  • http://greotipu.com.es/pee/livepanel

Techniques (MITRE) (20)

Others (34)

  • accounts.gxcwfe.icu
  • valid.boostedengagement.de
  • accounts.tnfirm.icu
  • cloudbradshawautomotivesystems.finelinesettpmxingsinc.vu
  • vht0p9fsyg.balanceandperformance.de
  • solutionmarsincorporatedtowersperrin.credaroii.cfd
  • rijitechsolutionjtcs.vu
  • dennyslistens.autos
  • accounts.zachnt.icu
  • greotipu.com.es
  • sqlbatimcorporation.vu
  • accounts.knuczx.icu
  • login.av7551.com
  • vvu.digitaladvantagehub.de
  • accounts.odtdrv.icu
  • roty0ray48.scalableenterprise.de
  • admhr.execsuccessmetrics.de
  • alert.nortirock.co.uk
  • safemanagementatforiawdfield.vu
  • cloudadventurecredituniongroup.globahonlcarg.vu
  • ks39dmitgq.scalableenterprise.de
  • dyjpaw1vb1.star-lakeq.com
  • wylderhotels.sparkaxis.org
  • sparkaxis.org
  • tiltectfqhnologies.vu
  • solutionntechtheepiscopalcenterforit.snnfhawmedia.vu
  • log.evergreenhostingoptions.de
  • pmlee.com
  • gsbauwu1hsa.legalaro.com
  • ewo7pdwau5.memorablemark.de
  • globalagencerevenucanadasolutions.aquimisasnmll.vu
  • servicedptechnologypteltdsolutions.sudmanagementhztgroupe.vu
  • login.kgbpkh6syhgxptsgwkqc93ushhphua422xb7ma.2bd.net
  • yxmh7yx50d.easytecdigital.de

External references