Phishing Pages Delivered Through Refresh HTTP Response Header

Published 18/09/2024 08:35 · Modified 18/09/2024 09:00

Essential information

Tags
2024-09-18 business email compromise credential-theft http header phishing
Related entities
7 observables, 6 techniques (mitre), 7 others

Description

Unit 42 researchers observed large-scale campaigns in 2024 using a refresh entry in the HTTP response header. This technique, unlike traditional HTML-based , occurs before HTML content processing and automatically refreshes webpages without user interaction. Attackers distribute malicious URLs via emails, targeting the global financial sector, internet portals, and government domains. The attacks use personalized approaches, embedding recipients' email addresses and displaying spoofed webmail login pages. From May to July, around 2,000 malicious URLs were detected daily. The campaigns predominantly targeted the business-and-economy sector, financial services, and government institutions. This sophisticated method makes it difficult to identify malicious indicators within URL strings and increases the likelihood of successful credential theft.

External references