This security threat involves a phishing campaign active since 2022, targeting primarily Italian and US users, with a focus on harvesting credentials for Microsoft services and Italy's PEC (Posta Elettronica Certificata) system. The attackers leverage cloud platforms such as Notion workspaces to host phishing pages, which are designed to mimic legitimate login portals to deceive victims into submitting their credentials. Once credentials are entered, the stolen data is exfiltrated using Telegram bots, which serve as command and control (C2) infrastructure and data relay points. The use of Telegram bots for exfiltration is notable because it allows attackers to bypass traditional network monitoring and detection mechanisms by blending malicious traffic with legitimate Telegram API communications. The campaign employs relatively simple and off-the-shelf tools, indicating either a low level of technical sophistication or a strategic focus on brokering access rather than developing complex malware. The analysis also highlights that intercepting communications between the attackers and their Telegram bots can provide valuable intelligence for profiling the threat actors, understanding their victimology, and tracking the campaign's evolution. The campaign uses a range of tactics and techniques mapped to MITRE ATT&CK IDs such as T1566 (Phishing), T1071 (Application Layer Protocol), T1059 (Command and Scripting Interpreter), T1102 (Web Service), T1041 (Exfiltration Over C2 Channel), T1573 (Encrypted Channel), T1056 (Input Capture), T1132 (Data Encoding), T1189 (Drive-by Compromise), and T1008 (Fallback Channels), illustrating a multi-faceted approach to compromise, data capture, and exfiltration. The threat does not exploit software vulnerabilities directly but relies on social engineering and cloud-based infrastructure abuse, making it highly dependent on user interaction and phishing effectiveness.

For European organizations, especially those in Italy, this campaign poses a significant risk to the confidentiality of sensitive information due to credential theft targeting Microsoft services and the PEC system, which is widely used for secure and legally binding communications in Italy. Compromise of PEC credentials can lead to unauthorized access to official communications, legal documents, and sensitive business data, potentially resulting in reputational damage, financial loss, and regulatory penalties under GDPR. The use of cloud platforms like Notion for hosting phishing pages complicates detection and takedown efforts, as these platforms are legitimate services with high availability and trust. The exfiltration via Telegram bots further obfuscates attacker activity, making incident response and forensic investigations more challenging. Additionally, the campaign's persistence since 2022 indicates ongoing risk and potential for expansion to other European countries using Microsoft services extensively. Organizations relying heavily on Microsoft 365 and similar cloud services are at risk of account compromise, which could lead to lateral movement within networks, data breaches, and potential ransomware deployment by secondary threat actors who purchase access. The campaign's relatively low technical complexity suggests it could be widely adopted by less sophisticated threat actors, increasing the volume of attacks and potential victims.

1. Implement advanced email filtering solutions that specifically target phishing attempts leveraging cloud-hosted pages, including heuristic and URL reputation analysis focused on platforms like Notion. 2. Enforce multi-factor authentication (MFA) on all Microsoft and PEC accounts to reduce the risk of credential misuse even if passwords are compromised. 3. Monitor outbound network traffic for unusual connections to Telegram API endpoints, especially from endpoints that do not typically use Telegram, to detect potential data exfiltration via Telegram bots. 4. Conduct targeted user awareness training focused on recognizing phishing attempts that use legitimate cloud services and emphasize the risks associated with PEC and Microsoft credential theft. 5. Deploy endpoint detection and response (EDR) tools capable of detecting scripting and command interpreter abuse (e.g., PowerShell, cmd) that may be used to automate credential capture or exfiltration. 6. Collaborate with cloud service providers to report and expedite takedown of malicious Notion workspaces and other cloud-hosted phishing infrastructure. 7. Utilize threat intelligence feeds that include indicators of compromise related to this campaign to proactively block known phishing URLs and Telegram bot identifiers. 8. Regularly audit and review access logs for PEC and Microsoft services to identify anomalous login patterns indicative of credential compromise.