PHISH ALERT: Press Play for Compromise — Voicemail Phishing Kit Bundles SSO Hijacking, Credential Theft, and RMM Delivery
An advanced voicemail-themed phishing campaign uses HTML attachments to hijack Microsoft 365 sessions through silent OAuth exploitation. Emails arrive spoofing legitimate businesses, carrying fake voicemail notifications with embedded HTML files. When the victim clicks the play button, the kit issues a rogue OAuth 2.0 authorization request with the prompt=none parameter, which lets it obtain authentication tokens from an active M365 session without any visible prompt. If no active session exists, the victim is redirected to credential harvesters hosted on compromised infrastructure, specifically a Turkish domain hosting over 100 active campaign directories. The operation includes multiple attack vectors: fake login portals mimicking DocuSign, Outlook and Google, OAuth device code phishing interfaces, and RMM deployment disguised as document viewers. This represents a sophisticated Phishing-as-a-Service operation running concurrent attack types from consolidated infrastructure.
AI Analysis
Technical Summary
The campaign uses voicemail-themed phishing emails with embedded HTML files to exploit Microsoft 365 OAuth sessions silently. It leverages the OAuth 2.0 prompt=none parameter to steal authentication tokens from active sessions without user interaction. If no active session exists, victims are redirected to credential harvesting portals impersonating well-known services. Additional attack vectors include OAuth device code phishing and deployment of RMM tools disguised as document viewers. The infrastructure is consolidated on a compromised Turkish domain hosting over 100 active campaign directories. This represents a sophisticated phishing-as-a-service operation combining SSO hijacking, credential theft, and malware delivery.
Potential Impact
Successful exploitation can lead to unauthorized access to Microsoft 365 accounts through stolen OAuth tokens, credential theft via fake login portals, and potential remote system compromise through RMM tool deployment. This can result in data breaches, account takeover, and further lateral movement within victim environments.
Mitigation Recommendations
No official patch or fix applies, since this is a phishing campaign that exploits user interaction and OAuth protocol behavior rather than a software vulnerability. Organizations should educate users to recognize voicemail-themed phishing emails and to avoid interacting with suspicious attachments or links. Enforcing multi-factor authentication (MFA) and monitoring for unusual OAuth token activity (unexpected app registrations, token requests from unfamiliar client IDs or redirect URIs, and device code sign-ins) can reduce risk. Review OAuth app consent policies and consider restricting third-party app permissions.
Technical Details
- Author: AlienVault
- TLP: white
- References: https://x.com/Kb4Threatlabs/status/2064374959989043207
- Adversary: none
- Pulse Id: 6a2943210c24d6920786a101
- Threat Score: none
Indicators of Compromise
Threat ID: 6a29468a8dd33fbd8531248b
Added to database: 6/10/2026, 11:12:10 AM
Last enriched: 6/10/2026, 11:25:46 AM
Last updated: 6/10/2026, 3:03:57 PM