Content Deep Dive

AITM phishing with Russian infrastructure and detection evasion from a lapsed domain

Blog post from Sublime Security

Post Details
Date Published:
Author: Brandon Murphy
Word Count: 3,134
Language: English
Hacker News Points: -
Summary

Sublime's Attack Spotlight series highlights a sophisticated phishing campaign that targets Microsoft 365 users with a fake Microsoft Teams meeting invitation. The attack begins with a seemingly legitimate invitation email whose link leads to a phishing site instead of a Teams meeting. The campaign relies on a complex infrastructure of expired, repurposed domains and on obfuscation techniques to evade detection. It leverages a known domain, dilloncriminallaw.com, that had previously been legitimate, together with a sophisticated multi-stage credential harvesting process. The phishing link first lands on a "gate" page that performs bot detection and browser fingerprinting to bypass security tools; only a user who passes these checks is led through a series of obfuscated JavaScript stages designed to collect credentials. The campaign uses several techniques to ensure its effectiveness, such as domain blocking, IP checks, and email encoding, while also employing advanced methods to avoid automated detection. Sublime's AI-powered detection engine, ASA, successfully flagged this attack using signals such as a sender domain mismatch and suspicious sender behavior, illustrating the importance of advanced detection tools in combating phishing threats.