Our threat research team recently observed a phishing incident that involved leveraging legitimate infrastructure, precision email validation, and evasive delivery techniques. This attack illustrates the abuse of trusted domains, the practice of server-side phishing email validation, and the critical need for browser-based, zero-day phishing protection.

What Happened?

In the live environment, Keep Aware was configured in silent mode to capture all user behavior and threat indicators without interrupting the session. This gave the security team full visibility into every stage of the phishing attempt as it unfolded, enabling a clear assessment of attack vectors, user actions, and detection fidelity.

Identifying Credential Theft 

During a review of managed detections, the research team observed authentication-related phishing signals triggering in silent mode. This indicated that an employee had entered credentials on a suspicious webpage. Because the browser was configured for visibility-only operation, the security team was able to observe the full detailed sequence of the attempted credential theft seeing these unique attacker tactics.

Using the investigation generated by Keep Aware’s browser security extension, the team was able to evaluate the chained phishing attack quickly, confirm the credential input, and immediately follow remediation steps, including resetting the user’s password and reviewing any anomalous account or login activity.

‍

‍

By enabling Keep Aware default protections, this type of interaction is blocked entirely. And while the phishing email itself wasn’t directly observed, the telemetry revealed a key insight: there was no browser activity immediately preceding the visit to the phishing pages. This indicates the user clicked on a link from outside the browser environment, likely from an email application, such as Outlook. 

This is a common encounter: even when phishing begins in the inbox or a messaging platform, the attack itself almost always plays out in the browser. Today, the browser is where trust is easily abused, evasive scripts are readily executed, and credentials are ultimately harvested.

In this case, the employee had clicked on a link to a legitimate website hosting a malicious page.

‍

Attack Overview

1) Hosting on a Legitimate Domain

The targeted employee visited a legitimate, 9-year-old domain with a clean reputation and a strong internet presence for selling tents. However, this “trusted" domain had been compromised to host a malicious form page on the file path /memo/home.html. 

Upon visiting the link, the user was presented with a message claiming a “Confidential Document” had been shared with them, urging them to input their email in order to download the payment PDF. These are social engineering prompts we see frequently—phrases designed to get the user to click links and provide credentials in order to gain access to a supposed business document.

‍

‍

Basic Evasion: Anti-Analysis JavaScript

This malicious page included basic anti-analysis protections. It disables right-click context menus and blocks common keyboard shortcuts that security analysts or curious internet users might use to inspect or save the page.

‍

‍

These simple techniques are widely used to obstruct analysis efforts from viewing the page’s code or background behaviors.

‍

Form Handling Code

In addition to anti-analysis mechanisms, this phishing infrastructure includes logic to dynamically handle email input depending on how the victim arrives at the page.

‍

Pre-Populates with the Victim’s Email

If the phishing link contains the victim’s email address in the anchor portion of the URL (after the “#” sign), then the JavaScript code will automatically extract and insert that email into the form. This reduces a step for the victim, removes friction from the process, and can increase believability and the success rate.

‍

‍

This pre-population technique implies the phishing emails include target-specific links, such as: 

‍compromised.domain.com/file/path?#victim_email@example.com

‍

Similar techniques have been seen before, like in a recent write-up, where a malicious SVG attached in a phishing email used JavaScript to append the victim’s email to a malicious URL and redirect the browser.

Target-specific links that pre-populate fake login forms serve two purposes:

• To track which users click on phishing links;
• To streamline the phishing process.

‍

Email Submission Logic

If an email address is not present in the URL’s anchor, then the form waits for the victim to manually input their email and submit.

‍

Upon form submission, two things happen:

‍

1. Redirection to malicious site: The page redirects the user’s tab to another URL, a malicious .workers.dev subdomain with the email in the query parameter (?ref=<email>).

‍

2. Email submitted to API endpoint: Simultaneously, the user’s email and timestamp were sent to an API endpoint.

‍

This submission mechanism signals a more advanced phishing infrastructure, one capable of validating victims in real-time and tailoring what they saw next.

‍

2) “One more step before you proceed”: CAPTCHA Use

After submitting an email and before proceeding to the final phishing page, the user was directed to another malicious site and challenged with a Cloudflare CAPTCHA. 

‍

‍

This tactic isn’t unusual. Real CAPTCHAs (not just fake ones) are heavily used by phishing actors to:

‍

• Prevent bots and automated scanners from analyzing the final phishing page
• Avoid detection by traditional URL scanning engines
• Lend credibility to the process

‍

CAPTCHAs can help attackers evade tools and keep the deception going for longer.

‍

3) Customized Phishing Page, Validated by Email

After passing the CAPTCHA, the phishing page sometimes transitioned into a fake Microsoft login form. But not always.

‍

What triggers the phishing payload depends on what email a user entered.

‍

Personal email (e.g., @gmail.com): The page returns a blank screen.

Corporate email (valid business email, but likely not on the attacker’s list): The page returns a basic Microsoft login page, with no customization.

Targeted email address (valid business email and on the attacker’s list): The phishing page revealed a fake Microsoft login page customized with the victim’s company logo, a branded background, and a reference to the organization’s helpdesk initials.

‍

‍

This behavior suggests that the attacker’s backend performs server-side email validation. Based on whether the email is included in a targeted list or is deemed a personal email, the phishing infrastructure selectively delivers a payload.

‍

Precision-Validated Phishing, Server-Side

This technique, in which an attacker validates an email address in real-time to ensure only the intended targets or targets of higher value receive the final phishing page, is referred to as “Precision-Validated Phishing”. 

‍

The email validation technique is executed through either client-side code or API calls. In this case, the email validation appears to happen server-side, not client-side via JavaScript. The provided email is sent to a backend API, which determines what happens next, making the phishing logic even harder to detect through static or client-side inspection alone.

‍

Beating Precision Phishing with Real-Time, Zero-Day Detection

Despite the sophistication and server-side logic, the endgame remains simple: to steal credentials. Regardless of how the email validation occurs, the target user will always end up on a malicious page designed to steal credentials. If your security stack can block phishing pages, whether zero day or not, precision validated or not, and before a user enters their password, the attacker walks away empty handed.

‍

To defend against this type of advanced, targeted phishing:

‍

• Ensure your security stack can detect and block phishing pages even on trusted domains
• Invest in tools that recognize the impersonation of legitimate business platforms your organization uses (e.g., Microsoft 365, Okta, Google Workspace)
• Ensure your employees have real-time, browser-level protection, not just email filtering

Keeping Up With Ever-Evolving Attacks

Phishing continues to evolve—leveraging legitimate infrastructure, precision email validation, and evasive delivery techniques. But while techniques seem to grow more sophisticated, the solution remains clear: real-time, in-browser protection is critical. Preventing users from ever interacting with deceptive login pages is the surest way to stop phishing in its tracks, regardless of any fancy validation logic.

‍