Phishing campaigns abuse trusted platforms and authentication flows to evade detection and steal credentials
Multiple active phishing operations are leveraging trusted services and by-design web/authentication features to bypass security controls and harvest credentials and MFA data. GTFire is a large-scale credential-harvesting campaign that hides behind legitimate Google-owned domains by abusing Firebase and Google Translate to make phishing links appear trustworthy to email filters and web gateways; victims are sent to brand-impersonation login pages and then redirected to the real site after submitting credentials. Separately, Microsoft reported phishing that abuses OAuth redirection behavior in identity providers (including Microsoft Entra ID and Google Workspace) by registering malicious OAuth apps with attacker-controlled redirect URIs and using silent auth flows/invalid scopes to bounce users to attacker infrastructure; Microsoft disabled the identified malicious Entra OAuth applications but noted related activity continues and requires monitoring.
A distinct but thematically similar campaign uses a fake Google Account security site to trick users into installing a malicious Progressive Web App (PWA) that can steal one-time passcodes (via WebOTP where supported), harvest data (e.g., clipboard contents), and even turn the victim’s browser into an attacker-controlled proxy with internal port-scanning capability; Malwarebytes-linked reporting highlighted the lure domain google-prism[.]com and the use of permission prompts (notifications/clipboard) to enable ongoing abuse. Other items in the set cover unrelated threats (Android malware using generative AI for persistence, an Iraq-focused APT toolchain, a separate AiTM phishing-kit attribution case study, and research on a cybercrime infrastructure provider), and do not describe the same specific phishing operations described above.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Group-IB exposed GTFire phishing infrastructure and stolen credentials
Group-IB reported that exposure of attacker-controlled GTFire command-and-control servers revealed thousands of stolen credentials linked to more than 1,000 organizations across over 100 countries and 200-plus industries, with Mexico the most affected. The campaign abused Google Translate and Google Firebase domains to host and relay credential-harvesting pages while rotating infrastructure to evade detection.
Campaign expanded with Android app posing as Google security update
Researchers found that some victims were also offered a companion Android APK disguised as a Google-verified critical security update. The app requested extensive permissions and included capabilities for keystroke capture, notification interception, credential theft, persistence, and possible overlay attacks.
Researchers documented fake Google security PWA phishing campaign
Malwarebytes reported a phishing campaign using a fake Google Account security page on google-prism[.]com to trick users into installing a malicious Progressive Web App. The PWA was designed to steal one-time passcodes, collect sensitive data, harvest cryptocurrency wallet addresses, and proxy attacker traffic through victims' browsers.
Microsoft disabled malicious OAuth applications tied to the campaigns
During its investigation, Microsoft Entra disabled the malicious OAuth applications observed in the redirect-abuse campaigns. Microsoft said related activity was still continuing and required ongoing monitoring.
Microsoft observed OAuth redirect abuse in phishing and malware campaigns
Microsoft reported campaigns targeting government and public-sector organizations that abused standards-compliant OAuth redirection behavior to send victims from trusted identity provider domains to attacker-controlled phishing and malware infrastructure. The activity used silent OAuth flows and invalid scopes to trigger redirects without stealing OAuth tokens directly.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Fake Google Security page used in PWA phishing campaign | brief | SC Media
scworld.com
Open sourceGTFire Phishing Scheme Abuses Google Services to Evade Detection and Steal Credentials
cybersecuritynews.com
Open sourceOAuth redirection abuse enables phishing and malware delivery | Microsoft Security Blog
microsoft.com
Open sourceFake Google Security site uses PWA app to steal credentials, MFA codes
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Phishing Campaigns Abuse Trusted Platforms and Collaboration Tools to Steal Credentials
Multiple reports describe a broader **credential-theft trend** in which attackers abuse trusted services and familiar business workflows to make phishing more convincing and harder to detect. One campaign used **compromised WordPress sites** and redirects through `skimresources[.]com` to deliver pixel-perfect fake login pages for **Microsoft Teams**, **Xfinity**, and **UAE Pass**, with lures such as missed voicemail and shared-document alerts. Another campaign abused **LiveChat**'s `lc[.]chat` infrastructure to impersonate brands like **PayPal** and **Amazon**, moving victims into fake support conversations designed to extract sensitive information under the guise of refunds or order issues. A separate industry report reinforces the same operational pattern: attackers increasingly rely on **valid credentials** and trusted collaboration tools rather than software exploits, with cloud identity compromise driving most investigated incidents and some intrusions using **Microsoft Teams voice phishing** and **Quick Assist** to gain access, move laterally, and deploy ransomware. Other references in the set cover different stories entirely, including the **CamelClone** espionage operation, a **FancyBear/APT28** infrastructure exposure, and a general weekly security recap, and do not describe the same phishing activity. This is **not fluff** because the relevant items contain substantive threat intelligence on active attack methods, delivery infrastructure, and attacker tradecraft.
Mar 21, 2026
Threat Actors Abuse Trusted Cloud and Ad Platforms for Multi-Stage Phishing and Scam Delivery
Threat actors are increasingly using **trusted platforms**—including cloud hosting and major ad networks—to deliver multi-stage phishing and scam campaigns that evade traditional URL and domain reputation controls. Recent activity includes a **three-step malvertising chain** delivered via **Facebook paid ads** that redirects victims through a decoy site (e.g., a fake Italian restaurant page) before landing on a **tech support scam (TSS) kit** hosted on **Microsoft Azure** infrastructure (including `web.core.windows.net`). Researchers reported rapid infrastructure churn, with **100+ domains rotated in seven days**, and targeting focused on **U.S. users** with activity concentrated on weekdays. Parallel enterprise-focused campaigns are hosting phishing infrastructure on **Microsoft Azure Blob Storage**, **Google Firebase**, and **AWS CloudFront**, using **redirect chains, CAPTCHA gates, and QR codes** to bypass automated analysis and email defenses. Analysis highlighted the use of **Adversary-in-the-Middle (AiTM)** phishing-as-a-service kits—**Tycoon2FA**, **Sneaky2FA**, and **EvilProxy**—to steal credentials and **session tokens** even when MFA is enabled. Separately, researchers documented a “clean email” approach to steal **Dropbox** credentials: benign-looking procurement-themed emails deliver **PDF attachments** that hide clickable elements (e.g., via *AcroForms* and `FlateDecode`), which then route victims to a second-stage file hosted on **Vercel Blob** and ultimately to a fake Dropbox login page that captures credentials and collects victim telemetry (IP address, location, and device details).
Mar 21, 2026
GTFire Phishing Scheme Uses Google Services to Evade Detection
Group-IB reported on a phishing operation tracked as **GTFire** that abuses trusted Google services to reduce suspicion and bypass security controls. The campaign uses legitimate Google infrastructure as part of its delivery or redirection chain, allowing phishing content and lures to blend in with normal enterprise traffic and making detection more difficult for defenders. The activity highlights a broader attacker tactic of hiding malicious workflows behind reputable cloud platforms that users and security tools often implicitly trust. For CISOs and security teams, the incident underscores the need to inspect links and redirects involving trusted SaaS domains, strengthen phishing-resistant authentication, and tune email and web defenses to detect abuse of legitimate services rather than relying solely on domain reputation.
May 27, 2026