Threat Actors Leverage Real Enterprise Email Threads to Deliver Phishing Links

In a sophisticated supply chain phishing attack, threat actors hijacked an ongoing email thread among C-suite executives discussing a document awaiting final approval.

The intruder, posing as a legitimate participant, replied directly with a phishing link mimicking a Microsoft authentication form. Researchers attribute this to a compromised sales manager account at an enterprise contractor, allowing seamless insertion into a trusted business conversation.

Attack Chain (Source: ANY.RUN)

This incident underscores a rising tactic: adversaries exploiting real enterprise communications rather than crafting cold phishing lures. By early January 2026, analysis revealed ties to a broader campaign active since December 2025, primarily targeting Middle Eastern firms.

Samples detonated in the ANY.RUN Sandbox exposed the EvilProxy phishkit, a reverse-proxy phishing tool that relays the genuine login page to the victim and captures the resulting credentials and session, evading detection that relies on spotting a cloned login page. Threat Intelligence lookups confirmed overlapping infrastructure with earlier samples.

Attack Mechanics and Execution Chain

The attack unfolds through layered social engineering. It begins with a supply chain attack (SCA) phishing email sent to the contractor. The resulting thread is then forwarded seven times through internal channels, each hop adding plausibility before the malicious reply lands.

Email Thread (Source: ANY.RUN)

The final reply embeds a phishing link leading to:

  1. An antibot landing page protected by Cloudflare Turnstile CAPTCHA.
  2. A phishing page with another Turnstile layer for human verification.
  3. EvilProxy deployment, capturing credentials via man-in-the-middle proxying.

Fake Cloudflare Verification (Source: ANY.RUN)

This chain mimics legitimate Microsoft 365 flows, using dynamic HTML/PDF attachments with embedded scripts. No zero-days or exploits were needed; success hinged on business trust and conversation hijacking. The infrastructure rivals phishing-as-a-service (PhaaS) platforms in scale, with rented domains and bot mitigation that filters out analysts and automated scanners.

ANYRUN Sandbox detonation visualized the full chain: network callbacks to C2 servers, credential exfiltration, and session token theft—all in under 60 seconds.

Detected in Sandbox (Source: ANY.RUN)

Pivoting on the indicators revealed dozens of victims, with a Middle East focus likely tied to regional finance and energy sectors. EvilProxy's resurgence since its 2023 debut highlights how PhaaS has evolved: modular kits now integrate Turnstile and geo-fencing, complicating takedowns.

Unlike technical vulnerabilities, these attacks weaponize human workflows. Because the mail is sent from a genuinely compromised contractor account rather than a spoofed one, it passes DMARC and reputation filters and arrives looking "perfect". Enterprises face elevated risk as remote work normalizes asynchronous approvals.

Threat Lookup (Source: ANY.RUN)

Mitigation Strategies and IOCs

Defend with process hardening:

  • Flag HTML and PDF attachments containing dynamic content (embedded scripts); detonate suspicious files in a sandbox before anyone opens them.
  • Enforce the four-eyes principle: the person who initiates an approval request must not be the one who approves it.
  • Train staff with realistic SCA simulations that mimic hijacked threads, not just cold phishing lures.

ANYRUN equips SOCs with behavioral reports, slashing MTTD/MTTR.

Key IOCs:

Category         Indicators
URI Pattern      POST ^(/bot/
Domain Pattern   ^loginmicrosoft*
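As an added example (not part of the ANY.RUN report), the following detection logic turns the two pattern IOCs above into checks run over proxy log lines: POST requests to a path beginning with /bot/ (the antibot landing page) and hostnames beginning with "loginmicrosoft" that are not genuine Microsoft sign-in hosts. The log format, the allow-list of legitimate hosts and the sample lines are all constructed assumptions for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Regex interpretation of the report's two pattern IOCs (an assumption of this example).
URI_PATTERN = re.compile(r"^/bot/")
DOMAIN_PATTERN = re.compile(r"^loginmicrosoft", re.IGNORECASE)

# Genuine Microsoft sign-in hosts; a host that merely looks like one is suspect.
# Constructed allow-list for the example; extend it from your own tenant configuration.
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}

# Assumed proxy log format: "<timestamp> <user> <method> <url> <status>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
URL = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?#]*)?")

@dataclass
class Hit:
    user: str
    url: str
    reason: str

def classify(method: str, url: str) -> Optional[str]:
    """Return a reason string if the request matches an indicator, else None."""
    m = URL.match(url)
    if not m:
        return None
    host, path = m.group("host").lower(), m.group("path") or "/"
    if host in LEGIT_LOGIN_HOSTS:
        return None  # real Microsoft login traffic, not a lookalike
    if DOMAIN_PATTERN.match(host):
        return "lookalike Microsoft login host"
    if method == "POST" and URI_PATTERN.match(path):
        return "POST to /bot/ antibot landing page"
    return None

def scan_log(lines) -> List[Hit]:
    """Parse each log line and collect requests matching an indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        reason = classify(m.group("method"), m.group("url"))
        if reason:
            hits.append(Hit(m.group("user"), m.group("url"), reason))
    return hits

# Constructed sample log lines (not from the report); all domains are placeholders.
SAMPLE_LOG = """\
2026-01-07T09:12:01Z alice GET https://login.microsoftonline.com/common/oauth2/authorize 200
2026-01-07T09:12:44Z bob POST https://approval-docs.example/bot/verify 200
2026-01-07T09:13:10Z bob GET https://loginmicrosoft-secure.example/ 200
2026-01-07T09:13:11Z carol GET https://intranet.example/bot/ 200
"""

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{h.user}: {h.reason} -> {h.url}")
```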
