Do Son 
A phishing campaign targeting users in Italy and the United States has drawn the attention of cybersecurity researchers due to its remarkable sophistication and resilience. Uncovered by experts at ANY.RUN, the attack disguises itself with a familiar Microsoft OneNote interface and seeks to harvest credentials for Office 365, Outlook, Rackspace, Aruba Mail, and even PEC — Italy’s official certified email system. The entire scheme unfolds under the guise of a completely legitimate document exchange, making detection by traditional security solutions exceptionally difficult.
The attackers initiate the campaign via phishing emails bearing subject lines such as “New Document Shared with you.” These messages contain links purportedly leading to official OneNote documents but, in reality, redirect victims to counterfeit login pages. To enhance credibility, these fake pages are hosted on well-regarded platforms such as Notion, Glitch, Google Docs, and RenderForest. The illusion of authenticity is further reinforced by the presence of multiple login options — ranging from the ubiquitous Office 365 to lesser-known service providers.
Researchers emphasize that the campaign primarily targets Italian users, as evidenced by Italian-language interfaces and the use of Italian words within subdomains. Data suggests the operation has been active since January 2022 and has continuously evolved over time.
At the core of the attack lies an intricate JavaScript payload embedded within the fraudulent login pages. This script captures login credentials, passwords, and the IP addresses of victims. For the latter, it leverages ipify.org — a public API that precisely records a device’s network parameters. Once collected, the data is automatically exfiltrated via Telegram bots, with the script hardcoded to include tokens and chat IDs for communication through the Telegram API. Various bot configurations have been observed, including “Sultanna,” “remaxx24,” and “Resultant.”
Following the theft of credentials, the user is redirected to the actual Microsoft OneNote login page, preserving the illusion that nothing suspicious has occurred. This tactic maintains user trust and delays their reaction, increasing the attack’s effectiveness.
The phishers’ technical toolkit continues to evolve. Initially, they employed basic URL obfuscation and simple web forms. However, by February 2022, Telegram had become the principal exfiltration channel, with layered URL encoding ranging from two to four levels deep.
In 2024, the attackers experimented with Base64 encoding but later abandoned it for unclear reasons. Interestingly, despite the attack’s complexity, the threat actors refrain from employing advanced obfuscation techniques, possibly indicating limited resources or a strategic focus on monetizing stolen access rather than advancing malware development.
To counter such attacks, experts recommend closely monitoring network activity involving the Telegram API, particularly in light of known tokens and the recurring infrastructure connections between Notion, Glitch, and Telegram. Additionally, implementing signature-based detection for Telegram bot behavior within enterprise environments is advised.
Of particular concern is the involvement of PEC addresses — Italy’s certified email platform — which suggests that the attackers’ objectives may extend well beyond simple credential theft, potentially encompassing the compromise of business communications and the sale of access within the darker corridors of the cyber underworld.
Donate