This report details a sophisticated Adversary-in-the-Middle (AiTM) credential-harvesting kit specifically targeting Microsoft 365 and Entra ID identities. The attack runs victims through a three-to-five stage funnel: it begins with a CAPTCHA gate that filters out automated analysis tools, followed by a corporate email harvesting stage designed to build trust by displaying the logo of the victim's employer.
The final stage is a pixel-perfect clone of the Microsoft sign-in page that captures credentials, Multi-Factor Authentication (MFA) codes, and session cookies. Evidence shows that major corporations have been targeted, and that the kit has been operational since at least December 2025. The report identifies effective countermeasures, such as origin-bound authenticators, and lists various domains associated with the phishing campaign.
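To make the countermeasure concrete, the following Python block shows why an origin-bound authenticator (WebAuthn/FIDO2) defeats an AiTM proxy that relays the sign-in flow. It is an added illustration, not code from the report or from Microsoft: the domains are constructed placeholders, the `clientDataJSON` and `authenticatorData` structures are built by hand to mirror what a browser and authenticator produce, and only the origin, relying-party-ID and challenge checks of the WebAuthn assertion verification are modelled (the signature check that also covers `clientDataJSON` is noted but not implemented).

```python
"""Why origin-bound authenticators resist AiTM relays.

Constructed example (not from the report): placeholder domains and hand-built
WebAuthn structures. Models the relying party's (RP) origin / rpId / challenge
checks on an assertion; the ECDSA signature check is out of scope here.
"""
import hashlib
import json

# Constructed placeholders. The legitimate RP the user intends to sign in to:
RP_ORIGIN = "https://login.example-rp.test"
RP_ID = "login.example-rp.test"
# Hypothetical AiTM proxy origin (placeholder, not an indicator from the report):
PROXY_ORIGIN = "https://login.example-rp-proxy.test"
PROXY_RP_ID = "login.example-rp-proxy.test"


def build_client_data(origin: str, challenge: str) -> bytes:
    """Mimic the clientDataJSON the browser assembles for navigator.credentials.get().

    The browser fills in `origin` from the page that issued the request; page
    JavaScript (including a phishing page's script) cannot override that value.
    """
    return json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()


def build_authenticator_data(rp_id: str) -> bytes:
    """Mimic authenticatorData: first 32 bytes are SHA-256(rpId), then flags
    and a 4-byte signature counter (constructed filler values here)."""
    flags = b"\x05"                      # UP and UV bits set
    sign_count = (1).to_bytes(4, "big")
    return hashlib.sha256(rp_id.encode()).digest() + flags + sign_count


def verify_origin_binding(client_data_json: bytes, authenticator_data: bytes,
                          expected_origin: str, expected_rp_id: str,
                          expected_challenge: str) -> tuple[bool, str]:
    """RP-side checks from the WebAuthn assertion verification procedure.

    Returns (accepted, reason). In a real RP the authenticator's signature over
    authenticatorData || SHA-256(clientDataJSON) is verified as well, which is
    what stops a proxy from simply rewriting `origin` before relaying.
    """
    try:
        data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if data.get("type") != "webauthn.get":
        return False, f"unexpected type {data.get('type')!r}"
    if data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if data.get("origin") != expected_origin:
        # This is the origin-binding check: the assertion was produced on a
        # page served from a different origin than the RP itself.
        return False, f"origin mismatch: {data.get('origin')!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def demo() -> dict[str, tuple[bool, str]]:
    """Legitimate sign-in versus the same challenge relayed through a proxy.

    In the proxied case the RP issued the challenge, the proxy forwarded it, but
    the victim's browser was on the proxy's page, so the browser stamped the
    proxy's origin into clientDataJSON and the authenticator scoped the
    assertion to the proxy's rpId. The RP rejects it.
    """
    challenge = "constructed-challenge-0001"
    legitimate = verify_origin_binding(
        build_client_data(RP_ORIGIN, challenge),
        build_authenticator_data(RP_ID),
        RP_ORIGIN, RP_ID, challenge,
    )
    proxied = verify_origin_binding(
        build_client_data(PROXY_ORIGIN, challenge),
        build_authenticator_data(PROXY_RP_ID),
        RP_ORIGIN, RP_ID, challenge,
    )
    return {"legitimate": legitimate, "proxied": proxied}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:10s} accepted={ok} reason={reason}")
```

The contrast with the password-plus-OTP flow the kit targets is the point: a typed password and a six-digit MFA code carry no notion of where they were entered, so a proxy can forward them unchanged, whereas a WebAuthn assertion is tied by the browser and authenticator to the origin that requested it and by the signature to that same data, so relaying it to the real service fails the checks above.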