Lead Analysts: Jeewan Singh Jalal, Prabhakaran Ravichandhiran and Anand Bodke
Since November 3, 2025, KnowBe4 Threat Labs has been monitoring a highly sophisticated, multi-stage phishing operation that is actively targeting organizations to steal employees’ Microsoft 365 credentials. The campaign is engineered to evade traditional email security controls, such as secure email gateways (SEGs), and to defeat multi-factor authentication (MFA).
The campaign contains multiple advanced technical measures to obfuscate the payload from traditional defenses, including “nested” PDFs that leverage legitimate content delivery network (CDN) services and mouse tracking. The end destination— a credential harvesting website—is also subject to advanced technical measures that are designed to block standard security tooling and filter out security analysts inspecting the page.
Finally, once the target enters their Microsoft 365 credentials, the phishing page relays them in real time to Microsoft’s genuine authentication servers, so the legitimate MFA challenge is completed by the victim on the attacker’s behalf and the cybercriminals gain immediate access to the victim’s Microsoft 365 environment.
Phishing Attack Summary
Vector and type: Email Phishing
Techniques:
Bypassed SEG detection: Yes
Targets: Microsoft 365 users in organizations globally
Recipients receive an initial phishing email as the first step in this campaign.

Phishing email with obfuscated payload contained within the PDF attachment, displayed in the KnowBe4 PhishER portal.
The payload, a phishing hyperlink, is buried inside nested PDF attachments. When a recipient opens the attachment on the phishing email, they see a rendered document containing a further hyperlink to click.

The first of the nested PDF attachments, which contains the obfuscated payload.
Clicking this hyperlink takes the recipient to a second document, which contains yet another hyperlink.

Second “nested” malicious PDF with further hyperlink to click.
This layering of PDF attachments is designed to hide the final destination, the phishing webpage, from security tools that cannot follow every successive hop, whether because the tool does not fetch and parse linked documents or because email delivery latency service level agreements (SLAs) leave no time to do so.
The intermediate hyperlinks point to files hosted on legitimate, trusted content delivery network (CDN) services, so the URLs a security tool does inspect resolve to domains with good reputation and appear benign.
Nine Advanced Evasion Techniques Used to Improve Credential Harvesting
If a target completes all the hops through the nested PDF documents, they will be directed to a pixel-perfect rendering of a spoofed Microsoft 365 log-in page.

Credential-harvesting webpage that perfectly impersonates a legitimate Microsoft 365 log-in page.
When analyzing the page, our researchers found that it contained nine advanced evasion techniques that further reduce the efficacy of security tooling and screen out security analysts so that only genuine targets see the lure.
- Detection of developer tools (DevTools): The code behind the webpage is designed to continuously monitor the browser environment and terminate the session if it detects that DevTools is open, as this indicates that the page is being inspected by security analysts rather than visited by a potential target.
- Anti-debugger measures: The code also contains `debugger` statements inside a loop (typically a timer that fires repeatedly), which hang or crash the tab whenever a debugger is attached.
- Window dimension monitoring: This tracks viewport size changes—a common occurrence when a security analyst opens DevTools—to trigger evasion protocols. Again, this is designed to filter out analysts from other employees.
- Context menu blocking: The right-click menu and text selection are disabled to make it harder for analysts to inspect the code or extract URLs.
- Hidden honeypot form fields to filter out security tooling: The login form contains fields that are visible when inspecting the page’s code but hidden from the human eye when the page is loaded normally. They exist to detect automated scanners and security bots, which fill every field they find, and to redirect them to benign content that masks the attack. A person will not know the fields are there without inspecting the code, leaves them empty, and therefore stays on the phishing webpage.
- Mouse and behavioral tracking: This records mouse movement patterns, clicks and scrolling. The malicious content, the fraudulent Microsoft 365 login page, is displayed only after human-like behavior is confirmed, which defeats headless browsers and automated sandboxes that do not synthesize realistic input.
- Console function override: This hijacks the browser console functions to suppress error messages and hide debugging output from security analysts.
- Text obfuscation: Invisible HTML elements and zero-width characters are injected into the webpage to defeat pattern-matching tools without affecting the way the webpage appears to the human eye; a scanner that does not strip these characters before matching will miss the brand-impersonation strings.
- Network Monitoring: Outbound requests are tracked to identify sandbox or monitored environments, remaining dormant if security tooling is detected.

Phishing webpage code revealing evasion techniques.
Bypassing MFA In Real Time
Finally, the sting in this campaign’s tail is its ability to bypass MFA in real time. The phishing page sits in an active man-in-the-middle (adversary-in-the-middle, AitM) relay with Microsoft’s legitimate authentication servers, which provides:
- Real-time validation of the victim’s credentials
- Adaptive display, which identifies the MFA methods (such as authenticator push, TOTP codes, SMS-based OTP or voice calls) that the victim has configured and dynamically adjusts the fake page to show only those options
- Challenge relay that pushes authentic MFA prompts from Microsoft to the victim’s device through the fake page, ensuring the victim sees a real, trusted authentication challenge
Our analysts determined that the following MFA methods have been targeted:
| Method ID | Description |
| --- | --- |
| PhoneAppNotification | Microsoft Authenticator push |
| PhoneAppOTP | Authenticator TOTP codes |
| OneWaySMS | SMS-based OTP |
| TwoWayVoiceMobile | Voice call verification (mobile) |
| TwoWayVoiceOffice | Voice call verification (office) |
This transparent bypass of MFA grants attackers immediate, fully authenticated access to the victim’s Microsoft 365 environment. With this access, a cybercriminal can use the account for activities such as business email compromise (BEC), deploying ransomware and data exfiltration.


HTML code showing MFA bypass technique.
Attack Chain Analysis With MITRE Tactics, Techniques and Procedures (TTPs)

How to Protect Your Organization From These Attacks
Despite the technical measures used to obfuscate this campaign from standard security tools, organizations can take several steps to help protect their employees from falling victim to these attacks.
The first is to level up email security so the attack is detected and neutralized before employees can fall victim. As demonstrated, this attack is designed to get through the detection measures used by SEGs. Consequently, organizations must layer an advanced integrated cloud email security (ICES) product, such as KnowBe4 Defend, into their tech stacks. These products take a zero-trust approach to inbound emails, regardless of factors such as whether a payload appears benign, and apply AI-powered detection mechanisms that inspect every aspect of every email, giving a higher rate of detection for phishing attacks.
Additionally, organizations can supplement this by updating email filtering rules to flag PDF attachments that contain embedded URI actions with multiple or encoded URL parameters. Other technical measures include blocking indicators of compromise (IOCs), such as implementing network blocks for the domains and URLs that have been identified as malicious. Security analysts should also audit recent MFA authentications for suspicious patterns, such as sign-ins that satisfied MFA from networks the user has never used, and should revoke active sessions and refresh tokens for any affected account: because the relay obtains a fully authenticated session, a password reset alone does not end the attacker’s access.
Finally, user awareness remains a crucial aspect of organizational defense. As this attack requires the target to click through multiple PDF layers until they reach the end destination, there is greater opportunity for them to realize they are interacting with unusual—likely malicious—content and report the attack before compromise occurs.
These steps will enable organizations to ensure they have robust defenses in place to prevent increasingly technical attacks that are designed to evade the standard security tooling they have come to rely on.
