Cybersecurity researchers have uncovered an ongoing phishing campaign that uses fake Microsoft OneNote login pages to steal Office365 and Outlook credentials. The attackers primarily target users in Italy and the United States, using trusted platforms and Telegram bots to carry out the attack and exfiltrate stolen data.
How the Attack Works
The phishing campaign begins with emails that appear to come from Microsoft, using subject lines like “New Document Shared with you.” These emails redirect victims to fraudulent OneNote login pages hosted on platforms like Notion, Glitch, Google Docs, and RenderForest.
These fake login pages offer multiple authentication options, including Office365, Outlook, Aruba Mail, PEC (Italy’s certified email system), and others—making the attack more believable to victims.
Targeting Italian Users
According to a report by ANY.RUN, the phishing emails and domains often use Italian language and naming conventions. The campaign has been active since at least January 2022, showing long-term planning and persistence.
Credential Theft via Telegram Bots
The phishing pages use JavaScript to collect login credentials and capture victims’ IP addresses using the ipify.org service. The stolen data is then sent to the attackers through Telegram bots using hardcoded bot tokens and chat IDs.
Telegram bots used in the campaign include:
- @Sultannanewbot
- @remaxx24bot
- @Resultantnewbot
After credentials are stolen, the phishing site redirects users to the real Microsoft OneNote login page to avoid suspicion.
Evolving Techniques
The campaign has evolved technically over time. Early attacks used basic web forms and simple URL encoding. In February 2022, the attackers began using Telegram bots for data exfiltration, along with complex URL encoding techniques.
Between July and December 2024, they experimented with Base64 encoding but later dropped it. The attackers seem to focus more on access brokering than advanced malware development, possibly due to limited technical skill or strategic intent.
Security Recommendations
Experts advise organizations to monitor for suspicious network activity, especially connections to api.telegram.org using known bot tokens. Security teams should look for patterns in domain activity, particularly involving Notion and Glitch followed by Telegram API calls.
Organizations are also urged to create detection rules for unauthorized Telegram bot communication and pay special attention to attempts targeting Italy’s PEC system, as this may signal broader goals such as business email compromise or access brokering.
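The following script is an added example, not code from the article or from ANY.RUN's report, showing how the recommendations above can be turned into a concrete check over proxy logs: it extracts Telegram Bot API tokens from outbound URLs (and from page source, since the report says the tokens are hardcoded in the phishing page's JavaScript), reports every Bot API call whose token is not on an allowlist, and correlates a visit to one of the named hosting platforms (Notion, Glitch, Google Docs, RenderForest) with a Telegram API call from the same host shortly afterwards. The log format, the hostnames, the placeholder tokens and the token shape in the regex are assumptions; no real bot tokens appear here.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log lines (assumed format): "<ISO timestamp> <source host> <URL>".
# Tokens are obvious placeholders, not real Telegram credentials.
SAMPLE_LOGS = [
    "2025-03-04T09:12:01Z ws-17 https://www.notion.so/Shared-Document-a1b2c3",
    "2025-03-04T09:12:44Z ws-17 https://api.ipify.org/?format=json",
    "2025-03-04T09:12:45Z ws-17 https://api.telegram.org/bot123456789:AAEXAMPLEtokenPLACEHOLDER0000000000/sendMessage",
    "2025-03-04T09:13:02Z ws-17 https://www.onenote.com/",
    "2025-03-04T10:30:00Z ws-22 https://api.telegram.org/bot987654321:AAEXAMPLEtokenPLACEHOLDER1111111111/getUpdates",
    "2025-03-04T11:00:00Z ws-05 https://glitch.me/some-project",
    "2025-03-04T14:00:00Z ws-05 https://api.telegram.org/bot555555555:AAEXAMPLEtokenPLACEHOLDER2222222222/sendMessage",
    "2025-03-04T15:00:00Z ws-09 https://www.microsoft.com/",
]

# Constructed fragment of fetched page source; only the embedded Bot API URL matters here.
SAMPLE_PAGE_SOURCE = 'const hook = "https://api.telegram.org/bot123456789:AAEXAMPLEtokenPLACEHOLDER0000000000/sendMessage";'

# Platforms the report names as hosting the fake OneNote login pages (hostnames assumed).
PAGE_HOSTING_DOMAINS = ("notion.so", "notion.site", "glitch.me", "docs.google.com", "renderforest.com")

# Bot API URLs carry the token in the path as /bot<id>:<secret>/<method>.
# The token shape below follows the public Bot API format and is an assumption.
BOT_TOKEN_RE = re.compile(r"api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]+)/(\w+)")


def extract_bot_tokens(text):
    """Return (token, method) pairs for every Bot API URL found in a log line or page source."""
    return BOT_TOKEN_RE.findall(text)


def parse_line(line):
    """Split one log line into (timestamp, source host, url)."""
    ts, host, url = line.split(" ", 2)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, url


def hostname_matches(url, domains):
    """True if the URL's hostname is one of `domains` or a subdomain of one."""
    name = urlsplit(url).hostname or ""
    return any(name == d or name.endswith("." + d) for d in domains)


def find_telegram_api_calls(lines, allowed_tokens=frozenset()):
    """Every outbound Bot API call whose token is not on the organization's allowlist."""
    hits = []
    for line in lines:
        ts, host, url = parse_line(line)
        for token, method in extract_bot_tokens(url):
            if token not in allowed_tokens:
                hits.append({"time": ts, "host": host, "token": token, "method": method})
    return hits


def correlate_hosting_then_telegram(lines, window_minutes=10):
    """Hosts that visited a page-hosting platform and then hit the Bot API within the window.

    This is the 'Notion/Glitch followed by Telegram API call' pattern from the recommendations.
    """
    recent_hosting = {}  # source host -> (time, hosting URL) of its latest platform visit
    alerts = []
    # ISO-8601 timestamps in a fixed format sort chronologically as plain strings.
    for line in sorted(lines):
        ts, host, url = parse_line(line)
        if hostname_matches(url, PAGE_HOSTING_DOMAINS):
            recent_hosting[host] = (ts, url)
        elif hostname_matches(url, ("api.telegram.org",)):
            prior = recent_hosting.get(host)
            if prior is not None:
                delta_s = (ts - prior[0]).total_seconds()
                if delta_s <= window_minutes * 60:
                    alerts.append({"host": host, "hosting_url": prior[1],
                                   "telegram_url": url, "delta_s": delta_s})
    return alerts


if __name__ == "__main__":
    for hit in find_telegram_api_calls(SAMPLE_LOGS):
        print(f"[bot-api] {hit['host']} {hit['method']} token={hit['token'][:9]}...")
    for alert in correlate_hosting_then_telegram(SAMPLE_LOGS):
        print(f"[sequence] {alert['host']} hosting->telegram after {alert['delta_s']:.0f}s")
    print("tokens in page source:", extract_bot_tokens(SAMPLE_PAGE_SOURCE))
```

The correlation deliberately keys on the sequence rather than on any single domain: visits to Notion or Glitch are common in normal traffic, and a legitimately deployed Telegram bot can be placed on the allowlist, so the combination of a hosting-platform visit immediately followed by an unknown Bot API token from the same host is the signal worth alerting on. Widening the window catches slower sequences at the cost of more noise.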