A Spanish-speaking phishing operation targeting Microsoft Outlook users has been active since March 2025, using a sophisticated kit that shows clear indicators of AI-assisted development. <\/p>\n
The campaign, tracked through a unique signature of four mushroom emojis embedded in the string \u201cOUTL,\u201d has been observed in over 75 distinct deployments. <\/p>\n
The operation captures email credentials along with victim IP addresses and geolocation data, exfiltrating stolen information through Telegram bots and Discord webhooks.<\/p>\n
The phishing kit mimics Microsoft\u2019s Outlook login interface with Spanish language prompts, presenting victims with a convincing authentication page. <\/p>\n
![\"Fake](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhjghRphsBWbV4yVyDU_VdHDX5sg14CSMe8HVN2qS1SAIDFGBtiRtusIq73d0QeN7tKqIx6969_wTdDR83RmAVBOXq8WkzNAQaL7BoCN7kKdDpl_R-GajaX5GXCNu1fnSje8Gv5aX8GL3s16YehExt2o8z1shormj2mrQbt9xA0yZfl5mZhKND_xxNOl4s\/s16000\/Fake%2520login%2520page%2520%28Source%2520-%2520The%2520Sage%2520Hollow%29.webp?ssl=1\")
Once users enter their credentials, the kit immediately enriches the stolen data with contextual information by querying api.ipify.org for IP resolution and ipapi.co for geolocation details. <\/p>\n
This automated reconnaissance<\/a> happens in real time before the credentials are packaged and transmitted to the attackers. <\/p>\n The operation demonstrates a high level of technical planning, with multiple variants showing consistent operational patterns despite changes in their obfuscation techniques.<\/p>\n The Sage Hollow researchers identified<\/a> the campaign after discovering the mushroom emoji signature, which served as a reliable pivot point to track additional deployments. <\/p>\n Analysis of the kit\u2019s evolution revealed several distinct variants, ranging from heavily obfuscated scripts with anti-analysis traps to completely unobfuscated code that resembles AI-generated patterns.<\/p>\n The most recent variant, called disBLOCK.js, features clean indentation, clearly named functions, and Spanish-language comments that explain each execution stage, characteristics strongly associated with AI-assisted code generation<\/a> rather than manually developed tools.<\/p>\n The phishing kit operates through a modular architecture where configuration data is separated from execution logic. In early deployments, a script named xjsx.js served as a configuration container, storing Telegram bot tokens and chat IDs using light array rotation obfuscation. <\/p>\n The victim data collection follows a fixed sequence: when a user submits credentials through the fake login<\/a> form, the kit first validates the email format using a regular expression pattern. <\/p>\n It then triggers the fetchIPData function, which makes HTTPS requests to external APIs to gather IP and location information.<\/p>\n The exfiltration payload maintains a standardized format across all variants, structured as \u201cOUTL CORREO: [victim_email] PASSWR: [victim_password] IP: [ip_address]\u201d followed by location details. <\/p>\n Network captures show the data being transmitted via standard HTTPS POST requests to either Telegram bot APIs or Discord webhook endpoints. <\/p>\n The shift toward Discord webhooks represents a tactical evolution, as these function as write-only channels that prevent defenders from accessing historical exfiltration data even when the webhook URL is discovered.<\/p>\n The kit\u2019s infrastructure analysis reveals a service-oriented ecosystem with deliberately compartmentalized deployment layers while maintaining selective convergence at the exfiltration level, indicating a phishing-as-a-service<\/a> model where different operators may be using the same underlying toolkit.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post New Phishing Kit with AI-assisted Development Attacking Microsoft Users to Steal Logins<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"tlgram.js](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEimWl_PmBuifPMaYSOihCm1hkyb36nVc3s-DfkhqjBEw2CNCOWVsL7UfKHV70uTx5JnQlQvRm2jshi5Ds5XV-pEAzvLLwYxZIQdEwTthQNMFaFn2aHR7sWEbOiTrd6pYAYSv0w7qcTHuuwnVb_GfZQNoYUwqMvzxpNtNagW_0-BWKtXgaqKdcf8PfltKwM\/s16000\/tlgram.js%2520deobfuscated%2520%28Source%2520-%2520The%2520Sage%2520Hollow%29.webp?ssl=1\")
Infection Mechanism<\/strong><\/h2>\n
![\"A](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEilUCOQRa97RTG6JaF1wVeLoKlGfJmEii1QgGSdHR7AZylsasygplCwZNvhM90gPrJnXx-7gcbDJOT47chlc-H-umhSbpTBuB2wa711JT-BvbuqQa_U0slg_mlks8gMM5xqY0ybjYsl2_QHS9JglrLOQ3JmXdieTJ069FEobKZNDFR_wkrbt_iC_3j1vRk\/s16000\/A%2520Cursed%2520Harvest%2520%28Source%2520-%2520The%2520Sage%2520Hollow%29.webp?ssl=1\")