Allure Security researchers uncovered a payroll and benefits-themed adversary-in-the-middle (AiTM) phishing campaign by tracing a single reused token across multiple lookalike domains. What initially appeared to be isolated phishing pages was ultimately revealed as a coordinated operation targeting Microsoft 365 accounts through benefits and HR-themed lures.
By decoding and analyzing the campaign’s token structure, our team connected multiple domains to the same phishing infrastructure, identified operational patterns, uncovered previously undocumented campaign artifacts, and exposed how attackers use payroll and benefits branding as a gateway to Microsoft 365 account takeover. This report walks through the investigation, methodology, and findings, showing how a single technical artifact helped unravel an entire phishing operation.
What's inside:
- How a reused signed token connected multiple phishing domains to a single campaign
- Why payroll and benefits brands are being used to lure victims into Microsoft 365 account takeover attacks
- A technical breakdown of the campaign’s infrastructure, token design, and anti-analysis controls
- Previously undocumented campaign artifacts, including operator labeling and infrastructure patterns
- Detection opportunities, threat hunting guidance, and indicators defenders can use today
- And more
