New Employee Phishing Campaign Targets Microsoft 365 Credentials
05 November 2025
By Rikesh Vekaria, Hiwot Mendahun and the Mimecast Threat Research Team
- Credential harvesting campaign impersonating new employee notifications across multiple organizations
- Multi-stage attack flow utilizing fake verification pages and CAPTCHA to evade detection
- Leverages FlowerStorm phishing-as-a-service platform with Adversary-in-the-Middle capabilities to bypass MFA
Campaign Overview
The Mimecast Threat Research team has identified an active credential harvesting campaign using HR-related lures, including a new employee onboarding notification, to steal Microsoft 365 credentials. This operation uses company-specific lures that reference fictitious new employees joining target organizations, creating a sense of legitimacy that encourages user interaction. The campaign follows a multi-stage attack flow designed to evade automated detection systems. Recipients receive emails announcing new employee arrivals, often including the target company's name in subject lines to increase credibility.
When users click the embedded links, they are redirected to convincing verification pages that display photos of supposed new joiners along with CAPTCHA challenges designed to appear legitimate while preventing security scanners from accessing the final payload.
After completing the fake verification process, victims are redirected to Microsoft credential harvesting pages. This infrastructure has been linked to FlowerStorm, a phishing-as-a-service platform that employs Adversary-in-the-Middle (AiTM) attacks specifically designed to capture credentials and bypass multi-factor authentication protections.
This technique allows threat actors to intercept authentication tokens in real-time, providing access to protected accounts even when MFA is enabled.
Mimecast Protection
Mimecast has implemented enhanced detection capabilities targeting this campaign's specific techniques, including analysis of fake CAPTCHA implementations.
Indicators of Compromise (IOCs)
Common Subject Lines:
- Welcome new employee / [name]
- [company name]update: New employee/ [name]
Credential Harvesting Infrastructure:
- copilotnotewelcomedashboardteamsmst365[.]faraway[.]com[.]de
- https://ctrlcopilotappsmst365[.]gleamed[.]com[.]de
- https://onedriveappsdirectmst365[.]gleamed[.]com[.]de
- http://mailboxselfservicecenter[.]gleamed[.]com[.]de
Targets
Multiple industries appear affected, with campaigns demonstrating the ability to customize lures with specific company names.
Recommendations
User Security Awareness:
- Educate users to verify new employee announcements through official HR channels rather than clicking email links
- Educate staff about sophisticated CAPTCHA-based phishing techniques and the importance of verifying the legitimacy of verification pages
- Conduct phishing simulations incorporating new employee social engineering scenarios
Threat Hunting:
- Search email receipt logs and URL logs for technical indicators associated with these campaigns
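As an added illustration of this threat-hunting step (example code written for this page, not Mimecast's own tooling), the following Python script refangs the IOCs listed above and checks email-subject and URL log records against them. The tab-separated record format and the sample log lines are assumptions, constructed here for the example.

```python
import re
from urllib.parse import urlparse

# IOCs exactly as published in the advisory above (defanged with "[.]").
DEFANGED_IOCS = [
    "copilotnotewelcomedashboardteamsmst365[.]faraway[.]com[.]de",
    "https://ctrlcopilotappsmst365[.]gleamed[.]com[.]de",
    "https://onedriveappsdirectmst365[.]gleamed[.]com[.]de",
    "http://mailboxselfservicecenter[.]gleamed[.]com[.]de",
]
# Subject-line lures from the advisory; [name] / [company name] are free text.
SUBJECT_PATTERNS = [
    re.compile(r"welcome new employee\s*/", re.I),
    re.compile(r"update:\s*new employee\s*/", re.I),
]

def refang(indicator):
    """Convert a defanged indicator into a lowercase hostname for matching."""
    value = indicator.replace("[.]", ".")
    if "://" in value:
        value = urlparse(value).hostname or value
    return value.lower()

IOC_HOSTS = {refang(i) for i in DEFANGED_IOCS}

def url_matches_ioc(url):
    """True if the URL's host is an IOC host or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in IOC_HOSTS)

def hunt(log_lines):
    """Return (line_no, reason) for each log line matching an indicator.
    Assumed record format: '<SUBJECT|URL>' + TAB + value, one per line."""
    hits = []
    for no, line in enumerate(log_lines, 1):
        kind, _, value = line.partition("\t")
        if kind == "URL" and url_matches_ioc(value):
            hits.append((no, "ioc-domain"))
        elif kind == "SUBJECT" and any(p.search(value) for p in SUBJECT_PATTERNS):
            hits.append((no, "subject-lure"))
    return hits

SAMPLE_LOG = [  # constructed sample records, not real telemetry
    "SUBJECT\tWelcome new employee / Jane Doe",
    "SUBJECT\tQ4 budget review",
    "URL\thttps://ctrlcopilotappsmst365.gleamed.com.de/verify?id=1",
    "URL\thttps://login.microsoftonline.com/",
    "SUBJECT\tContoso update: New employee/ John Smith",
]
```

Running `hunt(SAMPLE_LOG)` flags records 1, 3 and 5; in practice the subject patterns are a triage signal and should be reviewed alongside sender and URL evidence rather than blocked on their own.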