Cybersecurity analysts have uncovered a sophisticated phishing campaign that uses legitimate Microsoft Dynamics infrastructure to trick Gmail users into handing over their credentials. The attack is notable for its multi-step design, ability to bypass common security checks, and use of advanced evasion tactics.
How the Attack Works
The campaign begins with emails disguised as “New Voice Notifications.” These messages appear authentic, complete with spoofed sender details and a clickable button urging recipients to “Listen to Voicemail.”
Clicking the button doesn’t take victims to a voicemail service. It instead routes them through Microsoft’s Dynamics marketing platform (assets-eur.mkt.dynamics.com). Because the first hop is a trusted Microsoft host, the link inherits that host’s reputation and passes many email defenses that score links by the domain they point to rather than where they finally land.
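The lure works because the visible button text and the actual link target disagree: the text promises a voicemail, the href goes to a marketing redirector. The following is an added example (not code from the original report or from any vendor) of a mail-filter check for exactly that mismatch. The redirector suffix mkt.dynamics.com comes from the report; the message body, the `/api/click?c=1234` path and the example.com link are constructed for illustration.

```python
"""Flag e-mail links whose visible text promises a voicemail but whose target
is a third-party redirector rather than a voicemail service."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Legitimate services that forward users to arbitrary destinations.
# mkt.dynamics.com is the one named in the report; extend as needed.
REDIRECTOR_SUFFIXES = ("mkt.dynamics.com",)

# Words in the visible link text that signal a voicemail lure.
VOICEMAIL_WORDS = ("voicemail", "voice message", "voice notification")


def host_matches(host, suffixes):
    """True if host equals one of the suffixes or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Normalise whitespace so nested tags and line breaks do not matter.
            text = " ".join(" ".join(self._text).split())
            self.links.append((self._href, text))
            self._href = None


def suspicious_links(html):
    """Return links whose text is a voicemail lure and whose host is a redirector."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for href, text in parser.links:
        host = urlsplit(href).hostname  # None for mailto:/relative links
        lure = any(w in text.lower() for w in VOICEMAIL_WORDS)
        if lure and host_matches(host, REDIRECTOR_SUFFIXES):
            hits.append({"text": text, "host": host, "href": href})
    return hits


# Constructed message body modelled on the lure described in the article;
# the path and query string are assumptions, not a captured sample.
SAMPLE_HTML = """
<html><body>
<p>You have a new voice notification (0:42).</p>
<p><a href="https://assets-eur.mkt.dynamics.com/api/click?c=1234">
  <b>Listen to Voicemail</b></a></p>
<p><a href="https://www.example.com/privacy">Privacy policy</a></p>
</body></html>
"""

if __name__ == "__main__":
    for hit in suspicious_links(SAMPLE_HTML):
        print(f"voicemail lure via redirector: {hit['host']} ({hit['text']!r})")
```

The check is deliberately narrow: it does not try to resolve where the redirector forwards to (that needs a fetch, and the kit may serve different content to scanners), it only asks whether a voicemail-themed link has any business passing through a marketing redirector at all.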
From CAPTCHA to Credential Theft
Victims are then funneled to a CAPTCHA page on horkyrown[.]com, a domain linked to Pakistan. The CAPTCHA stage adds a false sense of security before presenting users with a near-identical clone of Gmail’s login page.
The fake page captures far more than just usernames and passwords. It is designed to harvest:
- Two-factor authentication codes
- Backup recovery keys
- Linked email accounts
- Security question responses
Behind the scenes, the page runs heavily obfuscated JavaScript that uses AES encryption and anti-debugging routines. If the script detects that a user is inspecting it, for example with the browser’s developer tools, it redirects them to Google’s legitimate login site so that the fake page is never seen in the debugger.
International Infrastructure
The campaign relies on a web of compromised servers to stay hidden. Analysts traced redirections to a domain hosted in Russia (purpxqha[.]ru), while the phishing CAPTCHA site was tied to Karachi, Pakistan. Spreading the infrastructure across jurisdictions makes takedown and forensic work more difficult.
Why This Matters
Unlike typical phishing attempts, this campaign directly undermines multi-factor authentication (MFA) by capturing secondary codes and recovery options. A one-time code expires within minutes, so the attacker has to use it almost immediately, but backup recovery keys and security question answers stay valid until the victim changes them. That makes the stolen data highly valuable and lets attackers hijack accounts quickly and keep access even after a password reset.
Security Guidance
- Users should ignore unsolicited voicemail notifications, confirm login prompts by going to accounts.google.com directly rather than following a link, and reset passwords and regenerate backup codes immediately if suspicious activity is detected. Because the kit can only capture what is typed into it, phishing-resistant MFA (passkeys or FIDO2 security keys) cannot be harvested this way; enable it where available.
- Organizations should update email filtering, block the malicious domains named above, and train staff to recognize evolving phishing methods.
- Security teams are advised to monitor for abuse of legitimate services like Microsoft Dynamics in future attacks, since a blocklist of the current phishing domains will not catch the next campaign that reuses the same redirector.
Final Word
This phishing wave highlights how criminals are increasingly weaponizing trusted platforms and blending social engineering with technical obfuscation. With Gmail at the center of so many personal and business operations, raising awareness and strengthening defenses is critical to keeping accounts secure.