The starting point of the infection chain is an email message containing a link that mimics a legitimate or compromised domain that, when clicked, triggers the redirection to the actor-controlled credential harvesting page.

To lend the phishing attempt a veneer of legitimacy, the malicious webmail login pages have the recipients' email addresses pre-filled. Attackers have also been observed using legitimate domains that offer URL shortening, tracking, and campaign marketing services.

"By carefully mimicking legitimate domains and redirecting victims to official sites, attackers can effectively mask their true objectives and increase the likelihood of successful credential theft," the researchers said.