Attackers Hijacking Legitimate Websites to Attack Microsoft Teams users
Cybersecurity News, archived Mar 17, 2026
A multi-vector phishing campaign is using compromised WordPress sites to steal login credentials from Microsoft Teams and Xfinity users. By hijacking these trusted sites, attackers can bypass security filters and trick victims into disclosing sensitive information.
The threat actors are not relying on a single method to trick their victims. Instead, they are utilizing three distinct phishing lures designed to create a false sense of urgency:
Fake Missed Voicemail Alert (Source: X post by KnowBe4 Threat Labs)
Teams Voice Message: An email notification claiming the user has a missed voicemail on Microsoft Teams.
Shared Documents: A deceptive alert stating a new document has been shared, pushing the user to click quickly to view the file.
UAE Pass Spoofing: A regionally targeted lure that sends fake login requests to users of the UAE Pass digital identity system.
How the Attack Chain Works
The campaign follows a carefully planned attack chain designed to capture user credentials for downstream account takeovers:
UAE Pass spoofing via fake login requests (Source: X post by KnowBe4 Threat Labs)
The Hook: The victim receives a phishing email, such as a fake “Teams Voice Message” alert, containing a “Listen Now” button.
The Pivot: When the user clicks the link, they are secretly redirected through a tracking domain, specifically skimresources[.]com.
New Document Shared alert to create urgency (Source: X post by KnowBe4 Threat Labs)
The Payload: The redirect ultimately lands the victim on a highly convincing, pixel-perfect fake login page. These fake pages mimic Microsoft Teams, Xfinity, or UAE Pass.
Users land on a pixel-perfect fake Xfinity login page (Source: X post by KnowBe4 Threat Labs)
The Goal: Once the user enters their username and password, attackers harvest the credentials to completely take over the victim’s accounts.
A key feature of this campaign is the abuse of legitimate WordPress websites.
🚨PHISHING ALERT: MULTI-VECTOR PHISHING VIA COMPROMISED WORDPRESS SITES 🚨
KNOWBE4 THREAT LABS IS TRACKING AN ACTIVE CAMPAIGN LEVERAGING COMPROMISED WORDPRESS INFRASTRUCTURE TO HOST A SUITE OF PHISHING PAGES TARGETING MICROSOFT TEAMS USERS AND XFINITY CREDENTIALS.
🛡️ THE ATTACK… PIC.TWITTER.COM/XC3CMUKTBN
— KB4ThreatLabs (@Kb4Threatlabs) March 16, 2026
The attackers are hacking into poorly secured sites and hiding their malicious phishing pages deep within standard system folders.
By placing their fake login pages in core directories like /wp-includes/ or /bin/, the attackers can hide in plain sight, avoiding immediate detection by website owners and automated security scanners.
Security teams and network administrators should block the following compromised domains and file paths associated with this campaign:
crsons[.]net/wp-includes/js/tinymce/~
crsons[.]net/wp-includes/cgi/UAE%20PASS.htm
afghantarin[.]com/afghantarin/admin/waitme/~
medinex[.]in/includes/bin/index[.]php
cabinetzeukeng[.]net/config/[.]bin/voicemail
rnedinex[.]com
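The following added example (not part of the original article or KnowBe4 Threat Labs' tooling) refangs the indicators above and matches proxy log URLs against them by host and path prefix, so that ordinary pages on a compromised but otherwise legitimate site are not flagged. It assumes that a trailing "~" marks a truncated path and that the URL is the last whitespace-separated field of each log line; the log lines are constructed.

```python
from urllib.parse import urlsplit, unquote

# Indicators copied from the article's block list, still defanged.
DEFANGED_IOCS = [
    "crsons[.]net/wp-includes/js/tinymce/~",
    "crsons[.]net/wp-includes/cgi/UAE%20PASS.htm",
    "afghantarin[.]com/afghantarin/admin/waitme/~",
    "medinex[.]in/includes/bin/index[.]php",
    "cabinetzeukeng[.]net/config/[.]bin/voicemail",
    "rnedinex[.]com",
]

def parse_ioc(defanged):
    """Return (host, path_prefix); an empty prefix matches the whole host."""
    host, _, path = defanged.replace("[.]", ".").partition("/")
    # Assumption: a trailing "~" marks a truncated path, so match by prefix.
    path = unquote(path.rstrip("~"))
    return host.lower(), ("/" + path).lower() if path else ""

IOCS = [parse_ioc(i) for i in DEFANGED_IOCS]

def match_url(url):
    """Return the (host, prefix) indicator a URL matches, or None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    # Decode %20 etc. and lowercase so encoding or case changes do not evade.
    path = unquote(parts.path or "/").lower()
    for ioc_host, prefix in IOCS:
        # Exact host or any subdomain, then the indicator's path prefix.
        if (host == ioc_host or host.endswith("." + ioc_host)) and path.startswith(prefix):
            return ioc_host, prefix
    return None

def scan(log_lines):
    """Yield (line_no, url, indicator); the URL is the last field of a line."""
    for n, line in enumerate(log_lines, 1):
        fields = line.split()
        if fields and (hit := match_url(fields[-1])):
            yield n, fields[-1], hit

# Constructed proxy log lines (timestamp, client IP, URL) for illustration.
SAMPLE_LOG = [
    "2026-03-16T09:01:02Z 10.0.0.5 https://crsons.net/wp-includes/cgi/UAE%20PASS.htm",
    "2026-03-16T09:01:09Z 10.0.0.7 https://crsons.net/contact",
    "2026-03-16T09:02:41Z 10.0.0.9 http://cabinetzeukeng.net/config/.bin/voicemail/index.html",
    "2026-03-16T09:03:15Z 10.0.0.5 https://login.rnedinex.com/",
]

if __name__ == "__main__":
    for n, url, (host, prefix) in scan(SAMPLE_LOG):
        print(f"line {n}: {url} matches {host}{prefix or ' (any path)'}")
```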
To protect against this threat, organizations should train employees to carefully verify email senders and hover over links before clicking, especially when receiving unexpected voicemails or document alerts.
Additionally, website administrators must ensure their WordPress installations, themes, and plugins are fully updated to prevent their infrastructure from being weaponized.