A new phishing campaign has been observed targeting organizations worldwide with a multi-stage attack chain designed to steal Microsoft 365 credentials and bypass Multi-Factor Authentication (MFA).
According to new research from KnowBe4 Threat Labs, the operation has been active since Nov. 3, 2025 and uses layered PDF attachments, trusted Content Delivery Network (CDN) services, and browser-environment checks to evade secure email gateways and automated analysis tools.
The researchers warned that the campaign’s complexity indicates a continued trend toward phishing operations engineered to defeat both traditional filters and modern behavioral detection.
Multi-Layered PDFs
Victims receive an initial phishing email containing a PDF attachment. Opening it reveals another PDF, which then leads to additional embedded links.
This “nesting” structure defeats many security tools: some cannot follow a chain of links through successive documents, and others stop early because mail has to be delivered within a service-level deadline, so the hop that finally exposes the phishing page is never examined. Meanwhile each layer looks like an ordinary document to the recipient.
Hosting the intermediate links on trusted CDN services further obscures the path, since URL reputation checks see a well-known provider rather than attacker-controlled infrastructure. Only after completing multiple hops does the victim reach a spoofed Microsoft 365 login page designed to harvest credentials.
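To see what a gateway rule for this pattern has to do, here is an added example (not KnowBe4’s tooling, and the sample PDFs, hostnames and paths are constructed for it): a static scanner that records link URIs and actions in a PDF and recurses into embedded files that are themselves PDFs, so the whole link chain is visible in one pass instead of one hop at a time. It assumes objects are not packed into compressed object streams; a production scanner inflates /FlateDecode first.

```python
"""Static scan of a layered PDF lure: records link URIs and action types in
uncompressed PDF syntax and recurses into embedded files that are themselves
PDFs. Assumes objects are not inside compressed object streams (inflate first)."""
import re
from dataclasses import dataclass, field

URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
ACTION_RE = re.compile(rb"/S\s*/(URI|Launch|JavaScript|GoToR|SubmitForm|ImportData)\b")
AUTO_RE = re.compile(rb"/(OpenAction|AA)\b")  # actions that fire without a click
EMBEDDED_RE = re.compile(rb"/Type\s*/EmbeddedFile(?P<dict>.*?)>>\s*stream\r?\n", re.S)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b")  # direct integer /Length only


@dataclass
class PdfReport:
    depth: int
    uris: list = field(default_factory=list)
    actions: list = field(default_factory=list)
    auto_actions: int = 0
    embedded_files: int = 0
    undecodable: int = 0  # embedded streams with a /Filter this scanner does not inflate
    children: list = field(default_factory=list)

    def all_uris(self):
        return self.uris + [u for c in self.children for u in c.all_uris()]

    def max_depth(self):
        return max([self.depth] + [c.max_depth() for c in self.children])

    def suspicious(self):
        # Heuristic matching the page's advice: nested PDFs, actions that run
        # without a click, non-link actions, or payloads the scanner cannot inspect.
        return (self.max_depth() > 0 or self.auto_actions > 0 or self.undecodable > 0
                or any(a != "URI" for a in self.actions))


def scan_pdf(data: bytes, depth: int = 0, max_depth: int = 5) -> PdfReport:
    report = PdfReport(depth=depth)
    cut = []  # spans of embedded bodies, excluded from the outer scan so URIs are not double counted
    for m in EMBEDDED_RE.finditer(data):
        if any(s <= m.start() < e for s, e in cut):
            continue  # a declaration inside an embedded body belongs to the child scan
        report.embedded_files += 1
        length = LENGTH_RE.search(m.group("dict"))
        if length is None or b"/Filter" in m.group("dict"):
            report.undecodable += 1
            continue
        body = data[m.end():m.end() + int(length.group(1))]
        cut.append((m.end(), m.end() + len(body)))
        if body.startswith(b"%PDF") and depth < max_depth:
            report.children.append(scan_pdf(body, depth + 1, max_depth))
    outer, pos = b"", 0
    for start, end in cut:
        outer, pos = outer + data[pos:start], end
    outer += data[pos:]
    report.uris = [m.group(1).decode("latin-1") for m in URI_RE.finditer(outer)]
    report.actions = [m.group(1).decode() for m in ACTION_RE.finditer(outer)]
    report.auto_actions = len(AUTO_RE.findall(outer))
    return report


# Constructed samples, not real campaign artifacts. The outer PDF carries a link
# on a trusted-looking CDN host, an OpenAction, and a second PDF as an attachment;
# the inner PDF carries the next hop of the chain.
INNER_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 200 50]
  /A << /S /URI /URI (https://cdn.example.net/share/v/doc.html) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF"""


def build_outer_pdf(inner: bytes) -> bytes:
    head = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R
  /Names << /EmbeddedFiles << /Names [(inner.pdf) 5 0 R] >> >>
  /OpenAction << /S /JavaScript /JS (this.exportDataObject({cName:'inner.pdf', nLaunch:2});) >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 200 50]
  /A << /S /URI /URI (https://cdn.example.com/f/1/view) >> >> endobj
5 0 obj << /Type /Filespec /F (inner.pdf) /EF << /F 6 0 R >> >> endobj
6 0 obj << /Type /EmbeddedFile /Length """
    stream = b"%d /Params << /Size %d >> >>\nstream\n" % (len(inner), len(inner))
    return head + stream + inner + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    r = scan_pdf(build_outer_pdf(INNER_PDF))
    print("depth:", r.max_depth(), "actions:", r.actions, "chain:", r.all_uris(), "flag:", r.suspicious())
    print("benign sample flagged:", scan_pdf(BENIGN_PDF).suspicious())
```

The point of the recursion is that the outer document on its own looks harmless (one link to a CDN host); only the combined report shows two hops and an action that fires on open, which is what the filter should score rather than the first URL alone.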
KnowBe4 researchers identified nine evasion techniques on the phishing site, including developer-tool detection, anti-debugging loops, viewport monitoring, blocked context menus, hidden form fields to identify bots, mouse-movement tracking, console overrides, text obfuscation, and outbound-request monitoring.
These measures are intended to filter out security analysts and automated scanners, while allowing regular users to proceed.
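None of those nine checks is rare on its own, but their combination on a login page is. As an added example (not KnowBe4’s detector; the two sample pages are constructed for it), the following maps each technique in the list above to a source-level signature and scores a fetched page by how many it exhibits, which is a cheap triage step before spending sandbox time on a URL.

```python
"""Score fetched page source for the browser-side evasion tricks used by
analyst-filtering phishing kits. One rule per technique; several hits on
one page is the kit pattern, a single hit is common on ordinary sites."""
import re

EVASION_RULES = [
    ("developer-tool detection", r"outer(Width|Height)\s*-\s*(window\.)?inner\1|devtools"),
    ("anti-debugging loop", r"setInterval\s*\([\s\S]{0,120}?\bdebugger\b"),
    ("viewport monitoring", r"addEventListener\(\s*['\"](resize|visibilitychange)['\"]|document\.hidden"),
    ("blocked context menu", r"['\"]contextmenu['\"]|oncontextmenu"),
    # Honeypot inputs are visually hidden rather than type=hidden, so bots fill them
    ("hidden honeypot field", r"<input[^>]*(display\s*:\s*none|left\s*:\s*-\d{3,}px)"),
    ("mouse-movement tracking", r"['\"]mousemove['\"]|onmousemove"),
    ("console override", r"console\.(log|warn|error|info|debug|table|dir)\s*=[^=]"),
    # Zero-width characters or char-code assembly break keyword matching on page text
    ("text obfuscation", r"fromCharCode|\\u200[bcd]|&#820[34];|&zw(n)?j;|[\u200b-\u200d]"),
    ("outbound-request monitoring",
     r"(XMLHttpRequest\.prototype\.(open|send)|window\.fetch|navigator\.sendBeacon)\s*=[^=]"),
]
COMPILED = [(name, re.compile(pat, re.I)) for name, pat in EVASION_RULES]


def detect_evasion(page: str):
    """Names of the techniques whose signature appears in the page, in rule order."""
    return [name for name, rx in COMPILED if rx.search(page)]


def looks_like_evasive_kit(page: str, threshold: int = 3) -> bool:
    return len(detect_evasion(page)) >= threshold


# Constructed page source for this example, not captured from the campaign.
SAMPLE_PAGE = r"""
<form id="login"><input name="email"><input name="pw" type="password">
<input name="fax" style="position:absolute;left:-9999px" autocomplete="off">
<div>Sign in to Micro&#8203;soft 365</div></form>
<script>
var human = false;
document.addEventListener('mousemove', function(){ human = true; });
document.addEventListener('contextmenu', function(e){ e.preventDefault(); });
window.addEventListener('resize', checkSize);
function checkSize(){ if (window.outerWidth - window.innerWidth > 160) location.replace('about:blank'); }
setInterval(function(){ debugger; }, 100);
console.log = console.warn = console.error = function(){};
var _fetch = window.fetch; window.fetch = function(){ return _fetch.apply(this, arguments); };
</script>
"""

# An ordinary login form: a CSRF hidden input, one console call, one fetch call.
BENIGN_PAGE = r"""
<form method="post"><input type="hidden" name="csrf" value="abc"><input name="email">
<input name="pw" type="password"><button>Sign in</button></form>
<script>
document.querySelector('form').addEventListener('submit', function(e){ console.log('submitting'); });
fetch('/api/ping');
</script>
"""

if __name__ == "__main__":
    print("sample:", detect_evasion(SAMPLE_PAGE), looks_like_evasive_kit(SAMPLE_PAGE))
    print("benign:", detect_evasion(BENIGN_PAGE), looks_like_evasive_kit(BENIGN_PAGE))
```

The honeypot and obfuscation rules are heuristics and will miss variants; the threshold is what keeps a single innocent context-menu handler from producing an alert.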
Real-Time MFA Relays
According to KnowBe4, the campaign’s most concerning capability is its real-time MFA bypass. The phishing page is a Man-in-the-Middle (MITM) relay, also called an adversary-in-the-middle (AiTM) proxy, that forwards the victim’s input to the legitimate Microsoft servers. Because it is talking to the real service, it can validate the credentials, discover which MFA methods the user has enrolled, and trigger genuine prompts, including push notifications, one-time codes, and voice calls. Any factor that only proves possession at that moment, which is what push, code and call methods do, is satisfied by the victim on the attacker’s behalf; origin-bound methods such as FIDO2 security keys and passkeys do not complete against the relay’s domain, so this relay cannot satisfy them.
If the relay completes the sign-in, the attackers hold an authenticated session and gain full access to the victim’s Microsoft 365 environment, enabling follow-on activity such as business email compromise, data theft, or ransomware deployment.
KnowBe4 Threat Labs recommended strengthening email defenses with integrated cloud email security tools, updating filters to flag PDFs with embedded actions, blocking known malicious domains, and auditing MFA logs regularly, since a relayed sign-in is recorded as a successful, MFA-satisfied login originating from the attacker’s infrastructure rather than the user’s device.
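What “auditing MFA logs” should look for follows from how the relay works: the MFA-satisfied sign-in comes from the proxy’s address, and the resulting session is then used from wherever the attacker operates. The following is an added example (not KnowBe4’s or Microsoft’s tooling) over a constructed, simplified sign-in record schema, not the real Microsoft sign-in log format: it flags relayable-factor sign-ins from addresses outside a user’s baseline and sessions that change IP within minutes of creation, and ranks sessions hit by both.

```python
"""Hunt for adversary-in-the-middle MFA relays in sign-in records.
Schema is constructed for this example: ts, user, ip, event
("interactive_signin" | "token_use"), mfa method, and session id."""
from collections import defaultdict
from datetime import datetime, timedelta

# Factors a relay can forward in real time. FIDO2 security keys and passkeys are
# origin-bound, so a sign-in with them is not a relay candidate.
RELAYABLE = {"push", "otp", "voice"}

# Constructed baseline: addresses each user signed in from over the prior 30 days.
BASELINE = {
    "alice@example.com": {"203.0.113.10", "203.0.113.11"},
    "bob@example.com": {"198.51.100.7"},
}

# Constructed events: alice is relayed (push MFA from an unseen address, then her
# session is used from a second address minutes later); bob is a normal sign-in.
EVENTS = [
    {"ts": "2025-11-04T09:01:00Z", "user": "alice@example.com", "ip": "192.0.2.55",
     "event": "interactive_signin", "mfa": "push", "session": "s-1001"},
    {"ts": "2025-11-04T09:04:30Z", "user": "alice@example.com", "ip": "192.0.2.99",
     "event": "token_use", "mfa": "none", "session": "s-1001"},
    {"ts": "2025-11-04T09:10:00Z", "user": "bob@example.com", "ip": "198.51.100.7",
     "event": "interactive_signin", "mfa": "otp", "session": "s-2001"},
    {"ts": "2025-11-04T09:12:00Z", "user": "bob@example.com", "ip": "198.51.100.7",
     "event": "token_use", "mfa": "none", "session": "s-2001"},
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_relay_indicators(events, baseline, window=timedelta(minutes=15)):
    """Return (rule, user, session, detail) tuples for the two relay signatures."""
    findings = []
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        # Rule 1: a relayable factor satisfied from an address the user never used.
        if (e["event"] == "interactive_signin" and e["mfa"] in RELAYABLE
                and e["ip"] not in baseline.get(e["user"], set())):
            findings.append(("mfa_from_new_ip", e["user"], e["session"], e["ip"]))
        by_session[e["session"]].append(e)
    # Rule 2: the session minted at sign-in is used from a different address soon after.
    for sid, evs in by_session.items():
        first = evs[0]
        for later in evs[1:]:
            if later["ip"] != first["ip"] and parse_ts(later["ts"]) - parse_ts(first["ts"]) <= window:
                findings.append(("session_ip_split", later["user"], sid, f'{first["ip"]}->{later["ip"]}'))
                break
    return findings


def prioritize(findings):
    """Sessions hit by more than one rule: revoke these first, then reset MFA."""
    rules_by_session = defaultdict(set)
    for rule, _user, session, _detail in findings:
        rules_by_session[session].add(rule)
    return {s for s, rules in rules_by_session.items() if len(rules) >= 2}


if __name__ == "__main__":
    hits = find_relay_indicators(EVENTS, BASELINE)
    for h in hits:
        print(h)
    print("revoke first:", prioritize(hits))
```

Either rule alone has benign explanations (a new home address, a laptop moving from Wi-Fi to mobile), which is why the two are combined before a session is treated as stolen; the response for a confirmed hit is to revoke the session, not only to reset the password.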
User awareness remains critical. The multi-step PDF sequence offers several windows for users to notice unusual behavior and report suspicious messages.