Hackers Fake OneNote Login to Steal Microsoft Emails

Hackers are deploying a highly sophisticated phishing campaign that mimics Microsoft OneNote login prompts to steal Office 365 and Outlook credentials, according to researchers at ANY.RUN. The operation primarily targets Italian and U.S. users and abuses trusted platforms such as Notion, Glitch, Google Docs and RenderForest to host fake login pages. Victims receive emails with subject lines like “New Document Shared with you” that redirect them to malicious sites offering login options for multiple email services, including PEC, Italy’s certified email system.

The campaign, active since January 2022, exfiltrates stolen credentials through Telegram bots, using hardcoded bot tokens and chat IDs. Attackers use ipify.org to capture victims’ IP addresses and, after the theft, redirect users to legitimate Microsoft login pages to avoid suspicion. The campaign has evolved over time, experimenting with obfuscation techniques like nested URL encoding and Base64. Security analysts recommend monitoring for suspicious Telegram API calls and domain chains indicative of this threat.
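One way to act on that monitoring recommendation, as an added example that is not from ANY.RUN or the original article: a Python check that flags clients whose web traffic shows an ipify.org lookup followed shortly by a Telegram Bot API `send*` call. The log layout (timestamp, client IP, URL), the sample lines, the two-minute window and the severity labels are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed proxy-log lines (timestamp, client IP, URL); not real traffic.
SAMPLE_LOG = """\
2024-05-02T09:14:01 10.0.4.17 https://api.ipify.org/?format=json
2024-05-02T09:14:09 10.0.4.17 https://api.telegram.org/bot<REDACTED_TOKEN>/sendMessage
2024-05-02T09:20:00 10.0.4.23 https://api.ipify.org/
2024-05-02T10:45:30 10.0.4.23 https://api.telegram.org/bot<REDACTED_TOKEN>/getUpdates
2024-05-02T11:02:12 10.0.4.31 https://api.telegram.org/bot<REDACTED_TOKEN>/sendMessage
2024-05-02T11:05:00 10.0.4.40 https://login.microsoftonline.com/
"""

IPIFY = re.compile(r"^https?://([a-z0-9-]+\.)?ipify\.org(/|$)", re.I)
# Bot API methods that push data to a chat (sendMessage, sendDocument, ...).
TELEGRAM_SEND = re.compile(r"^https?://api\.telegram\.org/bot[^/]+/send\w+", re.I)


def find_exfil(log_text, window=timedelta(minutes=2)):
    """Return (client, timestamp, severity) for each Telegram send call.

    'high'   = same client looked up its public IP within `window` beforehand
               (the domain chain described in the article).
    'medium' = Telegram send call with no recent IP lookup; still worth review
               on networks where endpoints should not talk to the Bot API.
    """
    last_ip_lookup = {}
    findings = []
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # skip malformed lines
        ts_raw, client, url = parts
        try:
            ts = datetime.fromisoformat(ts_raw)
        except ValueError:
            continue
        if IPIFY.match(url):
            last_ip_lookup[client] = ts
        elif TELEGRAM_SEND.match(url):
            seen = last_ip_lookup.get(client)
            chained = seen is not None and timedelta(0) <= ts - seen <= window
            findings.append((client, ts_raw, "high" if chained else "medium"))
    return findings


if __name__ == "__main__":
    for finding in find_exfil(SAMPLE_LOG):
        print(*finding)
```

On encrypted traffic without TLS inspection only hostnames are visible, so the same correlation would have to run on DNS or SNI records for `api.ipify.org` and `api.telegram.org` rather than full URLs.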
