Inside the Telegram-Driven Phishing Operation Targeting Microsoft 365 and Italian Organizations

A Dangerous Game of Deception and Data Theft

Since early 2022, cybercriminals have been orchestrating a highly sophisticated phishing campaign that impersonates Microsoft OneNote login pages to steal credentials from unsuspecting users. What sets this operation apart is its deep focus on Italian organizations and its use of Telegram bots to exfiltrate sensitive information, signaling a troubling shift in how cyberattacks are evolving.

Disguised behind legitimate services like Notion and Glitch, these phishing pages appear to be authentic document-sharing invites. Victims are lured into a trap: once they try to access the document, they’re led to fake login portals that imitate services like Office365, Outlook, and Italy’s PEC certified email system. The moment they enter their credentials, the malicious backend gets to work—capturing IP addresses via ipify.org, and immediately sending the stolen data to pre-programmed Telegram bots.

Security experts have been tracking the threat for over three years, noting its continual evolution. Early data exfiltration used simple web forms, but by February 2022, attackers began relying on Telegram bots, embedded directly into their phishing scripts. Researchers discovered specific bots, like “Sultanna” and “remaxx24”, used to siphon off credentials and location data. After stealing login information, victims are redirected to legitimate Microsoft login pages to keep them unaware that anything malicious just occurred.

Targeting is no accident: most of the phishing content is crafted in Italian, with many domains using Italian terms. Key sectors hit include logistics, utilities, and certified email providers. Domains such as aedsrl.it and gruppoamag.it were identified as victims. Despite the attack’s low technical complexity and use of free hosting platforms (like Notion, Glitch, Google Docs, and RenderForest), the phishing flow is effective—showing either a deliberate low-cost strategy or a focus purely on access brokering.

Researchers recommend heightened vigilance, especially monitoring for the attack pattern: Notion → Glitch → Telegram API. Detection signatures should be developed specifically for Telegram bot traffic in corporate environments. Thanks to intercepted Telegram communications, analysts were able to confirm the attack is still ongoing as of April 2025, and now also affects some American targets.

What Undercode Says:

The phishing campaign described is an excellent example of how simplicity, when combined with deception and free online tools, can result in high-impact cybercrime. This operation is not just about stealing passwords — it’s about access, infiltration, and long-term value extraction from the digital identities of its victims.

From a technical standpoint, the campaign is deceptively simple. Hosting phishing pages on Notion and Glitch makes them harder to flag as suspicious since these are trusted services. Redirecting victims to a legitimate Microsoft login page after the credentials are stolen further decreases the chances of detection. The attackers’ cleverness lies in the psychological aspect — trust is their greatest weapon.

Using Telegram bots for data exfiltration is a double-edged sword. On one hand, it gives attackers immediate access to stolen data, bypassing more traditional and trackable methods. On the other, it offers a foothold for researchers to intercept and analyze communications, as was done in this case. The presence of hardcoded bot tokens and chat IDs is both a vulnerability for the attackers and a useful trail for defenders.

The campaign’s targeting of Italian institutions reveals a calculated regional focus. It suggests that either the threat actors are native Italian speakers or are selling these credentials to buyers interested specifically in the Italian cyber environment. Italy’s PEC system, used for legally certified emails, is a particularly high-value target — gaining access to it could allow impersonation in legal or governmental correspondence.

Over time, the campaign has improved its tactics while remaining cost-efficient. The use of nested URLs and base64 encoding shows a level of technical skill, though not elite. This supports the theory that the operators are more interested in bulk credential theft and resale than in high-end espionage.

The slow pace of operation and minimalistic infrastructure may indicate a deliberate effort to fly under the radar — or a team with limited resources that has found a cost-effective method to gain maximum output. In either case, the threat is real and ongoing.

Organizations should not underestimate these “low-tech” operations. Many high-profile data breaches begin with phishing emails that appear routine. In this case, the redirection chain and use of Telegram bots provide a clear footprint. Security teams must learn to identify these clues early.

By focusing detection tools on Telegram bot communication and tracking the specific platforms used for hosting phishing content, companies can gain an edge in identifying and halting similar campaigns. As attacks evolve, so must defense strategies — not just technologically, but also in terms of user education and awareness.
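The two detection ideas above (flagging Telegram Bot API traffic from corporate egress, and spotting the Notion → Glitch → Telegram API sequence per client) can be prototyped against proxy logs. The following is an added illustration, not code from the researchers or the campaign; the log format, client addresses, host names and bot token are constructed placeholders, and the alert deliberately records only the numeric bot id so the secret token is never copied into a ticket.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample egress-proxy lines: "<ISO time> <client> <method> <url>".
# Host names and the bot token are made-up placeholders, not real indicators.
SAMPLE_LOG = """\
2025-04-10T09:14:02 10.1.5.23 GET https://invite-docs.notion.site/Documento-Condiviso
2025-04-10T09:14:09 10.1.5.23 GET https://shared-onenote-login.glitch.me/
2025-04-10T09:14:31 10.1.5.23 POST https://api.telegram.org/bot1234567890:AAExampleTokenXyz/sendMessage
2025-04-10T09:20:15 10.1.5.40 GET https://www.notion.so/product
2025-04-10T11:02:44 10.1.5.77 POST https://api.telegram.org/bot1234567890:AAExampleTokenXyz/getMe
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
# Bot API calls carry the token in the path: /bot<numeric id>:<secret>/<method>
BOT_PATH_RE = re.compile(r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")
STAGES = {"notion": re.compile(r"notion\.(site|so)"),
          "glitch": re.compile(r"glitch\.(me|com)"),
          "telegram": re.compile(r"api\.telegram\.org")}

def parse(log_text):
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, url = m.groups()
            yield datetime.fromisoformat(ts), client, method, url

def detect(log_text, window=timedelta(minutes=10)):
    alerts = []
    seen = defaultdict(dict)  # client -> {stage: time first seen}
    for ts, client, method, url in parse(log_text):
        bot = BOT_PATH_RE.search(url)
        if bot:
            bot_id, _secret, api_method = bot.groups()
            # Keep the numeric bot id for correlation; never store the secret part.
            alerts.append(("telegram_bot_api", client, f"bot {bot_id} method {api_method}"))
        for stage, pattern in STAGES.items():
            if pattern.search(url) and stage not in seen[client]:
                seen[client][stage] = ts
        s = seen[client]
        if all(k in s for k in STAGES):
            # Only the Notion -> Glitch -> Telegram order within the window counts.
            if s["notion"] <= s["glitch"] <= s["telegram"] and s["telegram"] - s["notion"] <= window:
                alerts.append(("notion_glitch_telegram_chain", client, f"first hit {s['notion'].isoformat()}"))
            del seen[client]  # reset so a later sequence from this client is tracked afresh
    return alerts
```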

Fact Checker Results:

✅ Attack confirmed active since January 2022

✅ Telegram bots used to exfiltrate credentials

✅ Primarily targets Italian entities with authentic-looking OneNote pages 🚨

Prediction:

Given its continued success and minimal overhead, this phishing operation is likely to expand further into other European countries, especially those with similar certified email systems. The use of Telegram bots may evolve into more encrypted or decentralized communication methods. Expect more campaigns to exploit trusted services like Notion and Glitch — defenders must act now to counter this new wave of phishing warfare.

References:

Reported By: cyberpress.org