In early 2025, Nimblr’s Cyber Intelligence team uncovered a highly targeted phishing attack aimed at a major Swedish sporting event. The attack was designed to bypass traditional email defenses and exploit user trust by abusing legitimate platforms. Here’s how our honeypot system identified, traced, and responded to the threat—before it could spread further.
Background: Behavioral threats over technical exploits
Unlike attacks that target infrastructure or exploit zero-day vulnerabilities, this campaign focused entirely on the end user. The attacker’s goal was to steal Microsoft 365 credentials by crafting a chain of convincing but deceptive steps.
Thanks to one of Nimblr’s deployed honeypots, a decoy email address embedded in a realistic but fake corporate website, our team captured the phishing email in real time.
Step-by-Step: Anatomy of the attack
Step 1: Delivery via legitimate infrastructure
The phishing email was sent from a legitimate, compromised Microsoft Exchange account belonging to the CEO of the event organizer. Because the email originated from a trusted source, it bypassed most spam filters and security checks.
Step 2: Deceptive content and timing
The email included a message referencing a “project proposal” and linked to a document hosted on Microsoft OneDrive. Notably, the message was timed just days before the start of the sports event, leveraging urgency and relevance to increase click-through rates.
Step 3: Use of a trusted platform as a first layer
The initial OneDrive link led to a genuine Microsoft-hosted page, further reinforcing the legitimacy of the email. This page contained a document with a second embedded link.
Step 4: Payload delivery via indirect link
Only upon clicking the secondary link did the actual malicious content appear: a fake Microsoft login page designed to harvest credentials. The page mimicked Microsoft’s branding and behavior, with the only clue being a non-Microsoft URL—something most users would miss.
Threat analysis and containment
After detecting the email, Nimblr’s team initiated a structured threat analysis:
- Header inspection: Revealed legitimate routing and sending domains
- Code review: Uncovered obfuscated scripts on the phishing page used for credential capture
- Sandbox testing: Simulated user interaction to safely extract indicators of compromise (IOCs)
- Attribution and mitigation: Identified the hosting provider, registrar, and script origins. Actions were taken to report the domain and notify the compromised organization
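To make the attack chain in Steps 1 to 4 and the analysis steps above concrete, here is a small detection sketch added to this write-up. It is not Nimblr's tooling: the sample email, the share link, the hop map and the landing-page hostname are all constructed for illustration and are not indicators from the real case. It checks the Authentication-Results header (which, as in this incident, passes cleanly because the sending mailbox was genuinely compromised), extracts the first link, walks a constructed stand-in for the OneDrive-to-landing-page chain, and flags the pattern the article describes: a trusted first hop that ends on a brand-mimicking host that is not a Microsoft login endpoint.

```python
"""Detection sketch for multi-stage phishing that rides a trusted platform.

Added example, not Nimblr's tooling. Every value below (the sample email,
the share link, the hop map, the landing-page host) is constructed for
illustration and is not an indicator from the real case.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

# Platforms that commonly serve as the benign-looking first hop of a link chain.
TRUSTED_FIRST_HOPS = ("onedrive.live.com", "1drv.ms", "sharepoint.com")
# Hosts that may legitimately present a Microsoft sign-in page.
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
# Brand words whose presence in a non-Microsoft hostname is a lure signal.
BRAND_WORDS = ("microsoft", "office", "o365", "login", "signin")

# Constructed sample message. SPF/DKIM/DMARC pass because the sending mailbox
# was genuinely compromised, so header inspection alone clears it.
SAMPLE_EMAIL = """\
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=event-org.test; dkim=pass header.d=event-org.test; dmarc=pass
From: CEO <ceo@event-org.test>
To: info@decoy-company.test
Subject: Project proposal
Content-Type: text/plain; charset=utf-8

Hi, please review the project proposal before the event starts:
https://1drv.ms/x/constructed-share-id
"""

# Constructed stand-in for following the chain (share link -> OneDrive document ->
# link embedded in the document). A live tool would fetch each hop inside a
# sandbox; a fixed map keeps this example offline.
CONSTRUCTED_CHAIN = {
    "https://1drv.ms/x/constructed-share-id": "https://onedrive.live.com/view?id=constructed",
    "https://onedrive.live.com/view?id=constructed": "https://office365-login-verify.test/auth",
}


def auth_results(raw_email: str) -> dict:
    """Return {'spf': 'pass', ...} parsed from the Authentication-Results header."""
    header = message_from_string(raw_email).get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, flags=re.I))


def extract_urls(raw_email: str) -> list:
    """Pull http(s) URLs out of a plain-text body."""
    body = message_from_string(raw_email).get_payload()
    return re.findall(r"https?://[^\s<>\"']+", body)


def follow_chain(url: str, chain: dict, max_hops: int = 10) -> list:
    """Walk the (constructed) hop map from the first URL to the landing page."""
    hops = [url]
    while hops[-1] in chain and len(hops) < max_hops:
        hops.append(chain[hops[-1]])
    return hops


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_trusted_first_hop(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_FIRST_HOPS)


def classify_chain(hops: list) -> str:
    """Flag a chain that starts on a trusted platform but lands on a
    brand-mimicking host that is not a Microsoft login endpoint."""
    first, last = host_of(hops[0]), host_of(hops[-1])
    if (len(hops) > 1 and is_trusted_first_hop(first)
            and last not in MICROSOFT_LOGIN_HOSTS
            and any(w in last for w in BRAND_WORDS)):
        return "suspicious: trusted first hop ends on brand-mimicking non-Microsoft host"
    return "no chain anomaly"


def analyze(raw_email: str, chain: dict) -> dict:
    """Combine header inspection with link-chain analysis. Passing auth results
    do not short-circuit the verdict: a compromised real mailbox passes them."""
    auth = auth_results(raw_email)
    urls = extract_urls(raw_email)
    hops = follow_chain(urls[0], chain) if urls else []
    return {
        "auth_all_pass": bool(auth) and all(v.lower() == "pass" for v in auth.values()),
        "hops": hops,
        "final_host": host_of(hops[-1]) if hops else "",
        "verdict": classify_chain(hops) if hops else "no links",
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EMAIL, CONSTRUCTED_CHAIN).items():
        print(f"{key}: {value}")
```

The point of keeping `auth_all_pass` and `verdict` as separate fields is the lesson of Step 1: SPF, DKIM and DMARC all pass when a real mailbox has been taken over, so a pipeline that stops at header checks sees nothing. The chain walk is what surfaces the hand-off from a genuine Microsoft-hosted page to an unrelated domain, and the same logic applies to any trusted-platform first hop, not only OneDrive.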
Despite immediate outreach, the malicious OneDrive document remained online for six days, illustrating the need for faster response coordination between organizations and IT vendors.
Why traditional security missed it
This attack highlights a growing trend: the abuse of legitimate platforms like OneDrive, Exchange, and SharePoint to deliver multi-stage payloads that evade perimeter defenses. The initial payload appeared completely benign, and only deeper in the attack chain did malicious behavior emerge.
Outcome and operational impact
- The phishing page was taken down
- Nimblr added the attack pattern and IOCs to its internal intelligence database
- Real-world samples from the attack were transformed into simulations for customer training within Nimblr’s security awareness training platform
- Findings were also shared with trusted security partners to contribute to collective cyber resilience
Key takeaways for CISOs and IT managers
- Multi-stage phishing is on the rise. Legitimate services are being weaponized in ways that defeat most automated filters
- Credential compromise can originate from trusted contacts. Always verify unexpected content, even from known senders
- Proactive intelligence makes the difference. Nimblr honeypots provided early detection, enabling rapid response and awareness
Strengthen your front line
Want to understand how Nimblr’s Cyber Intelligence and honeypot systems can protect your organization from evolving user-targeted threats?
Contact us today or explore our Security Awareness Training platform to learn more.