Case Study: How Nimblr honeypots detected a multi-stage phishing attack

Written by Nimblr Security Awareness | Oct 15, 2025 2:12:51 PM

In early 2025, Nimblr’s Cyber Intelligence team uncovered a highly targeted phishing attack aimed at a major Swedish sporting event. The attack was designed to bypass traditional email defenses and exploit user trust by abusing legitimate platforms. Here’s how our honeypot system identified, traced, and responded to the threat—before it could spread further. 

Background: Behavioral threats over technical exploits 

Unlike attacks that target infrastructure or exploit zero-day vulnerabilities, this campaign focused entirely on the end user. The attacker’s goal was to steal Microsoft 365 credentials by crafting a chain of convincing but deceptive steps. 

Thanks to one of Nimblr’s deployed honeypots, a decoy email address embedded in a realistic but fake corporate website, our team captured the phishing email in real time. 

Step-by-Step: Anatomy of the attack 

Step 1: Delivery via legitimate infrastructure 
The phishing email was sent from a legitimate, compromised Microsoft Exchange account belonging to the CEO of the event organizer. Because the email originated from a trusted source, it bypassed most spam filters and security checks. 

Step 2: Deceptive content and timing 
The email included a message referencing a “project proposal” and linked to a document hosted on Microsoft OneDrive. Notably, the message was timed just days before the start of the sports event, leveraging urgency and relevance to increase click-through rates. 

Step 3: Use of a trusted platform as a first layer 
The initial OneDrive link led to a genuine Microsoft-hosted page, further reinforcing the legitimacy of the email. This page contained a document with a second embedded link. 

Step 4: Payload delivery via indirect link 
Only upon clicking the secondary link did the actual malicious content appear: a fake Microsoft login page designed to harvest credentials. The page mimicked Microsoft’s branding and behavior, with the only clue being a non-Microsoft URL—something most users would miss. 

Threat analysis and containment 

After detecting the email, Nimblr’s team initiated a structured threat analysis: 

  • Header inspection: Revealed legitimate routing and sending domains 
  • Code review: Uncovered obfuscated scripts on the phishing page used for credential capture 
  • Sandbox testing: Simulated user interaction to safely extract indicators of compromise (IOCs) 
  • Attribution and mitigation: Identified the hosting provider, registrar, and script origins. Actions were taken to report the domain and notify the compromised organization 
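
The attack chain in Steps 1 through 4 and the triage steps above can be turned into a small, repeatable check. The Python below is an added example for this post, not Nimblr's tooling or anything from the case: it parses a captured email, records the sending domain and authentication results from the headers, labels each hop of the link chain as a trusted Microsoft platform or an external host, and flags the final landing page when it carries Microsoft sign-in branding and a password field on a host Microsoft does not own. The Microsoft host allowlist is an illustrative subset, and the email, link chain and landing page are constructed sample data (placeholder document id, reserved example domains) standing in for the real artifacts.

```python
"""Triage helper for a multi-stage phishing chain (added example, not from the case study)."""
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Illustrative subset of hosts Microsoft serves sign-in and file sharing from.
# Assumption: a real deployment maintains this list from vendor documentation.
MICROSOFT_HOSTS = {"login.microsoftonline.com", "login.live.com", "onedrive.live.com", "1drv.ms"}
MICROSOFT_SUFFIXES = (".sharepoint.com", ".onedrive.com", ".microsoft.com")

# Phrases that belong on a genuine Microsoft sign-in page.
BRANDING_MARKERS = ("sign in to your account", "microsoft", "office 365")


def is_microsoft_host(host: str) -> bool:
    host = host.lower().rstrip(".")
    return host in MICROSOFT_HOSTS or host.endswith(MICROSOFT_SUFFIXES)


def header_summary(msg: Message) -> dict:
    """Header inspection: note the sending domain and auth results. A clean
    SPF/DKIM/DMARC result from a compromised account is recorded, not trusted."""
    match = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return {
        "from_domain": match.group(1).lower() if match else "",
        "auth_results": msg.get("Authentication-Results", ""),
        "received_hops": len(msg.get_all("Received", [])),
    }


def extract_urls(msg: Message) -> list[str]:
    """Pull every http(s) URL out of the text parts of the parsed email."""
    urls: list[str] = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            body = raw.decode(part.get_content_charset() or "utf-8", "replace")
            urls += re.findall(r"https?://[^\s\"'<>]+", body)
    return urls


def classify_chain(chain: list[str]) -> list[tuple[str, str]]:
    """Label each hop: a trusted first hop ending on an external host is the pattern here."""
    labels = []
    for url in chain:
        host = urlparse(url).hostname or ""
        labels.append((host, "trusted-platform" if is_microsoft_host(host) else "external"))
    return labels


def looks_like_credential_harvest(final_url: str, html: str) -> bool:
    """Microsoft branding plus a password form on a non-Microsoft host."""
    host = urlparse(final_url).hostname or ""
    text = html.lower()
    branded = any(marker in text for marker in BRANDING_MARKERS)
    has_password_field = re.search(r"<input[^>]+type=[\"']?password", text) is not None
    return branded and has_password_field and not is_microsoft_host(host)


def triage(raw_email: str, chain: list[str], landing_html: str) -> dict:
    msg = message_from_string(raw_email)
    hops = classify_chain(chain)
    verdict = {
        "headers": header_summary(msg),
        "urls_in_mail": extract_urls(msg),
        "chain": hops,
        "first_hop_trusted": bool(hops) and hops[0][1] == "trusted-platform",
        "final_hop_external": bool(hops) and hops[-1][1] == "external",
        "credential_harvest": bool(chain) and looks_like_credential_harvest(chain[-1], landing_html),
    }
    verdict["multi_stage_phish"] = (
        verdict["first_hop_trusted"] and verdict["final_hop_external"] and verdict["credential_harvest"]
    )
    return verdict


# Constructed sample data (reserved example domains, placeholder id), not the captured artifacts.
SAMPLE_EMAIL = """\
From: CEO <ceo@event-organizer.example.org>
To: decoy@honeypot.example.com
Subject: Project proposal
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Received: from mail.example.org by mx.example.com; Mon, 1 Jan 2025 09:00:00 +0000
Content-Type: text/plain; charset="utf-8"

Please review the project proposal before the event:
https://onedrive.live.com/?id=PLACEHOLDER_DOC_ID
"""
# First hop is the hosted document; the second link inside it is the fake sign-in page.
SAMPLE_CHAIN = [
    "https://onedrive.live.com/?id=PLACEHOLDER_DOC_ID",
    "https://login-microsoft.example.net/auth/?user=decoy%40honeypot.example.com",
]
SAMPLE_LANDING = """<html><title>Sign in to your account</title>
<img alt="Microsoft"><form method="post" action="/collect">
<input type="email" name="login"><input type="password" name="passwd">
</form></html>"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL, SAMPLE_CHAIN, SAMPLE_LANDING).items():
        print(f"{key}: {value}")
```

The point of splitting the logic this way is that no single signal decides: the headers pass, the first link is genuinely Microsoft-hosted, and only the combination of a trusted first hop, an external final hop and a branded password form produces the verdict. The landing page HTML is expected to come from a sandboxed fetch, as in the analysis steps above, never from a live click.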

Despite immediate outreach, the malicious OneDrive document remained online for six days, illustrating the need for faster response coordination between organizations and IT vendors. 

Why traditional security missed it 

This attack highlights a growing trend: the abuse of legitimate platforms like OneDrive, Exchange, and SharePoint to deliver multi-stage payloads that evade perimeter defenses. The initial payload appeared completely benign, and only deeper in the attack chain did malicious behavior emerge. 

Outcome and operational impact 

  • The phishing page was taken down 
  • Nimblr added the attack pattern and IOCs to its internal intelligence database 
  • Real-world samples from the attack were transformed into simulations for customer training within Nimblr’s security awareness training platform 
  • Findings were also shared with trusted security partners to contribute to collective cyber resilience 

Key Takeaways for CISOs and IT managers

  • Multi-stage phishing is on the rise. Legitimate services are being weaponized in ways that defeat most automated filters 
  • Credential compromise can originate from trusted contacts. Always verify unexpected content, even from known senders 
  • Proactive intelligence makes the difference. Nimblr honeypots provided early detection, enabling rapid response and awareness 

Strengthen your front line

Want to understand how Nimblr’s Cyber Intelligence and honeypot systems can protect your organization from evolving user-targeted threats? 

Contact us today or explore our Security Awareness Training platform to learn more.