By simulating real companies and users, Nimblr honeypots detected a sophisticated phishing attack targeting Swedish users. The threat exploited trusted platforms to bypass security, highlighting the power of early detection and behavioral defense.
Honeypots are simulated digital environments, such as fake companies, email addresses, and websites. They are designed to attract and observe cyberattacks in a controlled and safe manner. At Nimblr, our Cyber Intelligence team uses these decoys to proactively detect and analyze phishing attempts, malware campaigns, and other forms of cyberthreats before they reach end users.
By capturing the attacker’s behavior in real time, honeypots provide valuable insights into the tools, tactics, and infrastructure used by cybercriminals. This intelligence allows us to improve defenses, create targeted training content, and strengthen protection across the wider security ecosystem.
Honeypots are a cornerstone of Nimblr’s threat detection strategy. They enable our Cyber Intelligence team to:
By operating realistic honeypots, we can respond to cyber threats with speed and precision, translating technical discoveries into action.
In a recent case, one of Nimblr’s honeypots detected a highly sophisticated phishing email. What set this attack apart was its use of a compromised, legitimate Microsoft Exchange account. The email was crafted to appear professional and trustworthy, referencing an attached project proposal and linking to a real OneDrive page.
However, the document hosted on OneDrive contained a hidden second link. When clicked, the user was redirected to a counterfeit Microsoft login page designed to steal credentials.
The attack leveraged trusted infrastructure, Microsoft's own servers, which allowed the email to bypass most spam filters and traditional security checks. This multi-stage approach, where malicious actions are delayed and hidden behind legitimate-looking steps, is an increasingly common tactic used by cybercriminals to avoid detection.
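The following is an added example, not Nimblr's tooling or code from the incident: it shows why a check that stops at the email's own link misses this multi-stage pattern, while following the link into the shared document surfaces the credential page. The host lists, keyword hints, sample email, sample document and the `fetch_document` callback are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed lists for this example; adjust to your own environment.
MS_SUFFIXES = ("microsoft.com", "microsoftonline.com", "live.com",
               "office.com", "sharepoint.com", "1drv.ms")
SHARE_SUFFIXES = ("sharepoint.com", "onedrive.live.com", "1drv.ms")
LOGIN_HINTS = ("login", "signin", "microsoft", "office", "o365")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

# Constructed sample data (not taken from the real incident).
EMAIL_BODY = ("Please review the attached project proposal:\n"
              "https://onedrive.live.com/view?id=CONSTRUCTED-EXAMPLE\n")
SHARED_DOCS = {
    "https://onedrive.live.com/view?id=CONSTRUCTED-EXAMPLE":
        "Project proposal\nOpen the full document: "
        "https://microsoft-login.example.net/signin\n",
}

def host_under(url, suffixes):
    """True if the URL's host equals, or is a subdomain of, one of the suffixes."""
    h = (urlsplit(url).hostname or "").lower()
    return any(h == s or h.endswith("." + s) for s in suffixes)

def looks_like_fake_ms_login(url):
    """Login-themed URL that is not served from a genuine Microsoft host."""
    if host_under(url, MS_SUFFIXES):
        return False
    parts = urlsplit(url)
    text = ((parts.hostname or "") + parts.path).lower()
    return any(hint in text for hint in LOGIN_HINTS)

def analyse_chain(email_body, fetch_document):
    """Check email links (stage 1), then links inside shared documents (stage 2)."""
    findings = []
    for link in URL_RE.findall(email_body):
        if looks_like_fake_ms_login(link):
            findings.append(("email", link))
        elif host_under(link, SHARE_SUFFIXES):
            # Hypothetical fetch_document: returns document text, e.g. from a sandbox.
            for inner in URL_RE.findall(fetch_document(link)):
                if looks_like_fake_ms_login(inner):
                    findings.append(("document", inner))
    return findings

if __name__ == "__main__":
    for stage, url in analyse_chain(EMAIL_BODY, lambda u: SHARED_DOCS.get(u, "")):
        print(f"suspicious link found in {stage}: {url}")
```

With the constructed data, the email stage produces no finding because its only link points at a genuine OneDrive host; the finding comes from the second stage.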
Upon discovering the attack, Nimblr’s Cyber Intelligence team traced the payload delivery, analyzed the credential-harvesting scripts, and identified the hosting infrastructure. We also alerted the compromised organization and reported the malicious page to relevant hosting providers.
Despite these efforts, the fraudulent document remained accessible online for six days, underscoring the importance of rapid response and coordinated mitigation across platforms.
This incident highlights several key aspects of modern cyberattacks and the importance of proactive defense strategies:
Cybercriminals continue to evolve their tactics. At Nimblr, so do we, by combining technical intelligence with behavioral insights to stay one step ahead.