Expert Intel

Analysing Targeted Spearphishing: Social Engineering, Domain Rotation, and Credential Theft

Published: August 27, 2025
Updated: December 02, 2025

Expert: Charlie Kelly

Role: Principal Security Analyst

Specialises in: Incident Response

What you will learn:
In this Expert Intel, our Principal Security Analyst breaks down how a new spearphishing campaign operates, and the practical steps organisations must take to recognise, resist, and respond to this type of attack.

The Stripe OLT SOC has identified a sophisticated spearphishing campaign targeting senior employees, particularly those in C-suite and leadership positions.

The actors behind this campaign are sending tailored emails that impersonate internal HR communications, presented as a document shared via OneDrive, to trick recipients into entering their corporate credentials.

Targets: Executives and senior leadership across multiple industries
Email Content: Subject lines reference “Salary amendment” or “FIN_SALARY” and pose as OneDrive document-sharing notifications.
Credential Theft Page: The link leads to a convincing Microsoft Office/OneDrive login page, which harvests credentials. Both the email body and the phishing page are customised with the recipient’s name and company details to enhance credibility.
Delivery Method: Emails are sent via Amazon Simple Email Service (SES) infrastructure. The actor is rotating between many sending domains and subdomains to evade detection. To date, approximately 80 domains have been identified as part of this campaign.
Campaign Tactics: We have observed the actor “warming up” inboxes by sending an initial benign email days before the phishing attempt. Emails observed feature anti-detection techniques such as hidden characters and high-reputation external links, as well as single-use phishing URLs that self-destruct once accessed.
Image: financial salary amendment document received via email (screenshot from the Stripe OLT platform).

Our analysis of campaign infrastructure shows that the actor is leveraging multiple providers across delivery, registration, DNS, and hosting. Specifically:

Amazon SES – used for email delivery.
Cloudflare – observed as a frequent DNS/nameserver provider for related domains.
Akamai Cloud (formerly Linode) – identified as a hosting provider for phishing infrastructure.
Mat Bao Corporation – the most common registrar, with the majority of domains registered here.
Web Commerce Communications Limited (WebNic.cc) – additional registrar observed.
Luxhost – additional DNS/nameserver provider identified.

We have also observed the actor behind this campaign using obfuscated button text to bypass detection methods. When the initial email is viewed in Light Mode, the buttons appear as “Open” and “Share”.

In Dark Mode, concealed padding becomes visible, exposing randomised alphanumeric strings such as twPOpenHuxv and gQShareojxYI. This breaks up high-value trigger words like “Open” and “Share”, reducing the likelihood of detection by secure email gateways that apply string- or regex-based rules.
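The padding trick above defeats any rule that matches on the raw HTML string. As an added example (not code from the original post), the Python below extracts only the text a reader would actually see and flags a message when rendering reveals trigger words that the raw source conceals; the sample buttons and the list of hiding styles are constructed assumptions, since the page does not show the email's HTML.

```python
import re
from html.parser import HTMLParser

TRIGGER_WORDS = {"open", "share"}  # what a string/regex gateway rule looks for

# Inline styles that hide text from the reader. White text is invisible on the
# Light Mode background but shows in Dark Mode, matching the page's account;
# the other patterns are assumed variants of the same trick.
HIDDEN_STYLE = re.compile(
    r"color\s*:\s*(#fff(fff)?|white)\b|display\s*:\s*none|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*0|opacity\s*:\s*0", re.I)
VOID_TAGS = {"br", "img", "hr", "input"}  # never closed, so never pushed

class VisibleTextExtractor(HTMLParser):
    """Collect only the text a reader sees, skipping hidden elements."""
    def __init__(self):
        super().__init__()
        self.visible, self.stack = [], []  # stack: is-hidden flag per open tag

    def handle_starttag(self, tag, attrs):
        if tag not in VOID_TAGS:
            style = dict(attrs).get("style") or ""
            self.stack.append(bool(HIDDEN_STYLE.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        if not any(self.stack):
            self.visible.append(data)

def visible_text(html: str) -> str:
    parser = VisibleTextExtractor()  # rendered view: hidden padding dropped
    parser.feed(html)
    return re.sub(r"\s+", " ", "".join(parser.visible)).strip()

def raw_text(html: str) -> str:
    """What a naive rule sees: every text node, hidden padding included."""
    return re.sub(r"\s+", " ", re.sub(r"<[^>]+>", "", html)).strip()

def trigger_hits(text: str) -> set:
    return TRIGGER_WORDS & set(re.findall(r"[a-z]+", text.lower()))

def is_obfuscated(html: str) -> bool:
    # True when rendering reveals trigger words that the raw string concealed
    return bool(trigger_hits(visible_text(html)) - trigger_hits(raw_text(html)))

# Constructed sample modelled on the described buttons (not the real email).
SAMPLE_BUTTONS = (
    '<a href="https://example.invalid/o"><span style="color:#fff">twP</span>Open'
    '<span style="color:#fff">Huxv</span></a> <a href="https://example.invalid/s">'
    '<span style="color:#fff">gQ</span>Share<span style="color:#fff">ojxYI</span></a>')
```

Run against a message body, a non-empty difference between the rendered and raw trigger hits is itself a strong signal worth alerting on, independent of which words were hidden.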

To reduce exposure and strengthen internal resilience against threats like this, organisations should take the following steps – these aren’t optional safeguards, they’re the essentials:

Awareness for executives and assistants – Ensure that those most likely to be targeted understand this campaign. The actor is using realistic “salary amendment” subject lines and personalised company details to increase credibility.
Scepticism around unexpected documents – Remind staff to be cautious when receiving links or documents relating to HR, payroll, or salary matters, particularly when sent externally.
Reporting suspicious emails – Make it clear how to escalate suspicious messages quickly within your business. The faster these are reported to your security resource, the quicker they can take action to protect others.
Support staff training – Executive assistants and close colleagues are also high-value targets. Ensure they receive the same level of awareness training and support as C-suite members.

While awareness is the first line of defence, this campaign is sophisticated enough that relying solely on end-user caution is not enough. Security and IT teams should proactively hunt for IOCs and check whether their organisation has already been targeted.

Our SOC analysts recommend starting with targeted hunting queries and blocking domains linked to this campaign.

Run the following KQL query in Sentinel to detect emails that match the observed subject lines:

The following domains have been used for email sending:

Spearphishing is evolving, and adversaries are investing in more targeted, evasive tactics.

If you’d like support in strengthening your detection and response capabilities, book a free discovery session with our team. We’ll help you assess where you stand and understand how to get ahead.