A sophisticated new phishing kit, exhibiting clear signs of AI-assisted development, is actively targeting Microsoft Outlook users, primarily those who interact with the service in Spanish. This operation, which began in March 2025, has been identified by researchers through a distinctive signature of four mushroom emojis embedded within the string “OUTL.” The campaign has been observed in over 75 separate deployments, seeking to steal login credentials, email addresses, and sensitive user information.
The phishing kit expertly mimics the legitimate Microsoft Outlook login interface, presenting users with a convincing Spanish-language authentication page. Once victims enter their credentials, the kit automatically enriches this stolen data with valuable contextual information, including their IP addresses and geolocation details, by querying external APIs in real-time. This automated reconnaissance process occurs before the captured information is packaged and exfiltrated to the attackers.
AI-Assisted Development Fuels Sophisticated Phishing Kit Targeting Microsoft Users
The ongoing phishing campaign underscores a troubling trend in cybercrime: the integration of artificial intelligence into the development of malicious tools. Researchers at The Sage Hollow have been tracking this operation and noted a significant evolution in the phishing kit’s sophistication. While earlier variants employed heavy obfuscation techniques and anti-analysis traps to evade detection, more recent iterations showcase clean code, clearly named functions, and Spanish-language comments, all hallmarks strongly associated with AI-generated code rather than traditional manual development.
This AI-assisted development allows for the rapid creation and refinement of phishing kits, making them more effective and harder to detect. The consistent operational patterns observed across multiple variants, despite changes in obfuscation, suggest a well-planned and adaptable infrastructure behind the operation. The primary objective remains the compromise of Microsoft Outlook accounts, a gateway to a wealth of personal and professional data.
Infection Mechanism and Data Exfiltration
The infection mechanism of this phishing kit is characterized by a modular architecture that separates configuration data from execution logic. In initial deployments, a script named xjsx.js served as a configuration container, storing Telegram bot tokens and chat IDs through light array rotation obfuscation. This modularity allows for easier updates and adaptation of the kit by the operators.
The victim data collection follows a precise sequence. Upon a user submitting their credentials through the fake login form, the kit first validates the email format using a regular expression pattern. Subsequently, it triggers the fetchIPData function, which initiates HTTPS requests to external APIs like api.ipify.org for IP resolution and ipapi.co for geolocation details. This automated process ensures that attackers gain a comprehensive profile of their victim.
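For a defender triaging a captured landing page, the sequence above translates into a handful of static indicators: calls to api.ipify.org and ipapi.co, a function named fetchIPData, a Telegram bot or Discord webhook URL in the script's configuration, and the mushroom-emoji marker near "OUTL". The script below is an added example, not the kit's code and not The Sage Hollow's tooling; the two sample scripts it scans are constructed, the webhook token is a placeholder, and the assumption that the four mushroom emojis sit within a short window of "OUTL" (the article does not say exactly how they are laid out) is marked in the code.

```python
"""Static triage of captured page scripts for the indicators described above.

Added example: this is not the phishing kit and not The Sage Hollow's tooling.
The sample scripts at the bottom are constructed for the demonstration.
"""
import re
from dataclasses import dataclass, field

MUSHROOM = "\U0001F344"  # the mushroom emoji

# Indicator patterns with a weight each. The endpoint names and the
# fetchIPData function name come from the article; the Telegram bot and
# Discord webhook URL shapes are the public API formats.
INDICATORS = {
    "ip_resolution_api": (re.compile(r"api\.ipify\.org", re.I), 1),
    "geolocation_api": (re.compile(r"\bipapi\.co\b", re.I), 1),
    "fetchIPData_function": (re.compile(r"\bfetchIPData\s*\("), 2),
    "telegram_bot_api": (
        re.compile(r"api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+", re.I), 3),
    "discord_webhook": (
        re.compile(r"discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_-]+", re.I), 3),
}

# "OUTL", allowing mushroom emojis interleaved between its letters.
OUTL_RE = re.compile(r"O\U0001F344*U\U0001F344*T\U0001F344*L")


def has_mushroom_signature(text: str, window: int = 16) -> bool:
    """True if some 'OUTL' occurrence has at least four mushroom emojis
    within `window` characters of it. Assumption about how the marker is
    laid out in the source; tighten once a real sample is in hand."""
    for m in OUTL_RE.finditer(text):
        around = text[max(0, m.start() - window): m.end() + window]
        if around.count(MUSHROOM) >= 4:
            return True
    return False


@dataclass
class Verdict:
    name: str
    hits: list = field(default_factory=list)
    score: int = 0

    @property
    def suspicious(self) -> bool:
        # Threshold chosen so that a lone geolocation lookup (common in
        # legitimate site code) never trips, but lookup + exfil channel does.
        return self.score >= 4


def triage(name: str, source: str) -> Verdict:
    """Score one script against the indicator table."""
    v = Verdict(name)
    for label, (pattern, weight) in INDICATORS.items():
        if pattern.search(source):
            v.hits.append(label)
            v.score += weight
    if has_mushroom_signature(source):
        v.hits.append("mushroom_signature")
        v.score += 4
    return v


# Constructed samples. BENIGN_SCRIPT looks like ordinary site code; SUSPECT_SCRIPT
# carries the indicator combination the article describes (placeholder token).
BENIGN_SCRIPT = """
async function loadRegion() {
  const r = await fetch("https://ipapi.co/json/");
  document.getElementById("region").textContent = (await r.json()).region;
}
"""

SUSPECT_SCRIPT = """
// \U0001F344\U0001F344\U0001F344\U0001F344OUTL
const cfg = ["https://discord.com/api/webhooks/123456789012345678/CONSTRUCTED_PLACEHOLDER"];
async function fetchIPData() {
  const ip = await (await fetch("https://api.ipify.org?format=json")).json();
  const geo = await (await fetch("https://ipapi.co/json/")).json();
  return { ip, geo };
}
"""


def triage_samples() -> dict:
    """Run both constructed samples; returns {name: Verdict}."""
    return {name: triage(name, src)
            for name, src in (("benign", BENIGN_SCRIPT), ("suspect", SUSPECT_SCRIPT))}


if __name__ == "__main__":
    for v in triage_samples().values():
        print(f"{v.name}: score={v.score} suspicious={v.suspicious} hits={v.hits}")
```

The weights are deliberately skewed toward the exfiltration channel and the emoji marker: a geolocation lookup on its own is common in legitimate pages, so the benign sample scores 1 and is not flagged, while the suspect sample accumulates the lookup pair, the fetchIPData name, a webhook URL and the marker. Feed it the scripts pulled from a reported phishing URL (via a sandbox, not a live browser) and adjust the threshold to your false-positive tolerance.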
The exfiltrated data adheres to a standardized format across all observed variants, typically including the victim’s email, password, IP address, and location details. This information is transmitted to the attackers via standard HTTPS POST requests. Researchers have observed the data being sent to either Telegram bot APIs or Discord webhook endpoints. The adoption of Discord webhooks signifies a tactical shift, as these endpoints function as write-only channels, making it more challenging for defenders to trace or recover historical exfiltration data even if the webhook URL is discovered.
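Because the kit's network behaviour is fixed (IP/geolocation lookup, then an HTTPS POST to a Discord webhook or Telegram bot endpoint from the same client within seconds), it can also be caught at the proxy rather than in page source. The following is an added example of that correlation, not the researchers' detection logic: the single-line proxy log format and every log line in it are constructed, the 30-second window is an assumed tuning value, and the webhook and bot identifiers are placeholders.

```python
"""Correlation check over web-proxy logs: flag a client that performs an IP
or geolocation lookup and, shortly afterwards, POSTs to a Discord webhook or
Telegram bot endpoint.

Added example, not the researchers' tooling. The log format (ISO timestamp,
client, method, host/path) and the sample lines are constructed.
"""
import re
from datetime import datetime, timedelta

LOOKUP_HOSTS = {"api.ipify.org", "ipapi.co"}          # named in the article
# Public URL shapes of the two exfiltration channels the article names.
EXFIL_RE = re.compile(r"^(?:discord(?:app)?\.com/api/webhooks/|api\.telegram\.org/bot)")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>[^ /]+)(?P<path>/\S*)?$")


def parse_line(line: str):
    """Parse one constructed-format proxy line; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "client": m["client"],
        "method": m["method"],
        "host": m["host"].lower(),
        "path": m["path"] or "/",
    }


def correlate(lines, window: timedelta = timedelta(seconds=30)):
    """Return (client, exfil_host, seconds_since_lookup) for each POST to an
    exfil endpoint that follows a lookup by the same client within `window`."""
    last_lookup = {}   # client -> timestamp of its most recent lookup
    alerts = []
    for ev in filter(None, map(parse_line, lines)):
        if ev["host"] in LOOKUP_HOSTS:
            last_lookup[ev["client"]] = ev["ts"]
            continue
        if ev["method"] == "POST" and EXFIL_RE.match(ev["host"] + ev["path"]):
            t = last_lookup.get(ev["client"])
            if t is not None and timedelta(0) <= ev["ts"] - t <= window:
                alerts.append((ev["client"], ev["host"], (ev["ts"] - t).total_seconds()))
    return alerts


# Constructed sample log. Only 10.0.0.5 shows the lookup-then-POST pattern
# inside the window; 10.0.0.9's POST comes 15 minutes after its lookup and
# 10.0.0.7 posts to a bot endpoint with no preceding lookup.
SAMPLE_LOG = [
    "2025-03-14T10:00:01 10.0.0.5 GET api.ipify.org/?format=json",
    "2025-03-14T10:00:02 10.0.0.5 GET ipapi.co/json/",
    "2025-03-14T10:00:06 10.0.0.5 POST discord.com/api/webhooks/123456789012345678/CONSTRUCTED_PLACEHOLDER",
    "2025-03-14T10:05:00 10.0.0.9 GET ipapi.co/json/",
    "2025-03-14T10:20:00 10.0.0.9 POST discord.com/api/webhooks/111111111111111111/CONSTRUCTED_PLACEHOLDER",
    "2025-03-14T10:30:00 10.0.0.7 POST api.telegram.org/bot123456:CONSTRUCTED_PLACEHOLDER/sendMessage",
    "this line is malformed and is skipped",
]


if __name__ == "__main__":
    for client, host, delay in correlate(SAMPLE_LOG):
        print(f"ALERT {client}: lookup followed by POST to {host} after {delay:.0f}s")
```

Plain TLS proxies only see the SNI/host, so in production the path match degrades to host-level ("discord.com", "api.telegram.org"); the lookup-then-POST ordering still carries most of the signal, because ordinary Discord and Telegram clients do not sit behind an ipapi.co call a few seconds earlier. One caveat the article's "write-only" remark invites, stated here as a fact about Discord's public API rather than something from the page: a webhook URL can be used to delete the webhook it points to, so a discovered URL is still actionable for takedown even though its history cannot be read.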
Furthermore, the analysis of the kit’s infrastructure points towards a service-oriented ecosystem with deliberately compartmentalized deployment layers. This compartmentalization, combined with selective convergence at the exfiltration level, suggests a potential phishing-as-a-service model. This model implies that various threat actors may be leveraging the same underlying toolkit, amplifying the scope and impact of the campaign.
The continued evolution of this phishing kit, particularly its AI-assisted development, poses a significant challenge to cybersecurity defenses. Microsoft users, especially those operating in Spanish-speaking regions, are urged to exercise extreme caution when encountering unsolicited emails or suspicious login prompts. Staying vigilant and implementing robust multi-factor authentication can provide crucial layers of defense against such sophisticated attacks that aim to steal sensitive Microsoft account credentials.