It is 3:28 p.m. on June 18, 2026, as I begin writing this article; this information will be useful later on. Yesterday, I received a notification alerting me to a website containing files with credentials stolen through a phishing attack. I took a look and found a site that masqueraded as Outlook and prompted users to enter their credentials. Once the credentials were captured, the system saved them to a text file. Since the stolen credentials appeared to be active, I immediately opened a ticket with Microsoft CERT. Microsoft confirmed that it had received the ticket via email at 5:38 p.m. Paris time on June 17. I decided to dig a little deeper into this site and first analyzed our data.

The domain was first reported by our system on Urlscan as “opendir” at ~3:00 p.m. (minutes masked) on October 15, 2025; at the time, it did not appear to pose any threats. However, due to certain indicators, our monitoring system had flagged the domain as “to be monitored,” and as a result, eight months later, it detected the threat that the attacker had deployed months earlier in an attempt to evade detection.

Our report to Urlscan

After this introduction, where everything seems positive (our system did a great job monitoring a potential threat for months and then flagging the actual danger), let’s move on to the negative points:

  1. Users are unable to understand the danger;

  2. Microsoft allows users to disable 2FA;

  3. No one noticed the problem (Google Safe Browsing doesn’t list the domain; VirusTotal doesn’t report any alerts from its partners; and the credentials, even though they’re online, available to everyone, and perhaps even being misused, haven’t been blocked);

    Virustotal report

  4. Even after opening a support ticket with Microsoft, nearly 24 hours later the domain is still online and the credentials are valid and usable.

I’d say there’s plenty of room for improvement, even among those companies that talk about security and trust but then do very little or nothing at all when it comes to taking action to protect a small business owner. I deliberately chose not to share the domain in question in this post because those damn credentials are still there and active. I’ll share the domain name as soon as someone does something useful and takes the site offline. I’m counting on Namecheap and XYZ, who are always on top of these issues.