AI-Assisted Phishing Kit Targets Microsoft Outlook Users with Telegram and Discord Exfil
A Spanish-speaking phishing operation has been active since March 2025, using a kit that looks and feels like a genuine Microsoft Outlook login page. It steals credentials, grabs the victim's IP and geolocation, and ships the package out via Telegram bots or Discord webhooks. Across more than 75 deployments, the campaign shows a consistent signature: four mushroom emojis baked into the string "OUTL."
Researchers at The Sage Hollow tracked multiple variants, from heavily obfuscated scripts to clean builds that read like machine-generated code. The newest variant, disBLOCK.js, stands out with clear function names and Spanish comments explaining each step - a strong indicator of AI-assisted development. Under the hood, the kit keeps configuration separate from execution and leans on common IP/geolocation APIs to enrich stolen data in real time.
How the kit works
- Phish page: A convincing Spanish-language replica of Microsoft's Outlook login.
- Data capture: On submit, credentials are validated (regex), then the kit calls api.ipify.org for IP and ipapi.co for geolocation.
- Standardized payload: "OUTL CORREO: [victim_email] PASSWR: [victim_password] IP: [ip_address]" plus location details.
- Exfil channels: HTTPS POST to Telegram bot APIs or Discord webhook endpoints. Shift to Discord webhooks reduces defender visibility because they act as write-only sinks.
- Architecture: Modular. Early versions used xjsx.js to store Telegram tokens and chat IDs with light array-rotation obfuscation. Other observed files include tlgram.js and disBLOCK.js.
Why this matters to security and engineering teams
The campaign is consistent even as the code shape changes. That's the AI fingerprint: clean, well-structured variants appear alongside obfuscated builds, but the behavior barely moves. For blue teams and appsec engineers, this means focusing on behavior and egress patterns over static signatures.
Primary indicators of compromise (IOCs)
- String markers: "OUTL" paired with four mushroom emojis (🍄🍄🍄🍄) and the label "PASSWR."
- Network calls from a login page to external lookups: api.ipify.org and ipapi.co.
- Outbound HTTPS POST to:
  - api.telegram.org/bot*
  - discord.com/api/webhooks/*
- Spanish-language phish pages impersonating Microsoft Outlook with non-Microsoft POST targets.
Detection and response playbook (practical steps)
- Proxy and egress controls
  - Block or tightly restrict outbound access to api.telegram.org and discord.com/api/webhooks from corporate networks and application hosts.
  - Create URL categories for known IP/geolocation services (api.ipify.org, ipapi.co). Flag POSTs and unusual spikes from user subnets.
  - Alert on HTTP POST to discord.com/api/webhooks and api.telegram.org, especially with small JSON bodies.
- Mail and identity protections
  - Enforce phishing-resistant MFA (FIDO2/Windows Hello) for Microsoft 365. Add anti-phish policies and user tagging.
  - Harden safe links/safe attachments and block lookalike domains. Train users to check URL bars on any Outlook login prompt.
  - Use conditional access with sign-in risk and impossible travel detections.
- Web security controls (for your own apps)
  - Apply a strict Content Security Policy (connect-src) to prevent exfil to Telegram/Discord from any corporate web property.
  - Monitor forms that collect credentials: no third-party API calls on submit, no unhashed transfers, and no mixed content.
- Threat hunting ideas
  - Search web proxy or firewall logs for "/api/webhooks/" and "/bot" paths and alert on hits outside approved tooling.
  - Look for the strings "OUTL" and "PASSWR" in email gateways, sandboxed detonations, and web content logs.
  - Hunt for login pages that perform client-side fetches to api.ipify.org or ipapi.co.
- Incident response actions (if a user submits credentials)
  - Force password reset and invalidate refresh tokens. Revoke OAuth consents and check for new suspicious apps.
  - Audit sign-ins for the user, focusing on new IPs, geos, device IDs, and impossible travel.
  - Quarantine related emails, block the phishing domain, and add detections for the IOCs above.
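As an added example (not code from the original article or from The Sage Hollow), a small Python scanner that applies the egress and hunting checks above to constructed proxy log lines: it flags POSTs to Telegram bot and Discord webhook paths, IP/geolocation lookups whose referer looks like a login page, escalates a source that does both (the kit's enrich-then-exfil sequence), and checks content for the campaign's string markers. The log format, the login-page referer keyword list and the sample IPs and hostnames are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log (not real traffic): "timestamp src_ip method url referer".
SAMPLE_LOG = """\
2025-03-12T09:14:01Z 10.1.4.23 GET https://api.ipify.org/?format=json https://mail-outlook-login.example/
2025-03-12T09:14:01Z 10.1.4.23 GET https://ipapi.co/json/ https://mail-outlook-login.example/
2025-03-12T09:14:02Z 10.1.4.23 POST https://api.telegram.org/bot000:PLACEHOLDER_TOKEN/sendMessage https://mail-outlook-login.example/
2025-03-12T09:20:11Z 10.1.7.8 POST https://discord.com/api/webhooks/000/PLACEHOLDER -
2025-03-12T09:21:00Z 10.1.7.9 POST https://login.microsoftonline.com/common/login https://login.microsoftonline.com/
2025-03-12T09:22:00Z 10.1.7.9 POST https://discord.com/api/v10/channels/1/messages https://discord.com/
"""

# Exfil sinks named in the article: Telegram bot API and Discord webhooks (POST only).
EXFIL_RULES = [
    ("telegram_bot_post", "api.telegram.org", re.compile(r"^/bot[^/]+/")),
    ("discord_webhook_post", "discord.com", re.compile(r"^/api/webhooks/")),
]
ENRICHMENT_HOSTS = {"api.ipify.org", "ipapi.co"}  # IP/geo services the kit calls on submit
LOGIN_REFERER = re.compile(r"login|signin|outlook|office|microsoft", re.I)  # assumed heuristic; tune it
KIT_MARKERS = ("OUTL", "\U0001F344" * 4, "PASSWR")  # "OUTL" + four mushroom emojis + "PASSWR"

def classify(line):  # -> (src_ip, [rule names]); an empty list means nothing suspicious
    _ts, src, method, url, referer = line.split()
    u = urlparse(url)
    host = (u.hostname or "").lower()
    hits = [name for name, rule_host, path_re in EXFIL_RULES
            if method == "POST" and host == rule_host and path_re.search(u.path)]
    if host in ENRICHMENT_HOSTS and LOGIN_REFERER.search(referer):
        hits.append("geo_lookup_from_login_page")
    return src, hits

def scan(log_text):  # per-source verdicts; escalate when enrichment and exfil both occur
    per_src = defaultdict(set)
    for line in filter(str.strip, log_text.splitlines()):
        src, hits = classify(line)
        per_src[src].update(hits)
    verdicts = {}
    for src, hits in per_src.items():
        exfil = any(h.endswith("_post") for h in hits)
        if exfil and "geo_lookup_from_login_page" in hits:
            verdicts[src] = "high: geo enrichment + exfil (matches kit behavior)"
        elif hits:
            verdicts[src] = "medium: " + ", ".join(sorted(hits))
    return verdicts

def has_kit_markers(text):  # content-log check for the campaign's string markers
    return all(m in text for m in KIT_MARKERS)
```

Note that the last two sample lines (a legitimate Microsoft sign-in and a non-webhook Discord API call) produce no verdict, which is why the rules match on method plus path and not on hostname alone.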
Why Discord webhooks are showing up more
Attackers are moving to Discord webhooks because they're simple and function as write-only pipes. Even if defenders discover a webhook URL, there's no history to recover. That forces defenders to catch the traffic in flight with egress controls and alerting on webhook patterns.
What to brief your team on
- The Outlook phish will look legitimate but use Spanish prompts and post to non-Microsoft endpoints.
- The kit enriches data in real time, so assume IP and location are already tied to any stolen credential.
- Expect multiple code variants with the same behavior. Don't rely solely on static signatures.
Key takeaways
- Campaign signature: "OUTL" plus four mushroom emojis; payload includes "PASSWR" and IP/location details.
- Behavior-first detections beat static matches as variants shift between obfuscated and clean AI-style code.
- Block Telegram/Discord exfil at the edge, watch for IP/geolocation lookups from login flows, and tighten Microsoft 365 anti-phish and MFA.