Same-Day Domain, Port 8443, and a Fabricated Forward: How a Compromised M365 Tenant Delivered a Phishing Link Through Clean Authentication

Written by Audian Paxson | Jan 3, 2026 2:15:00 PM
TL;DR Attackers used a compromised Microsoft 365 tenant (registered in 2017, Cloudflare DNS) to send a fabricated forwarded message containing a single link to a same-day-registered domain on non-standard port 8443. SPF, DKIM, and ARC all passed. The display name read 'Glen Smith' while the local-part followed an unrelated pattern (k_tenev_24c). Microsoft scored it SCL 5 and routed it to Junk, but the message reached the mailbox. IRONSCALES Adaptive AI flagged phishing signals from community reputation data, sender behavioral anomalies, and content analysis, quarantining the message within minutes.
Severity: High
Tags: Credential Harvesting, Phishing, Compromised Infrastructure
MITRE ATT&CK: T1566.002, T1586.002, T1608.005

The phishing domain was registered at 8:02 AM UTC. By 3:21 PM that same afternoon, the attack was already sitting in a mailbox at a professional services firm, authenticated, delivered, and waiting for a click.

The message passed SPF. It passed DKIM. It passed ARC. Microsoft's own anti-spam engine scored it SCL 5 (probable spam) and routed it to Junk, but the email still reached the mailbox intact, link and all. The sending infrastructure was a fully functional Microsoft 365 tenant. The payload URL pointed to a subdomain on a domain that had existed for less than eight hours, serving content on non-standard port 8443.

This is what credential harvesting looks like when the attacker controls legitimate cloud infrastructure and builds disposable landing pages faster than most security teams can update a blocklist.

A Compromised Tenant With Nine Years of Reputation

The sending domain, ouagk[.]com, was registered in September 2017 through Tucows Domains with Cloudflare nameservers. Nearly nine years of domain age. No public organizational identity, but the domain maintained active DNS, valid MX records, and a properly configured Microsoft 365 tenant with DKIM signing through the ouagk[.]onmicrosoft[.]com selector.

The message originated from a European Microsoft 365 endpoint (AS4P192MB1501.EURP192.PROD.OUTLOOK.COM), was proxied through a European client access server, and exited Microsoft's Dublin-based outbound protection infrastructure at IP 2a01:111:f403:c200::5. Every hop was Microsoft. Every authentication check returned clean results:

  • SPF: Pass (protection.outlook.com designated as permitted sender)
  • DKIM: Pass (signature verified, d=ouagk[.]onmicrosoft[.]com, selector selector2-ouagk-onmicrosoft-com)
  • ARC: Pass (two Microsoft-signed ARC seals, both valid)
  • DMARC: bestguesspass (no published DMARC record, but SPF alignment accepted)
  • compauth: Pass, reason 109

The Verizon 2024 Data Breach Investigations Report found that stolen credentials were involved in over 44% of breaches. Compromised M365 tenants like this one are the downstream result: once an attacker owns a mailbox (or provisions one in a neglected tenant), they inherit the full trust chain that Microsoft's infrastructure provides.

The Fabricated Forward

The subject line read "Re: Appointment April," implying an ongoing conversation. The body reinforced this with a classic forwarded message structure:

> ---------- Forwarded message ----------
> From: [Display Name]
>
> Yes, I'm going to remember them, for sure [link]

The display name in the From header was "Glen Smith." The actual sending address was k_tenev_24c@ouagk[.]com. That local-part pattern (a name fragment, underscore, alphanumeric suffix) is consistent with programmatically generated mailboxes, not a human choosing their own email address.

This mismatch is a core detection signal. The FBI IC3 2024 report documented $2.9 billion in BEC losses driven by identity deception techniques exactly like this. The fabricated reply thread adds a layer of social engineering: recipients process "Re:" messages as continuations of existing relationships, lowering the scrutiny they apply before clicking.

Registered at 8 AM, Weaponized by 3 PM

The sole link in the body pointed to hxxps://quhrt[.]olnckse[.]com:8443/AS8AJTE6.

The parent domain olnckse[.]com was registered on April 13, 2026 at 08:02:59 UTC through Namecheap with WHOIS privacy enabled. Custom nameservers (ns1[.]loisscidns[.]com, ns2[.]loisscidns[.]com) indicate dedicated attacker infrastructure, not shared hosting. The domain was still in its addPeriod EPP status at the time of delivery, meaning ICANN's 5-day grace window for free cancellation had not yet closed.

Port 8443 is the critical detail. Standard HTTPS runs on port 443. Port 8443 is commonly used for administrative interfaces (Tomcat Manager, UniFi controllers, alternative web services). Many transparent web proxies and URL inspection tools only intercept traffic on ports 80 and 443, so a phishing page served on 8443 can slip past that inspection entirely while still presenting a valid TLS certificate to the victim's browser. The trick has limits worth knowing: an explicit forward proxy still sees the hostname and port in the CONNECT request even when it does not decrypt the session, and an email gateway that rewrites or detonates URLs does so regardless of port. The blind spot exists wherever inspection is scoped to 443 and nothing else logs the connection.

The path /AS8AJTE6 is an 8-character alphanumeric string, likely a per-recipient tracking token or campaign identifier. This is a standard pattern in phishing kits that need to correlate clicks back to specific mailboxes.

How Three Signals Converged for Detection

Microsoft's native filtering caught one signal: SCL 5 with SFTY 9.25 (phishing safety tip). The message was routed to Junk. But "Junk" is not "quarantined." Users access their Junk folders. Links in Junk are still clickable.

IRONSCALES Adaptive AI evaluated three independent signal layers that authentication-based tools missed:

  1. Content analysis identified phishing patterns: a single external link to an obscure domain, minimal body text, and a forwarded message structure with no prior relationship context.
  2. Community intelligence from the 35,000+ security professionals in the IRONSCALES network matched behavioral fingerprints from this sender against previously reported phishing activity across other organizations.
  3. Sender analysis flagged the first-time sender status, the display name to local-part mismatch, and the lack of any prior communication history with the recipient.

Themis assigned a 53% phishing confidence score. The incident was escalated and the message was quarantined, removing it from the mailbox entirely rather than leaving it in a folder users routinely check.
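The checks described in the infrastructure section (non-standard port, same-day registration, addPeriod status) and the three signal layers above can be reproduced from a raw message with a short script. The example below is added here and is not IRONSCALES code: it parses a constructed .eml that mirrors the headers and body quoted in this post, looks the linked domain up in a stubbed WHOIS table (a stand-in for a live RDAP query), and returns each signal separately so the reader can see which ones fire. The two-label registrable-domain heuristic and the generated-local-part regex are assumptions, not the vendor's logic.

```python
"""Signal extraction for the fabricated-forward phish described above.
Added example, not IRONSCALES code. The message below is constructed from the
headers and body quoted in the post; the WHOIS table is a stub, not a live lookup."""
import re
from datetime import datetime
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlparse

# Constructed raw message reproducing the relevant headers (not a real capture).
SAMPLE_EML = """\
Authentication-Results: spf=pass (sender IP is 2a01:111:f403:c200::5)
 smtp.mailfrom=ouagk.com; dkim=pass (signature was verified)
 header.d=ouagk.onmicrosoft.com; dmarc=bestguesspass action=none
 header.from=ouagk.com; compauth=pass reason=109
X-Forefront-Antispam-Report: SCL:5;SFTY:9.25;
From: Glen Smith <k_tenev_24c@ouagk.com>
To: victim@example.com
Subject: Re: Appointment April
Date: Mon, 13 Apr 2026 15:21:00 +0000
Content-Type: text/plain; charset=utf-8

---------- Forwarded message ----------
From: Glen Smith

Yes, I'm going to remember them, for sure https://quhrt.olnckse.com:8443/AS8AJTE6
"""

# Hypothetical WHOIS/RDAP results standing in for a live query.
WHOIS_STUB = {
    "olnckse.com": {"created": "2026-04-13T08:02:59Z", "status": ["addPeriod"]},
    "ouagk.com": {"created": "2017-09-11T00:00:00Z", "status": ["clientTransferProhibited"]},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Heuristic (assumption): short prefix, name fragment, alphanumeric suffix, e.g. k_tenev_24c.
GENERATED_LOCAL_RE = re.compile(r"^[a-z]{1,3}_[a-z]+_[0-9a-z]{2,}$")


def registrable_domain(host: str) -> str:
    # Assumption: two-label registrable domain. Production code should consult the
    # public suffix list (e.g. tldextract) so co.uk-style suffixes are handled.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def parse_auth_results(value: str) -> dict:
    """Return {'spf': 'pass', 'dkim': 'pass', ...} from an Authentication-Results header."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc|arc|compauth)=(\w+)", value or "")}


def display_name_mismatch(from_header: str) -> bool:
    """True when no token of the display name appears anywhere in the local-part."""
    name, addr = parseaddr(from_header)
    local = addr.split("@")[0].lower()
    tokens = [t for t in re.split(r"[^a-z]+", name.lower()) if len(t) > 1]
    return bool(tokens) and not any(t in local for t in tokens)


def analyze(raw: str, whois: dict = WHOIS_STUB) -> dict:
    msg = message_from_string(raw, policy=policy.default)
    sent_at = parsedate_to_datetime(msg["Date"])
    auth = parse_auth_results(msg["Authentication-Results"])
    _, addr = parseaddr(msg["From"])
    local = addr.split("@")[0].lower()
    body = msg.get_body(preferencelist=("plain",)).get_content()
    urls = URL_RE.findall(body)

    links = []
    for url in urls:
        p = urlparse(url)
        reg = registrable_domain(p.hostname)
        rec = whois.get(reg, {})
        age_h = None
        if rec.get("created"):
            created = datetime.fromisoformat(rec["created"].replace("Z", "+00:00"))
            age_h = (sent_at - created).total_seconds() / 3600  # hours between registration and delivery
        links.append({
            "url": url,
            "registrable_domain": reg,
            "nonstandard_port": p.port not in (None, 80, 443),
            "domain_age_hours": age_h,
            "in_add_period": "addPeriod" in rec.get("status", []),
        })

    signals = {
        # Authentication passing is recorded but is NOT counted as risk: it only says the tenant sent it.
        "auth_all_pass": all(auth.get(k) == "pass" for k in ("spf", "dkim", "compauth")),
        "display_name_mismatch": display_name_mismatch(msg["From"]),
        "generated_local_part": bool(GENERATED_LOCAL_RE.match(local)),
        # "Re:" with no In-Reply-To/References is a thread the sender invented.
        "fabricated_reply": msg["Subject"].lower().startswith(("re:", "fw:", "fwd:"))
                            and not msg["In-Reply-To"] and not msg["References"],
        "forwarded_block_in_body": "---------- Forwarded message ----------" in body,
        "single_external_link": len(urls) == 1,
        "link_nonstandard_port": any(l["nonstandard_port"] for l in links),
        "link_domain_under_24h": any(l["domain_age_hours"] is not None and l["domain_age_hours"] < 24 for l in links),
        "link_domain_in_add_period": any(l["in_add_period"] for l in links),
    }
    risk = sum(1 for k, v in signals.items() if v and k != "auth_all_pass")
    return {"auth": auth, "signals": signals, "links": links, "risk_signals": risk}


if __name__ == "__main__":
    result = analyze(SAMPLE_EML)
    for name, fired in result["signals"].items():
        print(f"{name:28s} {fired}")
    print("risk signals:", result["risk_signals"], "| link age (h):", round(result["links"][0]["domain_age_hours"], 2))
```

Run against the sample, every non-authentication signal fires while SPF, DKIM and compauth all read pass, which is the point of the post: the authentication results are correct and still say nothing about safety. The domain-age figure (a little over seven hours) is computed from the Date header against the stubbed creation time, so in a real pipeline the only moving part is replacing WHOIS_STUB with an RDAP call.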

Observed Infrastructure and IOCs

Type             Indicator                                      Context
Sending Email    k_tenev_24c@ouagk[.]com                        Compromised M365 tenant, display name "Glen Smith"
Sending Domain   ouagk[.]com                                    Registered 2017-09-11, Tucows, Cloudflare NS
DKIM Domain      ouagk[.]onmicrosoft[.]com                      M365 tenant DKIM selector
Payload URL      hxxps://quhrt[.]olnckse[.]com:8443/AS8AJTE6    Credential harvest landing page
Payload Domain   olnckse[.]com                                  Registered 2026-04-13 (same day), Namecheap, privacy-shielded
Nameservers      ns1[.]loisscidns[.]com, ns2[.]loisscidns[.]com Custom attacker DNS infrastructure
Sending IP       2a01:111:f403:c200::5                          Microsoft outbound protection (Dublin)
Subject          Re: Appointment April                          Fabricated reply thread

MITRE ATT&CK Mapping

  • T1566.002 Phishing: Spearphishing Link (the single link to the credential-harvest page)
  • T1586.002 Compromise Accounts: Email Accounts (the ouagk[.]com M365 tenant used to send)
  • T1608.005 Stage Capabilities: Link Target (the same-day domain hosting the landing page on 8443)

What Defenders Should Do With This

Block the infrastructure. Add olnckse[.]com and loisscidns[.]com to domain blocklists. Block outbound connections to port 8443 on unknown domains, or at minimum log them for review.

Search for lateral exposure. Query mail logs for any messages from @ouagk[.]com across the organization. A compromised M365 tenant with nine years of domain age may have been used in campaigns against multiple targets. According to CISA's phishing guidance, organizations should treat confirmed phishing from authenticated sources as a potential indicator of broader compromise.

Audit non-standard port policies. If your proxy or Secure Email Gateway only inspects ports 80 and 443, you have a blind spot. IRONSCALES data across 1,921 customer organizations shows an average of 67.5 phishing emails per 100 mailboxes per month bypassing SEGs. Attacks on non-standard ports contribute to that gap.
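The three actions above (block, search mail logs, audit non-standard ports) are a retro-hunt that can be scripted once the IOC table is in hand. The example below is added here and is not IRONSCALES tooling: it takes constructed message-trace and proxy log extracts, finds every message from the compromised tenant, flags proxy connections that hit the IOC domains or an unallowlisted host on a port other than 80/443, and correlates the two to show which recipients actually followed the link. The log formats, the assumption that the proxy username equals the mailbox local-part, and the 8443 allowlist are all hypothetical.

```python
"""Retro-hunt over mail-trace and proxy logs for the IOCs in the table above.
Added example, not IRONSCALES tooling. All log lines are constructed."""
import csv
import io
import json

# Constructed message-trace export (CSV), shaped like a gateway/tenant trace; not real data.
MESSAGE_TRACE_CSV = """\
Received,SenderAddress,RecipientAddress,Subject,Status
2026-04-13T15:21:04Z,k_tenev_24c@ouagk.com,a.lee@example.com,Re: Appointment April,Delivered
2026-04-10T09:12:33Z,j_morris_7fa@ouagk.com,b.chen@example.com,Re: Invoice,Delivered
2026-04-12T11:05:10Z,newsletter@vendor.example,b.chen@example.com,Weekly digest,Delivered
"""

# Constructed proxy log (JSON lines): one record per CONNECT; ports are what the client asked for.
PROXY_LOG = """\
{"ts":"2026-04-13T15:34:02Z","user":"a.lee","method":"CONNECT","host":"quhrt.olnckse.com","port":8443,"action":"allowed"}
{"ts":"2026-04-13T15:40:51Z","user":"b.chen","method":"CONNECT","host":"login.microsoftonline.com","port":443,"action":"allowed"}
{"ts":"2026-04-13T16:02:11Z","user":"c.diaz","method":"CONNECT","host":"unifi.corp.example","port":8443,"action":"allowed"}
"""

IOC_DOMAINS = {"olnckse.com", "loisscidns.com"}   # payload domain and its custom nameserver domain
COMPROMISED_SENDER_DOMAIN = "ouagk.com"
# Assumption: internal admin consoles that legitimately listen on 8443 are recorded here.
PORT_8443_ALLOWLIST = {"unifi.corp.example"}


def matches_ioc(host: str, iocs: set) -> bool:
    """True for the IOC domain itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)


def blocklist_entries(iocs: set) -> list:
    """Emit apex plus wildcard form so subdomains like quhrt.<domain> are covered."""
    out = []
    for d in sorted(iocs):
        out += [d, "*." + d]
    return out


def hunt_mail_trace(csv_text: str, sender_domain: str) -> list:
    """Every delivered message whose sender is in the compromised tenant's domain."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r for r in rows if r["SenderAddress"].lower().endswith("@" + sender_domain.lower())]


def hunt_proxy(jsonl: str, iocs: set, allowlist: set) -> list:
    """Proxy records touching an IOC domain, or a non-80/443 port on a host not allowlisted."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reasons = []
        if matches_ioc(rec["host"], iocs):
            reasons.append("ioc_domain")
        if rec["port"] not in (80, 443) and rec["host"].lower() not in allowlist:
            reasons.append("nonstandard_port_unknown_host")
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


def clicked_recipients(mail_rows: list, proxy_findings: list) -> set:
    """Recipients of the tenant's mail who later connected to an IOC host.
    Assumption: proxy 'user' equals the mailbox local-part."""
    recipients = {r["RecipientAddress"].split("@")[0].lower() for r in mail_rows}
    clickers = {f["user"].lower() for f in proxy_findings if "ioc_domain" in f["reasons"]}
    return recipients & clickers


if __name__ == "__main__":
    mail = hunt_mail_trace(MESSAGE_TRACE_CSV, COMPROMISED_SENDER_DOMAIN)
    proxy = hunt_proxy(PROXY_LOG, IOC_DOMAINS, PORT_8443_ALLOWLIST)
    print("blocklist:", blocklist_entries(IOC_DOMAINS))
    print("messages from tenant:", len(mail))
    for f in proxy:
        print("proxy hit:", f["user"], f["host"], f["port"], f["reasons"])
    print("recipients who clicked (reset credentials first):", clicked_recipients(mail, proxy))
```

The mail-trace search deliberately keys on the sender domain rather than the single address from this incident, because the local-part pattern suggests the tenant holds more than one generated mailbox. The proxy rule separates "known IOC" from "unknown host on an odd port" so the second class can be logged for review without blocking legitimate admin consoles; anything that lands in both buckets, as the first record does, is the click you want to chase first.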

Evaluate behavioral detection. Authentication told the truth here: the email really did come from ouagk[.]com's M365 tenant. The authentication stack worked as designed. The problem is that authentication answers "was this authorized?" not "is this safe?" Behavioral analysis that evaluates sender relationships, domain age of linked URLs, and community threat intelligence is the layer that catches what authentication cannot.

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 30,000+ security professionals. Each post breaks down one attack — what it looked like, why it worked, and what you can do about it.