
Microsoft phishing campaign hosted on Replit AI with exfiltration to Discord and policy.php endpoints

The campaign impersonates Microsoft login pages and reuses apps under Replit subdomains to host the landings. Stolen credentials are sent either to a Discord webhook or to several external endpoints following the same capture pattern.

The case shows a Microsoft phishing campaign using replit[.]app subdomains as a fast hosting layer for credential-harvesting pages. During execution we observed two exfiltration behaviors: one sending data to a Discord webhook and another sending it to multiple external endpoints ending in policy.php.

Video with the visual analysis of the campaign and its related endpoints.

What we observed

The analysis carried out confirms hxxps://informacion-034--validar2901[.]replit[.]app as a primary sample, classified as Suspicious, with interactive browsing, POST requests and exfiltration toward a Discord webhook. The observed content fits a credential theft flow targeting Microsoft accounts. The campaign correlation view also shows other replit[.]app applications with the same overall credential theft behavior, but sending stolen data to different external domains.

The signal is not just the domain

The real signal is not a single Replit subdomain. It is the combination of lure-like names, short-lived hosting on replit[.]app, credential capture forms and exfiltration endpoints that repeat with only minor changes.

Operational pattern on Replit

The observed naming suggests a reusable rapid-deployment workflow: informacion-034--validar2901, secure-static-page--alvid, secure-index-editor--murphymechanic, secure-page-editor--melisapritt, secure-site-editor--mnt1094 and secure-page-builder--lucasa22. That pattern fits abuse of a platform like Replit to generate, edit and publish landings very quickly.

Replit is not only hosting. Its AI layer (Replit Agent and the Web App Builder) lets a user describe a website or app in natural language, generate files and dependencies, iterate by chat and deploy the result to a replit[.]app URL. In a malicious workflow, that lowers the friction needed to reproduce a Microsoft login landing, tweak copy or paths and publish a new variant within minutes.

We are not attributing the campaign to Replit itself. What we observed is abuse of apps hosted on Replit to publish the visible phishing layer. The operational value for the attacker is faster visual replication, rapid form iteration and URL rotation without standing up custom infrastructure from scratch.

The observed campaign correlation includes at least the following landing → exfiltration endpoint pairs:

  • informacion-034--validar2901[.]replit[.]app
    discordapp[.]com/api/webhooks/1507452686398656664/qA48QiY1KiYbLlacCKtv0MCTcHj5c5unVK0cmAJQKWfDGn0spwl77oEHLj1sDHFDuxrb
  • secure-static-page--alvid[.]replit[.]app
    destitulados[.]click/kin/policy.php
  • secure-index-editor--murphymechanic[.]replit[.]app
    abanearias[.]us/wp_web/policy.php
  • secure-page-editor--melisapritt[.]replit[.]app
    dw[.]peuioy[.]com/file/policy.php
  • secure-site-editor--mnt1094[.]replit[.]app
    qq[.]lhrcr[.]com/nba/policy.php
  • secure-page-builder--lucasa22[.]replit[.]app
    embarqueis[.]today/sau/policy.php

Across all of them, the relevant pattern is consistent: a phishing landing hosted on replit[.]app, aimed at Microsoft credential capture, forwards stolen data to an external endpoint. In one case the attacker uses Discord for direct delivery; in the others, PHP scripts appear to act as credential collectors.

What repeated policy.php means

The repeated policy.php filename deserves a precise explanation. Seeing multiple endpoints ending in policy.php does not automatically mean they all run on the exact same backend. What it does show is a shared operational pattern.

  • What it does suggest: reuse of a kit, template or credential-capture logic that keeps the same script name.
  • What it does not prove on its own: absolute infrastructure identity.
  • Why it still matters: when policy.php appears alongside multiple replit[.]app landings, similar naming and identical exfiltration behavior, the overlap stops looking accidental and starts looking like campaign correlation.

In this case, the leaf name stays the same while the parent paths rotate (/kin/, /wp_web/, /file/, /nba/, /sau/). That fits a shared capture workflow deployed across different domains or containers.

Detection and correlation

Cases like this show why campaigns should not be analyzed only by the visible domain. Correlation becomes meaningful when you combine:

  • Shared hosting layer: multiple landings on replit[.]app.
  • Naming conventions: prefixes such as secure-, page-editor, page-builder, index-editor.
  • Form behavior: POST requests to remote destinations after user interaction.
  • Exfiltration destination: a Discord webhook or repeated PHP collectors.
  • Path similarity: multiple policy.php variants under different folders.

Operationally, that lets defenders move from a single IOC to a campaign view: multiple URLs, multiple subdomains and multiple destinations that together describe a coordinated credential theft infrastructure.
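The following script is an added example written for this write-up; it is not the report's own tooling nor part of URL Sandbox. It turns the correlation signals listed above, together with the "same leaf, rotating parent" observation from the policy.php section, into runnable detection logic. It assumes a constructed proxy log format of `timestamp method url referer=...`; the landing and collector IOCs are the ones listed in this report (kept defanged and refanged at match time), and the sample log lines are constructed for the demonstration.

```python
"""Campaign-level correlation over proxy log lines (added example, not the
report's or URL Sandbox's code). IOCs are the ones listed in the report,
kept defanged; the log format and the sample lines are constructed."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Landing -> collector pairs as listed in the report (defanged).
LANDING_COLLECTOR_PAIRS = [
    ("informacion-034--validar2901[.]replit[.]app",
     "discordapp[.]com/api/webhooks/1507452686398656664/"
     "qA48QiY1KiYbLlacCKtv0MCTcHj5c5unVK0cmAJQKWfDGn0spwl77oEHLj1sDHFDuxrb"),
    ("secure-static-page--alvid[.]replit[.]app", "destitulados[.]click/kin/policy.php"),
    ("secure-index-editor--murphymechanic[.]replit[.]app", "abanearias[.]us/wp_web/policy.php"),
    ("secure-page-editor--melisapritt[.]replit[.]app", "dw[.]peuioy[.]com/file/policy.php"),
    ("secure-site-editor--mnt1094[.]replit[.]app", "qq[.]lhrcr[.]com/nba/policy.php"),
    ("secure-page-builder--lucasa22[.]replit[.]app", "embarqueis[.]today/sau/policy.php"),
]

# Naming conventions the report calls out on the Replit landings.
LURE_TOKENS = ("secure-", "page-editor", "page-builder", "index-editor", "site-editor", "validar")

def refang(s):
    return s.replace("[.]", ".").replace("hxxp", "http")

def _host_path(s):
    """Split a possibly scheme-less, defanged URL into (hostname, path)."""
    s = refang(s)
    if "://" not in s:
        s = "http://" + s
    p = urlparse(s)
    return p.hostname or "", p.path or "/"

KNOWN_LANDINGS = {_host_path(l)[0] for l, _ in LANDING_COLLECTOR_PAIRS}
KNOWN_COLLECTORS = {_host_path(c) for _, c in LANDING_COLLECTOR_PAIRS}

def landing_signals(url):
    """Hosting-layer and naming signals; these fire even for landings not yet in the IOC list."""
    host, _ = _host_path(url)
    sig = []
    if host.endswith(".replit.app"):
        sig.append("replit_hosting")
    if any(tok in host for tok in LURE_TOKENS):
        sig.append("lure_naming")
    if host in KNOWN_LANDINGS:
        sig.append("known_landing")
    return sig

def collector_signals(method, url):
    """Exfiltration-side signals: a POST to a Discord webhook or to a policy.php leaf."""
    host, path = _host_path(url)
    sig = []
    if method.upper() != "POST":
        return sig
    if host in ("discord.com", "discordapp.com") and path.startswith("/api/webhooks/"):
        sig.append("discord_webhook_post")
    if path.rsplit("/", 1)[-1] == "policy.php":
        sig.append("policy_php_post")
    if (host, path) in KNOWN_COLLECTORS:
        sig.append("known_collector")
    return sig

# Constructed log format: "<ts> <METHOD> <url> referer=<url or ->"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<url>\S+) referer=(?P<ref>\S+)$")

def correlate(log_lines):
    """One finding per suspicious line. For a POST to a collector, the referer tells us
    which landing fed it, so a single IOC already yields a landing -> collector pair."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        exfil = collector_signals(m["method"], m["url"])
        if exfil:
            ref_host = _host_path(m["ref"])[0]
            landing = ref_host if "replit_hosting" in landing_signals(m["ref"]) else None
            findings.append({"kind": "exfiltration", "url": m["url"], "signals": exfil, "landing": landing})
            continue
        land = landing_signals(m["url"])
        if "replit_hosting" in land and len(land) > 1:  # hosting alone is not a signal
            findings.append({"kind": "landing", "url": m["url"], "signals": land,
                             "landing": _host_path(m["url"])[0]})
    return findings

def path_rotation(collectors):
    """Group collector paths by leaf filename. A leaf shared across several parent folders
    is the 'same script name, rotating path' pattern; one-off leaves are dropped."""
    by_leaf = defaultdict(set)
    for c in collectors:
        _, path = _host_path(c)
        parent, _, leaf = path.rpartition("/")
        by_leaf[leaf].add(parent + "/")
    return {leaf: sorted(parents) for leaf, parents in by_leaf.items() if len(parents) > 1}

# Constructed sample traffic: two landing/collector pairs from the report, one benign
# Microsoft sign-in, and one unrelated policy.php POST to show the weaker, isolated signal.
SAMPLE_LOG = [
    f"10:00:01Z GET https://{refang(LANDING_COLLECTOR_PAIRS[3][0])}/ referer=-",
    f"10:00:09Z POST https://{refang(LANDING_COLLECTOR_PAIRS[3][1])} "
    f"referer=https://{refang(LANDING_COLLECTOR_PAIRS[3][0])}/",
    "10:01:00Z GET https://login.microsoftonline.com/ referer=-",
    f"10:02:30Z POST https://{refang(LANDING_COLLECTOR_PAIRS[0][1])} "
    f"referer=https://{refang(LANDING_COLLECTOR_PAIRS[0][0])}/",
    "10:03:00Z POST https://cdn.example.org/assets/policy.php referer=https://intranet.example.org/",
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f)
    print(path_rotation([c for _, c in LANDING_COLLECTOR_PAIRS]))
```

The last sample line is the caveat from the policy.php section made concrete: a lone `policy_php_post` with no Replit referer and no IOC match is a weak signal on its own, whereas the same leaf appearing under `/kin/`, `/wp_web/`, `/file/`, `/nba/` and `/sau/` next to replit[.]app landings is what `path_rotation` surfaces as campaign correlation.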

How URL Sandbox helps without forcing users into technical analysis

For a user or a brand protection team, the important outcome is not reading every low-level signal. What matters is understanding quickly whether a URL belongs to a broader campaign, what other pages are related and where stolen credentials are being sent. That is where `URL Sandbox` becomes useful.

From the platform, a user can analyze one suspicious landing and get a campaign-oriented view: related pages, domains sharing the same behavior, common collection destinations and a visual explanation of why those assets should be treated as part of the same operation. That helps prioritize response, blocking and takedown without manually interpreting each IOC.

In campaigns like this one, `URL Sandbox` helps users move from a single URL to the full story: which pages are impersonating Microsoft, which ones look like variants from the same actor and what infrastructure is receiving the passwords. The value is simple: less investigation time and faster action.

IOCs

Observed infrastructure
  • Landings on Replit: informacion-034--validar2901[.]replit[.]app, secure-static-page--alvid[.]replit[.]app, secure-index-editor--murphymechanic[.]replit[.]app, secure-page-editor--melisapritt[.]replit[.]app, secure-site-editor--mnt1094[.]replit[.]app and secure-page-builder--lucasa22[.]replit[.]app.
  • Discord collection endpoint: discordapp[.]com/api/webhooks/1507452686398656664/qA48QiY1KiYbLlacCKtv0MCTcHj5c5unVK0cmAJQKWfDGn0spwl77oEHLj1sDHFDuxrb.
  • External collectors using policy.php: destitulados[.]click/kin/policy.php, abanearias[.]us/wp_web/policy.php, dw[.]peuioy[.]com/file/policy.php, qq[.]lhrcr[.]com/nba/policy.php and embarqueis[.]today/sau/policy.php.
  • Campaign signal: Microsoft impersonation, landings hosted on Replit and exfiltration to Discord or repeated policy.php variants.

Key takeaways

  • The campaign impersonates Microsoft and uses replit[.]app as the visible layer for rapidly deployed phishing landings.
  • Abuse of Replit Agent and the Web App Builder fits the attacker's need to replicate, adjust and republish landings with very low friction.
  • Credentials are exfiltrated both to a Discord webhook and to several external endpoints ending in policy.php.
  • Repeated policy.php does not, by itself, prove an identical backend, but it strongly supports a shared and highly correlatable operational pattern.
  • Effective defense requires correlating hosting, naming, form behavior, paths and destinations, not just blocking one domain at a time.