Phishing Campaigns Use Authentication Laundering and HTML Smuggling to Bypass Security
Microsoft warns of a phishing campaign targeting hotels with Node.js implant via Calendly and Google redirects, while Fortra identifies Mirage2FA kit using HTML smuggling to steal Microsoft 365 credentials.
Two separate phishing campaigns have been identified in June 2026, each using novel techniques to bypass email security and steal credentials. Microsoft warned of a campaign targeting hotels across Europe and Asia since April 2026, using photo-themed ZIP files to drop a Node.js implant. Separately, Fortra researchers detailed the Mirage2FA phishing kit that uses HTML smuggling to deliver fake Microsoft 365 login pages and capture credentials during MFA prompts.
The hotel campaign, tracked as TonRAT, uses emails with the display name "Booking Manager (via Calendly)" and lures about guest complaints, bedbug infestations, and health inspections. The emails are routed through Calendly's notification system and Google's URL redirect service, a technique Microsoft calls authentication laundering. This allows the messages to pass SPF, DKIM, and DMARC checks because they originate from legitimate infrastructure.
Authentication Laundering vs HTML Smuggling
Both campaigns exploit trust in legitimate services and obfuscation to evade detection. The hotel campaign uses a multi-hop chain: a Calendly link redirects through share.google to a Cloudflare-fronted .cfd domain, which presents a Turnstile challenge before delivering a ZIP file containing a malicious LNK file. The LNK fires PowerShell that downloads a Node.js runtime from nodejs.org and runs the TonRAT implant, which resolves C2 domains via the TON blockchain API.
The Mirage2FA kit, analyzed by Fortra, uses HTML smuggling to embed a fake Microsoft 365 login page within an HTML attachment. The page captures credentials and MFA tokens in real time. The campaign relies on business-themed lures such as secure documents, remittance services, and payment requests. Key differences between the campaigns include:
- Delivery method: the hotel campaign routes its email through Calendly notifications and Google redirects; Mirage2FA uses HTML attachments carrying obfuscated JavaScript.
- Target: Hotels and hospitality organizations vs Microsoft 365 users across various sectors.
- Payload: Node.js implant (TonRAT) vs credential harvesting page with MFA interception.
- Evasion: Authentication laundering and blockchain-based C2 vs HTML smuggling and short-lived domains.
Implications for Defenders
These campaigns highlight the increasing sophistication of phishing operations. Authentication laundering exploits the trust placed in legitimate services like Calendly and Google, making it difficult for email filters to flag malicious intent. HTML smuggling bypasses network-level detection by constructing malicious content client-side. Both techniques require defenders to look beyond traditional indicators like sender reputation and file hashes.
Microsoft has not attributed the hotel campaign to a known threat actor, and the end goal remains unclear. No data theft or ransomware has been confirmed. Fortra's analysis of Mirage2FA suggests the kit is being actively sold or used by multiple groups. Organizations should review email authentication policies, monitor for unusual redirect chains, and implement behavioral detection for PowerShell and JavaScript execution. The hotel campaign also demonstrates the need to check both RunOnce and Node.js persistence paths during remediation.
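As an added example (not code from Microsoft's or Fortra's reporting), the Python heuristics below illustrate two of the checks recommended above: flagging a redirect chain that passes through a trusted service and lands on a .cfd domain, and scoring an HTML attachment for client-side file reassembly of the kind HTML smuggling relies on. The sample HTML and URLs are constructed, and the redirector host names and JavaScript marker list are assumptions rather than indicators from the reports.

```python
import re
from urllib.parse import urlparse

# Constructed sample of an HTML attachment that rebuilds a file in the browser.
# Not taken from the Mirage2FA analysis; the base64 literal is filler.
SMUGGLED_HTML = """<html><body><script>
var b64 = "UEsDBBQAAAAIAAAAIQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==";
var bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "photos.zip"; a.click();
</script></body></html>"""
BENIGN_HTML = "<html><body><p>Your reservation is confirmed.</p></body></html>"

# JavaScript constructs that, seen together, characterise client-side file reassembly.
SMUGGLING_MARKERS = ("atob(", "Uint8Array", "new Blob(", "createObjectURL",
                     ".download", "msSaveOrOpenBlob")
# A quoted base64 run of 64+ characters is the embedded payload itself.
BASE64_BLOB = re.compile(r'["\']([A-Za-z0-9+/]{64,}={0,2})["\']')

def html_smuggling_score(html: str) -> int:
    """One point per distinct marker present, plus one for a large inline base64 literal."""
    score = sum(1 for marker in SMUGGLING_MARKERS if marker in html)
    if BASE64_BLOB.search(html):
        score += 1
    return score

# Assumed host names for the legitimate redirectors named in the report, and the
# final-hop TLD it describes; extend both sets from your own telemetry.
TRUSTED_REDIRECTORS = {"calendly.com", "share.google"}
RISKY_FINAL_TLDS = {"cfd"}

def suspicious_redirect_chain(hops: list[str]) -> bool:
    """True when a chain passes through a trusted redirector and lands on a risky TLD.
    The trusted hop is what lets the mail pass SPF/DKIM/DMARC, so judge both together."""
    hosts = [urlparse(h).hostname or "" for h in hops]
    if not hosts:
        return False
    via_trusted = any(host == r or host.endswith("." + r)
                      for host in hosts[:-1] for r in TRUSTED_REDIRECTORS)
    final_tld = hosts[-1].rsplit(".", 1)[-1]
    return via_trusted and final_tld in RISKY_FINAL_TLDS

if __name__ == "__main__":
    print("smuggled:", html_smuggling_score(SMUGGLED_HTML), "benign:", html_smuggling_score(BENIGN_HTML))
    chain = ["https://calendly.com/d/abc", "https://share.google/xyz", "https://lure.example.cfd/photos"]
    print("chain suspicious:", suspicious_redirect_chain(chain))
```

The score is a triage signal for attachment sandboxing and mail-flow rules, not a verdict; tune the threshold against benign HTML mail in your own environment.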
Fact check
- The hotel phishing campaign has been active since April 2026, targeting hotels across Europe and Asia.
- The campaign uses Calendly's email notification system and Google's URL redirect service to pass SPF, DKIM, and DMARC checks.
- The Mirage2FA phishing kit uses HTML smuggling to deliver fake Microsoft 365 login pages and steal credentials during MFA prompts.
- The hotel campaign's implant, TonRAT, resolves C2 domains through the TON blockchain API.