Operation HookedWing Phishing Hit 500+ Organizations

Stephanie Adlam
Operation HookedWing phishing GitHub Pages lure

Operation HookedWing is a long-running phishing campaign that SOCRadar says has targeted more than 500 organizations since 2022. The campaign matters because it does not rely on one disposable phishing domain. It uses legitimate-looking GitHub Pages links, compromised servers, staged redirects, and brand impersonation to push users toward credential collection pages.

The useful point for defenders is not just that another Microsoft- or Google-style login page exists. HookedWing shows how phishing infrastructure now behaves like a small delivery chain: a trusted hosting surface receives the click, redirect logic separates likely victims from scanners, and the final collection page changes as infrastructure is burned. That makes simple domain-blocking less reliable, especially when the first URL looks like a normal hosted page rather than a newly registered scam domain.

Why This Campaign Is Harder to Triage

SOCRadar’s report describes Microsoft 365, Outlook, Google, DocuSign, and Adobe-themed lures, along with infrastructure hosted on github.io and compromised websites. This mix creates two different response paths. If the user only visited the landing page, defenders should preserve the URL chain and browser history before it disappears. If credentials were entered, the incident should be handled as an account takeover risk, with session tokens, OAuth grants, inbox forwarding rules, and recent sign-in locations reviewed before the user is returned to normal work.

The campaign also overlaps with a pattern Gridinsoft has covered before in Microsoft AiTM phishing and older W3LL phishing kit activity: the page is only the visible part. The real damage often comes after login, when attackers use stolen credentials or sessions to read mail, reset passwords, create persistence in the mailbox, or move into payment and supplier conversations.

Useful detection is therefore more specific than telling users to avoid suspicious links. Watch for newly received links that land on personal or project-hosting subdomains, redirects from benign-looking paths to Microsoft or Google login clones, and login attempts that follow shortly after a user opens an email link. For Microsoft 365 environments, check impossible travel, unfamiliar MFA prompts, newly consented apps, inbox rules, and mail forwarding. For public-facing sites, a sudden directory containing phishing HTML, encoded JavaScript, or unfamiliar redirect files can indicate that the site itself has been pulled into the campaign.
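The correlation described above, as an added example that is not code from the SOCRadar report or the Gridinsoft article: it walks constructed proxy and sign-in logs, flags a visit that came from a project-hosting subdomain and landed on a login look-alike, and reports it only when the same user signed in shortly afterwards. The log layout, the ten-minute window and the hosting suffixes other than github.io are assumptions.

```python
"""Correlate web-proxy visits with sign-in events to surface the HookedWing-style
chain: a click on a project-hosting subdomain, a redirect to a login look-alike,
then a sign-in shortly after. Log lines are constructed; their layout is assumed."""
from datetime import datetime, timedelta
from urllib.parse import urlparse
# Hosting surfaces that receive the first click. github.io is named in the
# SOCRadar report; the other two suffixes are assumptions for illustration.
HOSTING_SUFFIXES = (".github.io", ".pages.dev", ".netlify.app")
# Brand or login keywords a look-alike page tends to carry in host or path.
LOGIN_HINTS = ("microsoft", "office365", "outlook", "login", "signin", "docusign", "adobe")
WINDOW = timedelta(minutes=10)  # sign-in must follow the clone visit this soon

# Constructed proxy log, one visit per line: "time user url referrer"
PROXY_LOG = """2026-05-02T09:14:02 alice https://invoice-view.github.io/doc -
2026-05-02T09:14:05 alice https://sso-verify.example.net/login.php?next=/ https://invoice-view.github.io/doc
2026-05-02T09:16:40 bob https://docs.github.io/en/pages -
"""
# Constructed sign-in log: "time user result country"
SIGNIN_LOG = """2026-05-02T09:15:10 alice success NG
2026-05-02T09:30:00 bob success US
"""

def _parse(text, fields):
    rows = [dict(zip(fields, line.split())) for line in text.strip().splitlines()]
    for r in rows:
        r["time"] = datetime.fromisoformat(r["time"])
    return rows

def is_hosting_surface(url):
    return urlparse(url).netloc.lower().endswith(HOSTING_SUFFIXES)

def looks_like_login_clone(url):
    p = urlparse(url)
    return any(h in (p.netloc + p.path).lower() for h in LOGIN_HINTS)

def find_suspicious_chains(proxy_text, signin_text):
    """Return (user, first_url, clone_url, signin_time) for each visit that came
    from a hosting surface, landed on a login look-alike, and was followed by a
    sign-in for the same user within WINDOW."""
    visits = _parse(proxy_text, ("time", "user", "url", "referrer"))
    signins = _parse(signin_text, ("time", "user", "result", "country"))
    hits = []
    for v in visits:
        if not (is_hosting_surface(v["referrer"]) and looks_like_login_clone(v["url"])):
            continue
        for s in signins:
            if s["user"] == v["user"] and v["time"] <= s["time"] <= v["time"] + WINDOW:
                hits.append((v["user"], v["referrer"], v["url"], s["time"].isoformat()))
    return hits
```

The referrer check is what keeps ordinary GitHub Pages browsing (bob's visit above) from firing; tune HOSTING_SUFFIXES, LOGIN_HINTS and WINDOW to your own environment.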

Another current example of targeted phishing tradecraft is FrostyNeighbor against Ukrainian government targets, where a PDF lure, geofencing, JavaScript PicassoLoader, and selective Cobalt Strike delivery make quick triage harder.

References

  1. SOCRadar: “Operation HookedWing: Exposing a Resilient Phishing Campaign Using GitHub Pages and Compromised Servers,” May 2026.

Related: The later Exchange Server CVE-2026-42897 advisory shows another mail-centered path where user interaction and server-side exposure meet.
