Threat Analysis: Malicious NPM Package Leveraged in O365 Phishing Attack www.fortra.com/blog/thre…

In early April 2025, Fortra’s Suspicious Email Analysis (SEA) team identified a novel and sophisticated phishing attempt targeting our clients. The threat actor’s goal was to harvest Microsoft O365 credentials. Phishing attacks are neither new nor rare, but the approach in this case is notable for its complexity and its creative use of modern technologies: a linked .htm file, AES encryption, calls to a well-known Content Delivery Network (CDN), and an npm package containing the malicious code. Each of these tactics has been observed before; this is, however, the first time Fortra has documented them being used together to deliver a Microsoft O365 phish. While the effectiveness of the campaign remains to be seen, combining these tactics is clearly an attempt to reach unsuspecting victims where they may be vulnerable.

The abuse of open-source repositories such as npm is well documented and poses a significant threat to organizations. These tactics have allowed threat actors not only to deliver malware and conduct supply chain attacks, but now also to host the code that delivers phishing URLs.
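A triage check for the attachment pattern described in the two paragraphs above, added here as an example and not code from Fortra's write-up: it parses an .htm attachment, lists script tags that load from CDNs known to serve npm package contents, and looks for AES/decrypt indicators in inline script. The CDN host list, the package name and both sample attachments are assumptions constructed for the example; the page names neither the CDN nor the package, so the lists should be tuned to what your own mail telemetry shows.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for illustration: public CDNs that serve npm package files directly.
# The original write-up does not name the CDN that was abused.
NPM_CDN_HOSTS = {"unpkg.com", "cdn.jsdelivr.net", "cdnjs.cloudflare.com"}

# Crude indicators that an attachment decrypts an embedded blob at runtime.
AES_INDICATORS = re.compile(r"\bAES\b|\bdecrypt\b", re.IGNORECASE)


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from an HTML file."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def _is_npm_cdn(url):
    host = (urlparse(url).hostname or "").lower()
    return host in NPM_CDN_HOSTS or any(host.endswith("." + h) for h in NPM_CDN_HOSTS)


def triage_htm(html_text):
    """Return the npm-CDN script references, AES indicator hits and a verdict."""
    collector = ScriptCollector()
    collector.feed(html_text)
    npm_cdn_scripts = [s for s in collector.srcs if _is_npm_cdn(s)]
    aes_hits = sorted({m.group(0).lower() for m in AES_INDICATORS.finditer("\n".join(collector.inline))})
    signals = int(bool(npm_cdn_scripts)) + int(bool(aes_hits))
    verdict = {0: "clean", 1: "review", 2: "suspicious"}[signals]
    return {"npm_cdn_scripts": npm_cdn_scripts, "aes_hits": aes_hits, "verdict": verdict}


# Constructed sample attachments (not artifacts from the campaign).
SAMPLE_PHISH_HTM = """<html><head>
<script src="https://unpkg.com/some-package@1.0.0/dist/bundle.js"></script>
</head><body>
<script>
  // decrypt the embedded blob with AES and inject the login form
  var page = AES.decrypt(payload, key);
  document.write(page);
</script>
</body></html>"""

SAMPLE_BENIGN_HTM = """<html><head>
<script src="https://www.example.com/app.js"></script>
</head><body><script>console.log("hello");</script></body></html>"""


if __name__ == "__main__":
    for name, doc in (("phish", SAMPLE_PHISH_HTM), ("benign", SAMPLE_BENIGN_HTM)):
        print(name, triage_htm(doc))
```

Both signals together are what make the attachment worth escalating; an npm CDN reference alone is common in legitimate mail-merged HTML, and a "decrypt" string alone appears in plenty of ordinary bundles, so the check reports each separately rather than a single boolean.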
