Attackers have a new tool that targets Microsoft 365 users at a massive scale.

Security researchers say a phishing platform called Quantum Route Redirect or QRR is behind a growing wave of fake login pages hosted on nearly 1,000 domains. These pages look real enough to fool many users while also slipping past some automated scanners.

QRR runs realistic email lures that mimic DocuSign requests, payment notices, voicemail alerts or QR-code prompts. Each message routes victims to a fake Microsoft 365 login page built to harvest usernames and passwords. The kit often lives on parked or compromised legitimate domains that add a false sense of safety for anyone who clicks.

Researchers tracked QRR in 90 countries. About 76 percent of attacks hit US users. That scale makes QRR one of the largest phishing operations active right now.

QRR appeared soon after Microsoft disrupted a major phishing network known as RaccoonO365. That service sold ready-made Microsoft login copies used to steal more than 5,000 sets of credentials including accounts tied to over 20 US healthcare organizations. Subscribers paid as little as 12 dollars a day to send thousands of phishing emails.

Microsoft’s Digital Crimes Unit later shut down 338 related websites and identified Joshua Ogundipe from Nigeria as the operator. Investigators tied him to the phishing code and a crypto wallet that earned more than 100,000 dollars. Microsoft and Health-ISAC have since filed a lawsuit in New York that accuses him of multiple cybercrime violations.

Other recent examples include kits like VoidProxy, Darcula, Morphing Meerkat and Tycoon2FA. QRR builds on these tools with automation, bot filtering and a dashboard that helps attackers run large campaigns fast.

QRR uses about 1,000 domains. Many are real sites that were parked or compromised which helps the pages pass as legitimate. The URLs also follow a predictable pattern that can look normal to users at a glance.

The kit includes automated filtering that detects bots. It sends scanners to harmless pages and sends real people to the credential-harvesting site. Attackers can manage campaigns inside a control panel that logs traffic and activity. These features let them scale up quickly without technical skill.

Security analysts say organizations can no longer depend on URL scanning alone. Layered defenses and behavioral analysis have become essential for spotting threats that use domain rotation and automated evasion.

Microsoft was contacted for comment but did not have anything to add at this time.

When attackers get your Microsoft 365 login they can see your email grab files and even send new phishing messages that look like they came from you. That can create a chain reaction that spreads fast.

To stay safe you should check the sender before you click. Take a second to look at who the email is really from. A slight misspelling an unexpected attachment or wording that feels off is a big clue the message may be fake.

Before you open any link hover your mouse over it to preview the URL. If it does not lead to the official Microsoft login page or looks odd in any way skip it.

Turn on multifactor authentication which adds an extra layer that makes it much harder for attackers to break in even if they have your password. Use options like app-based codes or hardware keys so phishing kits cannot bypass them.

Keep everything on your device up to date. Updates seal off security holes that attackers often rely on when building phishing kits like QRR.

If you need to visit a sensitive site type the address into your browser instead of tapping a link. Strong antivirus tools also help by warning you about fake websites and blocking scripts that phishing kits use to steal login details.

Most email providers offer stronger filtering settings that block risky messages before they reach you. Turn on the highest level your account allows to keep more fake Microsoft alerts out of your inbox.

Turn on Microsoft account sign-in notifications so you get an alert anytime someone tries to access your account. To do this sign in to your Microsoft account online open Security choose Advanced security options and switch on Sign-in alerts for any suspicious activity.