Threat researchers investigating phishing attacks encountered a less common technique in spear-phishing aimed at a top American company. The code behind the phishing page made sure that the threat actor got the right credentials for the company Active Directory and performed redirects to hide the attempt. The attack started with an email delivered on a Friday, at the end of business hours, with a subject and attachment referring to an internal financial report. The attackers also made sure to scatter their traces as much as possible to make tracking them more difficult.
Source: https://www.bleepingcomputer.com/news/security/office-365-phishing-runs-real-time-check-of-stolen-domain-logins/

