A phishing campaign targeting executives at a variety of organizations. The phishing emails, in most cases, are sent via an RDP service hosted by FireVPS. The body of the email directs a user to click a link in order to prevent their Office365 password from changing. The link leads to a compromised site hosting an Office 365 phishing kit. The URLs used for the phishing kit follow a similar pattern. The phishing kit logs any entered credentials to be retrieved by the attackers. The researchers identified a few phishing kits that were misconfigured, allowing them to view the content of the log files, which included potential attribution information regarding the developer of the phishing kit. Investigating the phishing kit developer, they discovered the kit being advertised and sold on Facebook with the earliest version being released in July 2019. During the course of their research, they also identified credentials of C-level users being sold on both English- and Russian-speaking forums.