ThreatSTOP’s Security, Intelligence, and Research Team has been closely analyzing the “Butcher Shop” phishing campaign initially discussed in Obsidian’s blog post. This campaign is sneaky and uses open redirect vulnerabilities, cleverly made phishing pages, and even legitimate platforms like Cloudflare Turnstiles to trick security systems. We’ve found a huge network of domains—many of which are short-lived and hosted in different countries—that are changing quickly, making it hard to stop them just by blocking them.

Below, we share the highlights of what we’ve uncovered so far, along with proactive ways to protect your organization.

Recap: The Butcher Shop Playbook

1. Phishing & Redirection

Emails carry links that appear to come from platforms like Canva, Google AMP, Dropbox's DocSend, or compromised WordPress sites, and those links often lead recipients to malicious pages.

2. Cloudflare Turnstiles

The phishing chain often presents a Cloudflare Turnstile (JavaScript challenge) page, which filters out automated tools while allowing genuine human users to proceed. This strategy prevents standard URL scanners from reaching and identifying the final phishing websites.

3. Malicious Scripts & MFA Bypass

Attackers employ scripts (such as bootstrap.js hosted on Tencent Cloud's CDN) to construct fake Microsoft 365 login pages. These scripts validate stolen credentials in real time and may bypass multi-factor authentication (MFA).

4. Short-Lived Domains

Many Butcher Shop domains are created for only a few days before the attackers move on to their next target. To evade blocklists and domain-centric security measures, they frequently rotate their domains and use legitimate or semi-legitimate domain names.

ThreatSTOP Telemetry: What We’re Seeing

1. Domains and Locations

Our research confirms that attacks are reaching into many countries, including Pakistan (PK), China (CN), Australia (AU), the Czech Republic (CZ), and more. A few examples include:

1066591224.invoicingconstructionlaw.com -> PK

www.invocelaw.com -> Miancheng, GD, CN; BJ, CN

1780937851.brandlawdocs.com -> AU

5245323962.lawforconstruction.com -> Brno, 64, CZ

This geographic diversity underscores the attackers’ global footprint. Keep in mind the locations we're mentioning are where the DNS requests are coming from.

2. Domain Frequency

ThreatSTOP’s data shows recurring domain usage and repeated queries. A few noteworthy examples:

kline.lawyercloudservice.com: Queried 32 times

clouddocumenthosting.com: Queried 11 times

file-data.doclabcourt.com: Queried 8 times

Frequent queries to these domains suggest they are integral to the Butcher Shop infrastructure—likely hosting phishing pages, redirect mechanisms, or successful campaigns. 

3. Location Frequency

A breakdown of query origins reveals significant activity in:

London, ENG, GB (16 occurrences)

New York, NY, US (16 occurrences)

Beijing, BJ, CN (multiple occurrences)

Ashburn, VA, US (6 occurrences)

Yantai, SD, CN (6 occurrences)


4. Diversity Tactics

Some domains appear in several geographic locations—a telltale sign of attackers using Content Delivery Networks (CDNs) as mentioned above or multiple hosting providers to sidestep detection:

shaftdrillers.appdocumentvault.com: 4 unique locations

lawdocstorage.com: 3 unique locations

1manandman2.constructappsolution.com: 3 unique locations

Rotating IP addresses and servers fosters a whack-a-mole effect for defenders reliant solely on IP or domain blocklists.
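The three telemetry views above (queries per domain, queries per location, and domains seen from several locations) are all simple aggregations over DNS query records, and the numeric-prefixed subdomains in the examples are an easy pattern to flag. The script below is an added example written for this post; it is not ThreatSTOP's code or tooling. It assumes a constructed log format of one query per line (timestamp, client location, queried name), uses the domain names the post lists with constructed timestamps, locations and counts, and uses a deliberately naive "last two labels" rule for the registered domain (real deployments would use the Public Suffix List). The baseline set of previously seen domains is also constructed.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample telemetry (not ThreatSTOP data): one query per line,
#   <ISO timestamp> <client location, no spaces> <queried name>
# Domain names are the ones listed in the post; everything else is made up.
SAMPLE_LOG = """\
2025-01-06T09:12:01Z London,ENG,GB kline.lawyercloudservice.com
2025-01-06T09:12:07Z London,ENG,GB kline.lawyercloudservice.com
2025-01-06T09:15:44Z NewYork,NY,US clouddocumenthosting.com
2025-01-06T10:01:13Z Ashburn,VA,US shaftdrillers.appdocumentvault.com
2025-01-06T10:03:59Z Beijing,BJ,CN shaftdrillers.appdocumentvault.com
2025-01-06T10:04:20Z Yantai,SD,CN shaftdrillers.appdocumentvault.com
2025-01-06T11:30:02Z London,ENG,GB shaftdrillers.appdocumentvault.com
2025-01-07T08:45:10Z Brno,64,CZ 5245323962.lawforconstruction.com
2025-01-07T08:47:33Z PK 1066591224.invoicingconstructionlaw.com
2025-01-07T09:02:11Z NewYork,NY,US file-data.doclabcourt.com
2025-01-07T09:02:15Z NewYork,NY,US kline.lawyercloudservice.com
"""

# Constructed baseline: registered domains this organization had already
# resolved before the window above. Anything outside it is "newly seen".
KNOWN_DOMAINS = {"lawyercloudservice.com", "clouddocumenthosting.com"}

# Leading label made purely of six or more digits, like 1066591224.example.com
NUMERIC_LABEL = re.compile(r"^\d{6,}\.")


@dataclass(frozen=True)
class Query:
    ts: str
    location: str
    qname: str


def parse_log(text):
    """Parse the constructed log format into Query records (blank and # lines skipped)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, location, qname = line.split()
        records.append(Query(ts, location, qname.lower().rstrip(".")))
    return records


def has_numeric_prefix(qname):
    """True when the leftmost label is a long run of digits."""
    return bool(NUMERIC_LABEL.match(qname))


def registered_domain(qname):
    """Naive registered-domain extraction (assumption: last two labels)."""
    return ".".join(qname.split(".")[-2:])


def summarize(records, known_domains, min_locations=3):
    """Build the frequency, location and diversity views described in the post."""
    per_name = Counter(r.qname for r in records)
    per_location = Counter(r.location for r in records)
    locations = defaultdict(set)
    for r in records:
        locations[r.qname].add(r.location)
    # Names resolved from several distinct locations: the "diversity" signal
    spread = {n: len(s) for n, s in locations.items() if len(s) >= min_locations}
    numeric = sorted({r.qname for r in records if has_numeric_prefix(r.qname)})
    new = sorted({registered_domain(r.qname) for r in records} - set(known_domains))
    return {
        "queries_per_name": dict(per_name),
        "queries_per_location": dict(per_location),
        "spread": spread,
        "numeric_prefix_names": numeric,
        "new_domains": new,
    }


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG), KNOWN_DOMAINS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run on the constructed sample, the report singles out shaftdrillers.appdocumentvault.com as the only name resolved from four locations, lists the two numeric-prefixed names, and reports four registered domains absent from the baseline. In a real deployment the interesting output is the intersection: a newly seen domain that is also numeric-prefixed, or that immediately appears from many locations, is worth a closer look before it rotates away.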


Why These Findings Matter

Traditional email gateways often struggle to neutralize threats like Butcher Shop because the campaign leverages legitimate services and widespread hosting. Malicious domains are spun up—and taken down—faster than many block lists can keep pace. Even multi-factor authentication (MFA) can be partially bypassed if attackers insert themselves as a “man-in-the-browser,” collecting credentials and MFA tokens in real time.

For organizations in legal, government, and construction sectors, the stakes are particularly high—sensitive data, privileged communications, and critical infrastructure details might be at risk. However, Butcher Shop’s phishing arsenal could be retooled to target anyone, so staying proactive is essential for all industries.


How ThreatSTOP Proactively Protects You

Where standard point solutions fall short, ThreatSTOP’s comprehensive threat intelligence platform offers multi-layered, proactive protection:

1. DNS Defense Cloud

Rely on our global DNS infrastructure to shield against the newest malicious domains. We analyze DNS queries in real time, blocking newly spun-up Butcher Shop addresses before they trick unsuspecting employees.

2. DNS Defense

For those who prefer on-premises DNS servers, our actionable threat intelligence integrates seamlessly with your existing infrastructure. By applying our continuously updated protections, you reduce exposure to malicious redirect URLs.

Our Security, Intelligence, and Research team proactively creates protections for:

Command and Control (C2)

Peer-to-Peer Malicious Traffic

Phishing, SPAM, and Data Exfiltration

Distributed Denial of Service (DDoS)

Invalid Traffic and more

By automatically ingesting the latest threat indicators, your organization gains a decisive edge—shutting down phishers’ efforts before they escalate into large-scale compromises.


Ready to Elevate Your Protection?

For those interested in joining the ThreatSTOP family, or to learn more about our proactive protections for all environments, we invite you to visit our product page. Discover how our solutions can make a significant difference in your digital security landscape. We have pricing for all sizes of customers! Get started with a Demo today!

Connect with Customers, Disconnect from Risks