All that JavaScript for… spear phishing?
ID: 34e225c7-4e15-53ac-96c2-6f459f970aeb
STIX ID: report--34e225c7-4e15-53ac-96c2-6f459f970aeb
Feed Name: NVISO Labs
This report analyzes a targeted spear-phishing campaign that uses HTML smuggling (obfuscated JavaScript with binary/hex arrays, base64 blobs, and AES-encrypted payloads) to deliver a chained payload. The chain ultimately loads an iframe pointing to attacker-controlled domains that present a Microsoft Office 365 login page and exfiltrate credentials. The write-up includes multiple sample hashes, domains/URIs, observed AES keys, and mitigation recommendations.
