What Happened
SecurityWeek has published an analysis of Operation HookedWing, a credential-harvesting phishing campaign that has run continuously since at least 2022. Over four years, the operation has compromised more than 2,000 user credentials across more than 500 organizations spanning the aviation and travel, critical infrastructure, energy, financial services, government, logistics, public administration, and technology sectors.
The attack begins with phishing emails impersonating HR departments or internal colleagues, conveying authority and urgency without triggering immediate suspicion. Links in the emails direct victims to GitHub repositories that redirect through secondary infrastructure to landing pages that simulate a full-screen Microsoft Outlook login experience, pre-filled with the target organization’s branding. Once credentials are captured, the phishing kit validates them and logs the session. The infrastructure behind HookedWing has adapted over four years while keeping its core tactics unchanged.
Victim selection is not random. Analysis of recovered logs shows the campaign targets environments of high geopolitical relevance, with a particular focus on organizations whose credentials provide access to sensitive operational data, critical infrastructure systems, or high-privilege accounts that carry resale value on criminal markets. The campaign infrastructure remains active as of May 2026. (Source: SecurityWeek)
Why This Matters for Canadian Organizations
Canada’s exposure to Operation HookedWing is direct and structural. Canadian aviation — Air Canada, Porter, WestJet, and regional carriers — operates within the same targeting profile as the confirmed victims in the aviation and travel sector. Canada’s energy sector, including pipeline operators, utility companies, and oil and gas firms, fits squarely into the critical infrastructure and energy categories the campaign has prioritized. The logistics sector, including freight operators, port authorities, and supply chain companies, is also in scope.
Government organizations are a stated target category. Federal departments and provincial agencies using Microsoft 365 face the specific risk that the HookedWing phishing kit is built to harvest Outlook credentials — the entry point to email, SharePoint, Teams, and the broader M365 ecosystem. A single set of valid credentials gives an attacker persistent access to communications, document repositories, and, frequently, connected line-of-business applications.
The campaign’s four-year operational longevity means it has already had time to compromise accounts that may still be active. Security teams should treat this as a prompt to audit credential hygiene, not a future threat to prepare for.
What to Do
Search your Microsoft 365 sign-in logs for logins from GitHub-hosted redirect URLs or unfamiliar IP ranges in the past 90 days.
Enable conditional access policies that require managed devices or known locations for M365 authentication if not already in place.
Conduct phishing simulation exercises that specifically test HR and colleague impersonation scenarios, the exact lure format HookedWing uses.
Brief employees in aviation, energy, logistics, and government roles on the specific social engineering pattern: an email from a colleague or HR contact asking them to review a document or confirm their identity.
Rotate credentials for any accounts where users report clicking unexpected links, regardless of whether a breach is confirmed.
Review your Microsoft Entra ID sign-in risk policies and ensure anomalous logins trigger step-up authentication rather than silent failure.
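The sketch below shows one way to run the 90-day review for unfamiliar IP ranges. It is an added example, not code from SecurityWeek or the campaign analysis. It assumes sign-in logs exported as JSON records using the Microsoft Graph signIn field names; `KNOWN_RANGES` and the sample records are constructed placeholders. Because the kit validates harvested credentials, sign-ins that were stopped only at the MFA prompt are reported as well, since the password was still accepted.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Assumption: the organisation's own egress ranges (documentation prefixes here).
KNOWN_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:10::/48")]

# Entra error codes where the password itself was accepted:
# 0 = success, 50074/50076 = stopped at the MFA prompt.
PASSWORD_ACCEPTED = {0: "signed-in", 50074: "blocked-at-mfa", 50076: "blocked-at-mfa"}

def is_known(ip):
    """True if ip falls inside one of the organisation's known ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_RANGES)

def triage(records, now, days=90):
    """Return sorted (user, ip, outcome) for password-accepted sign-ins
    from outside KNOWN_RANGES within the last `days` days."""
    cutoff = now - timedelta(days=days)
    hits = set()
    for r in records:
        # Graph timestamps are UTC; drop fractional seconds and the trailing Z.
        when = datetime.strptime(r["createdDateTime"][:19], "%Y-%m-%dT%H:%M:%S")
        when = when.replace(tzinfo=timezone.utc)
        outcome = PASSWORD_ACCEPTED.get(r["status"]["errorCode"])
        if when < cutoff or outcome is None or is_known(r["ipAddress"]):
            continue
        hits.add((r["userPrincipalName"], r["ipAddress"], outcome))
    return sorted(hits)

def rec(user, ip, code, ts):
    """Build one constructed record in the Graph signIn shape."""
    return {"userPrincipalName": user, "ipAddress": ip,
            "status": {"errorCode": code}, "createdDateTime": ts}

# Constructed sample data; 50126 is a wrong-password failure.
NOW = datetime(2026, 5, 20, tzinfo=timezone.utc)
SAMPLE = [
    rec("alice@example.com", "192.0.2.15", 0, "2026-05-01T08:00:00Z"),
    rec("bob@example.com", "203.0.113.77", 0, "2026-05-02T09:30:00.1234567Z"),
    rec("carol@example.com", "198.51.100.9", 50074, "2026-05-03T10:00:00Z"),
    rec("dave@example.com", "203.0.113.77", 50126, "2026-05-03T10:05:00Z"),
    rec("erin@example.com", "198.51.100.9", 0, "2026-01-05T11:00:00Z"),
]

if __name__ == "__main__":
    for user, ip, outcome in triage(SAMPLE, NOW):
        print(user, ip, outcome)
```

Accounts reported as `blocked-at-mfa` still need a password reset: MFA stopped the session, but the credential is known to whoever submitted it.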






