Fake Microsoft OWA / corporate portal login page hosted on *.softr.app phishing lure

Fake Microsoft Outlook Web App (OWA) / corporate portal sign-in page hosted on a Softr.io free-tier subdomain (*.softr.app). Softr is a no-code web app builder; its free plan allows publishing at <org-name>.softr.app, sharing the softr.app HTTPS certificate and CDN reputation. Attackers publish a pixel-perfect OWA / M365 login form at a custom subdomain and send an email claiming the recipient's corporate email quota is full, their password has expired, or IT requires re-authentication. The *.softr.app domain borrows Softr's certificate authority trust, making the HTTPS padlock appear legitimate. The signal fires when: (1) a link to *.softr.app appears in the body AND (2) an OWA / Outlook / Microsoft 365 / corporate password-expiry or IT-re-authentication narrative is present AND (3) sender is NOT microsoft.com, office.com, microsoftonline.com, or softr.io. Distinct from the Microsoft-impersonation billing-phish family — this specifically targets the Softr no-code hosting abuse vector for enterprise credential harvest. Source: GC1 R12 council #3; Cofense M365 credential phishing 2025; APWG no-code hosting abuse track 2025.