Unsealed court documents show that the domains include “hotrnall.com,” “office356-us.org,” and “mai1.info,” among other copycat URLs. Microsoft says Thallium used one of the oldest tricks in the book to steal account credentials and other information from its victims: phishing, that is, sending emails that trick recipients into visiting copycat versions of trusted websites.