tl;dr Block these domains and you’ll have broken several links in this attack’s kill chain:
Webhook[.]site
My-board[.]org
ngrok-free[.]app
rf[.]gd
If you followed @badsamurai’s advice and used his block lists, you’d have already blocked a couple of them.
https://www.recordedfuture.com/research/gru-linked-bluedelta-evolves-credential-harvesting #cybersecurity