I do despair of the fact the criminals running these, keep going back to old methods - yes they work, but that's irrelevant (and of course, people will always be gullible), going back to old methods means there's no surprises - and I like surprises!
I processed a phish targeting Santander customers a few days ago (led to ~3GB of evidence for not just phishing, but a host of other things too - oh the joys). Already had the server cleaned up and secured as it was re-compromised whilst I was investigating.
In this case, the phish comes with an attachment (letter.html), that contains a link to;
This leads to;
This then leads to;
You'll not be surprised to learn, both the MITM and the phish, are housed on the same IP;
IP PTR: www17.pipni.cz
ASN: 43541 18.104.22.168/20 VSHOSTING VSHosting s.r.o.
And less surprised to learn, both domains are owned by the same miscreant;