Cybersecurity researchers have identified ongoing phishing campaigns that exploit refresh entries in HTTP headers to distribute fake email login pages to steal user credentials.