Check this one out, i read an article on how this was done the other day (How they are trying to use domain names that appear to be genuine) and low and behold we got an email.
Check the java script as well and see how they use that to inject. If i find the article i will post here.
http://urlquery.net/report.php?id=1476922199803
What i found interesting was this
if (window.location.hostname.split('.').pop().search(/edu|gov|mil/) < 0) {
Edited by JohnnyJammer, 19 October 2016 - 07:20 PM.