Windows Defender Security Intelligence’s Office 365 Threat Research team has uncovered a phishing campaign targeting Netflix and American Express that attempt to steal payment card information.

The campaign was detected on the weekend of March 16 and is still active, according to the Windows Defender Security Intelligence Twitter feed.

In each case the phishing emails purport to be from the host company with the Netflix note telling the recipients their account is on hold due to a problem with their last payment. Attached is a form that the victim is told to download, fill out and return.

“The Netflix campaign lures recipients into giving away credit card and SSN info using with a “Your account is on hold” email and a well-crafted payment form attached to the email, Windows tweeted.

In both cases the phishing emails are well constructed and with obvious typos or flaws that might give away the scam, the team said.

“Cyber criminals have been extremely successful at both designing the lure and monetizing their success, despite their re-use of techniques and themes such as threatening our Netflix accounts or suggesting something may be amiss with our credit or identity,” said Colin Little, Centripetal Networks senior threat analyst.