Just a thought.
Lately, the phishing emails I have been seeing have a lot of subdomains like ww9.domain.tld.
I am so innocent about all this that I just took it to be that the malware script had picked up some load balancing on the real domain. Any script that checks URLs for malware will probably hit a 404 error.
But have the ISP send some junk from these invented URLs, and anything could be being injected.
Here are a few [edited] examples from recent phishing mails:
All the above give me an unknown server response, except for shell54.com, which blocks access to root.
The 'real' URLs come from the text part of the phishing mails.
Run for cover: where is my tinfoil hat?