Attack Library
DocuSign Impersonator Sends Bogus Tax-Related Email to Lure Target to Credential Phishing Website
By posing as a trusted brand and manufacturing a sense of urgency, an attacker hopes to deceive a target into providing sensitive information.
Attacker Compromises Vendor Account and Uses Confluence Page to Attempt Credential Theft
A threat actor masks a phishing link to a fake Microsoft login page in a Confluence notification sent from a compromised vendor account.
Threat Actor Poses as Vendor and Sends Fake QuickBooks Notification to Attempt Credential Theft
A threat actor fabricates a QuickBooks notification and sends a target a phishing link, purportedly to a password-protected overdue invoice.
Threat Actor Compromises Account of Construction Project Manager and Uses Content-Sharing Platform to Send Fake RFP
An attacker attempts to trick a target into revealing sensitive information by using a compromised email account and a legitimate content-sharing platform.
Attacker Impersonates Company Admin in Clever Credential Phishing Attempt
A threat actor uses a fake message delivery failure notification and fabricated authentication processes to try to convince a target to reveal sensitive information.
Credential Phisher Uses Legitimate Email Marketing Platform to Send Fake Voicemail Alert
After compromising a Constant Contact account, the attacker impersonates a law firm and sends a fake voicemail notification to attempt credential theft.
Threat Actor Poses as Microsoft and Leverages Open Redirect in Clever Credential Phishing Attack
After registering a legitimate Microsoft-based email account, an attacker sends a fake Microsoft voicemail notification to deceive a target into entering sensitive information.
Attacker Uses Compromised Email to Send Fake Microsoft OneDrive Notification in Credential Phishing Attack
A threat actor exploits the reputation of an established domain to send an email with an embedded image of a fabricated file-sharing notification linked to a phishing page.
Microsoft Impersonator Uses Malicious QR Code in Credential Phishing Attack
An attacker emails a fake password expiration notification with a malicious QR code linked to a phishing site.
PayPal Impersonator Uses Spoofed Email Hosted on Legitimate Domain to Attempt Credential Theft
An attacker mimics PayPal branding and uses an Outlook address with a spoofed sender name to compel a target to click a malicious link.
Vendor Impersonation Attack Utilizes Salesforce Link in Attempt to Steal Sensitive Information
After compromising a vendor’s domain, an attacker attempts to compel a target to click a phishing link disguised as a shared document.
Microsoft Impersonator Spoofs Voicemail Service and Uses QR Code in Attempted Credential Theft
By crafting an email that resembles a voicemail notification from Microsoft, an attacker hopes the target will scan a malicious QR code that leads to a credential phishing website.
Adobe Acrobat Sign Impersonator Sends Fake Document Notification Linked to Branded Office 365 Phishing Page
An attacker attempts to steal sensitive information using a fraudulent electronic signature request for a nonexistent NDA.
Attacker Uses Spoofed Domain to Send Fake Voicemail Notification Linked to Phishing Page
An attacker mimics a voice messaging service to lure a target to enter login credentials on a counterfeit landing page.
Threat Actor Sends Fake DocuSign Notification of Payroll and Benefits Update in QR Code Phishing Attack
An attacker attempts credential theft via a PDF attachment with DocuSign branding containing a QR code linked to a phishing site impersonating a Microsoft login page.
IRS Impersonator Sends Fake eFax Notification Regarding Tax Documents to Attempt Credential Theft
An attacker capitalizes on the inherent urgency of tax season and attempts to trick a target into clicking a malicious JPG to view purported tax documents.
Capital One Impersonator Creates Authentic-Looking Landing Page in Credential Phishing Attempt
Using a legitimate sending domain as a mask and a spoofed display name, an attacker pretends to be from Capital One’s customer service team to steal login credentials.
Vendor Impersonator Uses Cleverly-Designed Fake Microsoft Excel Spreadsheet to Attempt Credential Theft
After spoofing a legitimate domain, an attacker uses a fake password-protected financial document to steal sensitive information.
Threat Actor Impersonates Santander Consumer Bank in Credential Phishing Attack
An attacker poses as a bank representative and creates a sense of urgency regarding the target’s credit card to compel them to click an embedded phishing link.
PayPal Impersonator Uses Social Engineering and Masked Phishing Link to Attempt Credential Theft
A phisher uses a spoofed domain to send a malicious email that incorporates PayPal's branding and creates a sense of urgency around potential account closure.
Vendor Impersonator Uses Fake Invoice Notification In Credential Theft Attempt
By compromising a legitimate domain, an attacker hopes to entice the target to a credential phishing website where sensitive information like payment details can be stolen.
Phisher Impersonates Amazon and Reports Issue with Prime Membership to Prompt Target to Share Sensitive Information
Threat actor attempts to fraudulently obtain credentials and/or payment details using Amazon-branded PDF containing an embedded phishing link.
DHL Impersonator Spoofs Legitimate Domain to Send Fake Failed Shipment Notification in Phishing Attack
An attacker attempts to steal sensitive information by encouraging the recipient to use a masked phishing link to update their shipping address for a pending delivery.
Threat Actor Spoofs Legitimate Domain in Dual Credential Phishing Attack and Fake Billing Scam
An attacker attempts to steal login credentials and also reroute payments by sharing a fraudulent invoice behind a fake Adobe Acrobat login screen.
HR Impersonator Provides Fake Payroll Update in Credential Theft Attempt
By creating a sense of urgency and using official-sounding language, an attacker attempts to compel the target to click a phishing link purportedly related to payroll updates.
NDM Hospitality Impersonator Hijacks Email Thread in Convincing Credential Phishing Attack
An attacker compromises a vendor account and sends the target a fake Microsoft SharePoint link purportedly to a time-sensitive service agreement.
University HR Admin Impersonator Uses QR Code and Fake Microsoft Login Page in Credential Theft Attempt
Using official-sounding language, university branding, and a believable premise, an attacker attempts to steal sensitive information.
Attacker Compromises Legitimate Account and Embeds Phishing Link in Fake QuickBooks Payment Notification
Using a compromised email address, the threat actor sends a purposefully vague payment confirmation with an embedded phishing link.
Threat Actor Exploits Dynamics 365 Customer Voice in Phishing Attack Targeting Executive at Global Insurance Distributor
An attacker compromises an external account and embeds a phishing link in a Microsoft survey tool disguised as a document-sharing notification.
OpenSea Impersonator Creates Fake Landing Page in Sophisticated Credential Phishing Attack
After compromising a known domain, the attacker creates a fake landing page that mimics OpenSea’s official website and leverages social engineering to create a sense of urgency and persuade the target to take action.
Cleverly Designed Credential Phishing Attempt Impersonates Microsoft and Utilizes Authentic-Looking Fake Landing Page
Using a real domain as a mask, an attacker sends an image attachment with a QR code to entice the target to follow the link to reauthenticate MFA on a fake landing page.
Credential Phisher Utilizes Look-alike Domain and Fake Microsoft SharePoint Landing Page to Steal Sensitive Information
An attacker gets engagement from the target after discussing an RFQ and uses Microsoft survey forms to create a spoofed SharePoint link to appear legitimate.
Attacker Exploits Trusted Brands and Impersonates Financial Services Provider to Attempt Credential Phishing
In this credential phishing attack, the threat actor sends a fake invoice payment confirmation with a phishing link obscured using a URL shortener.
AT&T Mail Impersonator Uses Google Slides to Mask Link to Phishing Site Disguised as Login Page
A threat actor sends an account expiration notification with a link to a Google Slides presentation containing an embedded phishing link.
Attacker Compromises Account to Send Malicious Link to Fake Microsoft Login Page Designed to Steal Sensitive Information
After compromising a pro-manchester email account, a threat actor uses Monograph to host a malicious link that sends the target to a fake Microsoft login page.
Canada Post Impersonator Uses Japanese Domain in Credential Theft Attempt
A threat actor spoofs a Japanese domain and impersonates Canada Post to prompt targets to click on a credential phishing link.
Attacker Compromises New Jersey Department of Health Email Account and Sends Fake Document with Masked Phishing Link
After compromising the account, an attacker creates a fake document purporting to be a faxed invoice that includes a masked phishing link.
Chase Bank Impersonator Utilizes Google Drive to Send Masked Phishing Link Embedded in PDF Attachment
By creating a sense of urgency around unauthorized account activity and using a display name that includes "Chase Bank," the attacker aims to compel the recipient to take action.
PayPal Impersonator Uses PandaDoc to Send Fake Document in Credential Theft Attempt
An attacker claims to be from PayPal investigating a fraudulent transaction and requests sensitive information from the target to complete a verification process.
Trust Wallet Impersonator Combines Email Spoofing and Social Engineering in Credential Phishing Attack
An attacker attempts credential theft by impersonating Trust Wallet and sending a phishing link disguised as an account verification page.
Multi-Layer Instagram Impersonator Creates Several Fake Landing Pages in Sophisticated Credential Phishing Attempt
An attacker informs the target about copyright infringement and provides a fake form and login page to steal login credentials.
HR Impersonator Spoofs Healthcare Advisory Company to Attempt Credential Theft
Using a “two-bridge[.]com” domain as a mask, an attacker sends a credential phishing email disguised as an HR department update regarding approval of a new company handbook.
UPS Impersonator Uses Compromised Account in Credential Phishing Attempt
After compromising a legitimate domain, an attacker impersonates UPS and asks the recipient to verify shipping information via a phishing link.
Attacker Uses Adobe Acrobat’s File Sharing System in Cleverly Designed Credential Theft Attempt
After compromising the email account of a Vanguard Cleaning Systems employee, an attacker creates a legitimate-looking PDF with a masked phishing link to steal credentials.
MetaMask Impersonator Disguises Credential Phishing Attack as Know Your Customer (KYC) Verification
Using a legitimate Turkish domain, an attacker attempts credential theft by applying social engineering to convince a target their cryptocurrency wallet is at risk of suspension.
Amazon Customer Service Impersonator Uses Masked Phishing Link in Credential Phishing Attack
An attacker pretends to be from Amazon customer service and informs the recipient that their account is locked because of suspicious account activity.
Chatham Financial Impersonator Utilizes Masked Phishing Link in Fake Billing Scam
After compromising a domain, an attacker creates a fake Microsoft SharePoint attachment viewer in an attempt to steal money and sensitive information.
Sophisticated Credential Theft Attempt Features a Compromised Domain and Fake Landing Page
After compromising a legitimate domain, an attacker creates a fake landing page and impersonates an internal IT admin to attempt credential theft.
Multi-Layered Credential Phishing Attempt Features a Compromised Domain and a Masked Phishing Link
After compromising a Titan Worldwide domain, an attacker pastes previous conversations and a masked phishing link into an email in an attempt to steal sensitive information.
Likely AI-Generated Credential Phishing Attack Features Impersonation of Medicare Australia
An attacker pretends to be from Medicare Australia and informs the recipient that their Medicare services have been suspended due to insufficient contact information.
National Health Service Spoofer Compromises Domain and Sends Masked Phishing Link in PNG Attachment
An attacker uses a legitimate NHS domain and Microsoft SharePoint to trick a recipient into clicking on a masked phishing link and exposing sensitive information.
Bank of America Impersonator Utilizes Google Drive to Send Masked Phishing Link Embedded in PDF Attachment
By creating a sense of urgency around unauthorized account access and using a sending domain that includes "Bank of America," the attacker aims to compel the recipient to take action.
Attacker Utilizes DocuSign to Send Masked Phishing Link Embedded in a PNG Attachment
By using a legitimate document-sending service, the attacker is counting on the recipient to engage with the attachment and expose sensitive information.
U.S. Department of Agriculture Impersonator Attempts Credential Theft Via QR Code in PDF Attachment
An attacker attempts credential theft by spoofing the USDA with an official-sounding message and a PDF attachment containing a QR code that leads to a phishing site.
Spotify Spoofer Attempts Credential Theft with Fake Login Page
An attacker pretends to be from Spotify’s customer support, inquiring about updating payment details, and creates a legitimate-looking fake Spotify login page where sensitive information can be stolen.
Clever Credential Phishing Attempt Features Fake Microsoft Office 365 Password Change Link
An attacker embeds a malicious link into an image file that looks like a Microsoft Office 365 password change alert and includes official-sounding written disclosures to increase credibility.
Credential Phisher Impersonates Internal Company Admin to Steal Sensitive Information
Using a real domain from the company as a mask, an attacker informs the recipient of blocked emails and provides links to help resolve the issue.
Coinbase Impersonator Attempts Credential Theft by Claiming Account Restriction
Hiding the actual sending domain behind a display name of "Coinbase," an attacker spoofs Coinbase's customer support to steal sensitive information.
Robinhood Impersonator Attempts Credential Theft With Fake Withdrawal Notification
By leveraging a domain similar to official Robinhood communications, an attacker attempts to steal sensitive information by creating a sense of urgency.
Sophisticated Attacker Impersonates a Company Admin and Utilizes Microsoft-Branded QR Code in Attempted Credential Phishing
An attacker creates a fake Microsoft-branded QR code and landing page to compel the recipient to enter sensitive information.
Vacation Planner Impersonator Attempts Credential Phishing with Compromised Account
An attacker gains control of a vacation resort’s customer service email address and attempts to steal sensitive information after informing the recipient of a refund.
Apple Impersonator Creates Fake Landing Page in Credential Phishing Attempt
An attacker cleverly designs a fake landing page that mimics Apple’s legitimate website to entice the recipient to input sensitive information.
TSB Bank Impersonator Uses Look-alike Domain in Likely AI-Generated Credential Phishing Attack
An attacker utilizes an unregistered look-alike domain as a mask to impersonate TSB Bank and steal sensitive information.
Netflix Impersonator Likely Utilizes Generative AI in Credential Phishing Attack
An attacker takes control of a legitimate domain to impersonate Netflix customer support in a credential theft attempt.
Attacker Takes Over Established Domain in Likely AI-Generated Credential Phishing
An attacker breaks into an 21-year-old email account and links to a malicious IPFS gateway to steal sensitive information.
Amazon Spoofer Attempts Credential Phishing with Look-alike Domain
Using friendly language and a hidden malicious link, an attacker impersonates Amazon to steal sensitive information.
Sophisticated USPS Impersonator Attempts Credential Theft in Multi-Layered Attack
An attacker likely uses generative AI to create a fake automated USPS message about incorrect address information, including links to a fake USPS landing page.
Investment Opportunity Spoofer Offers Financial Services in Likely AI-Generated Scam
An attacker offers business financing options and promises commission for all successful referrals using a spoofed address.
Freight Company Impersonated in Likely AI-Generated Credential Theft Attempt
An attacker utilizes a close resemblance freight company DAT One's domain in a credential theft attempt.
Australian Government Spoofer Promises Tax Refund in Likely AI-Generated Credential Theft
An attacker pretends to be from the “Australian Taxation Office” to steal the victim’s login credentials by promising a tax refund.
Debt Collector Spoofer Attempts Credential Theft
An AI-generated attack impersonates a debt collector and creates a sense of urgency to attempt to steal personal information.
Likely AI-Generated Attack Attempts Credential Phishing
An attacker uses a generative AI tool to spoof an insurance company, hoping to steal login credentials.
AI-Generated Credential Theft Attempted via Internal Company Impersonation
By leveraging urgency, an attacker sends an internal company communication in an attempt to steal credentials.
Kraken Exchange Spoofer Attempts to Steal Login Information
An attacker impersonates a popular cryptocurrency exchange and creates a fake website to steal login credentials.
Attacker Impersonates Apple to Request Billing Details
Using a cleverly disguised no-reply domain, an attacker poses as Apple customer support in an attempt to get billing details and other sensitive information.
Ivy League Health Director Compromised in Monkeypox Scare Spoof
By leveraging a recent public health crisis and targeting universities, the attacker hopes to elicit immediate action and steal email credentials.
Attempted Payment Fraud Using Lookalike Domain and Real Invoices Targets Manufacturing Company
Attackers pose as existing vendors and use lookalike domain and real invoices in attempt to fraudulently update payment information.
Phishing Attack Disguised as Notification Informing VP Storage Capacity Limit Exceeded
Attackers disguise phishing email to VP at financial institution as notification that full storage capacity has been reached and emails will no longer be delivered.
Fake Email Account Deactivation Notice with Phishing Link Targeting Online Retailer
Attackers pose as the internal support team at an online retailer and claim the recipient's email account has been queued for deactivation in an attempt to steal credentials or install malware.
Brand Impersonation Phishing Attack Targets VIP Using Fake Zoom Meeting Invite
This phishing attack leverages brand impersonation in an attempt to trick a VIP into clicking on a phishing link disguised as a Zoom meeting invite.
Phishing Attack Impersonates Real Estate Agent Sending Fake Document Notification to Lawyer
This phishing attack impersonated a real estate agent using dotloop, a real estate transaction management software, to trick the recipient into visiting a phishing website.
Credential Phishing Attack Poses as a Secure Message Shared by the IRS
This link-based attack impersonated the IRS using the pretext of sharing a secure ShareFile message that led to a phishing site designed to steal email credentials.
Phishing Attack Impersonating FedEx Steal Personal and Financial Data Using Captcha Protection and MFA Bypass
This phishing attack impersonated FedEx using a fake shipping notification pretext to direct a recipient to a captcha-protected phishing page created to steal personal and financial information using MFA bypass tactics.
Phishing Attack Uses Pretext of Shared Tax Documents to Steal Employee Credentials
This link-based attack incorporated a fake file attachment posing as shared tax documents that led to a phishing page meant to steal email credentials across multiple email providers.
Email Poses as an Incoming ACH Payment with HTML Attachment Leading to Branded Credential Phishing Page
This payload-based attack posed as a fake incoming ACH payment masked as an automated email from an internal company system, which contained an HTML attachment that led to a branded phishing page intended to steal the recipient’s credentials.
Phishing Attack Steals Credentials by Imitating HR Request to Review New Employee Handbook
This link-based attack imitated a company human resources email that announced the release of a new employee handbook, which included a link to a phishing page meant to steal an employee’s name and email credentials.
Payload Credential Phishing Attack Poses as an HR Announcement About New Employee Benefits
This payload-based phishing attack posed as an announcement from the company human resources team about updates to the company’s employee benefits package and requested the recipient review a supposed updated handbook, which actually opened a phishing page to steal account credentials.
Response-based Phishing Attack Impersonates CFO to Compromise Australian myGov Credentials
This attack impersonated a company CFO using a pretext of employee rewards and recognition to solicit a response leading to a request for Australian myGov credentials.
Credential Phishing Attack Poses as an Automated Aging Report Notification
This payload-based attack posed as an aging report being shared by an automated internal system that contained an HTML attachment leading to a credential phishing page.
Multi-Stage Credential Phishing Attack Uses Office365-themed PDF Attachment and Legitimate Adobe Hosting Infrastructure
This payload-based attack contained a Office365-themed PDF attachment with an embedded link to a legitimate Adobe page, which included another link to a final credential phishing page.
Credential Phishing Attack Poses as a Security Update to Enable End-to-End Encryption
This link-based credential phishing attack disguised itself as a security update to add end-to-end encryption on all employee devices.
Attack Impersonating Compromised Third-Party to Share Document Leads to OneDrive Phishing Page
This link-based attack exploited the compromised account of an external third-party to make it appear that a vendor was sharing a link to a document about new dues, when the link actually led to a OneDrive phishing page to steal credentials.
Credential Phishing Attack Masquerades as an Employee Training Invoice
This payload-based credential phishing email employed bypass tactics, including a hidden sender address and obfuscated text, to pose as an invoice for employee training.
Credential Phishing Attack Poses as a Location-based Security Alert
This payload-based credential phishing attack sent from a self-addressed spoofed email address posed as a security alert, indicating the user’s data had been accessed from a suspicious location and an HTML attachment needed to be reviewed or else their account would be locked.
Employee Sales Award-themed Credential Phishing Attack Impersonates Square
This link-based phishing attack impersonating Square used a pretext of an employee sales award to compromise account credentials.
Payload Credential Phishing Attack Incorporates a Tax Refund Theme
This payload-based attack was sent to a company executive using a tax refund theme as a pretext to get them to open an HTML file attached to a blank email, which led to a company-branded credential phishing page.
Executive Targeted in Attack Posing as Fake Financial Documents Distributed via SharePoint
This payload-based credential phishing attack targeted an executive with an email posing as financial documents shared via SharePoint and used foreign character substitution to bypass detection.
Executive Targeted in a Self-Addressed Escrow-Themed Credential Phishing Attack
This payload-based credential phishing attack sent from a self-addressed spoofed email account targeted an executive posing as a real estate document.
DocuSign Phishing Email Uses Fake Payroll and Retirement Worksheet to Steal Credentials
This payload-based credential phishing attack impersonated DocuSign and requested that recipients review employee payroll and retirement documents contained in an attached HTML file.
Credential Phishing Attack Poses as Executive’s Bonus Document
This payload-based credential phishing attack targeted an executive posing as an attached document needing review before receiving a company bonus.
Microsoft Password Expiration Pretext Used in Credential Phishing Attack
This phishing attack impersonates Microsoft using a password expiration theme to steal credentials via a malicious link.
Australian Tax Office Impersonated in Funds Transfer-themed Phishing Attack
This attack impersonates the Australian Taxation Office with a payment transfer theme and asks the recipient to validate their identity by leading them to a phishing page contained within an HTML attachment.
Wells Fargo Home Mortgage Payoff Quote Contains Credential Phishing Attachment
This attack impersonates Wells Fargo using a spoofed email address and a home mortgage payoff theme to steal credentials via an HTML attachment.
Blank Self-Addressed Spoofed Email Leads to Convincing Credential Phish
A spoofed email impersonates a settlement release in order to trick recipients into opening a phishing attachment.
Credential Phishing Email Tricks Employees Using Company HR Policy Changes
Attackers impersonate the human resources team to inform employees of salary increases, luring them to follow phishing links.
Adobe Acrobat Secure Fax Link Leads to Dropbox-Hosted Phishing Website
An attacker email containing an image of an Adobe Acrobat fax link leads to a phishing website hosted on Dropbox infrastructure.
Employee Benefits Eligibility Lure Used to Phish for Email Credentials
Attackers impersonate the HR department to deliver an updated Employee Benefits Eligibility Policy as part of a credential phishing attack.
DHL Fake Shipping Notification Used in HTML Credential Phishing Attack
Attackers impersonate DHL and ask the recipient to check their shipping documents, hidden behind a fake Microsoft 365 credential phishing page.
Paid Invoice Notification Used for Credential Phishing Attack
Attackers use an external compromised vendor account and a receipt confirmation to trick recipients into providing their Microsoft 365 credentials.
Fake Encrypted Secure Message Spoofed in Credential Phishing Attack
Attackers send what appears to be an encrypted message, similar to what you might receive from your bank, to trick recipients into providing Microsoft 365 login information.
Payroll Impersonation Designed to Elicit Quick User Response in Credential Phishing Attack
Attackers impersonate an encrypted Microsoft email focused on paystub registration to steal Microsoft 365 credentials.
DocuSign Brand Impersonation Leads to Credential Phishing Attacks
Attackers use well-known document management service DocuSign to trick users into providing Outlook login credentials.
Office 365 Image Evades Text Analysis in Credential Phishing Attack
Attackers rendered an Office 365 email as a single image file with an accompanying credential phishing link wrapping the image.
Salary Increase Update Sent to Steal Employee Credentials
Attackers impersonate the company payroll department to send a wage update that takes users to a OneDrive phishing page and steals Microsoft 365 credentials.