Attack Library
Salesforce Sites Redirect Chain Phishing Uses SendGrid Wrapper and Bot Verification Protection
A phishing attack impersonates business platform access notifications, using a SendGrid link wrapper and a Salesforce Sites redirect chain with Cloudflare Turnstile protection to bypass detection systems.
Multi-Stage Cloudflare Workers Phishing Uses Compromised Account and Legitimate Platforms
A phishing attack uses a compromised third-party account to deliver financial-themed emails linking to legitimate platforms that redirect through Cloudflare Workers infrastructure to hide phishing sites.
University Credential Phishing Attack Leverages Compromised Domain and No-Code Platform
A phishing attack uses a compromised account to send university emails linking to credential harvesting forms hosted on the legitimate no-code platform Jodoo.com.
Google DKIM Replay Attack Uses Legitimate Infrastructure for Legal Subpoena Phishing
A phishing attack abuses DKIM replay techniques to bypass security filters while impersonating Google Legal Investigations Support using legitimate Google Sites hosting and spoofed authentication.
QR Code in Fake Benefits Handbook Links to Phishing Site
A phishing email impersonates HR and shares a fake employee benefits handbook. The attached file contains a QR code that links to a credential harvesting site.
Phishing Email Uses Dropbox Bait and AWS App Runner to Host Webmail Login Scam
An attacker impersonates a project manager to deliver a Dropbox file link that leads to a fake webmail login page hosted on AWS App Runner.
Fake Box Document Preview Redirects to Microsoft Login Phish
A phishing email disguised as an RFP links to a spoofed Box document preview, ultimately redirecting users to a fake Microsoft login page for credential theft.
Fake GitHub Alerts Trick Developers Into Granting OAuth Access
Attackers exploit GitHub Issues to send fake security alerts and abuse OAuth apps to hijack developer accounts without stealing passwords.
Gamma-Hosted File-Sharing Phishing Attack Uses Cloudflare Turnstile to Evade Detection
A malicious email links to a Gamma-hosted presentation that redirects to a Cloudflare Turnstile-protected phishing page impersonating Microsoft to steal credentials.
Threat Actors Leverage PandaDoc and Dropbox to Deliver Decoy File and Phish for Microsoft Credentials
Attackers use PandaDoc and Dropbox links to disguise credential phishing behind a decoy document and bypass secure email gateways.
Phishers Spoof Netflix and Send Fake Account Closure Notice to Steal Sensitive Information
Attackers impersonate Netflix and manufacture a sense of urgency to trick employees into clicking a malicious link.
Attackers Leverage Fake Zoom Invites to Deliver Remote Access Tool During Tax Season
A phishing email disguised as a Zoom invite tricks targets into downloading ScreenConnect, giving attackers remote access to the target's computer.
Job Application Lures Use Dropbox-Hosted Resume to Deliver Remote Access Trojan
A fake CV hosted on Dropbox delivers a multi-stage VBS loader, ultimately dropping Remcos RAT after geofencing and sandbox checks.
Fake Amazon Web Services Billing Notification Used in Credential Theft Attempt
Attackers impersonate Amazon Web Services and deceive targets into visiting a phishing site under the guise of viewing a billing statement.
QR Code Phishing Attack Uses Embedded MHT Files in Payroll-Themed Documents
A salary-themed phishing email delivers a DOCX file with an embedded MHT and hidden QR code that leads to a phishing site.
Cybercriminals Send Fake PayPal Security Alert from Spoofed Address to Steal Account Details
By impersonating PayPal and claiming an account update is required, attackers hope to deceive targets into visiting a phishing page and providing login credentials.
Attackers Mimic ADFS Login Pages to Steal Credentials and Bypass MFA for Account Takeover
A phishing email spoofing IT notifications leads users to a fake ADFS login page, capturing credentials and MFA tokens to enable account takeover.
Citibank Impersonators Send Fake Account Update Alert from Spoofed Address in Credential Phishing Attempt
Attackers mimic Citibank security alerts to trick users into visiting a fake login page and divulging sensitive information.
Attackers Impersonate Coinbase and Send Fake Binance Payment Notification in Cryptocurrency Scam
Claiming the recipient has passively earned thousands of dollars in Bitcoin, threat actors attempt to deceive them into visiting a malicious credential-harvesting site.
Adaptive Phishing Attack Uses Whimsical and Lucid to Deliver Microsoft 365 Credential Phish
A phishing campaign uses a trusted vendor account and the design platforms Whimsical and Lucid to deliver a fake Microsoft 365 login and steal user credentials.