Every week, we publish real phishing attacks caught by IRONSCALES in our Threat Intelligence series. Not simulations. Not theoretical scenarios. Actual incidents from real inboxes, with full technical breakdowns of what happened, why the attack worked (or nearly worked), and what defenders should watch for.
This is the second weekly roundup. It covers five attacks published the week of March 29 through April 3, 2026.
The first thing that jumped out: these five cases don't just share a threat category. They share an operating principle. In every case, the attacker deliberately leveraged legitimate infrastructure or security tooling as part of the attack chain.
Not to bypass the tools. To use them.
Three of this week's five attacks involved security or platform infrastructure being turned into camouflage. Not bypassed. Used.
In The Security Tools That Became the Camouflage, attackers routed a malware payload through two layers of legitimate vendor URL wrapping: TitanHQ link-lock and a Cisco secure-web redirect. URL scanners evaluating the link saw vendor domains at every hop and stopped looking. The actual destination, a .in domain with a broken TLS certificate flagged as malware, was invisible behind the outermost wrapper.
In When the Safety Wrapper Becomes the Disguise, Microsoft Safe Links rewrote a phishing URL on delivery, replacing a suspicious is.gd shortener with a Microsoft-branded safelinks.protection.outlook.com wrapper. The security feature designed to protect the recipient became the visual proof that the link was "safe."
And in Microsoft Bookings as a Weapon, attackers sent phishing through the actual Microsoft Bookings platform. SPF passed. DKIM passed. DMARC passed. The only signal that something was wrong was an ARC chain failure at hop 2, a header most security tools never check.
When the scanner evaluates a link and sees a known-good vendor domain, it has been taught (by the attacker) to stop looking.
Every attack this week passed at least some authentication checks. All five achieved SPF or DKIM pass. Four out of five passed DMARC. The exception was the most technically revealing case of the group. In SPF Passed. DMARC Passed. DKIM Didn't., a BEC email requesting ACH routing details and a signed W-9 passed SPF and DMARC but failed DKIM body-hash verification. That specific failure means the message body was modified after the original sender signed it. The relay chain ran through Proofpoint and Barracuda before hitting Microsoft Exchange. Somewhere in transit, the content changed. Most email security stacks treat "DMARC pass" as a green light. This case shows why that shortcut is dangerous: DMARC passed on the strength of SPF alone, while the one check that actually validates body integrity (DKIM body-hash) was screaming that something was wrong.
And then there was the attack with no technical payload at all. No malicious URL, no attachment, no credential harvest page, no malware.
The entire payload was a phone number.
A Google Calendar invite arrived on a Tuesday afternoon at a mid-size technology company. Subject line referenced a transaction. RSVP buttons. Google logo at the top. Below the invitation metadata: a billing notice for "CoreDefense Plus," $399.77 charged. "If you didn't make this purchase... call our customer care representative (808)-321-8085 (Toll Free)."
The links in the email pointed to calendar.google.com. They scanned clean, because they were clean. The .ics attachment contained no executable code, no embedded URLs, no alarm actions. Attachment sandboxes returned a clean verdict.
DKIM passed, because Google signed the message from its own infrastructure. The domain, scoolsd[.]com, was registered the same morning the email was sent. No SPF record. No reputation. No history. But that didn't matter to the URL scanners, because there were no URLs to scan.
This is callback phishing, also known as Telephone-Oriented Attack Delivery (TOAD). The FBI's 2024 Internet Crime Report puts BEC and related fraud at over $2.9 billion in U.S. losses, with phone-based social engineering a significant and undercounted contributor. The model is simple: create financial urgency, provide a phone number, and wait for the victim to call. On the other end is a live operator ready to extract credentials, payment details, or remote access.
The attack is specifically engineered to be invisible to every automated control in a standard email security stack. URL reputation checks had nothing to evaluate. Sandbox detonation found a clean .ics file. DKIM returned pass. The charge amount ($399.77) is high enough to trigger urgency but plausible enough for a software renewal. The fake product name mimics legitimate antivirus software. The toll-free number is cost-free to operate at scale.
Themis flagged this incident based on the combination of the freshly-registered domain, the absence of any SPF policy, behavioral patterns in the invite content consistent with financial-urgency social engineering, and community-level intelligence from similar vishing campaigns across the IRONSCALES platform.
Zero-link vishing doesn't fail against well-tuned URL filtering or mature sandboxing. It doesn't need to. It bypasses those controls by design.
See Your Risk: Find out how many threats like this your current security stack is missing
The five attacks we published this week are different in their mechanics but identical in their thesis: the tools and platforms your organization trusts are the attack surface.
A few concrete takeaways:
Attack of the Day publishes daily in our Threat Intelligence section. Next week: more attacks, more trends, more reasons to question whether your current stack is seeing what it needs to see.