We just launched something we've wanted to do for a long time.
Attack of the Day is a new threat intelligence series where we publish real phishing attacks caught by IRONSCALES, one at a time, with full technical breakdowns. Not hypotheticals. Not simulations. Actual attacks that landed in real inboxes, bypassed real defenses, and got caught by our Adaptive AI and the 35,000+ security professionals in our threat intelligence community.
We announced the series at RSAC 2026 alongside the debut of our new AI agents, and the response has been strong. Turns out security practitioners actually want to see what's hitting inboxes right now, not a vendor blog post about "the evolving threat landscape." (Shocking, I know.)
This weekly recap, "Best of the Worst," is the companion piece. Every Friday, I'll summarize the attacks we published that week, call out the patterns worth tracking, and spotlight the one attack that made me stop scrolling. Think of it as your Friday afternoon briefing on what attackers were up to this week.
Since this is the first edition, I'm covering everything we've published since launch. Here's what 12 Attack of the Day posts look like in aggregate.
Between March 15 and March 26, we published 12 attack breakdowns.
Here's what jumped out.
Authentication means nothing to attackers anymore. The majority of these attacks passed SPF, DKIM, and DMARC checks. That's not a flaw in those protocols. They're doing exactly what they were designed to do: verify that the sending infrastructure is authorized. The problem is that attackers have figured out how to send from authorized infrastructure. They abuse legitimate SaaS platforms, compromise real accounts, and register lookalike domains with proper DNS records. Your email gateway sees a clean authentication header and waves it through.
Platform abuse is the new playbook. Multiple attacks weaponized trusted infrastructure: Amazon SES, ActiveCampaign, Cisco Secure Web, Azure, and others. The attackers are renting legitimate tools and riding their reputations past your filters (not building phishing servers from scratch).
Credential harvesting dominates everything. Nearly every post involved credential theft. BEC and payment fraud showed up too (including a French-language campaign that weaponized ActiveCampaign to harvest credit cards), but the overwhelming play is still "steal the password, own the account, move laterally."
Redirect chains are getting longer. Several attacks used multi-hop redirects to launder malicious URLs through trusted domains. One campaign bounced through SafeLinks, then Cisco Secure Web, then a compromised domain before landing on the credential harvesting page. By the time a scanner follows all three hops, the page has already served its payload and gone dark.
Finance and education are in the crosshairs. Financial services roles (CFOs, controllers, AP/AR teams) showed up repeatedly as targets. Education got hit too, including the attack I'm about to walk you through.
Of everything we've published so far, the attack that targeted a K-12 school district stood out. Not because it was the most sophisticated (some of the redirect-chain attacks were more technically complex), but because it exposed a fundamental gap that affects every organization relying on email authentication as a security layer.
The attack abused a legitimate nonprofit fundraising platform called GivingFunder. The attacker sent emails from the platform's real infrastructure, which meant SPF passed, DKIM passed, and DMARC passed. Every authentication check came back clean. The subject line ("Thank you for your application") was simple and professional. The body was sparse on purpose: a dark header reading "You're Eligible to Continue," a few lines about an active account, and a green "Review & Continue" button.
The real story was in the URLs. The call-to-action didn't link back to GivingFunder. It routed to jdkeusy[.]com, a privacy-protected domain registered months earlier with no visible web presence. The URLs used OpenSSL-encrypted tokens (you can spot them by the U2FsdGVk Base64 prefix, which decodes to "Salted__"). Each recipient got a unique, single-use link, which makes blocklist-based detection almost useless.
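The two signals described above (call-to-action links that leave the sending platform's domain, and per-recipient tokens carrying OpenSSL's "Salted__" magic behind the U2FsdGVk Base64 prefix) are easy to check mechanically. The following is an added example, not IRONSCALES code; the platform and attacker domains and the token blob are constructed, and the blob is only framed like an OpenSSL salted ciphertext, not real encryption.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Tokens that look like Base64/Base64url (16+ chars, optional padding).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")


def decodes_to_salted(token: str) -> bool:
    """True if a Base64 (or Base64url) token decodes to bytes starting with
    the OpenSSL 'Salted__' magic, i.e. the U2FsdGVk prefix on the wire."""
    tok = token.replace("-", "+").replace("_", "/")
    tok += "=" * (-len(tok) % 4)  # restore padding stripped for URL use
    try:
        raw = base64.b64decode(tok, validate=True)
    except (binascii.Error, ValueError):
        return False
    return raw.startswith(b"Salted__")


def url_tokens(url: str):
    """Yield candidate tokens from a URL's path segments and query values."""
    parts = urlsplit(url)
    yield from parts.path.split("/")
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        yield value


def triage_links(sender_domain: str, urls: list[str]) -> list[dict]:
    """One finding per URL: does the link leave the sender's (authenticated)
    domain, and does it carry a 'Salted__' blob as a single-use token?"""
    sender_domain = sender_domain.lower()
    findings = []
    for url in urls:
        host = (urlsplit(url).hostname or "").lower()
        off_platform = host != sender_domain and not host.endswith("." + sender_domain)
        salted = any(B64_TOKEN.fullmatch(t) and decodes_to_salted(t) for t in url_tokens(url))
        findings.append({"url": url, "host": host, "off_platform": off_platform,
                         "salted_token": salted, "suspicious": off_platform and salted})
    return findings


# Constructed sample: magic + 8-byte "salt" + 16 filler bytes, Base64-encoded.
FAKE_BLOB = base64.b64encode(b"Salted__" + bytes(range(8)) + b"\xaa" * 16).decode()
SAMPLE_URLS = [
    "https://mail.example-platform.org/unsubscribe?id=42",   # stays on platform
    f"https://attacker-example.invalid/review?t={FAKE_BLOB}",  # off-platform + token
]
```

Running `triage_links("example-platform.org", SAMPLE_URLS)` marks only the second link as suspicious, which is the combination a gateway relying on SPF/DKIM/DMARC alone never looks at.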
The target was a staff member at a public school district. No prior relationship with the sender. First-time contact from an external domain. The kind of signals that behavioral analysis catches immediately, but authentication headers ignore entirely.
Our Adaptive AI flagged it at 88% confidence. The community had already seen the sender fingerprint and link pattern across other organizations. What looked like a novel attack to this school district was already classified across our network.
This is the core problem with treating authentication as trust. SPF, DKIM, and DMARC verify that the sending server is authorized for the domain. They say nothing about whether the content is malicious. When attackers can register accounts on legitimate platforms and send phishing through those platforms' authenticated infrastructure, the entire gateway model breaks down.
For education institutions running lean security teams (and that's most of them), the gap is especially painful. The K-12 Cybersecurity Resource Center documented over 300 publicly disclosed cyber incidents affecting U.S. school districts in 2024 alone. These organizations can't staff a 24/7 SOC. They need security that works autonomously.
I'll be back next Friday with the next Best of the Worst, covering everything we publish between now and then. If you want the daily breakdowns as they drop, subscribe to Attack of the Day in our Threat Intelligence section.
And if you're curious how many phishing emails are getting past your current defenses right now, our SEG calculator can give you a number. Fair warning: it's probably higher than you think.