The World Cup Email Your Employees Will Actually Fall For | IRONSCALES

Written by Audian Paxson | Jun 12, 2026

Your employees are not going to fall for a fake ticket site. Most of them, anyway. The fake FIFA storefronts and crypto-only "hospitality packages" flooding social media right now are aimed at fans, and the security press has covered them thoroughly.

The email that lands in your employee's work inbox looks different. It looks like this one.

A bracket challenge from "The People Team." A prize for getting picks in before the first match. Branded, friendly, internal-looking, and arriving during a five-week window when every office on the continent is running some version of a World Cup pool. Nobody forwards that to security. They click.

That email is one of our phishing simulation templates, which I'll come back to. But it's modeled on what's actually happening. Arctic Wolf researchers found attackers targeting the organizations around the tournament, including fake career sites built to steal Google Workspace credentials and a weaponized "employee handbook" PDF sent to staff at a host city. The FBI issued a public service announcement in May about spoofed FIFA infrastructure. The fan scams get the headlines. The enterprise lures get the credentials.

BTW - it doesn't matter whether or not your company has anything to do with soccer. Event-themed lures don't check your industry. HR prediction pools, travel and expense policy updates for host cities, vendor hospitality offers, "stream the matches from your desk" perks. Every one of those is a credential harvest or payload delivery wearing a World Cup jersey, and every one of them works better between June 11 and July 19 than at any other time.

Why [your] filters will pass on most of this

The volume numbers are big. Arctic Wolf counted more than 10,000 World Cup-themed malicious domains registered since January. Other researchers counting more broadly put it at 19,000. But the number that should change how you think about this is smaller.

Group-IB mapped 4,300 fraudulent domains impersonating FIFA's web presence and found that only about 300 are actively running fraud. Roughly 3,800 are parked. Dormant. Registered as far back as August 2025 and sitting quietly, waiting for the knockout rounds.

Think about what that does to reputation-based detection. A domain registered ten months ago has aged past every "newly registered domain" rule you have. It has no spam history, no malware detections, no blocklist entries, because it hasn't done anything yet. The day it activates, it walks past domain-age checks and reputation scoring with a clean record. By the time threat feeds catch up, the campaign has rotated to the next batch of pre-aged infrastructure. (The attackers running these operations even have backup plans for their backup plans: Group-IB found four redirector domains registered the same day on the same IP, built specifically to survive takedowns.)

The sophistication doesn't stop at domain aging. One Chinese-speaking operator Group-IB tracks as GHOST STADIUM runs 300+ domains from a single phishing kit that clones FIFA's official PingIdentity SSO login flow with near pixel-perfect fidelity (the same playbook works for cloning your M365 login). Arctic Wolf documented attacker-in-the-middle phishing and QR-code lures in the same campaigns, both designed to sidestep link inspection entirely.

So the signature-and-reputation stack sees an aged domain, a clean sending history, a well-formed email, and a login page that looks exactly like the real thing.

What's left to catch it is behavior and intent.

- Does this sender have any history with the recipient?
- Does an HR prize announcement normally route through an external domain?
- Is this login page asking for credentials it has no business collecting?

That analysis happens at the message and mailbox level, which is exactly where our Adaptive AI and Phishing SOC Agent analysis live. It's also why this class of attack shows up so reliably in the teardowns we publish from real customer inboxes.
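The first two questions in the list above can be answered from message headers and mailbox history. The following is an added example, not code from the original post or from any IRONSCALES product; the organization domain, role-name list, registration date, and correspondence history are constructed assumptions. It runs a domain-age rule and the two behavioral checks against the same bracket-challenge message to show which one fires on a pre-aged domain.

```python
from datetime import date
from email import message_from_string
from email.utils import parseaddr

# Everything below is constructed for illustration (assumptions, not real data).
ORG_DOMAIN = "example.com"
INTERNAL_ROLES = ("people team", "human resources", "payroll", "it helpdesk")
NEW_DOMAIN_DAYS = 30  # assumed "newly registered domain" threshold
DOMAIN_REGISTERED = {"bracket-challenge.example.net": date(2025, 8, 14)}
PRIOR_SENDERS = {"alice@example.com": {"payroll@example.com", "bob@example.com"}}

SAMPLE = """\
From: "The People Team" <picks@bracket-challenge.example.net>
To: alice@example.com
Subject: Office World Cup Challenge: picks due before the first match

Submit your picks to win a prize.
"""

def domain_age_rule(sender_domain, today):
    """Reputation-style check: flags only domains registered recently."""
    registered = DOMAIN_REGISTERED.get(sender_domain)
    return registered is not None and (today - registered).days < NEW_DOMAIN_DAYS

def behavior_signals(raw_message, history):
    """Return (sender_domain, signals) based on sender history and routing."""
    msg = message_from_string(raw_message)
    display, sender = parseaddr(msg["From"])
    _, recipient = parseaddr(msg["To"])
    sender, recipient = sender.lower(), recipient.lower()
    domain = sender.rpartition("@")[2]
    signals = []
    # Question 1: has this sender ever corresponded with this recipient?
    if sender not in history.get(recipient, set()):
        signals.append("no_prior_history")
    # Question 2: internal-sounding role name arriving from an external domain?
    external = domain != ORG_DOMAIN and not domain.endswith("." + ORG_DOMAIN)
    if external and any(role in display.lower() for role in INTERNAL_ROLES):
        signals.append("internal_role_from_external_domain")
    return domain, signals

if __name__ == "__main__":
    domain, signals = behavior_signals(SAMPLE, PRIOR_SENDERS)
    print("domain-age rule fires:", domain_age_rule(domain, date(2026, 6, 12)))
    print("behavior signals:", signals)
```

The third question, about what the login page collects, needs the landing page content and is not covered here.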

What others are reporting

A quick sweep of the related news, because the research community has been busy. Group-IB's GHOST STADIUM report estimates $71M to $474M in losses from premium ticket fraud alone and identifies four independent threat actors, including a phishing-as-a-service supply chain selling pre-built World Cup fraud kits. Arctic Wolf documented the AitM, QR-code, and infostealer campaigns mentioned above. The FBI's IC3 alert covers FIFA website spoofing. Unit 42 flags ticketing scams, impersonation, and QR fraud as the most widespread risks. Kaspersky has even spotted $500,000 fake "grant" emails themed on the tournament. None of this is new behavior. Qatar 2022 drew 16,000+ scam domains and fake ticket apps in the Google Play Store. Paris 2024 saw one operation alone run 700+ fake ticketing domains, and French authorities took down 338 fraudulent ticket sites before the games. The infrastructure pattern repeats every cycle.

Test your people while the lure is live

Awareness training lands hardest when the simulation matches what's actually arriving. A generic password-reset simulation in June 2026 tests yesterday's threat. A World Cup bracket challenge tests this month's.

IRONSCALES customers can launch this in about three clicks. The Office World Cup Challenge email above is an example of our pre-built recommended campaigns, which come with the simulation email, landing page, training module, and send schedule already configured.

Pick the campaign, preview the content, launch. (Our Phishing Simulation Agent takes this further by using the same OSINT reconnaissance attackers use to build lures specific to your organization and your highest-risk employees, but for an event-driven moment like this, the recommended campaign is the fastest path.)

If you're building your own, these themes mirror the in-the-wild activity:

  • The office prediction pool. HR or "People Team" sender, bracket challenge, prize for early picks. Credential harvest behind the "submit your picks" link.
  • The travel policy update. "Updated T&E guidance for employees traveling to host cities." Attachment or link, urgency built in for anyone with summer travel booked.
  • The vendor hospitality offer. A partner or supplier "sharing" premium match tickets. Mirrors the compromised-vendor lures we see year-round, with a seasonal hook.
  • The streaming perk. "IT has licensed match streaming for all employees, log in to activate." Especially effective because employees are already hunting for ways to watch at their desks.
  • The FIFA account alert. Password reset or "suspicious ticket transfer" notice spoofing FIFA's SSO flow, the exact pattern GHOST STADIUM runs at scale.

Running it in Microsoft 365: the 2026 version

We published a step-by-step for this during the Paris Olympics. The wizards (there are 11 of them, yeah...just to launch a phishing simulation) have changed enough since then that following the old screenshots will get you lost, so here's the current flow.

You'll need Microsoft Defender for Office 365 Plan 2 (included in M365 E5) to use Attack simulation training.

  1. Open the wizard. In the Microsoft Defender portal (security.microsoft.com), go to Email & collaboration > Attack simulation training > Simulations tab, then Launch a simulation.
  2. Select technique. Credential Harvest fits the World Cup themes above. Note the newer options here too. OAuth Consent Grant and QR-code payloads now have first-class support, and QR simulations get their own reporting.
  3. Name the simulation. Use something your team will recognize when the helpdesk tickets start ("WC2026-BracketChallenge-Q3" beats "Test 4").
  4. Select payload and login page. Microsoft's global payload library still won't have a World Cup theme, so create your own under Tenant payloads. You'll pick the sender, subject, phishing URL (Microsoft provides a list of simulation domains), and body. Dynamic tags let you drop in the recipient's first name, department, or manager to raise believability. The Predict Compromise Rate button scores your payload before you commit.
  5. Target users. Start with a small pilot group before going org-wide. Filter by department, city, or group membership.
  6. Exclude users. This is now its own wizard step. Carve out executives mid-deal, employees on leave, or anyone else who shouldn't get the test.
  7. Assign training. Microsoft assigns its own training modules to users who fail, with a due date of 7, 15, or 30 days. You're limited to Microsoft's catalog here.
  8. Select the phish landing page. The page users see after they take the bait. Use a built-in page or create your own under Tenant landing pages.
  9. Configure notifications. Training assignments, reminders, and a positive reinforcement notification for users who report the simulation (a welcome addition since our last writeup).
  10. Set launch details. Launch now or schedule, and set the simulation duration. With the group stage underway, sooner beats later.
  11. Review and launch. Confirm the summary, send yourself a test first, then launch.

It works, and it's thorough. As I already said, it's also eleven wizard pages, a custom payload build, and a training catalog you can't customize, which is the honest trade-off against a three-click recommended campaign. Run whichever your team can actually execute this week, because the window is open now.

The calendar already tells you when this happens next

The tournament ends July 19. The dormant domains will burn down or rotate, the bracket-pool lures will stop landing, and this wave will fade. Then the 2028 Los Angeles Olympics enter the registration window, and CISA has already named that event (along with next year's Freedom 250 celebrations) as the next major-event security lift.

Event-driven phishing is one of the few threats that RSVPs in advance. Attackers registered World Cup domains ten months before kickoff. You get the same calendar they do. The difference between organizations that ride these waves out and organizations that get soaked is whether anyone acts on the calendar before the lures arrive. One anticipates. One investigates. One educates. That's how we built our agents, and it's a decent model for your security program too.