Attack of the Day Teardown Archive
Every published Attack of the Day teardown, newest first. Each entry links to the full analysis.
2026
- A Trusted Domain, a Voicemail, and a Windows .EXE
- It Passed SPF, DKIM, and DMARC. It Was Still a W-2 Heist.
- A Fake Malwarebytes Renewal, Signed by Google
- Authenticated at Delivery, Forged at Origin
- The Phishing Kit That Rode In on a Calendar Invite
- The Encrypted PDF Your Scanner Trusts Is Hiding the Link It Cannot Read
- The Email With Nothing to Scan: A 1 MB HTML Attachment That Renders Its Own Phishing Page
- The Compliance Notice That Borrowed the Government's Words and the Carrier's Own DOT Number
- The OneDrive Share Notice Everyone Clicks, Undone by the Attacker's Own Broken Template
- The Name You Trust, the Domain You've Never Seen: A Photo Lure That Passed Every Auth Check
- A Phishing Link Wearing Two Security Vendors' Badges: Inside a Benefits-Enrollment Credential Lure
- When Authentication Passes and Malware Still Walks In: A PE Hidden Inside an Inline PNG
- The File Format Your Gateway Forgot: EPS Macros Hidden in a Logo ZIP
- The Payroll Memo Whose Link You Could Not Scan: QR Code Quishing Buried in a Word Attachment
- One Hyphen From Trusted: A Lookalike-Domain Vendor Impersonation That Beat the Eye and the Authentication Stack
- Four Days Old, Fully Authenticated: CEO Coaching International Impersonation Targets a Sports Technology Company
- Full Authentication Pass, Zero Legitimacy: How a 26-Day-Old Domain Ran ACH Fraud
- Seized and Still Dangerous: IP-Literal Download Link, Netlify Credential Page, and a VIP Target
- Legal Threat in Your Inbox: How a Gmail Shortlink Hides a Credential-Harvest Destination
- Forged Healthcare Sender, Two-Hop SaaS Redirect: How a Fake Invoice Opens a Phishing Chain
- A Construction Bid Invitation Hid a Compromised Website Behind a Legitimate-Looking PDF Label
- A Compromised Vendor Account Sent an ACH Redirect With a Fabricated Closure Deadline and Mismatched Phone Numbers
- A Free Gmail Account Impersonating an Internal Employee Asked Payroll to Change a Bank Account
- A One-Line Curiosity Hook Sent a K-12 Teacher to a Same-Day Phishing Domain on Port 8443
- A Fake Scotiabank Voicemail Was Actually an HTML File Asking You to Call an Attacker
- re: plans for party -- How a Compromised Argentine School Account Targeted K-12 in the U.S.
- Three Security Wrappers, One Redirect to a Google Docs Phishing Page
- The Government Card Alert That Lost Its Authentication in Transit
- The Law Firm Document That Linked to a Cleaning Company
- The Invoice Portal Link That Didn't Need a Password
- The Invoice That Originated from the Wrong Continent
- The Distribution Agreement That Arrived with a Thread Full of Latin
- An Employment Verification Request That Passed DMARC REJECT, Then Sent Replies to Someone Else
- A Medicare Attestation Request Sent Through Salesforce, Authenticated by the Victim's Own Domain
- The FedEx Freight Invoice That Came From Inside the CRM
- The Geek Squad Invoice That Forgot Which Brand It Was Pretending to Be
- The Invoice Email With No Text to Scan: Image-Only Payload From a Compromised Account With a Broken ARC Chain
- The Google Forms Editor Invite That Matched the Recipient's Name: Property Tax Survey as Social Engineering Pretext
- Microsoft's Own Message Recall Agent Delivered a Credential Harvest
- NetSuite Sent the Invoice. Oracle Signed It. The Payment Token Was the Weapon.
- Four Domains, One Email: The DocuSign Homoglyph That Rode a CDR Allow-List
- The Funding Approval That Passed Every Authentication Check
- The PDF That Passed Every Scan Without Being Read
- A Voicemail That Never Rang: How Attackers Chained Three ESPs to Launder Email Authentication
- The Fire Safety Spec That Was Hiding Malware for Five Months
- SPF Pass, DKIM Pass, DMARC Pass. Still Phishing.
- McAfee Invoice Scam Weaponized a Google Calendar Invite 71 Minutes After Domain Registration
- Three Google Domains, One Redirect Chain, and a Turkish Landing Page
- The $47,320 Invoice That Came With a W-9 and a Personal Bank Account
- The Collections Notice From a Fortune 500 Lab: Compromised Thermo Fisher Account via Oracle Cloud Relay
- The Contract Email That Wasn't Spelled the Way You Think: Unicode Homoglyphs, a QR Code, and a Marketing Gateway
- The Zoho Sign Request That Passed Every Check Except the Reply-To: Government Impersonation via E-Sign Infrastructure
- The FedEx Email That Salesforce Authenticated and Qualtrics Delivered: Data Harvesting Through Three Layers of Trust
- The SOC Alert That Came From a Compromised FinTech: An Authenticated BlueVine Sender Delivering a Typosquat Link Buried in Operational Context
- The Datadog Alert That Came From the Wrong Domain: Authenticated Brand Impersonation With All Links Pointing to Real Infrastructure
- The Password Reset That Came From an Auth0 Dev Tenant
- The Warranty Form With a Windows Executable Hidden Inside a GIF
- The SharePoint Share That Passed Every Check: A Compromised M365 Tenant With DMARC Reject and Tokenized Links
- The Webinar Invite That Came With an Apple Wallet Pass and a Three-Hop Redirect Chain
- The Spreadsheet That Arrived Twice: CR/LF Filename Obfuscation and a Base64 Shadow Payload
- The Bank Statement You Had to Unlock With Your Birthday: PII-Gated PDF Evasion From Authenticated Infrastructure
- The Reply-To Was One Letter Off: How a Typosquat Domain Turned a Gmail BEC Into a Payment Diversion
- Amazon Said You Owe $879. The Phone Number Was the Payload.
- The .com That Wasn't the .org: TLD Confusion in a Payroll Email With an Empty Body
- The Spreadsheet With No Macros and One Hidden Link: External Relationships in Office XML
- A School Email That Passed Authentication Twice, Then Changed: Post-Signing Content Injection via Compromised .sch.uk Domain
- The Teams Invite That Came From the Wrong Domain: Display-Name Impersonation With All-Legitimate Links
- The .pro Domain That Built a Perfect M365 Tenant Just to Send One Google Docs Link
- Perfect Authentication, Zero Payload: The Yahoo Free-Mail BEC That Microsoft Flagged but Didn't Block
- The Government Email That Authenticated Itself After Transit
- The PayPal Invoice That Passed Every Check Because PayPal Actually Sent It
- A Generic Extortion Template, a Mailgun Relay, and a Domain Registered to Look Legitimate
- The Unsubscribe Button Was the Payload: How a Fake Health Email Weaponized Opt-Out Compliance
- A Fully Authenticated Bank Alert Hides Its Payload in a Phone Number
- The Security Tool That Delivered the $48,500 Invoice Fraud
- When Google Is the Phishing Infrastructure: Authenticated Credential Harvesting via Search Console
- Insurance Claim PDF Hides JavaScript Behind AcroForm Fields and SendGrid Redirects
- DocuSign Plus Invoice: A 12-Day-Old Domain and an esvalabs Redirect Chain That Scanners Missed
- 3 Messages on Hold: How an Authenticated Australian Domain Posed as a Security Center
- Three Domains, One CEO: How a Payroll Group BEC Used Mailjet to Bypass Every Filter
- RE: Christopher: How a Thread Hijack Rode Salesforce Marketing Cloud Into the Inbox
- DocuSign Phish Weaponizes Google Maps as a Redirect Proxy to Amazon S3
- When the Phishing Kit Ships Early: Exposed Template Variables Reveal Attack Infrastructure
- The Attachment Inside the Attachment: How Nested RFC822 Messages Evade Parser-Based Detection
- Hungarian Bank, Nepali Domain, Broken Encoding: How a K&H Bank Phishing Kit Exposed Itself
- Sign Here, Get Phished: Inside an Adobe Sign Lure With a Multi-Hop Redirect to Credential Theft
- One Missing Letter, One Stolen Payment: A Reply-To Typosquat That Beat the Spam Score
- The Zoho Invoice That Was Four Months Late (And Kept Its Receipts on Google Drive)
- The URL That Put adobe.com in the Wrong Place
- The PDF Scanner Couldn't Open the Attachment (But the Victim Could)
- Three Domains, One Invoice: The Payment Diversion That Authenticated Itself Through the Wrong Organization
- An Encrypted Attachment, an Empty Body, and a Scanner That Couldn't Look Inside
- The DocuSign That Lived on an S3 Bucket (and Couldn't Decide Who Sent It)
- Past Due Invoice, Future Wire Fraud: How a BEC Campaign Passed Every Authentication Check
- The Zelle Confirmation That Couldn't Spell Its Own Name: Template Artifacts, Placeholder Leaks, and a TOAD Callback
- The Childcare App That Passed Every Security Check (The Reply-To Header Didn't)
- The Subdomain That Fused Two Trusted Brands Into One Convincing Lie
- The Password Expiry Email That Hid Its Destination in a Base64 Fragment
- Purpose-Built Look-Alike Sending Domain Passes Full Authentication to Impersonate Training Brand
- The Timestamp That Gave It Away: Oracle Identity Cloud Phishing Targets K-12 with a Stale Timezone
- The GitLab Alert That Passed Every Filter (Except One Detail Nobody Checked)
- The DocuSign Lure That Used Google as a Trust Shield (And Encoded Your Email in the Link)
- When Your Security Vendor's OAuth Endpoint Is the Phishing Link
- The Mimecast Wrapper That Made a Phishing Link Look Safe
- The USPS Link That Looked Right Until It Wasn't
- DMARC Said Reject, the Gateway Said Deliver: Anthem Notification With Broken Authentication and a Casino Helpdesk
- The Button Text Was the Weapon: Unicode RTL Obfuscation Inside a DocuSign Lure
- The Email That Shipped With Its Template Tokens Still In It (And Still Worked)
- The Payload Was a Phone Number: How a Google Calendar Invite Weaponized Vishing
- When the Safety Wrapper Becomes the Disguise: Brazilian NF-e Phishing via Safe Links Rewrite
- SPF Passed. DMARC Passed. DKIM Didn't. What That Combination Actually Means.
- Microsoft Bookings as a Weapon: When DMARC Says Trust Me and ARC Quietly Disagrees
- The Rocket Mortgage Notification That Passed DKIM but Led to a Domain With No Mortgage Business
- Two Security Vendors Scanned This Link and Both Said Clean
- A Phishing Ticket Nobody Opened: How Autotask Became the Attack Vector
- The Email That Passed Every Security Check (Because Adobe Sent It)
- The DocuSign Portal That Was Two Days Old and Spelled Wrong: Typosquat Credential Harvesting via SendGrid Redirect
- The Tax PDF That Every Scanner Declared Clean (It Wasn't)
- No SPF. No DKIM. No DMARC. No Problem (For the Attacker).
- The Vendor Thread That Bit Back: How a Legitimate Tunneling Service Became a Phishing Vector
- Triple-Brand Credential Harvest: How Attackers Fuse Microsoft, Oracle, and NetSuite to Phish Financial Services
- Trusted Sender, Wrong Identity: How a Compromised Vendor Account Delivered a Microsoft Sway Credential Harvest
- The Funding Email That Passed Every Filter By Being Invisible
- The Meeting Invite That Knew Your Email Address
- The PDF Was a Decoy. The QR Code Was the Weapon.
- When 'Release from Quarantine' Is the Attack
- The Domain Registered This Morning: How a Compromised University Account Exploited Email Security's Zero-Day Blind Spot
- When the Sender Domain Is Also the Phishing Kit Host: Dual-Purpose Domain Compromise
- Password-Protected PDFs Are the New Sandbox Killer: How a Compromised .gov Account Delivered an Unopenable Payload
- The PDF That Let the Human In and Locked the Sandbox Out
- She Clicked the Bid Invitation and Handed Her Credentials to a Netlify Phishing Page
- The Contract You Didn't Request Has a QR Code You Shouldn't Scan
- Redirect Laundering: How Attackers Weaponize Trusted Infrastructure to Bypass Email Security
- Fake Google 'Open to Edit' Alert Hides a Kajabi Redirect and Targeted Credential Harvest
- The $15,247 Invoice That Came With Its Own W-9
- The LinkedIn Invoice That Passed Every Email Check
- Three Hops, Two Brands, One Fake WAV File: Inside a Multi-Layer Redirect Phishing Attack
- The Audit Request That Passed Every Authentication Check: How a Compromised Nonprofit Account Weaponized URL Shorteners
- Funding Agreement, Forged Approval: How a Three-Layer Redirect Chain Targeted Finance Leadership
- The Fireflies Meeting Recap That Never Happened: Dual-Brand Impersonation via Amazon SES
- The Email Came From Google. The Law Firm Did Not.
- The Health Supplement That Harvested Credit Cards: How a French-Language Phishing Campaign Weaponized ActiveCampaign
- The FedEx Email Was Real, the PDF Was an Image, and the Sandbox Saw Nothing
- The W-9 Was Real, the Company Was Fiction, and the Bank Account Was Waiting
- The Voicemail That Wasn't: How Calendar File Attacks Bypass Email Security
- Someone Filed a False Positive on This Azure TOAD Scam. Here's Why That's the Whole Point.
- When SPF, DKIM, and DMARC All Pass. And the Email Is Still Phishing
- The Azure Alert That Billed You $459: When Microsoft's Own Infrastructure Delivers the Phish
- No Links. No Attachments. No Malware. Just Five Sentences That Almost Started a Wire Fraud.
- The Insurance Claim That Passed Every Check (Progressive's Own Infrastructure Sent It)
- The Partner Invite That Used the Wrong Sending Domain
- The Law Firm That Was One Letter Off
- The Invoice That Spelled 'Approved' in Three Different Alphabets
- The Attachment Every Scanner Called Clean (Because It Crashed Them First)
- The Domain Was 14 Days Old. Zoho Authenticated It Anyway.
- The Phishing Link Lived on a Domain That Didn't Exist Nine Hours Earlier
- The Procurement Email That Passed SendGrid but Failed the Domain It Claimed
- The Graduation Sash Invoice That Every Security Check Approved
- The Restaurant Booking Platform That Validated Your Inbox Before the Attack Began
- The Lab Result Notification That Every Security Check Approved (Because the Platform Was Real)
- The Fax Notification That Was Just a Pregnancy Test for Your Curiosity
- The Health Spending Account Alert That Rode a Benefits Administrator's Own Infrastructure
- The Law Firm Name Looked Right Until You Checked the Unicode: Google Drive Debt Collection Phishing
- SPF, DKIM, and DMARC All Passed. The Sender Was a State Attorney General.
- The One-Letter Typosquat That Passed Every Authentication Check
- The Power Automate Failure Alert That Wore Your Own Security Vendor as a Disguise
- The Invoice Was in Hebrew, the HTML Attachment Called Localhost, and Every Authentication Check Passed
- The QR Code That Knew Your Email Address Before You Scanned It
- The Calendar Invite Came From Australia. The Organizer Was Your Coworker.
- The Phishing Link Encrypted Itself: OpenSSL Salted Base64 in the URL
- SafeLinks Wrapped the Phishing URL With the Recipient's Name on It
- The Law Firm Name That Used Invisible Characters to Pass Authentication
- The Email That Was Just a Username and Password. Nothing Else.
- The Phishing Simulation Platform That Powered a Real Attack
- The Procore Footer Was Real. The Document Was Not.
- Compromised Manufacturer Domain Delivers Toyota Financial Invoice Lures with Perfect Authentication
- The Phishing Infrastructure Was Canva. The Delivery Mechanism Was Canva. The Authentication Was Canva.
- SharePoint Trust Laundering: How Attackers Route Credential Phishing Through Legitimate Microsoft Infrastructure
- C0STC0 Is Not Costco: How Leet-Speak Brand Spoofing Slips Past Your Filters
- A Webflow Subdomain, a Fake OneDrive Page, and a Dental Clinic's Hijacked Email
- Hyundai Card HTML Attachment Harvests Credentials Without a Single Malicious URL
- The Auth0 Developer Tenant That Passed Every Security Check (Because It Was Real)
- The CEO's Name Was Real. The Mailjet Account Behind It Wasn't.
- Every Authentication Check Passed. There Was Nothing to Scan. The Attack Was the Reply.
- The Redirect Chain Ran Through Stripe. Every Scanner Said Clean.
- The Invoice Was Built by a Robot (and Signed by the CEO)
- When the SharePoint Notification Is Real But the Share Is the Attack
- The Encrypted PDF From a Reuters Lookalike Domain, Sent Through Amazon SES
- The PDF Passed Every Scanner. Then It Opened a Browser Tab.
- The Salary Review That Passed Authentication Twice and Failed Both Times
- Encrypted PDF Invoice Drops Through SPF, DKIM, and DMARC on a 6-Day-Old Domain
- A Pharmacy Account, a Fake Remittance, and a Hidden Redirector: Inside a SharePoint File-Share Phishing Attack
- A Wallcovering Proposal That Didn't Cover Its Tracks: SaaS Invoice Phishing via SendGrid
- A Fake Microsoft Quarantine Notice Rode a Hijacked Business Thread Through Amazon SES
- A Fake Payee Notification from 'USAA' Tried to Steal Banking Credentials
- A Fake Bitdefender Charge Showed Up on the Calendar, Not the Inbox
- Three Security Vendors, One Credential Harvest: How Attackers Turned Protection Into Cover
- The Fake Invoice That Wasn't Even the Right File Type
- When the Password Reset Comes From a Fortune 500 Logistics Giant
- The Password Was Right There: How Encrypted PDFs Bypass Every Scanner in Your Stack
- Microsoft's Own Domain, Your Attacker's Form: How forms.cloud.microsoft Became a Credential Harvest Host
- Seven Days Old, Port 8443: The Throwaway Domain That Safe Links Couldn't Stop
- Legit Ticket, Lethal Link: A Real Telecharge Newsletter Hid a PII Harvester on Cloudflare Pages
- Hard Reject, Delivered Anyway: The Three-Relay Chain That Bypassed a Bank's DMARC p=reject
- Unicode in the Brand Name, Chaos in the Invoice: A Geek Squad TOAD Attack That Made Victims Call Twice
- The Encrypted PDF That Handed You the Key and Passed Every Authentication Check
- A Salesforce CRM Subdomain Delivered the Phishing Lure. Every Authentication Check Said It Was Legitimate.
- Every Authentication Check Passed. Every Link Was Clean. Themis Still Flagged It.
- A Fully Authenticated Political Donation Scam That Every Gateway Trusted
- The Buyer's Guide That Was Really a Mailing List Validation Tool
- The Wire Transfer That Arrived as a 6MB Photograph
- Six Words, No Payload: How a Fabricated Gmail Thread Turned a Law Firm Into a Reconnaissance Relay
- The Invoice Attachment That Rendered Itself Locally and Left URL Scanners With Nothing to Scan
- Every Link Is Amazon: How Legitimate Infrastructure Becomes the Phishing Payload
- Empty Email, Nested Impersonation, Embedded QR: Three Evasion Layers in a Single Delivery
- A Pixel-Perfect Sephora Delivery Notice Shows Why Email Authentication Alone Can't Protect You
- Spanish-Language Judicial Impersonation Exploits CDR Relay Trust to Deliver Advance-Fee Fraud
- Every Authentication Check Passed. The Display Name Was the Weapon.
- DocSend Notification Passes Every Authentication Check While Routing Replies to an Unverifiable Law Firm
- The Authenticated Sender With a Malicious Spreadsheet and 20 Years of Domain History
- The Debt Collection Notice That Passed Every Authentication Check
- A Municipal Payment Request With Perfect Authentication, Real Permit Details, and Zero Red Flags for Scanners
- Closing Settlement for Ironscales: A Trello Template Weaponized with Stolen Brand Identity
- An Attacker Phished Us Through Two Competing Security Vendors. Here's What Happened.
- A .docx With a Secret: How Attackers Hid an Executable Inside an Image to Bypass Every Scanner
- A Woodworking Class Receipt That Nobody Signed Up For: Bounce Tokens as Mailbox Recon
- SPF and DMARC Passed, DKIM Failed: How a One-Word Email Body and a Clean PDF Almost Delivered a BEC Payday
- Same-Day Domain, Port 8443, and a Fabricated Forward: How a Compromised M365 Tenant Delivered a Phishing Link Through Clean Authentication
- SPF PermError Turned a Malformed Domain into an Invoice Fraud Launchpad
- The Italian Certified Email That Wrapped Its Payload in S/MIME
2025
- The Wire Transfer Confirmation That Had No Body, No Links, and Full Authentication
- The Credential Page Was Real. The Domain Was One Extension Off.
- The DocuSign Template That Forgot to Replace 'Putyourlinkhere'
- The DKIM Key That Was Too Small to Verify: When Cryptographic Weakness Becomes a Detection Gap
- The Password Reset That Shipped Its Own API Key in a Shortened URL
- The ACH Payment Alert Delivered as a Calendar Invite From a Spoofed Address
- The Web Design Pitch That Routed Through a Mailing List Nobody Subscribed To
- The Encrypted Message That Opened in a Design Preview Tool
- The Marketing Email That Forgot to Fill In Its Own Template
- The Photograph Link That Vanished Before Anyone Could Scan It
- DMARC BestGuessPass: How a Malicious Domain Passed Every Auth Check and Still Delivered
- Salesforce Pardot Infrastructure Weaponized in Fabricated-Thread CRM Consulting Phish
- A CPAP Settlement Email Passed Every Authentication Check. That Was the Problem.
- A 16-Day-Old Domain, Zero Links, and One Phone Number: Anatomy of a Pure TOAD Attack
- A Google Redirect, a Monday.com Tracker, and a Fake NDA: Credential Harvesting Through Trusted Infrastructure
- The Vendor Compliance Email Where Every Link Was Real and Every Authentication Check Passed
- How ARC Re-Signing and an IP Allow-List Turned Three Authentication Failures Into SCL -1
- The Certificate Validation Path That Became a Credential Harvester
- Every Link Was Real: DocuSign Reply-To Diversion With a Same-Day Domain
- The Workplace Email That Passed Every Authentication Check and Hid Its Payload in a Shortened QR Link
- The B2B Content Marketing Email That Borrowed a Brand, a Relay Allow-List, and a Security Vendor's Own URL Wrapper
- Three Brands, Zero Connection: A Saudi Football Club, a Healthcare Vendor, and a Business Advisory Firm Walk Into Your Inbox
- The Extortion Email That Hid Its Links Inside IPv6 Bracket Notation
- No Links. No Attachments. Just a Polite Request for Every Employee's W-2.
- The .Gov Email That Passed Every Check and Stored Its Payload on Azure Government Cloud
- Single Malicious SafeLinks-Wrapped URL Hidden Among Legitimate SharePoint Trust Anchors
- Portuguese Invoice Fraud with Same-Day Due Date and Reply-To Mismatch
- Authenticated Dutch Email from WBG Pooling Carries Undecodable Barcode in Signature Image
- Nested RFC822 Attachment with No DKIM or DMARC Signals Thread Hijack via Internal Routing
- Taulia Supplier Portal Impersonation with Footer Address Mismatch via Amazon SES
- Compromised .gov SharePoint Tenant Delivers Credential Harvest via Tokenized Links
- E-Sign Credential Harvest Chains Three Brands: Epic River, Home State Bank, and ProSign
- Crystal Reports Invoice Fraud with NULL Address Fields Routed Through Exclaimer Relay
- Wire Transfer PDF Invoice Passes DLP Gateway with Full Email Authentication
- The CDR Sanitization That Broke the Only Signal That Mattered
- A Security Vendor's URL Defense Became the Attacker's Best Disguise
- Fake AI Conference, Real Authentication: How Attackers Weaponized Lu.ma to Bypass Every Email Check
- Every Automated Check Passed. A Human Analyst Caught It Anyway.
- The $250 Donation Receipt That Nobody Authorized
- This Phishing Email Passed SPF, DKIM, and DMARC. The Encrypted PDF Was the Real Weapon.
- The Trade Confirmation That Passed Every Authentication Check
- The Calendar Invite Hiding 51 Images and a Reply-Harvesting Trap
- The Confidential Mode Message That Had Zero Indicators of Compromise
- This Phishing Email Passed SPF, DKIM, and DMARC. It Was Still Malicious.
- Hidden in Plain Sight: Executables Buried Inside a JPEG and a 1KB ZIP
- Every Authentication Check Failed. An Allow-List Let It Through Anyway.
- The Payroll Change Request That Passed Every Authentication Check
- The Email That Came From You, to You, Through a Gateway You Trust
- A Phishing Lure Hiding Inside a Real Microsoft Verification Email
- Authenticated Sender, Forged Instructions: How a Remittance Update Passed Every Check
- The U.S. Bank Email That Came From a Lawyer Directory and Passed Every Authentication Check
- Three Domains, One Scam: The RFQ That Routed Replies to a Freshly Built Lookalike
- The Attachment Declared Itself Plain Text. It Was HTML. Every Scanner Said Clean.
- The Utility Invoice That Passed Every Authentication Check and Hid Executables Inside the PDF
- The XLSX Had No Macros. The Redirect Was Hiding in the Archive.
- The SafeLinks Wrapper Decoded to Port 8443 and a Domain That Didn't Exist Yet
- Self-Addressed and BCC'd: A Compromised Hospital Account Delivered Encrypted PDFs at Scale
- DKIM Pass, SPF Pass, DMARC Pass: The Phish That Aced Every Authentication Check
- Attackers Weaponize a Security Vendor's Own Brand in an Employee Handbook Phishing Lure
- Facebook Share Notification Abuses Legitimate Infrastructure to Target Corporate Inboxes
- 136 Bytes Was All It Took: An SVG Attachment That Bypassed Every Scanner
- The Proposal Button Nobody Could Inspect
- The Invoice Attachment Was Empty. The Attack Was Not.
- The Newsletter That Passed Authentication Twice and Failed Once
- The SendGrid Email That Came From a Window Company
- The Benefits Handbook That Came With a Marketing Footer: Homoglyph Domain Meets ESP Abuse
- The JPEG That Kept Going After the Image Ended
- The Verizon Rewards Email with a Kitchen Drawer Stuck in the Middle
- Two Google Redirects, One Credential Harvest: How Nested google.gr Laundering Beat Link Scanners
- A Fillable PDF With Real Bank Details and Nothing for Scanners to Flag
- The Hotel Reservation Was Real. One Link Was Not.
- The HR Email Where the Signature and the Reply Button Led to Different Companies
- Stripe Sent This Email. The Authentication Was Perfect. The Payment Button Was Not.
- The OAuth Authorize URL That Didn't Ask for Permission
- Cloudflare Blocked the Page, But the Email Still Landed: A .vu TLD Phishing Domain That Slipped Through
- The Anonymous Complaint That Was Actually a Data Extraction Operation
- The Email That Passed Every Check Because the Sender Was Real
- The Vendor Address Hiding in Plain Sight: How a Free Email Service Carried a B2B Impersonation Into a Real Thread
- The Image File That Hid Three Windows Executable Signatures and Passed CDR Sanitization
- The Email Was Real. The Workspace Was the Weapon. An Asana Invite Claimed to Be From Meta.
- The Phishing Relay Running on Government Cloud Infrastructure
- The 454 KB HTML Attachment That Pretended to Be an Outlook Inbox
- The Curiosity Lure Sent From a Compromised Moroccan Training Account
- The Fake PayPal Charge That Needed You to Read Your Own Login Code Out Loud
- Three Brand Names, One Payment Email, and a PDF That Lied About What It Was
- The SharePoint File Share That Came From Microsoft's Own Infrastructure
- A Fake Geek Squad Invoice Built by wkhtmltopdf With a mailto as the Only Way Out
- Lookalike Domain With Full Authentication Sends a Zero-Payload Trust-Building Email
- Four PE Executables Hidden Inside an OLE Container Disguised as a CAD Drawing, Sent From Inside the Organization
- The Mortgage Login Page That Rode Through Two Security Vendors
- The Google Calendar Invite That Charged $316.66 to a Brand That Didn't Send It
- The Direct Deposit Form That Arrived From a Hotmail Account
- The Payroll Notice That HelloSign Delivered on Behalf of a 9-Day-Old Domain
- The Nested .eml That Tried to Silently Authorize a Microsoft App
- The HubSpot Account Suspension That Came From Flodesk
- Bid Invitation Email Showed a SharePoint URL but Linked to an Attacker Domain
- The Hotel Reservation That Hid a Cloaked Link Behind a Real Booking
- The Invoice PDF Whose Filename Broke the Sandbox
- The DocuSign Template That Shipped With Its Variables Still Showing
- The Trademark Cancellation Notice That Passed Every Authentication Check Because WIPO Actually Sent It
- The IRONSCALES Agreement Email That Came From Brazil and Left Canva's Fingerprints Everywhere
- Every Link Said U.S. Bank. Every Link Went Through Brevo.
- The Payoff Letter With a Blank Body, a Trust Account, and a Token That Said 'bypasszix'
- The Aeroplan Bonus That Came From a Consumer ISP in Melbourne and Landed on a Staging Platform
- The Remit-Change Email That Came With Full Bank Details and a PDF Nobody Could Read
- The QR Code Was Flagged Malicious. The Invoice Was Just an Image. The Relay Broke SPF.
- The Tooltip Said Coupa. The Link Said Genesis Cleaning. Only One of Them Was Real.
- Three Domains, Two Brands, One Frankenphish: The DocuSign Lure That Led to Mailchimp
- The Employee Handbook That Built Its Own Links at Runtime
- 136 Bytes Was All It Took: The SVG That Redirected to a Credential Harvest
- The Shipping Notice That Hid a Windows Executable Inside a PNG
- A Geek Squad Calendar Invite With No Links, No Malware, and a Phone Number
- When DMARC p=reject Delivers the Phish: A Fully Authenticated Remittance from Hershey's
- When Your Security Vendor's Name Is the Subdomain: Brand Impersonation via Amazon SES
- The Shared File Card That Was Actually a PNG: Image-Based Microsoft 365 Credential Harvesting
- Voicemail Lure Hides Behind Microsoft Dynamics CRM and Three Mismatched Domains
- Zero-Payload Gmail Message Targets VIP Mailboxes via BCC
- Oracle Email Delivery Sends the Phish: Authenticated Invoice Lure via NetSuite Infrastructure
- McLarens Invoice Fraud: Fillable PDFs with Real Wire Instructions Pass Every Authentication Check
- Barracuda Gateway Broke DKIM: Law Firm Email Carries Malicious Link After Authentication Collapses in Transit
- Vendor Scam Uses Salesforce Marketing Cloud to Target Executive Mailboxes
- SharePoint Phishing Campaign Exposes Its Own Template Placeholders
- AWS Invoice Phishing Attaches a Zero-Byte PDF to Force Click-Through
- W-2 Tax Form Lure Pairs a Populated PDF with a Payroll Portal Link
- Zero-Link 'Reply YES' Scam Uses Hotmail to Bypass Every Payload Scanner
- Remittance Phish Routes Through Nigerian Hosting to Edgeone Credential Harvest
- Attorney General Threat Lure Targets Financial Services via Gmail Loan Complaint
- SharePoint Tenant Notification Abuse Passes Full Authentication Chain
- Purchase Order PDF With Embedded Image Bypasses Static Analysis From Authenticated Sender
- Malicious PDF Proposal Hides Behind Authenticated Vendor Infrastructure and Four Words
- A 2019 Credential Request, Two Dev Subdomains, and ARC That Couldn't Save the Auth Chain
- Four Sentences and a Payroll Request: Executive Impersonation BEC With No Payload
- The Security Gateway That Wasn't: Malicious Redirects Hidden Behind emailprotection.link
- Property Tax Notice, Wrong Sender: How a Throwaway Domain Impersonated a County Government
- A Payroll PDF That Passed SPF and Carried Malware
- Asana Platform Abuse: Authenticated Amazon SES Delivery for a Fake Meta Workspace Invite
- Google Calendar Invite as a TOAD Vehicle: Fake Billing Claim Drives Victims to a Phone Number
- Past-Due Invoice Email With an Unscannable XLSX That Cisco AMP Could Not Verdict
- Sophos URL Rewrite Hiding an is.gd Shortener Chained to an Azure Front Door Endpoint
- The Teams Meeting Notification That Led to an AWS Lambda Credential Harvester
- You Sent This Email to Yourself. Except You Didn't.
- The Invoice Was an Image. The Body Was Two Words. The Authentication Was Perfect.
- One Malicious Link Hidden Among Thirty Clean Ones in a Fully Authenticated Newsletter
- One Missing Letter in the Sending Domain, One High-Value CFO in the Crosshairs
- SPF Passed, DKIM Passed, DMARC Passed. The Replies Were Going Somewhere Else.
- AT&T Brand, Third-Party Infrastructure, and a $25 Visa Card That Goes Nowhere Good
- Imprisonment Threats, FinCEN Impersonation, and an Elastic Email Redirect to Somewhere Else
- Full Authentication, a Three-Week-Old Domain, and a Link Flagged Malicious
- The 'SendGrid' Email That Wasn't Sent by SendGrid
- The SharePoint Notification That Came From a Tenant Nobody Owns
- The Voicemail You Never Left: SVG Phishing Through a DMARC Failure
- Hiding Inside the Security Stack: How a Redirect Chain Used Trusted URL-Rewriters to Deliver a Throwaway Domain
- The PayPal Email That Wanted a Phone Call, Not a Click
- Google Sent This Email. The Law Firm Spelled with Cyrillic Letters Did Not.
- The Trusted Sender Problem: A Compromised Claims Adjuster Account, a Real Property Thread, and One Malicious QR Code
- The W-9 Request That Proved Itself: How a Click-Tracker PDF Targeted One Accounts-Payable Recipient
- The PDF That Fired Before You Read It: AICPA Impersonation and an S3-Hosted Adobe Typosquat
- They Sent a Voicemail to an IRONSCALES Inbox, Through Microsoft
- The Password Reset That Passed Every Security Check
- The SharePoint Guest Link That Passed Every Authentication Check
- "HubSpot Team" from Someone Else's Domain: SES Authentication as a Phishing Shield
- Closing Table Takeover: How an Unverified Mortgage Contact Inserted Wire Fraud Into a Real Transaction
- No Text, No Links, No Forms: How an Image-Only ACH PDF Bypassed DLP for Payment Diversion
- The Calendar Invite That Was a Bill: Malwarebytes Impersonation via Same-Day Domain and Google Calendar
- HelloSign's Reputation, Attacker's Domain: How a 9-Day-Old HR Portal Hijacked a Trusted E-Signature Platform
- DocuSign Lure, Compromised WordPress Endpoint: When the CTA Goes Nowhere DocuSign Would Ever Send You
- Cloud Services Disabled: A zpr.io Shortener Hides the Landing Page in a CEO Whaling Campaign
- Accounts Payable Display-Name Spoof Delivers a Teams-Branded Payment Lure to a CFO via SendGrid
- DocuSign Lure Chains Through EdgePilot and SendGrid to a Fabricated Microsoft OAuth Authorize Endpoint
- Procom Background Check Lure Delivers Zero-Width Obfuscation and a Malicious CTA via Amazon SES
- His Name in the From Field, Someone Else's Bank Account: Political Donation Impersonation via bluevision24.com
- Three Domains, One Fake Invoice: The Pact Group Payment Confirmation Lure
- DocuSign Lure, Diverted Replies: How Reply-Path Manipulation Turns a Legitimate Envelope Into a BEC Trap
- The PDF Creator Field Knew What the Subject Line Didn't: wkhtmltopdf and the Geek Squad Shipping Mismatch
- The Silent Read: VERP Bounce Sender and a Personal Gmail Read-Receipt Channel in a DMV Impersonation
- PBS in the Display Name, Free Webmail in the Headers: How Celebrity Health Lures Bypass DMARC Reject
- The Invoice You Cannot Read: Image-Only Financial Pressure and the DLP Gap BEC Exploits
- The Document That Could Not Be Read: PandaDoc Token Delivery and the From=To Account-Takeover Signal
- Clio Platform Abuse: HMAC-Tokened Invoice Links and a Fabricated Internal Thread
- Release on Payment: Salvage Fraud Wrapped in a Click-Time URL Rewriter
- Authenticated Education Sender, Malicious Study-Abroad Link, and a Student File as Bait
- Colleague-Confirmed Fraud: When the Invoice Already Has an Internal Warning Attached
- Construction Plan Room Impersonation: Amazon SES Authentication Passes While the CTA Routes to nasr.org.uk
- eCheck Retrieval Fraud: url.emailprotection.link Rewrapping and DMARC Fail Under a p=reject Policy
- Claims Adjuster Impersonation: How accelaclaims.com Hid Behind Cloudflare While an Egress Gateway Explained the SPF Softfail
- QR Code Hidden in Plain Sight: How a qrco.de Shortcode Inside an Image-Only Invoice PDF Defeated Text Scanners
- SendGrid as the Delivery Rail, sendgrid-verify[.]com as the Trap
- Gateway-Rewritten Links Flagged Malicious Inside a Law Firm Email With No DKIM
- Trello Branding, Telegra.ph Relay, and a 15-Day-Old .sbs Domain Credential Page
- Lure Text You Recognize, Destination You Can't See: How a Yahoo Sender Weaponized a Corporate Brand
- Fake Intuit Payroll PIN-Change Notice Sent From a Free AOL Mailbox
- A Malicious Payroll PDF Rode In on a Compromised Legitimate Sender
- A PDF Invoice Contained Bank Details for a Money-Mule Account
- QR Code Inside an Email Claimed Your Microsoft Authenticator Was Expiring
- AAA Brand Impersonation Uses Unauthorized OnMicrosoft Tenant and SafeLinks-Wrapped Blocklisted Harvest Domain
- Voicemail Phish Abuses Microsoft Dynamics 365 Marketing Host to Deliver CEO-Targeted CTA
- Sandbox-Confirmed Malicious PDF Delivered via Compromised Logistics Domain With Passing Authentication
- HPI Brand Impersonation Uses Authenticated-but-Unrelated Amazon SES Sender and Three-Hop Redirect Chain
- Bitcoin Sextortion via Spoofed Legitimate Domain: SPF Softfail Lets Extortion Template Through
- Fake IT Verification Notice Spoofs Internal M365 Routing to Deliver Cloudflare-Proxied Credential Harvest
- Shell International Impersonated in BEC Invoice Fraud: DMARC Failure Exposes the Lookalike Payment Chain
- One Malicious QR Code Hidden in a Legitimate Booking Confirmation
- When the Scanner Says Clean: Compromised M365 Account Delivers SharePoint Credential Lure
- Free Hotmail, Fake Adobe: How a Relocation Lure Hid a Throwaway Credential-Harvest Domain
- BEC Wire Diversion via Compromised Authenticated Vendor: PDF Bank Instructions From a Domain That Passed DKIM and DMARC
- Fake Bounce Notice With Obfuscated 'Keep My Password' Link Routes Victims to a Webmail Credential-Harvesting Page
- MSC Brand Impersonation Abuses a Legitimate Open Redirector and Base64-Encodes the Victim's Address for Targeted Tracking
- BEC Payroll Diversion via Display-Name Impersonation: No Links, No Attachments, High Confidence
- Amazon SES Abuse Delivers Fake DocuPortal+ Notification to a Credential-Harvest Page With a Fake reCAPTCHA
- New Voicemail From QuickBooks: How a Barracuda Gateway Allow-List Delivered an Intuit Spoof With Complete Auth Failure
- W-9 Exfiltration via a LinkedIn Lookalike Domain: When Your CDR Relay Breaks DMARC
- Cloning the Defender: How Attackers Weaponized IRONSCALES Branding Against a Security Company's Own Inbox
- The Legitimate Tenant Trick: How Attackers Abuse Microsoft 365 Infrastructure to Deliver Credential Theft
- The Email That Asked for Your Cell Number Was Sent from a Domain Registered Yesterday
- The 419 That Wants Your Driver's License: Advance-Fee Fraud With a PII Harvest Twist
- Trusted Vendor, Attacker's Form: How a Compromised Lab Account Delivered a Zoho Credential Harvest
- CEO Impersonation via Gmail: The Channel-Switch BEC That Moves the Conversation Off Email
- Image-Only Invoice Fraud: How Attackers Hide Mule Bank Accounts from Every Text Scanner
- When a Trusted University Account Delivers a Same-Day-Registered Phishing Link
- Barrick Gold Impersonation via Fabricated Lookalike Domains: Procurement Fraud Reaches a Banking Target
- No Links, No Malware, Just a Phone Number: Geek Squad TOAD Invoice Targets an Engineering Manager
- Free Subdomain Infrastructure Powers Fidelity Life Brand Impersonation: eu.org as a Phishing Host
- Finance Director's Name, Stranger's Domain: VIP Display-Name BEC Targets Accounts Receivable Data
- When Your Security Vendor's Email Delivers the Attack: ThreatDown Notification Hijacked Mid-Transit
- Compromised Vendor M365 Account Issues Fraudulent Banking-Change Instructions Across Four Mailboxes
- Fabricated Treasury Office, Real Crypto Wallets: Inside a Multi-Fee Bitcoin and Ethereum Advance-Fee Scam
- Wufoo E-Sign Lure Routes Targets to .com.es Credential-Harvest Page Through Full SPF/DKIM Pass
- Free Gmail Sender, Nigerian IP, Freshly Registered Reply-To: Inside a Bapco Energies Vendor BEC
- Compromised University M365 Account Delivers Thread-Hijacked Email With Malicious QR Shortlink and Suspicious Image Payloads
- Free Gmail, Corporate Envelope: How a Forwarded Message Delivers a Scanner-Confirmed Malicious Shortlink
- Disney+ Billing Lure Rides Legitimate Tax-Service Infrastructure to a phpList Subscribe Page
- Cloud Laundering: How Mimecast Redirects Chain to Azure Blob and DigitalOcean Credential Pages
- Price Revision as the Hook: How a Mirror Site Without TLS Impersonates an Industrial Supplier
- When Google Sites Becomes the Phishing Page: Credential Harvest Behind a Proofpoint Disguise
- No Link, No Attachment: A NortonLifeLock Callback Campaign That Relied on a Phone Number Alone
- PE Executable Concealed in a JPEG, Nested Inside an RFC822 Email: The COSCO Bill-of-Lading Lure
- Luxury Brand Bait: How Mandrill, Safe Links, and a Fake Display URL Combined to Hide a Credential Harvest
- AOL Account, Government SharePoint, Fake Microsoft Login: A Credential Harvest in Three Steps
- The Invoice That Never Existed: Geek Squad TOAD via a Blank-Extension JPEG
- The DocuSign Button That Pointed at Adobe, and Redirected to an S3 Credential Page
- The Comcast Suspension Notice That Passed DMARC and Left Nothing to Scan
- Three Real Companies, None of Them Matching: A Contract Lure That Scanned Clean
- The Email Inside the Email: How a Nested .eml and Microsoft Short Links Blind Inline Scanners
- The Blocked-Messages Alert That Routed Through Google and Knew Your Email Address Before You Clicked
- The Resume Notification That Passed Every Auth Check and Still Delivered Malicious Links
- Empty Body, Contract Attachment: How a Clean .docx and a South American IPv6 Host Bypassed Content Filters
- When the Sender Is Real and Every Check Passes: A Crypto Token Funnel Hidden Behind Authenticated Publisher Mail
- When Amazon SES Carries the Malware: HR Impersonation and a Confirmed-Malicious PDF
- The Domain That Didn't Exist Yet: How a WHOIS Timestamp Unraveled a Fabricated BEC Thread
- When Your Security Vendor Sends You a Fake Invoice: Proofpoint Impersonation, Amazon SES, and a wkhtmltopdf PDF with Live Wire Instructions
- Dairy Brand, IRS PDF, Stolen Credentials: How ESP Abuse Launders Phishing Trust
- No Payload, No Links, No Attachments. Just a Fake Reply Thread, a Hidden BCC, and a Read Receipt Doing Recon.
- Sage Brand Impersonation: How a Broken DKIM Signature and a French Payroll Lure Slipped Past the Gateway
- The "Access Code" That Passed Every Authentication Check
- Authenticated From a Real Law Firm's Mailbox: A Fabricated Litigation Thread and a PIN-Gated OneDrive Credential Harvest
- The Attachment Said .htm, the MIME Said .docx, and Microsoft's Name Did the Rest: An M365 Domain-Expiry Credential Harvest
- Final Reminder, Fake Invoice: How a Same-Day Reply-To Domain Silently Rerouted Payments Through a Compromised Sender
- No Link, No Compromised Account, No Problem: How a Personal Outlook Address Delivered a Boleto Fraud
- Signed, Delivered, Stolen: An Adobe Acrobat Sign Lure Routes Through Five Redirect Wrappers to a Newly-Registered Harvest Domain
- Your Own IT Department, Forged: BOM Encoding and a Medium Open-Redirect Hide a Vercel Credential-Harvest Portal
- Purchase Order, Please Confirm: How Brevo's Clean Authentication Laundered a SharePoint Lookalike Credential Harvest
- Dressed as Microsoft Forms, Pointing Somewhere Else: How a Single Wrapped CTA Hid Behind a Page Full of Legitimate Links
- Microsoft Delivered It. The Payload Was a Fake PayPal Phone Number.
- The LOGIN Button Went to Microsoft. That Was the Attack.
- Your Own Name, Someone Else's Server: A Compromised Sender Turns a File-Share Into an Invoice Trap
- Inside the Wrapper: How a Pre-Wrapped SafeLinks URL Became the Attack's First Layer of Cover
- No Links, No Attachments, No Malware: A CEO Payroll-Redirect BEC That Gave Scanners Nothing to Find
- One Word, One File: A Fax-Lure HTML Attachment That Routed Credential Theft Through a Legitimate Form Provider
- Every Link Was Legitimate: A Reply-To Lookalike That Hid in a Clean Procurement Email
- Clean Scan, Full Auth, One Phone Number: A Compromised School Account Carrying a TOAD Payload
- Aged Domain, Cloud Rail, Fake Portal: How a Compromised 1998 Domain Delivered an EFT Credential Harvest via Amazon SES
- One Day Old, Fully Authenticated: How a Fresh Attacker Domain Passed Every Check and Delivered a Fraudulent Boleto
- Real Brand Trackers as Cover: A Boot Barn and DocuSign Impersonation That Routed One Malicious Link Through a Field of Legitimate Ones
- Three Identities, One QR Code: How a Print-Shop Domain Laundered a Rail-Executive Signature Into an HR Handbook Lure
- A Friend's Sick Daughter and a Gift Card: The BEC Attack That Left No Evidence for Scanners
- The ESP Passed SPF, DKIM, and DMARC. The Shortener Hid Where the Link Actually Went.
- The Netflix Billing Alert That Every Scanner Blessed (One Header Told the Truth)
- When the Email Passes Every Auth Check but Still Isn't Real
- When the Link Has Nothing to Do with the Brand: Nexi Impersonation via Throwaway Domain
- Credential Phish by Day, Remote-Access Trojan by Night
- The Voicemail Attachment That Was Secretly a Script
- Five Security Vendors Rewrote This Link. None of Them Stopped It.
- Attackers Now Build Phishing Pages With AI App Builders
- When Your Vendor's Email Account Sends You Malware
- Injected in One Country, Laundered Through Microsoft, Landing in Another
- AV Said This PDF Was Clean. It Was Wired to Fire a Google Script the Second You Opened It.
- This Phish Wanted Your LINE QR Code, Not Your Password
- The Phishing Link That Passed Two Security Scanners
- They Hijacked a Real Thread to Hide a Google Redirect
- The $0.01 Email That Was an Account-Fraud Dry Run
- The FedEx Invoice Your Scanner Couldn't Read on Purpose
- The .gov Mailbox That Spoke the Wrong Language
- Access Denied (To Scanners Only): A Presigned S3 Link
- The Invoice Hidden in Your Calendar: .ics Payment Fraud
- How Phishing Beats URL Scanners via Google Translate