Attack Library
TV 2 Play Payment Scam Uses Calendly Open Redirect and SendGrid Click-Tracking Chain
A phishing attack impersonates TV2Play streaming service payment failures while using Calendly open redirect functionality and SendGrid click-tracking to mask the final malicious destination.
Microsoft Teams Meeting Invitation Delivers ScreenConnect Malware via Cloudflare Workers
A phishing attack impersonates Microsoft Teams meeting invitations to deliver ScreenConnect remote access tool malware through fake app update prompts hosted on Cloudflare Workers platform.
Flask-Based Docusign Phishing Kit Exploits Vercel Cloud Platform with Dynamic Branding
A sophisticated phishing attack deploys a Flask-based credential harvesting application on Vercel's trusted cloud platform while dynamically impersonating Docusign notifications with target-specific branding.
Salesforce Sites Redirect Chain Phishing Uses SendGrid Wrapper and Bot Verification Protection
A phishing attack impersonates business platform access notifications using SendGrid link wrapper and Salesforce Sites redirect chain with Cloudflare Turnstile protection to bypass detection systems.
Multi-Stage Cloudflare Workers Phishing Uses Compromised Account and Legitimate Platforms
A phishing attack uses a compromised third-party account to deliver financial-themed emails linking to legitimate platforms that redirect through Cloudflare Workers infrastructure to hide phishing sites.
University Credential Phishing Attack Leverages Compromised Domain and No-Code Platform
A phishing attack uses a compromised account to send university emails linking to credential harvesting forms hosted on the legitimate no-code platform Jodoo.com.
Google DKIM Replay Attack Uses Legitimate Infrastructure for Legal Subpoena Phishing
A phishing attack abuses DKIM replay techniques to bypass security filters while impersonating Google Legal Investigations Support using legitimate Google Sites hosting and spoofed authentication.
QR Code in Fake Benefits Handbook Links to Phishing Site
A phishing email impersonates HR and shares a fake employee benefits handbook. The attached file contains a QR code that links to a credential harvesting site.
Phishing Email Uses Dropbox Bait and AWS App Runner to Host Webmail Login Scam
An attacker impersonates a project manager to deliver a Dropbox file link that leads to a fake webmail login page hosted on AWS App Runner.
Fake Box Document Preview Redirects to Microsoft Login Phish
A phishing email disguised as an RFP links to a spoofed Box document preview, ultimately redirecting users to a fake Microsoft login page for credential theft.
Fake GitHub Alerts Trick Developers Into Granting OAuth Access
Attackers exploit GitHub Issues to send fake security alerts and abuse OAuth apps to hijack developer accounts without stealing passwords.
Gamma-Hosted File-Sharing Phishing Attack Uses Cloudflare Turnstile to Evade Detection
A malicious email links to a Gamma-hosted presentation that redirects to a Cloudflare Turnstile-protected phishing page impersonating Microsoft to steal credentials.
Threat Actors Leverage PandaDoc and Dropbox to Deliver Decoy File and Phish for Microsoft Credentials
Attackers use PandaDoc and Dropbox links to disguise credential phishing behind a decoy document and bypass secure email gateways.
Phishers Spoof Netflix and Send Fake Account Closure Notice to Steal Sensitive Information
Attackers impersonate Netflix and manufacture a sense of urgency to trick employees into clicking a malicious link.
Attackers Leverage Fake Zoom Invites to Deliver Remote Access Tool During Tax Season
A phishing email disguised as a Zoom invite tricks targets into downloading ScreenConnect, giving attackers remote access to the target's computer.
Job Application Lures Use Dropbox-Hosted Resume to Deliver Remote Access Trojan
A fake CV hosted on Dropbox delivers a multi-stage VBS loader, ultimately dropping Remcos RAT after geofencing and sandbox checks.
Fake Amazon Web Services Billing Notification Used in Credential Theft Attempt
Attackers impersonate Amazon Web Services and deceive targets into visiting a phishing site under the guise of viewing a billing statement.
QR Code Phishing Attack Uses Embedded MHT Files in Payroll-Themed Documents
A salary-themed phishing email delivers a DOCX file with an embedded MHT and hidden QR code that leads to a phishing site.
Cybercriminals Send Fake PayPal Security Alert from Spoofed Address to Steal Account Details
By impersonating PayPal and claiming an account update is required, attackers hope to deceive targets into visiting a phishing page and providing login credentials.
Attackers Mimic ADFS Login Pages to Steal Credentials and Bypass MFA for Account Takeover
A phishing email spoofing IT notifications leads users to a fake ADFS login page, capturing credentials and MFA tokens to enable account takeover.