logo

IRONSCALES

ID: a731b6e8-ffcd-5d5b-96fc-d8192e5f9035

STIX ID: identity--a731b6e8-ffcd-5d5b-96fc-d8192e5f9035

Feed Type: rss

Earliest post: 2026-03-21

Latest post: 2026-07-12

IRONSCALES Threat Intelligence is an email-security-focused research hub that publishes analyses of real-world phishing, BEC, credential theft, and other email-based attacks, along with the tactics behind them.

01/01/2020
07/14/2026
Title Date Published Describes IncidentAuthorVisible
A Phishing Link Wearing Two Security Vendors' Badges: Inside a Benefits-Enrollment Credential Lure2026-07-06True[email protected] (Audian Paxson)True
When Authentication Passes and Malware Still Walks In: A PE Hidden Inside an Inline PNG2026-07-05True[email protected] (Audian Paxson)True
The File Format Your Gateway Forgot: EPS Macros Hidden in a Logo ZIP2026-07-04True[email protected] (Audian Paxson)True
The Payroll Memo Whose Link You Could Not Scan: QR Code Quishing Buried in a Word Attachment2026-07-03True[email protected] (Audian Paxson)True
One Hyphen From Trusted: A Lookalike-Domain Vendor Impersonation That Beat the Eye and the Authentication Stack2026-07-02True[email protected] (Audian Paxson)True
Four Days Old, Fully Authenticated: CEO Coaching International Impersonation Targets a Sports Technology Company2026-07-01True[email protected] (Audian Paxson)True
Full Authentication Pass, Zero Legitimacy: How a 26-Day-Old Domain Ran ACH Fraud2026-06-30True[email protected] (Audian Paxson)True
Seized and Still Dangerous: IP-Literal Download Link, Netlify Credential Page, and a VIP Target2026-06-29True[email protected] (Audian Paxson)True
Legal Threat in Your Inbox: How a Gmail Shortlink Hides a Credential-Harvest Destination2026-06-28True[email protected] (Audian Paxson)True
Forged Healthcare Sender, Two-Hop SaaS Redirect: How a Fake Invoice Opens a Phishing Chain2026-06-27True[email protected] (Audian Paxson)True
A Construction Bid Invitation Hid a Compromised Website Behind a Legitimate-Looking PDF Label2026-06-26True[email protected] (Audian Paxson)True
A Compromised Vendor Account Sent an ACH Redirect With a Fabricated Closure Deadline and Mismatched Phone Numbers2026-06-25True[email protected] (Audian Paxson)True
A Free Gmail Account Impersonating an Internal Employee Asked Payroll to Change a Bank Account2026-06-24True[email protected] (Audian Paxson)True
A One-Line Curiosity Hook Sent a K-12 Teacher to a Same-Day Phishing Domain on Port 84432026-06-23True[email protected] (Audian Paxson)True
A Fake Scotiabank Voicemail Was Actually an HTML File Asking You to Call an Attacker2026-06-22True[email protected] (Audian Paxson)True
re: plans for party -- How a Compromised Argentine School Account Targeted K-12 in the U.S.2026-06-21True[email protected] (Audian Paxson)True
Three Security Wrappers, One Redirect to a Google Docs Phishing Page2026-06-20True[email protected] (Audian Paxson)True
The Government Card Alert That Lost Its Authentication in Transit2026-06-19True[email protected] (Audian Paxson)True
The Law Firm Document That Linked to a Cleaning Company2026-06-18True[email protected] (Audian Paxson)True
The Invoice Portal Link That Didn't Need a Password2026-06-17True[email protected] (Audian Paxson)True
The Invoice That Originated from the Wrong Continent2026-06-16True[email protected] (Audian Paxson)True
The Distribution Agreement That Arrived with a Thread Full of Latin2026-06-15True[email protected] (Audian Paxson)True
An Employment Verification Request That Passed DMARC REJECT, Then Sent Replies to Someone Else2026-06-14True[email protected] (Audian Paxson)True
A Medicare Attestation Request Sent Through Salesforce, Authenticated by the Victim's Own Domain2026-06-13True[email protected] (Audian Paxson)True
The FedEx Freight Invoice That Came From Inside the CRM2026-06-12True[email protected] (Audian Paxson)True
The Geek Squad Invoice That Forgot Which Brand It Was Pretending to Be2026-06-11True[email protected] (Audian Paxson)True
The Invoice Email With No Text to Scan: Image-Only Payload From a Compromised Account With a Broken ARC Chain2026-06-10True[email protected] (Audian Paxson)True
The Google Forms Editor Invite That Matched the Recipient's Name: Property Tax Survey as Social Engineering Pretext2026-06-09True[email protected] (Audian Paxson)True
Microsoft's Own Message Recall Agent Delivered a Credential Harvest2026-06-08True[email protected] (Audian Paxson)True
NetSuite Sent the Invoice. Oracle Signed It. The Payment Token Was the Weapon.2026-06-07True[email protected] (Audian Paxson)True
Four Domains, One Email: The DocuSign Homoglyph That Rode a CDR Allow-List2026-06-06True[email protected] (Audian Paxson)True
The Funding Approval That Passed Every Authentication Check2026-06-05True[email protected] (Audian Paxson)True
The PDF That Passed Every Scan Without Being Read2026-06-04True[email protected] (Audian Paxson)True
A Voicemail That Never Rang: How Attackers Chained Three ESPs to Launder Email Authentication2026-06-03True[email protected] (Audian Paxson)True
The Fire Safety Spec That Was Hiding Malware for Five Months2026-06-02True[email protected] (Audian Paxson)True
SPF Pass, DKIM Pass, DMARC Pass. Still Phishing.2026-06-01True[email protected] (Audian Paxson)True
McAfee Invoice Scam Weaponized a Google Calendar Invite 71 Minutes After Domain Registration2026-05-31True[email protected] (Audian Paxson)True
Three Google Domains, One Redirect Chain, and a Turkish Landing Page2026-05-30True[email protected] (Audian Paxson)True
The $47,320 Invoice That Came With a W-9 and a Personal Bank Account2026-05-29True[email protected] (Audian Paxson)True
The Collections Notice From a Fortune 500 Lab: Compromised Thermo Fisher Account via Oracle Cloud Relay2026-05-28True[email protected] (Audian Paxson)True
The Contract Email That Wasn't Spelled the Way You Think: Unicode Homoglyphs, a QR Code, and a Marketing Gateway2026-05-27True[email protected] (Audian Paxson)True
The Zoho Sign Request That Passed Every Check Except the Reply-To: Government Impersonation via E-Sign Infrastructure2026-05-26True[email protected] (Audian Paxson)True
The FedEx Email That Salesforce Authenticated and Qualtrics Delivered: Data Harvesting Through Three Layers of Trust2026-05-25True[email protected] (Audian Paxson)True
The SOC Alert That Came From a Compromised FinTech: An Authenticated BlueVine Sender Delivering a Typosquat Link Buried in Operational Context2026-05-24True[email protected] (Audian Paxson)True
The Datadog Alert That Came From the Wrong Domain: Authenticated Brand Impersonation With All Links Pointing to Real Infrastructure2026-05-23True[email protected] (Audian Paxson)True
The Password Reset That Came From an Auth0 Dev Tenant2026-05-22True[email protected] (Audian Paxson)True
The Warranty Form With a Windows Executable Hidden Inside a GIF2026-05-21True[email protected] (Audian Paxson)True
The SharePoint Share That Passed Every Check: A Compromised M365 Tenant With DMARC Reject and Tokenized Links2026-05-20True[email protected] (Audian Paxson)True
The Webinar Invite That Came With an Apple Wallet Pass and a Three-Hop Redirect Chain2026-05-19True[email protected] (Audian Paxson)True
The Spreadsheet That Arrived Twice: CR/LF Filename Obfuscation and a Base64 Shadow Payload2026-05-18True[email protected] (Audian Paxson)True

1–50 of 131