logo

The Invoice Portal Link That Didn't Need a Password

ID: 192b9bc5-e27f-53ab-bf66-80b216cb72e4

STIX ID: report--192b9bc5-e27f-53ab-bf66-80b216cb72e4

Feed Name: IRONSCALES

Threat Score
70/100

Date Published: 2026-06-17

Date Updated: 2026-06-17

Author: [email protected] (Audian Paxson)

...
...

An invoice phishing campaign spoofing Ecocert delivered Mailgun-authenticated emails containing a tokenized JWT link to a real billing portal (app.upflow.io) that allowed anyone with the URL to view invoices without logging in; the message included a PDF with an IBAN for a 380 EUR payment and a 1x1 tracking pixel confirming mailbox activity — four mailboxes were quarantined and the attack was flagged by Themis.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.