The Password Reset That Came From an Auth0 Dev Tenant
ID: 1f7a18bb-84d9-56f8-a95c-a5d4419f4c54
STIX ID: report--1f7a18bb-84d9-56f8-a95c-a5d4419f4c54
Feed Name: IRONSCALES
Threat Score
A high-severity credential-harvesting campaign used a compromised M365 account to send legitimate-looking Auth0 password reset emails that link to a dev-prefixed Auth0 tenant (dev-gb18votbfqwgpba7.us.auth0.com) configured to collect credentials. Standard authentication checks (SPF/DKIM/DMARC/ARC) passed, making URL reputation and protocol checks ineffective; behavioral analysis flagged the first-time sender and generic content, leading to quarantine.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
