logo

The Password Reset That Came From an Auth0 Dev Tenant

ID: 1f7a18bb-84d9-56f8-a95c-a5d4419f4c54

STIX ID: report--1f7a18bb-84d9-56f8-a95c-a5d4419f4c54

Feed Name: IRONSCALES

Threat Score
75/100

Date Published: 2026-05-22

Date Updated: 2026-06-21

Author: [email protected] (Audian Paxson)

...
...

A high-severity credential-harvesting campaign used a compromised M365 account to send legitimate-looking Auth0 password reset emails that link to a dev-prefixed Auth0 tenant (dev-gb18votbfqwgpba7.us.auth0.com) configured to collect credentials. Standard authentication checks (SPF/DKIM/DMARC/ARC) passed, making URL reputation and protocol checks ineffective; behavioral analysis flagged the first-time sender and generic content, leading to quarantine.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.