logo

A Medicare Attestation Request Sent Through Salesforce, Authenticated by the Victim's Own Domain

ID: 7089660b-99ea-54bc-bc66-218781698b00

STIX ID: report--7089660b-99ea-54bc-bc66-218781698b00

Feed Name: IRONSCALES

Threat Score
70/100

Date Published: 2026-06-13

Date Updated: 2026-06-13

Author: [email protected] (Audian Paxson)

...
...

Attackers leveraged a compromised or malicious Salesforce CRM to send an internally routed Medicare attestation email that passed SPF/DKIM/DMARC and linked to nexaroco.com, which hosted an Office 365 credential-harvesting page; the report includes IOCs (sender email, Salesforce SMTP hostname, sending IP, phishing domain), detection notes, and MITRE mappings.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.