A Medicare Attestation Request Sent Through Salesforce, Authenticated by the Victim's Own Domain
ID: 7089660b-99ea-54bc-bc66-218781698b00
STIX ID: report--7089660b-99ea-54bc-bc66-218781698b00
Feed Name: IRONSCALES
Threat Score
Attackers leveraged a compromised or malicious Salesforce CRM to send an internally routed Medicare attestation email that passed SPF/DKIM/DMARC and linked to nexaroco.com, which hosted an Office 365 credential-harvesting page; the report includes IOCs (sender email, Salesforce SMTP hostname, sending IP, phishing domain), detection notes, and MITRE mappings.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
