The URL That Put adobe.com in the Wrong Place

**Executive summary:** IRONSCALES detected a targeted credential-harvesting phishing campaign (April 2026) that used URL path deception—embedding 'adobe.com' in the path of reviewdocpdfreader.com—to impersonate a trusted brand and lure a construction-supplier employee into clicking a malicious link; the email originated from a Yahoo account, resolved via Cloudflare, carried an SCL of 5, and included IOCs such as the domain reviewdocpdfreader.com and the deceptive path, mapped to MITRE T1566.002, T1036.005, and T1608.005.