logo

A One-Line Curiosity Hook Sent a K-12 Teacher to a Same-Day Phishing Domain on Port 8443

ID: bc7bc872-df31-5bb6-812c-5632a134b91b

STIX ID: report--bc7bc872-df31-5bb6-812c-5632a134b91b

Feed Name: IRONSCALES

Threat Score
70/100

Date Published: 2026-06-23

Date Updated: 2026-06-23

Author: [email protected] (Audian Paxson)

...
...

An active credential-harvesting phishing campaign targeted a K–12 educator with a one-sentence curiosity lure that used display-name impersonation from a legitimate foreign Microsoft 365 tenant and a same-day-registered domain (dgfpruf.com) serving a phishing page over port 8443 with a randomized subdomain and tokenized path; authentication (SPF/DKIM/DMARC) passed, enabling the message to appear legitimate. The report documents the IOCs (dgfpruf.com, gekdr.dgfpruf.com, https://gekdr.dgfpruf.com:8443/AacAYRXS), explains why behavioral detection flagged the message, and recommends blocking sub-24-hour domains, flagging display-name/From mismatches, and quarantining context-free single-link emails.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.