The Collections Notice From a Fortune 500 Lab: Compromised Thermo Fisher Account via Oracle Cloud Relay

**Phishing via Compromised Corporate Account:** A high-severity phishing email was sent from a legitimate Thermo Fisher address ([email protected]) relayed through Oracle Cloud (147.154.59.193) with SPF/DKIM/DMARC passing; the message contained a generic collections lure and an attachment as the sole payload, indicating credential-harvesting and account takeover risk, and Themis quarantined it based on behavioral anomalies and language quality signals.