Attack Type: Credential Phishing

Credential phishing attacks are designed to steal your login information by tricking you into entering it on fake login pages. These emails impersonate trusted services like Microsoft 365, Google Workspace, or banking sites, using urgent phrases like “verify your account,” “prevent suspension,” or “view shared document” to push you into clicking.
Once you click the link, it leads to a fake login page that looks convincing. If you enter your credentials, the attacker captures them immediately. Common examples include phishing emails pretending to be DocuSign requests, Dropbox links, or HR file shares—things that feel routine but create a false sense of urgency.
Attackers often use real platforms like Microsoft Forms, Google Forms, or compromised websites to host these fake login pages, making the links appear legitimate and harder for security tools to catch. The damage doesn’t stop at just stealing your login. Once attackers gain access, they can move through your organization, steal sensitive data, send internal phishing emails, or even launch a ransomware attack.
Blog Posts
Tax season email attacks: AdWind RATs and Tycoon 2FA phishing kits · Blog · Sublime Security
Tax season email attacks: AdWind RATs and Tycoon 2FA phishing kits · Blog · Sublime Security
Credential phishing Charles Schwab account holders with 2FA bypass · Blog · Sublime Security
Credential phishing Charles Schwab account holders with 2FA bypass · Blog · Sublime Security
Detecting malicious AnonymousFox email messages sent from compromised sites · Blog · Sublime Security
Detecting malicious AnonymousFox email messages sent from compromised sites · Blog · Sublime Security
Talking phish over turkey · Blog · Sublime Security
Talking phish over turkey · Blog · Sublime Security
Hidden credential phishing within EML attachments · Blog · Sublime Security
Hidden credential phishing within EML attachments · Blog · Sublime Security
Living Off the Land: Credential Phishing via Docusign abuse · Blog · Sublime Security
Living Off the Land: Credential Phishing via Docusign abuse · Blog · Sublime Security
Living Off the Land: Callback Phishing via Docusign comment · Blog · Sublime Security
Living Off the Land: Callback Phishing via Docusign comment · Blog · Sublime Security
Scripting Vector Grifts: SVG phishing with smuggled JS and adversary in the middle tactics · Blog · Sublime Security
Scripting Vector Grifts: SVG phishing with smuggled JS and adversary in the middle tactics · Blog · Sublime Security
Email Topic Modeling: Simplifying detection with ML-powered granularity · Blog · Sublime Security
Email Topic Modeling: Simplifying detection with ML-powered granularity · Blog · Sublime Security
QR Code Phishing: Decoding Hidden Threats · Blog · Sublime Security
QR Code Phishing: Decoding Hidden Threats · Blog · Sublime Security
Tactics & Techniques (25):
Social engineering
Impersonation: Brand
Evasion
Free subdomain host
Lookalike domain
Encryption
PDF
QR code
Image as content
Free file host
Impersonation: Employee
HTML smuggling
Scripting
Free email provider
Spoofing
Open redirect
Impersonation: VIP
OneNote
Macros
LNK
Out of band pivot
IPFS
HTML injection
Exploit
Punycode
Detection Methods (20):
Content analysis
Header analysis
Natural Language Understanding
URL analysis
HTML analysis
Computer Vision
Sender analysis
File analysis
YARA
Exif analysis
QR code analysis
Optical Character Recognition
Archive analysis
Macro analysis
URL screenshot
Javascript analysis
Threat intelligence
Whois
OLE analysis
XML analysis
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
Link: Personal SharePoint with invalid recipients and credential theft language
16m ago
Jan 23rd, 2026
Sublime Security
Credential Phishing
Social engineering
Content analysis
Header analysis
Natural Language Understanding
URL analysis
/feeds/core/detection-rules/link-personal-sharepoint-with-invalid-recipients-and-credential-theft-language-79d5403d
Brand impersonation: File sharing notification with template artifacts
16m ago
Jan 23rd, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Social engineering
Evasion
HTML analysis
Computer Vision
Content analysis
Header analysis
/feeds/core/detection-rules/brand-impersonation-file-sharing-notification-with-template-artifacts-37d89611
Link: Tycoon2FA phishing kit (non-exhaustive)
12h ago
Jan 23rd, 2026
Sublime Security
Credential Phishing
Free subdomain host
Evasion
Credential Phishing
URL analysis
HTML analysis
Content analysis
/feeds/core/detection-rules/link-tycoon2fa-phishing-kit-non-exhaustive-a070d4e2
Service abuse: Adobe legitimate domain with document approval language
15h ago
Jan 23rd, 2026
Sublime Security
BEC/Fraud
Credential Phishing
Social engineering
Content analysis
Header analysis
Sender analysis
/feeds/core/detection-rules/service-abuse-adobe-legitimate-domain-with-document-approval-language-237f4da4
Link: Suspicious URL with recipient targeting and special characters
21h ago
Jan 22nd, 2026
Sublime Security
Credential Phishing
Social engineering
Evasion
URL analysis
Content analysis
/feeds/core/detection-rules/link-suspicious-url-with-recipient-targeting-and-special-characters-e808be3a
Fake voicemail notification (untrusted sender)
1d ago
Jan 22nd, 2026
Sublime Security
Credential Phishing
Social engineering
Content analysis
Natural Language Understanding
Sender analysis
URL analysis
/feeds/core/detection-rules/fake-voicemail-notification-untrusted-sender-74ba7787
Brand impersonation: Dropbox
1d ago
Jan 22nd, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Social engineering
Content analysis
File analysis
Header analysis
Sender analysis
/feeds/core/detection-rules/brand-impersonation-dropbox-61f11d12
Brand impersonation: AuthentiSign
2d ago
Jan 21st, 2026
Sublime Security
Credential Phishing
BEC/Fraud
Impersonation: Brand
Lookalike domain
Social engineering
Content analysis
Header analysis
Sender analysis
/feeds/core/detection-rules/brand-impersonation-authentisign-445a8c8b
Attachment: Password-protected PDF with fake document indicators
2d ago
Jan 21st, 2026
Sublime Security
Malware/Ransomware
Credential Phishing
Encryption
Evasion
PDF
File analysis
YARA
Exif analysis
/feeds/core/detection-rules/attachment-password-protected-pdf-with-fake-document-indicators-b45e4440
Attachment: PDF with recipient email in link
2d ago
Jan 21st, 2026
Sublime Security
Credential Phishing
PDF
QR code
Encryption
Social engineering
File analysis
QR code analysis
URL analysis
/feeds/core/detection-rules/attachment-pdf-with-recipient-email-in-link-0399d08f
Brand impersonation: Blockchain[.]com
2d ago
Jan 21st, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Lookalike domain
Social engineering
Header analysis
Sender analysis
/feeds/core/detection-rules/brand-impersonation-blockchaincom-0d85e555
Attachment: QR code with recipient targeting and special characters
2d ago
Jan 21st, 2026
Sublime Security
Credential Phishing
QR code
Social engineering
Evasion
File analysis
QR code analysis
URL analysis
Computer Vision
/feeds/core/detection-rules/attachment-qr-code-with-recipient-targeting-and-special-characters-fc9e1c09
Link: Display text with excessive right-to-left mark characters
2d ago
Jan 21st, 2026
Sublime Security
Credential Phishing
Evasion
Content analysis
URL analysis
/feeds/core/detection-rules/link-display-text-with-excessive-right-to-left-mark-characters-a45cfd4c
Link: Self-sent message with quarterly document review request
2d ago
Jan 21st, 2026
Sublime Security
BEC/Fraud
Credential Phishing
Social engineering
Evasion
Content analysis
Header analysis
Sender analysis
URL analysis
/feeds/core/detection-rules/link-self-sent-message-with-quarterly-document-review-request-3c42cec6
Brand impersonation: Fake Fax
2d ago
Jan 21st, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Image as content
Free file host
Free subdomain host
Social engineering
Computer Vision
Content analysis
Optical Character Recognition
Sender analysis
URL analysis
/feeds/core/detection-rules/brand-impersonation-fake-fax-2a96b90a
Link: Excessive URL rewrite encoders
2d ago
Jan 21st, 2026
Sublime Security
Credential Phishing
Malware/Ransomware
Encryption
Evasion
URL analysis
Content analysis
/feeds/core/detection-rules/link-excessive-url-rewrite-encoders-b88e53a7
Brand impersonation: USPS
3d ago
Jan 20th, 2026
Sublime Security
Credential Phishing
Image as content
Impersonation: Brand
Social engineering
Computer Vision
Content analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/brand-impersonation-usps-28b9130a
Impersonation: Internal corporate services
3d ago
Jan 20th, 2026
Sublime Security
Credential Phishing
Impersonation: Employee
Social engineering
Content analysis
Header analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/impersonation-internal-corporate-services-3cd04f33
Link: Breely link masquerading as PDF
7d ago
Jan 16th, 2026
Sublime Security
BEC/Fraud
Credential Phishing
Free subdomain host
Social engineering
Content analysis
URL analysis
/feeds/core/detection-rules/link-breely-link-masquerading-as-pdf-4a498c21
Brand impersonation: Xodo Sign
7d ago
Jan 16th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Social engineering
Content analysis
Header analysis
Sender analysis
/feeds/core/detection-rules/brand-impersonation-xodo-sign-e6139052
Page 1 of 25