Attack Type: Credential Phishing

Credential phishing attacks are designed to steal your login information by tricking you into entering it on fake login pages. These emails impersonate trusted services like Microsoft 365, Google Workspace, or banking sites, using urgent phrases like “verify your account,” “prevent suspension,” or “view shared document” to push you into clicking.
Once you click the link, it leads to a fake login page that looks convincing. If you enter your credentials, the attacker captures them immediately. Common examples include phishing emails pretending to be DocuSign requests, Dropbox links, or HR file shares—things that feel routine but create a false sense of urgency.
Attackers often use real platforms like Microsoft Forms, Google Forms, or compromised websites to host these fake login pages, making the links appear legitimate and harder for security tools to catch. The damage doesn’t stop at just stealing your login. Once attackers gain access, they can move through your organization, steal sensitive data, send internal phishing emails, or even launch a ransomware attack.
Blog Posts
Tax season email attacks: AdWind RATs and Tycoon 2FA phishing kits · Blog · Sublime Security
Tax season email attacks: AdWind RATs and Tycoon 2FA phishing kits · Blog · Sublime Security
Credential phishing Charles Schwab account holders with 2FA bypass · Blog · Sublime Security
Credential phishing Charles Schwab account holders with 2FA bypass · Blog · Sublime Security
Detecting malicious AnonymousFox email messages sent from compromised sites · Blog · Sublime Security
Detecting malicious AnonymousFox email messages sent from compromised sites · Blog · Sublime Security
Talking phish over turkey · Blog · Sublime Security
Talking phish over turkey · Blog · Sublime Security
Hidden credential phishing within EML attachments · Blog · Sublime Security
Hidden credential phishing within EML attachments · Blog · Sublime Security
Living Off the Land: Credential Phishing via Docusign abuse · Blog · Sublime Security
Living Off the Land: Credential Phishing via Docusign abuse · Blog · Sublime Security
Living Off the Land: Callback Phishing via Docusign comment · Blog · Sublime Security
Living Off the Land: Callback Phishing via Docusign comment · Blog · Sublime Security
Scripting Vector Grifts: SVG phishing with smuggled JS and adversary in the middle tactics · Blog · Sublime Security
Scripting Vector Grifts: SVG phishing with smuggled JS and adversary in the middle tactics · Blog · Sublime Security
Email Topic Modeling: Simplifying detection with ML-powered granularity · Blog · Sublime Security
Email Topic Modeling: Simplifying detection with ML-powered granularity · Blog · Sublime Security
QR Code Phishing: Decoding Hidden Threats · Blog · Sublime Security
QR Code Phishing: Decoding Hidden Threats · Blog · Sublime Security
Tactics & Techniques (25):
Social engineering
Free file host
PDF
Free subdomain host
Impersonation: Brand
Evasion
Lookalike domain
Image as content
Exploit
HTML smuggling
Spoofing
Open redirect
QR code
Free email provider
Encryption
OneNote
Scripting
Impersonation: Employee
Impersonation: VIP
Macros
LNK
Out of band pivot
IPFS
HTML injection
Punycode
Detection Methods (20):
Natural Language Understanding
Sender analysis
Content analysis
URL analysis
File analysis
Optical Character Recognition
Exif analysis
Header analysis
Computer Vision
Whois
HTML analysis
YARA
Archive analysis
URL screenshot
Threat intelligence
QR code analysis
Javascript analysis
Macro analysis
OLE analysis
XML analysis
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
Credential phishing: 'Secure message' and engaging language
3d ago
Mar 27th, 2026
Sublime Security
Credential Phishing
Social engineering
Natural Language Understanding
Sender analysis
Service abuse: Behance document sharing with suspicious language
3d ago
Mar 27th, 2026
Sublime Security
Credential Phishing
Free file host
Social engineering
Content analysis
URL analysis
Attachment: PDF bid/proposal lure with credential theft indicators
3d ago
Mar 27th, 2026
Sublime Security
BEC/Fraud
Credential Phishing
PDF
Social engineering
Free file host
Free subdomain host
File analysis
Content analysis
Optical Character Recognition
Natural Language Understanding
URL analysis
Exif analysis
Credential phishing: Financial lure via ActiveCampaign infrastructure
3d ago
Mar 27th, 2026
Sublime Security
Credential Phishing
Social engineering
Content analysis
Header analysis
Natural Language Understanding
Sender analysis
Brand impersonation: Robinhood
4d ago
Mar 26th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Social engineering
Content analysis
Header analysis
Sender analysis
URL analysis
Link: Non-standard port 8443 in display URL
4d ago
Mar 26th, 2026
Sublime Security
Credential Phishing
Malware/Ransomware
Evasion
URL analysis
Lookalike sender domain (untrusted sender)
5d ago
Mar 25th, 2026
Sublime Security
BEC/Fraud
Credential Phishing
Malware/Ransomware
Lookalike domain
Social engineering
Sender analysis
Brand impersonation: USPS
5d ago
Mar 25th, 2026
Sublime Security
Credential Phishing
Image as content
Impersonation: Brand
Social engineering
Computer Vision
Content analysis
Natural Language Understanding
Sender analysis
Credential phishing: Fake card notification with tracking lure
6d ago
Mar 24th, 2026
Sublime Security
Credential Phishing
Social engineering
Content analysis
Natural Language Understanding
URL analysis
Sender analysis
Link: Financial account issue with suspicious indicators
6d ago
Mar 24th, 2026
Sublime Security
Credential Phishing
Free file host
Free subdomain host
Social engineering
Content analysis
Natural Language Understanding
URL analysis
Whois
Cloud storage impersonation with credential theft indicators
7d ago
Mar 23rd, 2026
Sublime Security
Credential Phishing
Free file host
Image as content
Impersonation: Brand
Social engineering
Computer Vision
Content analysis
Header analysis
Natural Language Understanding
Optical Character Recognition
Sender analysis
URL analysis
Credential phishing: Suspicious subject with urgent financial request and link
7d ago
Mar 23rd, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Social engineering
Content analysis
Header analysis
Natural Language Understanding
Sender analysis
Brand impersonation: Meta and subsidiaries
10d ago
Mar 20th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Lookalike domain
Social engineering
Header analysis
Sender analysis
Brand Impersonation: Procore
10d ago
Mar 20th, 2026
Sublime Security
BEC/Fraud
Credential Phishing
Impersonation: Brand
Social engineering
Content analysis
Sender analysis
Link: Free file hosting with undisclosed recipients
11d ago
Mar 19th, 2026
Sublime Security
Credential Phishing
Malware/Ransomware
Free file host
Free subdomain host
Evasion
Header analysis
URL analysis
Sender analysis
Natural Language Understanding
Service abuse: Substack credential theft with confusable characters and branded button redirects
11d ago
Mar 19th, 2026
Sublime Security
Credential Phishing
Social engineering
Evasion
Sender analysis
HTML analysis
Natural Language Understanding
URL analysis
Brand impersonation: DocSend
12d ago
Mar 18th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Lookalike domain
Social engineering
Header analysis
Sender analysis
Attachment: PDF contains W9 or invoice YARA signatures
12d ago
Mar 18th, 2026
Sublime Security
BEC/Fraud
Credential Phishing
PDF
Social engineering
File analysis
YARA
Service abuse: Domains By Proxy sender
12d ago
Mar 18th, 2026
Sublime Security
Spam
Credential Phishing
BEC/Fraud
Evasion
Social engineering
Header analysis
Sender analysis
Link: PDF display text with fake copyright claim template
12d ago
Mar 18th, 2026
Sublime Security
Credential Phishing
Malware/Ransomware
Evasion
Image as content
PDF
Content analysis
HTML analysis
Page 1 of 25