Attack Type: Credential Phishing

Credential phishing attacks are designed to steal your login information by tricking you into entering it on fake login pages. These emails impersonate trusted services like Microsoft 365, Google Workspace, or banking sites, using urgent phrases like “verify your account,” “prevent suspension,” or “view shared document” to push you into clicking.
Once you click the link, it leads to a fake login page that looks convincing. If you enter your credentials, the attacker captures them immediately. Common examples include phishing emails pretending to be DocuSign requests, Dropbox links, or HR file shares—things that feel routine but create a false sense of urgency.
Attackers often use real platforms like Microsoft Forms, Google Forms, or compromised websites to host these fake login pages, making the links appear legitimate and harder for security tools to catch. The damage doesn’t stop at just stealing your login. Once attackers gain access, they can move through your organization, steal sensitive data, send internal phishing emails, or even launch a ransomware attack.
Blog Posts
Tax season email attacks: AdWind RATs and Tycoon 2FA phishing kits · Blog · Sublime Security
Tax season email attacks: AdWind RATs and Tycoon 2FA phishing kits · Blog · Sublime Security
Credential phishing Charles Schwab account holders with 2FA bypass · Blog · Sublime Security
Credential phishing Charles Schwab account holders with 2FA bypass · Blog · Sublime Security
Detecting malicious AnonymousFox email messages sent from compromised sites · Blog · Sublime Security
Detecting malicious AnonymousFox email messages sent from compromised sites · Blog · Sublime Security
Talking phish over turkey · Blog · Sublime Security
Talking phish over turkey · Blog · Sublime Security
Hidden credential phishing within EML attachments · Blog · Sublime Security
Hidden credential phishing within EML attachments · Blog · Sublime Security
Living Off the Land: Credential Phishing via Docusign abuse · Blog · Sublime Security
Living Off the Land: Credential Phishing via Docusign abuse · Blog · Sublime Security
Living Off the Land: Callback Phishing via Docusign comment · Blog · Sublime Security
Living Off the Land: Callback Phishing via Docusign comment · Blog · Sublime Security
Scripting Vector Grifts: SVG phishing with smuggled JS and adversary in the middle tactics · Blog · Sublime Security
Scripting Vector Grifts: SVG phishing with smuggled JS and adversary in the middle tactics · Blog · Sublime Security
Email Topic Modeling: Simplifying detection with ML-powered granularity · Blog · Sublime Security
Email Topic Modeling: Simplifying detection with ML-powered granularity · Blog · Sublime Security
QR Code Phishing: Decoding Hidden Threats · Blog · Sublime Security
QR Code Phishing: Decoding Hidden Threats · Blog · Sublime Security
Tactics & Techniques (25):
PDF
Social engineering
Evasion
Impersonation: Brand
Open redirect
QR code
Spoofing
Impersonation: Employee
Image as content
Free file host
Free subdomain host
Lookalike domain
Free email provider
Impersonation: VIP
Scripting
Macros
Encryption
HTML smuggling
LNK
Out of band pivot
IPFS
HTML injection
OneNote
Exploit
Punycode
Detection Methods (20):
Content analysis
File analysis
Sender analysis
Header analysis
Computer Vision
Natural Language Understanding
Optical Character Recognition
URL analysis
QR code analysis
Whois
HTML analysis
Exif analysis
YARA
Archive analysis
Javascript analysis
Macro analysis
URL screenshot
OLE analysis
Threat intelligence
XML analysis
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
Attachment: Self-sender PDF with minimal content and view prompt
5h ago
Feb 12th, 2026
Sublime Security
Credential Phishing
Malware/Ransomware
PDF
Social engineering
Evasion
Content analysis
File analysis
Sender analysis
/feeds/core/detection-rules/attachment-self-sender-pdf-with-minimal-content-and-view-prompt-07670a8c
Brand impersonation: Dropbox
6h ago
Feb 12th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Social engineering
Content analysis
File analysis
Header analysis
Sender analysis
/feeds/core/detection-rules/brand-impersonation-dropbox-61f11d12
Brand impersonation: TikTok
6h ago
Feb 12th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Social engineering
Computer Vision
Content analysis
Header analysis
Natural Language Understanding
Optical Character Recognition
Sender analysis
/feeds/core/detection-rules/brand-impersonation-tiktok-aaacc8b7
Open redirect: embluemail.com
6h ago
Feb 12th, 2026
Sublime Security
Credential Phishing
Malware/Ransomware
Open redirect
Sender analysis
URL analysis
/feeds/core/detection-rules/open-redirect-embluemailcom-48c5abd3
Link: PDF filename impersonation with credential theft language
6h ago
Feb 12th, 2026
Sublime Security
Credential Phishing
Social engineering
Evasion
PDF
Content analysis
Natural Language Understanding
Header analysis
Sender analysis
URL analysis
/feeds/core/detection-rules/link-pdf-filename-impersonation-with-credential-theft-language-05931513
Brand impersonation: Google Meet with malicious link
7h ago
Feb 12th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Social engineering
Content analysis
URL analysis
/feeds/core/detection-rules/brand-impersonation-google-meet-with-malicious-link-d488d85a
Attachment: QR code with recipient targeting and special characters
3d ago
Feb 9th, 2026
Sublime Security
Credential Phishing
QR code
Social engineering
Evasion
File analysis
QR code analysis
URL analysis
Computer Vision
/feeds/core/detection-rules/attachment-qr-code-with-recipient-targeting-and-special-characters-fc9e1c09
Brand impersonation: Navan
3d ago
Feb 9th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Social engineering
Spoofing
Sender analysis
Natural Language Understanding
URL analysis
Content analysis
/feeds/core/detection-rules/brand-impersonation-navan-3573e9a8
Reconnaissance: Empty subject with mismatched reply-to from new sender
6d ago
Feb 6th, 2026
Sublime Security
BEC/Fraud
Credential Phishing
Evasion
Social engineering
Spoofing
Header analysis
Sender analysis
/feeds/core/detection-rules/reconnaissance-empty-subject-with-mismatched-reply-to-from-new-sender-12f4bd45
Link: Suspicious go.php redirect with document lure
6d ago
Feb 6th, 2026
Sublime Security
Credential Phishing
Evasion
Social engineering
Content analysis
URL analysis
/feeds/core/detection-rules/link-suspicious-gophp-redirect-with-document-lure-f3d8c227
Brand Impersonation: Disney
6d ago
Feb 6th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Social engineering
Computer Vision
Natural Language Understanding
Content analysis
Header analysis
Sender analysis
/feeds/core/detection-rules/brand-impersonation-disney-bf90b8fb
Link: URL shortener with copy-paste instructions and credential theft language
6d ago
Feb 6th, 2026
Sublime Security
Credential Phishing
Evasion
Social engineering
Content analysis
Natural Language Understanding
URL analysis
/feeds/core/detection-rules/link-url-shortener-with-copy-paste-instructions-and-credential-theft-language-a0a2c573
New link domain (<=10d) from untrusted sender
6d ago
Feb 6th, 2026
Sublime Security
Credential Phishing
Malware/Ransomware
Sender analysis
URL analysis
Whois
/feeds/core/detection-rules/new-link-domain-less10d-from-untrusted-sender-4805b0e6
Link: SharePoint filename matches org name
6d ago
Feb 6th, 2026
Sublime Security
Credential Phishing
Impersonation: Employee
Social engineering
Content analysis
URL analysis
/feeds/core/detection-rules/link-sharepoint-filename-matches-org-name-cb954726
Brand impersonation: Microsoft Teams invitation
6d ago
Feb 6th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Social engineering
Content analysis
Header analysis
HTML analysis
URL analysis
/feeds/core/detection-rules/brand-impersonation-microsoft-teams-invitation-46410ad8
Brand impersonation: Microsoft Planner with suspicious link
6d ago
Feb 6th, 2026
Sublime Security
Credential Phishing
Evasion
Image as content
Impersonation: Brand
Social engineering
Content analysis
Header analysis
Natural Language Understanding
Sender analysis
URL analysis
/feeds/core/detection-rules/brand-impersonation-microsoft-planner-with-suspicious-link-ea363c08
Brand impersonation: Fake Fax
7d ago
Feb 5th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Image as content
Free file host
Free subdomain host
Social engineering
Computer Vision
Content analysis
Optical Character Recognition
Sender analysis
URL analysis
/feeds/core/detection-rules/brand-impersonation-fake-fax-2a96b90a
Credential phishing: Generic document sharing
7d ago
Feb 5th, 2026
Sublime Security
Credential Phishing
BEC/Fraud
Social engineering
Evasion
Impersonation: Employee
Content analysis
Natural Language Understanding
URL analysis
Sender analysis
/feeds/core/detection-rules/credential-phishing-generic-document-sharing-9f0e1d2c
Brand impersonation: DocuSign
7d ago
Feb 5th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Lookalike domain
Social engineering
Spoofing
Header analysis
Sender analysis
URL analysis
/feeds/core/detection-rules/brand-impersonation-docusign-4d29235c
Brand impersonation: Zoom via lookalike domain
7d ago
Feb 5th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Free email provider
Social engineering
URL analysis
Sender analysis
/feeds/core/detection-rules/brand-impersonation-zoom-via-lookalike-domain-b9d5e4b5
Page 1 of 25