Attack Type: Credential Phishing

Credential phishing attacks are designed to steal your login information by tricking you into entering it on fake login pages. These emails impersonate trusted services like Microsoft 365, Google Workspace, or banking sites, using urgent phrases like “verify your account,” “prevent suspension,” or “view shared document” to push you into clicking.
Once you click the link, it leads to a fake login page that looks convincing. If you enter your credentials, the attacker captures them immediately. Common examples include phishing emails pretending to be DocuSign requests, Dropbox links, or HR file shares—things that feel routine but create a false sense of urgency.
Attackers often use real platforms like Microsoft Forms, Google Forms, or compromised websites to host these fake login pages, making the links appear legitimate and harder for security tools to catch. The damage doesn’t stop at just stealing your login. Once attackers gain access, they can move through your organization, steal sensitive data, send internal phishing emails, or even launch a ransomware attack.
Blog Posts
Tax season email attacks: AdWind RATs and Tycoon 2FA phishing kits · Blog · Sublime Security
Tax season email attacks: AdWind RATs and Tycoon 2FA phishing kits · Blog · Sublime Security
Credential phishing Charles Schwab account holders with 2FA bypass · Blog · Sublime Security
Credential phishing Charles Schwab account holders with 2FA bypass · Blog · Sublime Security
Detecting malicious AnonymousFox email messages sent from compromised sites · Blog · Sublime Security
Detecting malicious AnonymousFox email messages sent from compromised sites · Blog · Sublime Security
Talking phish over turkey · Blog · Sublime Security
Talking phish over turkey · Blog · Sublime Security
Hidden credential phishing within EML attachments · Blog · Sublime Security
Hidden credential phishing within EML attachments · Blog · Sublime Security
Living Off the Land: Credential Phishing via Docusign abuse · Blog · Sublime Security
Living Off the Land: Credential Phishing via Docusign abuse · Blog · Sublime Security
Living Off the Land: Callback Phishing via Docusign comment · Blog · Sublime Security
Living Off the Land: Callback Phishing via Docusign comment · Blog · Sublime Security
Scripting Vector Grifts: SVG phishing with smuggled JS and adversary in the middle tactics · Blog · Sublime Security
Scripting Vector Grifts: SVG phishing with smuggled JS and adversary in the middle tactics · Blog · Sublime Security
Email Topic Modeling: Simplifying detection with ML-powered granularity · Blog · Sublime Security
Email Topic Modeling: Simplifying detection with ML-powered granularity · Blog · Sublime Security
QR Code Phishing: Decoding Hidden Threats · Blog · Sublime Security
QR Code Phishing: Decoding Hidden Threats · Blog · Sublime Security
Tactics & Techniques (25):
Social engineering
Evasion
Impersonation: Employee
Impersonation: Brand
Lookalike domain
PDF
Image as content
Free file host
Open redirect
QR code
Spoofing
Free subdomain host
Free email provider
Impersonation: VIP
Scripting
Macros
Encryption
Out of band pivot
IPFS
HTML injection
HTML smuggling
OneNote
LNK
Exploit
Punycode
Detection Methods (20):
Content analysis
Natural Language Understanding
URL analysis
Sender analysis
Header analysis
Computer Vision
File analysis
HTML analysis
URL screenshot
Optical Character Recognition
QR code analysis
Whois
Exif analysis
YARA
Archive analysis
Javascript analysis
Macro analysis
Threat intelligence
OLE analysis
XML analysis
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
Credential phishing: Generic document sharing
3d ago
Feb 14th, 2026
Sublime Security
Credential Phishing
BEC/Fraud
Social engineering
Evasion
Impersonation: Employee
Content analysis
Natural Language Understanding
URL analysis
Sender analysis
/feeds/core/detection-rules/credential-phishing-generic-document-sharing-9f0e1d2c
Brand impersonation: Punchbowl
4d ago
Feb 13th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Social engineering
Content analysis
Sender analysis
/feeds/core/detection-rules/brand-impersonation-punchbowl-58937ba0
Brand impersonation: Amazon
4d ago
Feb 13th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Social engineering
Header analysis
Sender analysis
/feeds/core/detection-rules/brand-impersonation-amazon-13fc967d
Russia return-path TLD (untrusted sender)
4d ago
Feb 13th, 2026
Sublime Security
BEC/Fraud
Credential Phishing
Malware/Ransomware
Header analysis
Sender analysis
/feeds/core/detection-rules/russia-return-path-tld-untrusted-sender-588b3954
Brand Impersonation: PayPal
4d ago
Feb 13th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Lookalike domain
Social engineering
Computer Vision
Content analysis
File analysis
Header analysis
Sender analysis
/feeds/core/detection-rules/brand-impersonation-paypal-a6b2ceee
Credential phishing: Tax form impersonation with payment request
4d ago
Feb 13th, 2026
Sublime Security
BEC/Fraud
Credential Phishing
Impersonation: Brand
Social engineering
PDF
Content analysis
Header analysis
Sender analysis
URL analysis
/feeds/core/detection-rules/credential-phishing-tax-form-impersonation-with-payment-request-717695cf
Brand impersonation: USPS
4d ago
Feb 13th, 2026
Sublime Security
Credential Phishing
Image as content
Impersonation: Brand
Social engineering
Computer Vision
Content analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/brand-impersonation-usps-28b9130a
Link: Credential theft with invisible Unicode character in page title from unsolicited sender
4d ago
Feb 13th, 2026
Sublime Security
Credential Phishing
Evasion
Social engineering
Natural Language Understanding
Content analysis
HTML analysis
URL analysis
URL screenshot
/feeds/core/detection-rules/link-credential-theft-with-invisible-unicode-character-in-page-title-from-unsolicited-sender-5fe14d53
Link: Suspicious SharePoint document name
4d ago
Feb 13th, 2026
Sublime Security
Credential Phishing
Free file host
Evasion
Content analysis
/feeds/core/detection-rules/link-suspicious-sharepoint-document-name-f95fee6e
File sharing link from suspicious sender domain
4d ago
Feb 13th, 2026
Sublime Security
Credential Phishing
Malware/Ransomware
Free file host
Sender analysis
URL analysis
/feeds/core/detection-rules/file-sharing-link-from-suspicious-sender-domain-95f20354
Attachment: Self-sender PDF with minimal content and view prompt
5d ago
Feb 12th, 2026
Sublime Security
Credential Phishing
Malware/Ransomware
PDF
Social engineering
Evasion
Content analysis
File analysis
Sender analysis
/feeds/core/detection-rules/attachment-self-sender-pdf-with-minimal-content-and-view-prompt-07670a8c
Brand impersonation: Dropbox
5d ago
Feb 12th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Social engineering
Content analysis
File analysis
Header analysis
Sender analysis
/feeds/core/detection-rules/brand-impersonation-dropbox-61f11d12
Open redirect: embluemail.com
5d ago
Feb 12th, 2026
Sublime Security
Credential Phishing
Malware/Ransomware
Open redirect
Sender analysis
URL analysis
/feeds/core/detection-rules/open-redirect-embluemailcom-48c5abd3
Brand impersonation: TikTok
5d ago
Feb 12th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Social engineering
Computer Vision
Content analysis
Header analysis
Natural Language Understanding
Optical Character Recognition
Sender analysis
/feeds/core/detection-rules/brand-impersonation-tiktok-aaacc8b7
Link: PDF filename impersonation with credential theft language
5d ago
Feb 12th, 2026
Sublime Security
Credential Phishing
Social engineering
Evasion
PDF
Content analysis
Natural Language Understanding
Header analysis
Sender analysis
URL analysis
/feeds/core/detection-rules/link-pdf-filename-impersonation-with-credential-theft-language-05931513
Brand impersonation: Google Meet with malicious link
5d ago
Feb 12th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Social engineering
Content analysis
URL analysis
/feeds/core/detection-rules/brand-impersonation-google-meet-with-malicious-link-d488d85a
Attachment: QR code with recipient targeting and special characters
8d ago
Feb 9th, 2026
Sublime Security
Credential Phishing
QR code
Social engineering
Evasion
File analysis
QR code analysis
URL analysis
Computer Vision
/feeds/core/detection-rules/attachment-qr-code-with-recipient-targeting-and-special-characters-fc9e1c09
Brand impersonation: Navan
8d ago
Feb 9th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Social engineering
Spoofing
Sender analysis
Natural Language Understanding
URL analysis
Content analysis
/feeds/core/detection-rules/brand-impersonation-navan-3573e9a8
Reconnaissance: Empty subject with mismatched reply-to from new sender
11d ago
Feb 6th, 2026
Sublime Security
BEC/Fraud
Credential Phishing
Evasion
Social engineering
Spoofing
Header analysis
Sender analysis
/feeds/core/detection-rules/reconnaissance-empty-subject-with-mismatched-reply-to-from-new-sender-12f4bd45
Link: Suspicious go.php redirect with document lure
11d ago
Feb 6th, 2026
Sublime Security
Credential Phishing
Evasion
Social engineering
Content analysis
URL analysis
/feeds/core/detection-rules/link-suspicious-gophp-redirect-with-document-lure-f3d8c227
Page 1 of 25