- Credential Phishing
Attack Type: Credential Phishing
Credential phishing attacks are designed to steal your login information by tricking you into entering it on fake login pages. These emails impersonate trusted services like Microsoft 365, Google Workspace, or banking sites, using urgent phrases like “verify your account,” “prevent suspension,” or “view shared document” to push you into clicking.
Once you click the link, it leads to a fake login page that looks convincing. If you enter your credentials, the attacker captures them immediately. Common examples include phishing emails pretending to be DocuSign requests, Dropbox links, or HR file shares—things that feel routine but create a false sense of urgency.
Attackers often use real platforms like Microsoft Forms, Google Forms, or compromised websites to host these fake login pages, making the links appear legitimate and harder for security tools to catch. The damage doesn’t stop at just stealing your login. Once attackers gain access, they can move through your organization, steal sensitive data, send internal phishing emails, or even launch a ransomware attack.
Blog Posts
Tax season email attacks: AdWind RATs and Tycoon 2FA phishing kits
Credential phishing Charles Schwab account holders with 2FA bypass
Detecting malicious AnonymousFox email messages sent from compromised sites
Talking phish over turkey
Hidden credential phishing within EML attachments
Living Off the Land: Credential Phishing via Docusign abuse
Living Off the Land: Callback Phishing via Docusign comment
Scripting Vector Grifts: SVG phishing with smuggled JS and adversary in the middle tactics
Email Topic Modeling: Simplifying detection with ML-powered granularity
QR Code Phishing: Decoding Hidden Threats
Tactics & Techniques (11):
Detection Methods (12):
Rule Name & Severity | Last Updated | Author | Types, Tactics & Capabilities | |
|---|---|---|---|---|
Xero Infrastructure Abuse | 6h ago May 23rd, 2025 | Sublime Security | /feeds/core/detection-rules/xero-infrastructure-abuse-918c4bd3 | |
Link: Direct Link to keap.app contact-us page | 6h ago May 23rd, 2025 | Sublime Security | /feeds/core/detection-rules/link-direct-link-to-keapapp-contact-us-page-a7a69267 | |
Link: Direct link to Zoom Docs from Non-Zoom Sender | 1d ago May 22nd, 2025 | Sublime Security | /feeds/core/detection-rules/link-direct-link-to-zoom-docs-from-non-zoom-sender-5c6362db | |
Brand impersonation: DocuSign | 2d ago May 21st, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-docusign-4d29235c | |
Link: Multistage Landing - Scribd Document | 7d ago May 16th, 2025 | Sublime Security | /feeds/core/detection-rules/link-multistage-landing-scribd-document-afa9807d | |
Canva Design With Suspicious Embedded Link | 7d ago May 16th, 2025 | Sublime Security | /feeds/core/detection-rules/canva-design-with-suspicious-embedded-link-02959e22 | |
Corporate Services Impersonation Phishing | 7d ago May 16th, 2025 | Sublime Security | /feeds/core/detection-rules/corporate-services-impersonation-phishing-3cd04f33 | |
Attachment: Adobe image lure in body or attachment with suspicious link | 7d ago May 16th, 2025 | Sublime Security | /feeds/core/detection-rules/attachment-adobe-image-lure-in-body-or-attachment-with-suspicious-link-1d7add81 | |
EML attachment with credential theft language (unknown sender) | 7d ago May 16th, 2025 | Sublime Security | /feeds/core/detection-rules/eml-attachment-with-credential-theft-language-unknown-sender-00e06af1 | |
ClickFunnels link infrastructure abuse | 7d ago May 16th, 2025 | Sublime Security | /feeds/core/detection-rules/clickfunnels-link-infrastructure-abuse-9192fbe9 | |
Brand impersonation: Microsoft | 8d ago May 15th, 2025 | @amitchell516 | /feeds/core/detection-rules/brand-impersonation-microsoft-6e2f04e6 | |
Brand Impersonation: Zoom | 8d ago May 15th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-zoom-5abad540 | |
Vendor Compromise: GovDelivery Message With Suspicious Link | 8d ago May 15th, 2025 | Sublime Security | /feeds/core/detection-rules/vendor-compromise-govdelivery-message-with-suspicious-link-0d2d5172 | |
Link: Multistage Landing - Ludus Presentation | 9d ago May 14th, 2025 | Sublime Security | /feeds/core/detection-rules/link-multistage-landing-ludus-presentation-a8b3c311 | |
Link: Multistage Landing - Published Google Doc | 9d ago May 14th, 2025 | Sublime Security | /feeds/core/detection-rules/link-multistage-landing-published-google-doc-031e1ff8 | |
Link: Scribd Fullscreen Link From Suspicious Sender | 9d ago May 14th, 2025 | Sublime Security | /feeds/core/detection-rules/link-scribd-fullscreen-link-from-suspicious-sender-9e9bc972 | |
Fake email quarantine notification | 9d ago May 14th, 2025 | Sublime Security | /feeds/core/detection-rules/fake-email-quarantine-notification-73f26a3d | |
Brand Impersonation: Meta and Subsidiaries | 9d ago May 14th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-meta-and-subsidiaries-e38f1e3b | |
Brand impersonation: Amazon with suspicious attachment | 9d ago May 14th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-amazon-with-suspicious-attachment-5751dcb9 | |
Salesforce Infrastructure Abuse | 14d ago May 9th, 2025 | Sublime Security | /feeds/core/detection-rules/salesforce-infrastructure-abuse-78a77c70 |