- Impersonation: Brand
Tactic or Technique: Impersonation: Brand
Brand impersonation is a phishing technique where attackers copy the look and feel of trusted companies to make their emails seem legitimate. They recreate logos, colors, templates, and writing styles to mimic well-known brands like Microsoft, Amazon, or PayPal and convince you to trust the message.
They often use lookalike domains to make the links seem real. That could be a small typo, a character swap, or a URL like secure-microsoft[.]com that looks legitimate at first glance. These tricks are meant to get past your defenses and make you more likely to click or respond.
The goal is usually to steal your credentials or convince you to take some kind of action. But over time, these attacks also make it harder to trust what you see in your inbox. Spotting them means looking closely—at the sender address, the way the message is written, and where the links actually go. The differences are subtle, but once you know what to look for, they stand out.
Blog Posts
Tax season email attacks: AdWind RATs and Tycoon 2FA phishing kits
Credential phishing Charles Schwab account holders with 2FA bypass
Callback phishing via invoice abuse and distribution list relays
Talking phish over turkey
Living Off the Land: Callback Phishing via Docusign comment
Abusing Discord to deliver Agent Tesla malware
QR Code Phishing: Decoding Hidden Threats
Call Me Maybe? The Rise of Callback Phishing Emails
Detecting Credential Phishing using Deep Learning + MQL
Attack Types (5):
Detection Methods (11):
Rule Name & Severity | Last Updated | Author | Types, Tactics & Capabilities | |
|---|---|---|---|---|
Link: Direct link to Zoom Docs from Non-Zoom Sender | 1d ago May 22nd, 2025 | Sublime Security | /feeds/core/detection-rules/link-direct-link-to-zoom-docs-from-non-zoom-sender-5c6362db | |
Brand impersonation: DocuSign | 2d ago May 21st, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-docusign-4d29235c | |
Callback phishing via Intuit service abuse | 2d ago May 21st, 2025 | Sublime Security | /feeds/core/detection-rules/callback-phishing-via-intuit-service-abuse-f2fe1294 | |
Link: Multistage Landing - Scribd Document | 7d ago May 16th, 2025 | Sublime Security | /feeds/core/detection-rules/link-multistage-landing-scribd-document-afa9807d | |
Attachment: Adobe image lure in body or attachment with suspicious link | 7d ago May 16th, 2025 | Sublime Security | /feeds/core/detection-rules/attachment-adobe-image-lure-in-body-or-attachment-with-suspicious-link-1d7add81 | |
Brand Impersonation: Zoom | 8d ago May 15th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-zoom-5abad540 | |
Brand impersonation: Microsoft | 8d ago May 15th, 2025 | @amitchell516 | /feeds/core/detection-rules/brand-impersonation-microsoft-6e2f04e6 | |
Vendor Compromise: GovDelivery Message With Suspicious Link | 8d ago May 15th, 2025 | Sublime Security | /feeds/core/detection-rules/vendor-compromise-govdelivery-message-with-suspicious-link-0d2d5172 | |
Link: Multistage Landing - Ludus Presentation | 9d ago May 14th, 2025 | Sublime Security | /feeds/core/detection-rules/link-multistage-landing-ludus-presentation-a8b3c311 | |
Brand Impersonation: Meta and Subsidiaries | 9d ago May 14th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-meta-and-subsidiaries-e38f1e3b | |
Brand impersonation: Amazon with suspicious attachment | 9d ago May 14th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-amazon-with-suspicious-attachment-5751dcb9 | |
Brand impersonation: Microsoft with low reputation links | 16d ago May 7th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-microsoft-with-low-reputation-links-b59201b6 | |
Brand impersonation: Microsoft with embedded logo and credential theft language | 16d ago May 7th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-microsoft-with-embedded-logo-and-credential-theft-language-3ee9ef3d | |
Microsoft Device Code Phishing | 16d ago May 7th, 2025 | @ajpc500 | /feeds/core/detection-rules/microsoft-device-code-phishing-61f3ae67 | |
Brand Impersonation: Microsoft Teams Invitation | 18d ago May 5th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-microsoft-teams-invitation-46410ad8 | |
HR Impersonation via E-sign Agreement Comment | 18d ago May 5th, 2025 | Sublime Security | /feeds/core/detection-rules/hr-impersonation-via-e-sign-agreement-comment-796c6f0f | |
Brand Impersonation: Mailchimp | 18d ago May 5th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-mailchimp-48b454c7 | |
Service Abuse: Adobe Sign Notification From an Unsolicited Reply-To Address | 23d ago Apr 30th, 2025 | Sublime Security | /feeds/core/detection-rules/service-abuse-adobe-sign-notification-from-an-unsolicited-reply-to-address-d00893ba | |
Brand impersonation: DocuSign branded attachment lure with no DocuSign links | 23d ago Apr 30th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-docusign-branded-attachment-lure-with-no-docusign-links-814a5694 | |
Link: Multistage Landing - Abuse Adobe Acrobat Hosted PDF | 25d ago Apr 28th, 2025 | Sublime Security | /feeds/core/detection-rules/link-multistage-landing-abuse-adobe-acrobat-hosted-pdf-609081ef |