
World Cup-Themed Phishing Campaign Delivers Voidrift Malware with Highly Personalized Lures

June 18, 2026

Cofense Intelligence has identified an active phishing campaign exploiting excitement around the FIFA World Cup 2026 to deliver a sophisticated malware family known as Voidrift. The campaign is notable for its high degree of personalization. Each email is tailored with the recipient's name, their company's name, and even the company's logo embedded directly into the image of the free t-shirt, indicating that threat actors invested meaningful reconnaissance effort before launching attacks.

These emails claim to offer exclusive World Cup t-shirts through a fabricated FIFA partnership with the recipient's employer, creating a sense of urgency and legitimacy designed to compel clicks. The campaign has successfully bypassed three widely deployed secure email gateways (SEGs): Cisco IronPort, Microsoft ATP, and Abnormal Security. This means that traditional email security controls cannot be relied upon to stop this campaign. To make prevention even more difficult, the Voidrift binary is hosted on a legitimate domain. Once delivered, the Voidrift malware is engineered to resist analysis and operate with an unusually low detection footprint, making it difficult for security teams to identify and respond to infections. The combination of convincing social engineering, targeted personalization, proven gateway evasion, and a stealthy payload makes this a high-priority threat warranting immediate attention.

 


Figure 1: Highly customized email delivering Voidrift malware.

This World Cup-themed Voidrift campaign demonstrates how quickly threat actors adapt major global events into highly convincing phishing lures. By combining extensive reconnaissance, company-specific branding, legitimate hosting infrastructure, and malware engineered to evade detection, attackers are creating campaigns that can bypass traditional email security controls and successfully target even security-conscious organizations. As these personalized attacks continue to grow in sophistication, organizations need more than automated defenses alone to identify and stop threats before they reach users.

Cofense Intelligence provides early warning of emerging phishing campaigns through Flash Alerts like this one, giving security teams advance notice of new tactics, techniques, and procedures (TTPs) before they reach more inboxes. In this case, the campaign bypassed Cisco IronPort, Microsoft ATP, and Abnormal Security, meaning organizations relying solely on those gateways had no protection. Cofense's human-reported phishing intelligence, which is sourced from real inboxes rather than perimeter controls, would have allowed security teams to identify the threat despite gateway evasion.

To learn how Cofense can help your organization detect and stop advanced phishing attacks like this Voidrift campaign, visit www.cofense.com.