Phishing Threat Database

How do we catch these threats?

The Cofense Phishing Detection Center (PDC) acts as a SOC-as-a-service, supporting thousands of leading organizations. With over 35 million trained users and real-time threat reporting, our platform combines automated analysis with expert verification, ensuring reliable and efficient protection. Here, you’ll find real-world phishing emails that bypassed even advanced security measures, posing risks to revenue and reputation.

Microsoft ATP

Phishing Email Example Description:
Finance-themed emails found in environments protected by Microsoft ATP deliver an attached archive with a spoofed header containing FormBook.

Posted On: August 6, 2025 Tactic: GZ Attachment Theme: Finance

Proofpoint

Phishing Email Example Description:
Macfarlanes LLP-spoofing emails found in environments protected by Proofpoint deliver a link to download a Python Installer which runs PureLogs Stealer and Quasar RAT in memory.

Posted On: August 4, 2025 Tactic: Link Theme: Spoofing

Cisco IronPort

Phishing Email Example Description:
Finance-themed emails found in environments protected by Microsoft ATP and Cisco IronPort deliver PDQ Connect RAT via an embedded URL.

Posted On: August 4, 2025 Tactic: Link Theme: Finance

Microsoft ATP

Phishing Email Example Description:
Finance-themed emails found in environments protected by Microsoft ATP and Cisco IronPort deliver PDQ Connect RAT via an embedded URL.

Posted On: August 4, 2025 Tactic: Link Theme: Finance

Mimecast

Phishing Email Example Description:
Finance-themed campaign found in environments protected by Mimecast delivers Byakugan via a link embedded in an attached PDF file. Byakugan downloads additional modules.

Posted On: August 1, 2025 Tactic: PDF Attachment Theme: Finance

Microsoft ATP

Phishing Email Example Description:
Notification-themed emails found in environments protected by Mimecast and Microsoft ATP verify access to an embedded URL using the recipient's email address before delivering either ConnectWise RAT or Credential Phishing based on the browser.

Posted On: July 31, 2025 Tactic: Link Theme: Notification

Mimecast

Phishing Email Example Description:
Notification-themed emails found in environments protected by Mimecast and Microsoft ATP verify access to an embedded URL using the recipient's email address before delivering either ConnectWise RAT or Credential Phishing based on the browser.

Posted On: July 31, 2025 Tactic: Link Theme: Notification

Microsoft ATP

Phishing Email Example Description:
Finance-themed emails found in environments protected by Microsoft ATP and Cisco IronPort deliver a password-protected archive via an embedded URL. The password-protected archive contains JSDropper which delivers and runs XWorm RAT.

Posted On: July 30, 2025 Tactic: Link Theme: Finance

Cisco IronPort

Phishing Email Example Description:
Finance-themed emails found in environments protected by Microsoft ATP and Cisco IronPort deliver a password-protected archive via an embedded URL. The password-protected archive contains JSDropper which delivers and runs XWorm RAT.

Posted On: July 30, 2025 Tactic: Link Theme: Finance

Cisco IronPort

Phishing Email Example Description:
Voicemail-themed emails found in environments protected by Cisco IronPort deliver an attached HTML which downloads an archive file containing a JavaScript file. When run, the script delivers a DotNETLoader that runs Babylon RAT.

Posted On: July 28, 2025 Tactic: HTML Attachment Theme: Voicemail