Phishing Threat Database

How do we catch these threats?

The Cofense Phishing Detection Center (PDC) acts as a SOC-as-a-service, supporting thousands of leading organizations. With over 35 million trained users and real-time threat reporting, our platform combines automated analysis with expert verification, ensuring reliable and efficient protection. Here, you’ll find real-world phishing emails that bypassed even advanced security measures, posing risks to revenue and reputation.

Mimecast

Phishing Email Example Description:
Document-themed emails found in environments protected by Mimecast, Proofpoint, Microsoft ATP, and Cisco IronPort deliver Syncro RAT via an embedded URL. Syncro RAT delivers Splashtop and ConnectWise RAT.

Posted On: August 27, 2025 Tactic: Link Theme: Document

Microsoft ATP

Phishing Email Example Description:
Document-themed emails found in environments protected by Mimecast, Proofpoint, Microsoft ATP, and Cisco IronPort deliver Syncro RAT via an embedded URL. Syncro RAT delivers Splashtop and ConnectWise RAT.

Posted On: August 27, 2025 Tactic: Link Theme: Document

Proofpoint

Phishing Email Example Description:
Document-themed emails found in environments protected by Mimecast, Proofpoint, Microsoft ATP, and Cisco IronPort deliver Syncro RAT via an embedded URL. Syncro RAT delivers Splashtop and ConnectWise RAT.

Posted On: August 27, 2025 Tactic: Link Theme: Document

Cisco IronPort

Phishing Email Example Description:
Document-themed emails found in environments protected by Mimecast, Proofpoint, Microsoft ATP, and Cisco IronPort deliver Syncro RAT via an embedded URL. Syncro RAT delivers Splashtop and ConnectWise RAT.

Posted On: August 27, 2025 Tactic: Link Theme: Document

Microsoft ATP

Phishing Email Example Description:
JYP Entertainment-spoofing campaign found in environments protected by Microsoft ATP delivers an archive containing a Python Installer via an embedded URL. The Python Installer delivers Lone None Stealer.

Posted On: August 26, 2025 Tactic: Link Theme: Spoofing

Cisco IronPort

Phishing Email Example Description:
Booking.com-spoofing emails found in environments protected by Cisco IronPort deliver an embedded link to a fake CAPTCHA that prompts the victim to run a malicious PowerShell script from the clipboard. The malicious script delivers a DotNETLoader that runs IsabellaWine Remote Access Trojan.

Posted On: August 24, 2025 Tactic: Link Theme: Spoofing

Microsoft ATP

Phishing Email Example Description:
Finance-themed emails found in environments protected by Microsoft ATP deliver N-Able via an embedded link.

Posted On: August 22, 2025 Tactic: Link Theme: Finance

Cisco IronPort

Phishing Email Example Description:
Finance-themed emails found in environments protected by Cisco IronPort deliver a URL Shortcut File via an embedded URL. The URL Shortcut File delivers an LNK Downloader which delivers a WSF script. The WSF script delivers a Malicious Batch script that exfiltrates information and delivers a Python based Installer. The Python based Installer runs DcRAT and Anarchy RAT in memory.

Posted On: August 20, 2025 Tactic: Link Theme: Finance

Cisco IronPort

Phishing Email Example Description:
Republic of Colombia Labor Court-spoofing emails found in environments protected by Cisco IronPort deliver an attached SVG file that contains an embedded link to a password protected archive file that contains DcRAT.

Posted On: August 20, 2025 Tactic: SVG Attachment Theme: Spoofing

Proofpoint

Phishing Email Example Description:
Invitation-themed emails found in environments protected by Proofpoint deliver an embedded link that downloads SimpleHelp RAT.

Posted On: August 19, 2025 Tactic: Link Theme: Invitation