Phishing Threat Database

How do we catch these threats?

The Cofense Phishing Detection Center (PDC) acts as a SOC-as-a-service, supporting thousands of leading organizations. With over 35 million trained users and real-time threat reporting, our platform combines automated analysis with expert verification, ensuring reliable and efficient protection. Here, you’ll find real-world phishing emails that bypassed even advanced security measures, posing risks to revenue and reputation.

Cisco IronPort

Finance-themed emails found in environments protected by Cisco IronPort and Microsoft ATP deliver an attached PDF that contains a link to a WSF script. When run, the WSF is used to launch a chain of a JSDropper, Malicious Batch Script, Python Installer, and VBS scripts that run multiple instances of DcRAT, Async RAT, Pure RAT, and Venom RAT in memory. At the time of analysis, additional payloads from other campaigns have been found.

Posted On: April 10, 2026 Tactic: PDF Attachment Theme: Finance

Microsoft ATP

Finance-themed emails found in environments protected by Cisco IronPort and Microsoft ATP deliver an attached PDF that contains a link to a WSF script. When run, the WSF is used to launch a chain of a JSDropper, Malicious Batch Script, Python Installer, and VBS scripts that run multiple instances of DcRAT, Async RAT, Pure RAT, and Venom RAT in memory. At the time of analysis, additional payloads from other campaigns have been found.

Posted On: April 10, 2026 Tactic: PDF Attachment Theme: Finance

Cisco IronPort

Australian Taxation Office-spoofing, taxes-themed emails found in environments protected by Cisco IronPort and Microsoft ATP deliver an attached PDF that contains an embedded link to a Malicious Downloader. The downloader is used to deliver ConnectWise RAT.

Posted On: April 9, 2026 Tactic: PDF Attachment Theme: Spoofing

Microsoft ATP

Australian Taxation Office-spoofing, taxes-themed emails found in environments protected by Cisco IronPort and Microsoft ATP deliver an attached PDF that contains an embedded link to a Malicious Downloader. The downloader is used to deliver ConnectWise RAT.

Posted On: April 9, 2026 Tactic: PDF Attachment Theme: Spoofing

Microsoft ATP

Finance-themed emails found in environments protected by Proofpoint and Microsoft ATP deliver a JSDropper via an embedded URL. The JSDropper drops and runs a PowerShell Script that delivers a DotNETLoader and Agent Tesla Keylogger.

Posted On: April 8, 2026 Tactic: Embedded Link Theme: Finance

Proofpoint

Finance-themed emails found in environments protected by Proofpoint and Microsoft ATP deliver a JSDropper via an embedded URL. The JSDropper drops and runs a PowerShell Script that delivers a DotNETLoader and Agent Tesla Keylogger.

Posted On: April 8, 2026 Tactic: Embedded Link Theme: Finance

Cisco IronPort

IRS-spoofing, taxes-themed campaign found in environments protected by Cisco IronPort and Trend Micro delivers ConnectWise RAT via an embedded URL.

Posted On: April 7, 2026 Tactic: Embedded Link Theme: IRS-Spoofing

Trend Micro

IRS-spoofing, taxes-themed campaign found in environments protected by Cisco IronPort and Trend Micro delivers ConnectWise RAT via an embedded URL.

Posted On: April 7, 2026 Tactic: Embedded Link Theme: IRS-Spoofing

Cisco IronPort

IRS-spoofing, taxes-themed campaign found in environments protected by Cisco IronPort delivers ConnectWise RAT via an embedded URL.

Posted On: April 6, 2026 Tactic: Embedded Link Theme: IRS-Spoofing

Microsoft ATP

Response-themed emails found in environments protected by Microsoft ATP and Proofpoint deliver an embedded link to an archive file containing a Malicious Batch Script that delivers ConnectWise RAT.

Posted On: April 3, 2026 Tactic: Embedded Link Theme: Response

Abnormal Security

Benefits-themed emails found in environments protected by Abnormal Security, Mimecast, and Microsoft ATP deliver an attached PDF file that contains a QR code to a credential phishing site.

Posted On: April 2, 2026 Tactic: QR Code Theme: Benefits