Skip to main content

Phishing Threat Database

How do we catch these threats?

The Cofense Phishing Detection Center (PDC) acts as a SOC-as-a-service, supporting thousands of leading organizations. With over 35 million trained users and real-time threat reporting, our platform combines automated analysis with expert verification, ensuring reliable and efficient protection. Here, you’ll find real-world phishing emails that bypassed even advanced security measures, posing risks to revenue and reputation.

Cisco IronPort

Hermes Germany-spoofing emails found in environments protected by Cisco IronPort deliver N-Able via an embedded link.

Posted On: February 10, 2026 Tactic: Embedded Link Theme: Spoofing

Check Point

Benefits-themed emails found in environments protected by Microsoft ATP and Check Point deliver Credential Phishing via an attached PDF containing a QR Code.

Posted On: February 9, 2026 Tactic: QR Code Theme: Benefits

Proofpoint

MetLife-spoofing emails found in environments protected by Proofpoint and Microsoft ATP deliver Faronics Deploy via an embedded URL.

Posted On: February 6, 2026 Tactic: Embedded Link Theme: Spoofing

Microsoft ATP

MetLife-spoofing emails found in environments protected by Proofpoint and Microsoft ATP deliver Faronics Deploy via an embedded URL.

Posted On: February 6, 2026 Tactic: Embedded Link Theme: Spoofing

Microsoft ATP

Benefits-themed emails found in environments protected by Microsoft ATP deliver an attached PDF with a link to download a VBS script. The VBS script runs Remcos RAT in memory.

Posted On: February 4, 2026 Tactic: Attachment Theme: Benefits

Microsoft ATP

Voicemail-themed emails found in environments protected by Microsoft ATP deliver an attached HTML file that downloads a JSDropper. The JSDropper delivers a DotNETLoader and Babylon RAT. Additional payloads were found at the time of analysis.

Posted On: February 4, 2026 Tactic: Attachment Theme: Voicemail

Proofpoint

Invitation-themed emails found in environments protected by Microsoft ATP and Proofpoint deliver either Credential Phishing or Ninite Loader via an embedded URL. Ninite Loader delivers ConnectWise RAT.

Posted On: February 3, 2026 Tactic: Embedded Link Theme: Invitation

Microsoft ATP

Invitation-themed emails found in environments protected by Microsoft ATP and Proofpoint deliver either Credential Phishing or Ninite Loader via an embedded URL. Ninite Loader delivers ConnectWise RAT.

Posted On: February 3, 2026 Tactic: Embedded Link Theme: Invitation

Cisco IronPort

Docusign-spoofing emails found in environments protected by Cisco IronPort deliver an embedded link to TrustConnect.

Posted On: January 30, 2026 Tactic: Embedded Link Theme: Spoofing

Proofpoint

Social Security-spoofing emails found in environments protected by Proofpoint and Microsoft ATP deliver ConnectWise RAT via an embedded URL.

Posted On: January 29, 2026 Tactic: Embedded Link Theme: Spoofing

Microsoft ATP

Social Security-spoofing emails found in environments protected by Proofpoint and Microsoft ATP deliver ConnectWise RAT via an embedded URL.

Posted On: January 29, 2026 Tactic: Embedded Link Theme: Spoofing

Cisco IronPort

Benefits-themed emails found in environments protected by Cisco IronPort and Microsoft ATP deliver an attached PDF with a link to download a JSDropper. The JSDropper downloads and runs a PowerShell Script which drops and runs a DotNETLoader and XWorm RAT.

Posted On: January 27, 2026 Tactic: Attachment Theme: Benefits