(TLP:CLEAR) Threat Awareness – Credential Phishing Scam Spoofs Security Alerts

Summary: Palo Alto’s Unit42 has observed phishing activity disguised as email security alerts spoofing the recipient’s domain. The message body pretends to be an “upgraded Secure Message system” which has blocked several seemingly important emails and instructs recipients to confirm or release pending messages by clicking a button. The button directs the recipient to a fake webmail login page pre-filled with the recipient’s email address to enter their password.

Analyst Note: WaterISAC recommends utilities advise end users of this current phishing tactic as part of security awareness efforts. This phishing scam leverages common social engineering tactics of faking urgency and credibility to trick users into acting without verifying with IT or cybersecurity support staff. Utilities are encouraged to provide advance notice to end users when certain technology upgrades might result in new behavior, what that behavior might look like, and for users to pause and ask questions before acting on anything before support staff are able to verify.

Original Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-11-07-IOCs-for-phishing-activity-spoofing-spam-filters.txt

Additional Reading:

• Phishing emails disguised as spam filter alerts are stealing logins

Related WaterISAC PIRs: 6, 6.1, 10, 12