Email Phishing Analysis Report

Summary of the Email Phishing Attacks

The report includes six diverse incidents. 

1. Spoofed FedEx Delivery Notification (PHISH002_2025)

   • Tactic: Impersonated FedEx using urgent messaging and Google Cloud hosting

   • IOC: URL hosted on storage.googleapis[.]com with a hidden JavaScript beacon

   • Success: The user reported the email before clicking – a testament to security awareness training

2. Fake Lido Airdrop Email (PHISH003_2025)

   • Tactic: Pretended to be a crypto airdrop from Lido.fi

   • Findings: Used a legitimate-sounding Microsoft subdomain (onmicrosoft[.]com) to pass SPF

   • Action: Blocked domain and link tracking via Postmark (pstmrk[.]it) to prevent spread

3. Microsoft Account Unusual Login Alert (PHISH004_2025)

   • Tactic: Fear-based spoofing of a Microsoft security alert

   • Innovation: Embedded mailto-reply trick disguised as a "Report the user" button

   • Detection: Tracking pixel used to confirm email open rate

4. Fake ProtonMail Shutdown Notice (PHISH005_2025)

   • Tactic: Impersonated ProtonMail with an urgent call to login

   • Clue: Email sent from a Gmail account (taoheed.lawal1984@gmail[.]com)

   • IOC: Malicious link redirected to a domain running a compromised WordPress site

5. McAfee Renewal Scam (PHISH006_2025)

   • Tactic: Fear-mongering around AV subscription expiry

   • Evading Defenses: Used Twitter shortened URLs to an obscure destination

   • Findings: Ultimately linked to a domain (cradletool[.]com) flagged as malicious

6. Credential Harvesting via HTML Attachment (PHISH008_2025)

   • Tactic: Generic email with attached spoofed Microsoft login page

   • Attachment: HTML file with embedded JS, attempting to collect user credentials

   • Mitre Mapping: T1566.001 - Spearphishing Attachment