
Latest Email Attack Simulations

THREAT KNOWLEDGE BASE

Case studies of email-based attacks publicly disclosed in 2025-2026 — covering kill chain, email signals, Vigilyx detection modules and mitigation. Suitable for analyst training and red-/blue-team exercises.

8 case studies · 2025-2026 · threat intel · Vigilyx · detection map

Case studies of email-based attacks publicly disclosed in 2025-2026, sourced from CISA, Microsoft Threat Intelligence, Mandiant, Proofpoint, Cisco Talos, FBI IC3, Sophos, and Abnormal Security. Each case follows the same template.

All samples are sanitized and intended only for security research, detection evaluation, and anti-phishing training.

Case index

01 · High

ClickFix / Fake CAPTCHA payload delivery

A fake CAPTCHA page walks the user through copying an attacker-supplied PowerShell command and pasting it into the Windows Run dialog. The payload never arrives as an attachment or a download, so attachment scanning has nothing to inspect.

Social eng · LOLBin

02 · Critical

Storm-2372 device-code phishing

Abuses the Microsoft OAuth 2.0 device authorization flow: the victim enters an attacker-generated code on the genuine Microsoft login page and, having satisfied MFA there, issues tokens to the attacker's session.

OAuth · MFA bypass

03 · High

Quishing / QR-code phishing

The phishing URL is encoded in a QR image rather than written into the message, so link scanners that parse the body find no URL to check.

QR code · Obfuscation

04 · High

HTML text cloaking & homoglyph evasion

Zero-width characters, HTML entities and display:none salt split keywords so that regexes over the raw HTML never match; homoglyphs swap Latin letters for Cyrillic or Greek look-alikes.

Zero-width · Homoglyph · Obfuscation

05 · Critical

HTML smuggling for ransomware loaders

HTML attachments carry the loader as base64 text and reassemble it in the browser via JavaScript Blob URLs, so the executable never crosses the gateway as a file.

HTML smuggling · Loader

06 · Critical

Tycoon 2FA / EvilProxy AiTM phishing

An adversary-in-the-middle reverse proxy relays the real login page and captures the post-MFA session cookie in real time; replaying that cookie bypasses MFA.

AiTM proxy · MFA bypass

07 · High

VEC vendor account takeover (BEC)

Invoice fraud sent from a compromised but genuine vendor mailbox, so SPF, DKIM and DMARC all pass.

BEC · Account takeover · Invoice fraud

08 · High

TOAD callback phishing

A plain-text email with no link or attachment lures the victim into calling a fake hotline; the "agent" then talks them through installing an RMM tool or approving an OAuth device code.

Callback · Voice social eng · RMM takeover · Social eng
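Case 04 in the index above says cloaking defeats keyword regexes run over the raw HTML. The added example below, which is illustration code and not a Vigilyx module, shows the normalisation a detector has to do before matching: strip non-rendered elements, decode entities, drop zero-width (Unicode category Cf) characters and fold homoglyphs. The keyword list, the homoglyph table and the sample message are constructed for the demo.

```python
"""Normalise a cloaked HTML mail body before keyword matching.

Added example for case 04 (HTML text cloaking & homoglyph evasion).
This is illustration code, not part of Vigilyx; the sample message,
keyword list and homoglyph table are constructed for the demo.
"""
import html
import re
import unicodedata

# Keywords a naive content filter might look for (assumed list).
KEYWORDS = ("password", "verify your account", "urgent", "invoice")

# Small homoglyph table: Cyrillic/Greek look-alikes folded to Latin (assumed
# subset; a production table would cover far more confusables).
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic с х у і
    "\u0455": "s", "\u0458": "j",                                # Cyrillic ѕ ј
    "\u03bf": "o", "\u03bd": "v", "\u03b1": "a",                 # Greek ο ν α
})

# Elements that never render. Their contents are either decoy text meant to
# skew scoring or salt inserted inside a keyword ("pass<span ...>X</span>word").
# Caveat: regex over HTML is a heuristic; an entity-encoded attribute such as
# style="display&#58;none" would slip past it, so a real engine should parse
# the DOM instead.
HIDDEN_ELEMENT = re.compile(
    r"<(\w+)[^>]*\bstyle\s*=\s*[\"'][^\"']*"
    r"(?:display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0)"
    r"[^\"']*[\"'][^>]*>.*?</\1\s*>",
    re.IGNORECASE | re.DOTALL,
)
TAG = re.compile(r"<[^>]+>")


def normalise(markup: str) -> str:
    """Reduce cloaked HTML to the text a human actually sees, then fold it."""
    text = HIDDEN_ELEMENT.sub("", markup)        # drop hidden salt/decoys (re-joins split words)
    text = TAG.sub(" ", text)                    # remaining tags become whitespace
    text = html.unescape(text)                   # &#101; -> e, &zwnj; -> U+200C, &shy; -> U+00AD
    text = unicodedata.normalize("NFKC", text)   # fold fullwidth/compatibility forms
    text = "".join(ch for ch in text
                   if unicodedata.category(ch) != "Cf")  # zero-width chars, soft hyphen, BOM
    text = text.translate(HOMOGLYPHS)
    return re.sub(r"\s+", " ", text).strip().lower()


def keyword_hits(markup: str) -> dict:
    """For each keyword: (matched on the raw markup, matched after normalisation)."""
    raw = markup.lower()
    folded = normalise(markup)
    return {k: (k in raw, k in folded) for k in KEYWORDS}


# Constructed sample: each keyword is cloaked with a different trick.
SAMPLE = (
    "<html><body>"
    "<p>Please <b>v&#101;rify</b> your acc&zwnj;ount now.</p>"
    "<p>Enter your p\u200ba\u200bssw\u043erd on the portal.</p>"
    '<p>This is <span style="display:none">NOT </span>urg&shy;ent.</p>'
    '<div style="display:none">lorem ipsum filler to skew scoring</div>'
    "</body></html>"
)

if __name__ == "__main__":
    for kw, (before, after) in keyword_hits(SAMPLE).items():
        print(f"{kw!r:24} raw={before!s:5} normalised={after}")
```

Run on the sample, every cloaked keyword misses on the raw markup and hits after normalisation, and the hidden "lorem ipsum" decoy is gone from the folded text. The order of the steps matters: hidden elements are removed before entities are decoded so that a literal `&lt;` in body text is not mistaken for a tag, which is the trade-off behind the caveat in the comment.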

Interactive animations

Every case study embeds a play/pause/step attack-chain animation. The animation auto-detects the active VitePress locale, so switching between English and Simplified Chinese (简体中文) swaps every step label. The final step always shows what Vigilyx detected and how it intervened.

Vigilyx detection coverage

Every case study ends with a Vigilyx detection coverage section that maps the attack technique to specific engine modules and source files. These are not marketing promises: they are real code paths with unit-test coverage that you can verify in the GitHub repo.
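To make the "technique to module" mapping concrete, here is an added example of the static triage a detection module for case 05 (HTML smuggling) would perform; it is illustration code written for this page, not a Vigilyx module. It flags the JavaScript APIs that rebuild and drop a file client-side (atob, Blob, createObjectURL, a forced download and an auto-click), decodes any long base64 literal and classifies the reconstructed bytes by magic number. Both attachments are constructed for the demo, and the "executable" is just an MZ header plus padding.

```python
"""Static triage of an HTML attachment for HTML-smuggling indicators.

Added example for case 05 (HTML smuggling for ransomware loaders); it is
illustration code, not a Vigilyx module. The two attachments below are
constructed for the demo; the 'executable' is an MZ header plus padding.
"""
import base64
import binascii
import re

# JavaScript API usage that, taken together, reconstructs and drops a file client-side.
INDICATORS = {
    "base64_decode":   re.compile(r"\batob\s*\(", re.IGNORECASE),
    "blob_build":      re.compile(r"\bnew\s+Blob\s*\(", re.IGNORECASE),
    "object_url":      re.compile(r"URL\.createObjectURL\s*\(|msSaveOrOpenBlob", re.IGNORECASE),
    "forced_download": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']", re.IGNORECASE),
    "auto_click":      re.compile(r"\.click\s*\(\s*\)", re.IGNORECASE),
}
# In the unobfuscated variant the smuggled payload is one long quoted base64 literal.
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{200,}={0,2})[\"']")

MAGIC = (
    (b"MZ", "pe-executable"),
    (b"PK\x03\x04", "zip"),
    (b"\x7fELF", "elf"),
    (b"%PDF", "pdf"),
)


def classify(blob: bytes) -> str:
    """Label a decoded payload by its leading magic bytes."""
    return next((label for magic, label in MAGIC if blob.startswith(magic)), "unknown")


def analyse(attachment: str) -> dict:
    """Return indicator hits, decoded payload summaries, a score and a verdict."""
    hits = {name: bool(rx.search(attachment)) for name, rx in INDICATORS.items()}
    payloads = []
    for m in B64_LITERAL.finditer(attachment):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except binascii.Error:
            continue                        # long identifier or hash, not base64
        payloads.append({"size": len(raw), "type": classify(raw)})
    score = sum(hits.values())
    # Verdict requires both reconstruction APIs and a decodable embedded payload.
    verdict = "html-smuggling" if score >= 3 and payloads else "clean"
    return {"indicators": hits, "payloads": payloads, "score": score, "verdict": verdict}


# ---- constructed samples -------------------------------------------------
FAKE_PE = b"MZ" + b"\x00" * 1022          # MZ header + padding, not a real executable
SMUGGLING_HTML = f"""<html><body>
<p>Your invoice is being prepared, please wait...</p>
<script>
var payload = "{base64.b64encode(FAKE_PE).decode()}";
var bytes = Uint8Array.from(atob(payload), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "Invoice_2025.exe";
document.body.appendChild(a);
a.click();
</script></body></html>"""

BENIGN_HTML = """<html><body>
<p>Monthly newsletter</p>
<a href="https://example.com/read">Read the full issue</a>
</body></html>"""

if __name__ == "__main__":
    for name, doc in (("smuggling", SMUGGLING_HTML), ("benign", BENIGN_HTML)):
        print(name, analyse(doc))
```

The smuggling sample trips all five indicators and yields a 1024-byte payload classified as a PE executable; the newsletter scores zero. This static pass only catches the plain atob/Blob form: loaders that split the base64 across several strings, reverse it or XOR it before decoding need JavaScript emulation or a sandboxed browser, which is why a production module would treat this as a first-stage filter rather than a final verdict.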

Update cadence

  • Cases for major events (CISA alerts, Microsoft blogs, public APT reports) are added within a week of disclosure
  • An "Update log" section is appended to an existing case when significant new attribution or IOC information is published
  • Older cases are kept as long-term reference material rather than deleted

Released under AGPL-3.0-only.