GitHub Trends
Project Radar
- Red team toolr4tur1/NullPhishHTML · 24 stars
- Dual-use projectphishdestroy/destroylistHTML · 919 stars
- Blue team toolsublime-security/sublime-rulesYAML · 364 stars
Research DeskLatest update June 12, 202652 research entries
Independent Research Desk
Phishing Tradecraft · Infrastructure · Detection Engineering
PhishPond researches how modern phishing operations are built, run, and detected — campaign evolution, adversary infrastructure, phishing kits, OAuth and device-code abuse, AiTM frameworks, and the detection and validation workflows that catch them.
Recurring Intel
Attack-Side Tradecraft
Campaign tradecraft, lure mechanics, adversary infrastructure, identity pressure, and operator workflows worth modeling.
12 attack-side readsDetection Engineering
Detection engineering, telemetry analysis, reporting workflows, and validation that security teams can operationalize.
30 detection readsAPT Tradecraft
Emerging procedures, tooling, initial-access patterns, and cross-team tradecraft from real-world actor reporting.
10 tradecraft readsGitHub Trends
New Today
Lead Research
The phishing lesson is that attackers do not always need a fresh credential when a trusted app token already has delegated access.
Persistent OAuth grants let third-party apps keep operating after the original login, password reset, or employee lifecycle event has faded from view.
Read more:The Hacker NewsMicrosoft Learn
Live Collection
Finance workflows remain exposed when trust signals come from compromised inboxes.
Read more:The Hacker News
Read more:The Hacker News
Read more:BleepingComputer
Trusted suppliers and developer channels can carry phishing risk past normal filters.
Read more:The Hacker News
Identity and session abuse can turn a single successful lure into account takeover.
Read more:CISA Advisories
An automated phishing tool with 35 templates (Updated version of zphisher) . This Tool is made for educational purpose only ! Author will not be responsible for any misuse of this toolkit ! Primary language: HTML. 24 stars.
Open project:GitHub
#ethical-hacking#ethical-hacking-tools#hack#hacking
Real-time phishing & scam domain blocklist — 130k+ curated threats, 888K+ community, free API, multiple formats Primary language: HTML. 919 stars.
Open project:GitHub
#anti-phishing#blacklist#blocklist#crypto-scam
Sublime rules for email attack detection, prevention, and threat hunting. Primary language: YAML. 364 stars.
Open project:GitHub
#email-security#phishing#threat-hunting
TweetFeed collects Indicators of Compromise (IOCs) shared by the infosec community at Twitter. Here you will find malicious URLs, domains, IPs, and SHA256/MD5 hashes. 660 stars.
Open project:GitHub
#blueteam#malware#malware-detection#malware-research
Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication Primary language: Go. 5 stars.
Open project:GitHub
Coverage Map
Specific campaigns, actor activity, and the lures behind them.
How techniques work end-to-end — walkthroughs and operator workflows.
Adversary infrastructure: kits, AiTM, redirectors, and sending abuse.
Detection engineering, telemetry, validation, and response.
Longer research notes, measurement, and periodic briefs.
Search Tool
Search titles, authors, tags, and body text across the PhishPond research archive.
Showing 38 matching entries.Clear search
Field Analysis
A fake recruiter asking a candidate to review an MVP repo shows why unsolicited source code is not a document. It is an executable threat surface with access to developer secrets.
Field Analysis
Scammers abusing a real Microsoft account-alert sender are part of a wider pattern: attackers are turning legitimate SaaS notification workflows into authenticated phishing infrastructure.
Read more:TechCrunchAbnormal AI
Field Analysis
Arctic Wolf's June 2 follow-up describes the Kali365 operator expanding well beyond Microsoft 365: Okta SSO, Xerox DocuShare, AWS-style endpoints, and a Russian-language cluster including MAX Messenger account takeover via real SMS OTPs. Proofpoint's research places the kit inside a broader cluster of AI-generated device-code lookalikes.
Read more:Arctic Wolf LabsProofpoint
Field Analysis
Mailbox rules, OAuth grants, replayed sessions, RMM agents, and downstream account changes are not the aftermath of an intrusion — they are the point. A field guide to the persistence layer most response playbooks still treat as cleanup.
Read more:FBI IC3The Hacker News
Field Analysis
Runtimes, platforms, and brands rotate every quarter. The six handoffs that move a victim from manufactured urgency to durable persistence have barely changed in five years, and they are what defenders can actually build for.
Read more:FBI IC3Microsoft Security Blog
Field Analysis
SentinelOne's writeup of the SHub Reaper macOS stealer shows the ClickFix family adapting to platform hardening. When macOS Tahoe 26.4 closed the Terminal-based path, the operators moved to the applescript:// URL scheme and Script Editor instead.
Read more:SentinelOneBleepingComputer
Field Analysis
Chrome's Device Bound Session Credentials, now generally available and on by default for Workspace, tie session cookies to a device's security chip so a stolen cookie is useless off the machine it came from. Here is what it stops and what it does not.
Read more:Google Security BlogBleepingComputer
Field Analysis
Recent exploitation of CVE-2026-35616 turned FortiClient EMS into a malware delivery channel, pushing an EKZ credential stealer through trusted endpoint management paths.
Read more:Arctic WolfArctic Wolf
Field Analysis
A reported exploitation wave against Ghost CMS pushed malicious JavaScript onto more than 700 sites, sending visitors into fake verification flows that used ClickFix-style paste-and-run instructions.
Read more:The Hacker NewsMalwarebytes Labs