Category Spotlight: email identity login
Reporting window: 2026-06-09 to 2026-06-10
Impersonation activity continued in this reporting window; Dralvia observed 112 suspicious pages across 19,982 unique suspicious URLs and 350 enriched observations.
Dralvia observed recurring activity around email identity login and credential harvesting in this reporting window. Top targeted sectors for this spotlight: identity, credential harvesting. Hosting for this category was not concentrated on any dominant provider.
Processing Snapshot
- Feed records processed: 3,286,059
- Unique suspicious URLs: 19,982
- Enriched page observations: 350
- Suspicious pages: 112
- Notable observations: 31
- Delivery URLs: 19,162
- Source count: 2
What This Window Means
In plain English, this was a day where attacker-controlled web content remained visible enough to analyze directly. That usually means the risk was not only raw feed noise, but also live lure pages, credential-harvesting flows, or impersonation infrastructure that a real user could encounter.
What We Processed
- Dralvia ingested 3,286,059 raw feed records from urlhaus (3,232,059) and openphish (54,000). These are sightings and submissions from external feeds, so repeated sightings of the same target can appear more than once at this stage.
- After normalization and deduplication, those raw records collapsed into 19,982 unique suspicious URLs for the reporting window. This is the cleaner count of distinct suspicious destinations, not the noisier feed-ingest total.
- Dralvia completed 354 scans across 352 targets and extracted 350 enriched observations. 31 of those observations were strong enough to promote into analyst-facing notable findings.
What Changed
- Suspicious-page volume decreased by 53 compared with the previous window.
- Payload or download delivery infrastructure decreased by 141 URLs.
Executive Takeaway
Attackers most often leaned on a theme the pipeline could not classify ("unknown"). Common lures included password reset or account verification prompts. Defenders should review suspicious sign-ins, password resets, and MFA or account-verification events tied to the impersonated workflows.
Who Attackers Impersonated
Brand references below describe attacker impersonation targets or abused workflows, not compromised organizations.
- No stable impersonated brand set was generated for this window.
Why Big Brands Show Up
Brand names in this report indicate attacker-selected trust cues. They usually surface when a phishing campaign copies a workflow people already recognize, such as sign-in, order, delivery, or wallet recovery.
Top Impersonation / Targeting Themes
- Unknown (316 observed pages)
- Email, SSO, and account-login impersonation (27 observed pages)
- Credential-harvesting login flows (6 observed pages)
- Web3 wallet and token lures (1 observed page)
What Stood Out
- Impersonation pressure centered on email identity login and credential harvesting. That means these themes appeared more often than others in the enriched portion of the window, not that every suspicious URL was part of the same campaign.
- Targeting pressure concentrated on identity and credential harvesting. In practice, this suggests attackers were reusing lure ideas and infrastructure around those sectors more often than around others.
- 19,162 of the unique suspicious URLs looked like delivery infrastructure. In practice, that means the URL or its feed context pointed more strongly to payload delivery or staged malware distribution than to a normal browsing flow.
- The most common payload types were .sh, .exe, .zip. These extensions matter because they often map to shell scripts, archives, or Windows executables that are used as first-stage delivery mechanisms.
- Feed labeling was dominated by malware download. That does not prove every sample is identical, but it does indicate that the external feeds themselves mostly saw this window as a delivery-oriented or malware-oriented day.
- 14,653 delivery URLs were served directly from raw IP hosts rather than named domains. That pattern is common in throwaway hosting and short-lived delivery chains because it avoids the work of standing up a believable branded site.
Who Should Care
- IAM, helpdesk, and Microsoft 365 / Google Workspace administrators
- SOC, IAM, and incident-response teams
- Web3 security, wallet-support, and community operations teams
- SOC, endpoint, and email-security teams watching staged payload delivery
Targeted Internal Functions
- SOC, incident-response, endpoint, and email-security teams (19,168 observed pages)
- IAM, helpdesk, and cloud identity administrators (81 observed pages)
- Web3 security, wallet-support, and community operations teams (2 observed pages)
Common Lure Patterns
- Password reset or account verification prompt (54 observed pages)
- Wallet recovery or seed-phrase lure (1 observed page)
Initial Access / Technique Notes
- Credential-harvesting flows were present through login or password-entry pages.
- Seed-phrase or wallet-recovery harvesting signals were observed.
- Suspicious delivery URLs pointed to staged payload, loader, or malware-delivery infrastructure.
- Redirect chains were used to move users toward the final lure or delivery destination.
How To Read The Numbers
- `Feed records processed` means the raw feed sightings Dralvia pulled in from urlhaus (3,232,059) and openphish (54,000). Multiple feeds, repeated submissions, or repeated sightings can all raise this number without creating a new destination.
- `Unique suspicious URLs` means the deduplicated set after normalization. In this window, 3,286,059 feed records reduced to 19,982 distinct suspicious URLs that were worth tracking as separate destinations.
- `Scans completed` means Dralvia actually ran 354 scans against targets or pages in this window instead of only storing feed hits.
- `Enriched observations` means Dralvia extracted usable page or infrastructure evidence from 350 scans, such as redirect behavior, page traits, hosting data, hashes, or classification signals.
- `Notable findings` means 31 observations were strong enough to promote into evidence worth showing to analysts, reports, or screenshots, instead of being left as background telemetry.
Attack Path Snapshot
- Staged payload or malware-delivery links (19,162 observed pages)
- Redirect chains into the final lure (219 observed pages)
- Credential-harvesting login flows (10 observed pages)
- Wallet approval or seed-phrase harvesting (1 observed page)
What To Watch For
- Direct download links ending in .sh, .exe, .zip, especially when a user is pushed toward the file before any believable account, payment, update, or support workflow is established.
- Raw IP or IP:port download hosts serving scripts, binaries, or archives without a normal branded website around them. These are often disposable delivery points rather than legitimate customer-facing services.
- Lure pages or messages that lean on email identity login and credential-harvesting themes while also pushing an urgent verification step, software update, wallet action, or downloaded archive. That blend of impersonation and delivery is often what gets people to click.
- Multi-stage lures that mix impersonation language with payload delivery, update prompts, archive downloads, or fake troubleshooting steps. The combination is often more important than any single indicator.
What Defenders Should Check Now
- Review suspicious sign-ins, password resets, and MFA or account-verification events tied to the impersonated workflows.
- Review browser, email, and proxy telemetry for unexpected .exe, archive, script, or direct-download activity.
- Hunt for new messages, domains, and pages reusing the dominant theme, which this window's pipeline left unclassified ("unknown").
- Check redirect chains and short-lived destinations that move users from a lure page into a final login or download step.
Next Steps For Teams
- Review browser, email, chat, and proxy telemetry for unexpected .sh, .exe, .zip downloads delivered outside normal software-distribution channels.
- Alert on direct-to-IP downloads and direct-to-IP redirects, especially when the destination serves an archive, script, or executable instead of a normal application page.
- Treat 'urgent update', 'verification required', and 'document package' download lures as possible first-stage delivery chains, not just harmless file-sharing events.
Featured Evidence
- http://betvole9038.com/bins/sora.x86 | Redirect chain into final lure | evidence score 100. Why it matters: Treat this as an unknown sample using a redirect chain into the final lure and verify matching user workflows.
Concrete Examples
- http://betvole9038.com/bins/sora.x86 | unknown | Redirect chain into final lure | risk Avoid. Defender relevance: Treat this as an unknown sample using a redirect chain into the final lure and verify matching user workflows.
- http://cat.xiaoshabi.nl/mon.txt | unknown | Redirect chain into final lure | risk Avoid. Defender relevance: Treat this as an unknown sample using a redirect chain into the final lure and verify matching user workflows.
- http://facebook.mumbaiairlines.com/ | credential harvesting | lure Password reset or account verification prompt | Credential-harvesting flow behind redirect chain | risk Avoid. Defender relevance: Treat this as a credential-harvesting login-flow sample using a credential-harvesting flow behind a redirect chain and verify matching user workflows.
Analyst Notes
- Abuse pressure on .com.
- Shared favicon reuse across suspicious pages.
- ASN overlap across suspicious infrastructure.
- Reused TLD pressure centered on .com, .garden, .hu.
- Delivery-tag overlap included elf, mozi, mirai.
- Identity provider overlap included sso.