May 2025: Click Here to Unsubscribe

Unsubscribe Lure Indicators

Threat Alert: Click Here to Unsubscribe

  • Credential phishing threats frequently use financial-themed lures to deliver malicious links that lead to credential harvesters.
  • Links are often displayed prominently for users to engage with, but sometimes they are cleverly hidden.

How is it used in the wild?

  • The initial message contains offers for financial services.
  • The offer encourages the recipient to respond to the email, providing a WhatsApp number as an alternative contact.
  • It is important to remember that contacting the threat actor may lead to a type of advance-fee fraud attack.
  • Threat actors also hide a malicious URL in the “unsubscribe” button. If selected, the link leads to a credential harvester, personalized with details from the recipient’s domain.
  • Notably, the URL adds legitimacy: it appears to use a link tracking service, which is typical of unsubscribe links.

Key Action: Stay Alert!

  • Be wary of unsolicited offers for financial services, as they can often lead to scams.
  • Exercise caution if you are directed to change the conversation method. A common tactic for threat actors is to move conversations to a different platform, like WhatsApp or Signal.
  • Remember, legitimate unsubscribe links may ask you for your email, but should not require a password.
  • Report ANY suspicious emails via Phish Alarm.
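
The indicators above can also be checked during mail triage. The following is an added example, not part of the original alert: it inspects a message's HTML body and the landing page HTML an analyst has already retrieved in a sandbox. The function names, sample message, URLs and phone number are constructed for illustration.

```python
import re
from html.parser import HTMLParser

class _Scan(HTMLParser):
    """Collects anchors (href, visible text) and notes any password input."""
    def __init__(self):
        super().__init__()
        self.links, self.has_password, self._href, self._text = [], False, None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []   # start collecting link text
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True

    def handle_data(self, data):
        self._text.append(data)   # only read back when an anchor closes

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def scan(html):
    p = _Scan()
    p.feed(html)
    return p

def unsubscribe_links(email_html):
    """hrefs of anchors whose visible text mentions 'unsubscribe'."""
    return [h for h, t in scan(email_html).links if re.search(r"unsub", t, re.I)]

def triage(email_html, landing_html):
    """Return the indicators from this alert found in the message and landing page."""
    findings = []
    body_text = re.sub(r"<[^>]+>", " ", email_html)   # crude tag strip for text search
    if re.search(r"whats\s?app", body_text, re.I):
        findings.append("asks to move the conversation to WhatsApp")
    if unsubscribe_links(email_html) and scan(landing_html).has_password:
        findings.append("unsubscribe landing page requests a password")
    return findings

# Constructed samples; example.test / example.invalid are placeholder domains.
EMAIL = """<p>Low-rate business loans. Reply here or WhatsApp +00 0000 000000.</p>
<a href="https://track.example.test/c/abc123">Unsubscribe</a>"""
LANDING = """<form action="https://login.example.invalid/post">
<input type="email" name="u"><input type="PASSWORD" name="p"></form>"""
print(triage(EMAIL, LANDING))
```

A landing page that only asks for an email address produces no password finding, which matches the guidance that legitimate unsubscribe pages may ask for your email but should not require a password.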