Phishing Analysis Portfolio (Sanitized Case Studies)

Disclaimer & Notice
This document contains sanitized phishing analysis case studies conducted on real-world email samples. All sensitive information—including email addresses, domains, URLs, IP addresses, and unique identifiers—has been redacted to protect privacy and prevent misuse.

A complete, unredacted version of this analysis is available upon request for hiring managers or security professionals who require full technical detail for evaluation purposes.

3-6-26 Malicious Spam / Phishing Lure – Romantic Sign-Up Redirect to [redacted-domain]

Verdict:
Malicious spam/phishing lure email.

Reasoning:
I received a message on 3-6-26 using romantic social engineering to entice the recipient into clicking a profile/signup link. The sender was [redacted-email], and the message claimed, “I’m excited to get to know you” and directed the recipient to “sign up.” The embedded link used [redacted-domain] as a redirector to conceal the final destination, [redacted-domain]/[redacted-domain], which included tracking parameters and the recipient email address. The message also used the same sender domain for the unsubscribe URL, which is consistent with bulk scam/phishing infrastructure. SPF passed for the sender domain, but that only shows the sending IP was authorized to send for that domain and does not make the message legitimate.

IOCs:
Sender: Ava <[redacted-email]>
Sender domain: [redacted-domain]
Reply-To: [redacted-email]
Source IP: [redacted-ip]
HELO host: [redacted-domain]
Redirect host: [redacted-domain]
Landing domain: [redacted-domain]
Landing path: /[redacted-domain]
Unsubscribe domain: [redacted-domain]
Subject: Let’s start getting to know each other.

Action:
Block/quarantine message, block listed domains/IP as appropriate, and report infrastructure to registrar/network abuse contacts. Retain the redirect and landing URLs as campaign IOCs and search for additional messages using the same sender domain, source IP, redirector, or landing domain.

3-6-26 Malicious Spam / Phishing Lure – Old Photos Social Engineering Redirect to [redacted-domain]

I received a message on 3-6-26 using old-acquaintance social engineering to get the reader to click a link in the body of the email, claiming to be old photos of us from when we worked together. The sender name “William Seabolt” did not match the email address [redacted-email]; there was plenty of blank space at the end of the email, followed by a quote, which is common in phishing emails; and the link also contained an alternate port, “8443”. It passed email authentication protocols, likely because it used an IPv6 address that appears to belong to a Microsoft-owned network range, which could mean a hacked account.

IOCs:
[redacted-email]
[redacted-domain]
[redacted-domain]
[redacted-ipv6]

Action:
Block/quarantine message, block listed domains/IP as appropriate, and report infrastructure to registrar/network abuse contacts. Retain the redirect and landing URLs as campaign IOCs and search for additional messages using the same sender domain, source IP, redirector, or landing domain.
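The checks the two cases above rely on (redirector unwrapping, recipient address and tracking parameters in the final URL, a non-standard HTTPS port, a token-like path, display name versus address mismatch, unsubscribe link on the sender's own domain, and the limited meaning of an SPF pass) written out as one triage script. This is an added example and not part of the portfolio or its tooling: the sample message is constructed, every domain uses the reserved .example TLD, and the script assumes the redirector carries its destination as a URL-encoded query parameter. No network lookups are made.

```python
"""Header and URL triage for a suspected phishing lure (added example, not the
portfolio's own tooling). The message below is constructed; the redirector is
assumed to carry its destination in a URL-encoded query parameter."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import parse_qs, unquote, urlparse

URL_RE = re.compile(r"""https?://[^\s<>"']+""")
TOKEN_SEGMENT_RE = re.compile(r"^[A-Za-z0-9_-]{16,}$")  # long opaque path segment

# Constructed sample modelled on the romantic sign-up lure (not a real sample).
SAMPLE_EMAIL = """\
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=bulk-mailer.example
From: Ava <ava@bulk-mailer.example>
Reply-To: ava@bulk-mailer.example
To: victim@corp.example
Subject: Let's start getting to know each other.
Content-Type: text/plain

I'm excited to get to know you! Sign up here:
https://redirector.example/r?u=https%3A%2F%2Flanding.example%3A8443%2Fsignup%2F8f3c2a9e1b7d4c6f0a2e%3Femail%3Dvictim%2540corp.example%26cid%3D7781

Unsubscribe: https://bulk-mailer.example/unsub?u=victim%40corp.example
"""


def display_name_mismatch(from_header):
    """True when no word of the display name appears in the address local part."""
    name, addr = parseaddr(from_header)
    if not name or "@" not in addr:
        return False
    local = addr.split("@", 1)[0].lower()
    words = [w for w in re.split(r"\W+", name.lower()) if len(w) >= 3]
    return bool(words) and not any(w in local for w in words)


def unwrap_redirect(url, max_hops=5):
    """Follow redirectors whose destination sits in a query parameter (offline).
    Returns the hop list, starting with the URL as it appeared in the message."""
    hops = [url]
    for _ in range(max_hops):
        qs = parse_qs(urlparse(hops[-1]).query)  # parse_qs percent-decodes values
        nested = [v for vals in qs.values() for v in vals
                  if v.startswith(("http://", "https://"))]
        if not nested:
            break
        hops.append(nested[0])
    return hops


def url_findings(url, recipient):
    """Indicators on the final landing URL after unwrapping any redirectors."""
    hops = unwrap_redirect(url)
    final = urlparse(hops[-1])
    findings = []
    if len(hops) > 1:
        findings.append(f"redirector {urlparse(hops[0]).hostname} hides {final.hostname}")
    if final.port not in (None, 80, 443):
        findings.append(f"non-standard port {final.port}")
    if recipient and recipient.lower() in unquote(final.query).lower():
        findings.append("recipient address embedded in tracking parameters")
    if any(TOKEN_SEGMENT_RE.match(seg) for seg in final.path.split("/")):
        findings.append("token-like path segment")
    return hops, findings


def spf_note(msg):
    """SPF 'pass' only authorises the sending IP for the MAIL FROM domain; record
    the result and whether that domain even aligns with the visible From:."""
    m = re.search(r"spf=(\w+)(?:\s+smtp\.mailfrom=([^\s;]+))?",
                  msg.get("Authentication-Results", ""))
    if not m:
        return {"result": "none", "mailfrom": "", "aligned_with_from": False}
    mailfrom = (m.group(2) or "").lower()
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    return {"result": m.group(1), "mailfrom": mailfrom,
            "aligned_with_from": mailfrom == from_domain}


def triage(raw, recipient=None):
    """Run every check over one raw RFC 5322 message (single-part text body assumed)."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    recipient = recipient or parseaddr(msg.get("To", ""))[1]
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    report = {"display_name_mismatch": display_name_mismatch(msg.get("From", "")),
              "spf": spf_note(msg), "unsubscribe_on_sender_domain": False, "urls": {}}
    for url in URL_RE.findall(body):
        hops, findings = url_findings(url, recipient)
        report["urls"][url] = {"chain": hops, "findings": findings}
        if urlparse(url).hostname == from_domain and "unsub" in url.lower():
            report["unsubscribe_on_sender_domain"] = True
    # Two or more indicators on one link, or a name/address mismatch, is enough to hold the message.
    report["suspicious"] = report["display_name_mismatch"] or any(
        len(u["findings"]) >= 2 for u in report["urls"].values())
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EMAIL), indent=2))
```

The SPF record is reported as a separate field rather than folded into a score on purpose: a pass with an aligned MAIL FROM domain is exactly what a bulk-mailer that controls its own domain produces, so it neither raises nor lowers the verdict.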

3-12-26 Malicious Spam / Phishing Lure – Romantic Sign-Up Redirect to [redacted-domain]

I received an email on March 12, 2026, that uses romantic social engineering to get readers to click a link in the body. The email was from [redacted-email], and the unsubscribe link uses the [redacted-domain] domain, but the email contained my email and tracking info. The in-body link uses an [redacted-domain] redirect link to a [redacted-domain] domain, both of which I’ve seen in malicious emails before. The in-body link also contained my email and tracking info, along with [redacted-domain].

IOCs:
[redacted-email]
[redacted-domain]
[redacted-domain]
[redacted-domain]
[redacted-ip]

Action:
Block/quarantine message, block listed domains/IP as appropriate, and report infrastructure to registrar/network abuse contacts.

3-20-26 Malicious Spam / Phishing Lure – Romantic Sign-Up Redirect to [redacted-domain]
Verdict:
Malicious spam/phishing lure email.

Reasoning:
I received a message on 3-20-2026 using social engineering to get the reader to click a link that redirects to a malicious domain. The redirect link also contains my email and tracking information. Google authentication reported “error in processing during lookup of [redacted-email]: DNS error”.

IOCs:
Sender: [redacted-email]
Sender domain: [redacted-domain]
Source IP: [redacted-ip]
Redirect host: [redacted-domain]
Landing domain: [redacted-domain]

Action:
Block/quarantine message, block listed domains/IP as appropriate, and report infrastructure to registrar/network abuse contacts.

3-21-26 Malicious Spam / Phishing Lure – Romantic Sign-Up Redirect to [redacted-domain]
Verdict:
Malicious spam/phishing lure email.

Reasoning:
I received a message on 3-21-26 using romantic social engineering to trick readers into clicking a signup link. The link uses a redirect chain to conceal a young landing page with phishing/malicious detections noted in VirusTotal.

IOCs:
Sender: [redacted-email]
Sender domain: [redacted-domain]
Source IP: [redacted-ip]
Redirect host: [redacted-domain]
Landing domain: [redacted-domain]

Action:
Block/quarantine message, block listed domains/IP as appropriate, and report infrastructure to registrar/network abuse contacts.

3-24-26 Malicious Spam / Phishing Lure – “Photos of You” Link to [redacted-domain]
Verdict:
Phishing / malicious link.

Reasoning:
I received an email from an old coworker talking about sharing old photos, but the display name didn’t match the sender address, and the message contained little text along with a suspicious external URL that included a non-standard HTTPS port and a token-like path. The message also appears to use excessive blank space and a possibly compromised Microsoft Office account. The host [redacted-domain] showed positive for malicious content on VirusTotal.

IOCs:
Sender: [redacted-email]
Display name: William Seabolt
Subject: Re: Both weekends (next)
URL: [redacted-url]
Host: [redacted-domain]
Domain: [redacted-domain]
Port: 8443

Action:
Block the URL/host, search for other emails with the same sender/subject/domain, and check whether any user clicked the link. Treat the sender account/domain as potentially compromised and escalate for further investigation.
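The follow-up the Action sections call for (search other mail for the same sender domain, source IP, redirector, landing domain or subject, and check whether any user actually reached the link) as a sweep over gateway and proxy logs. This is an added example, not the portfolio's own tooling: the key=value log format, the log lines and every IOC value except the subject are constructed placeholders for the redacted indicators, with .example domains and documentation-range IPs.

```python
"""IOC sweep across mail-gateway and web-proxy logs for one phishing case (added
example, not the portfolio's own tooling). The log format, the log lines and the
IOC values below are constructed placeholders for the redacted indicators."""
import re
from urllib.parse import urlparse

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

# Constructed IOC set for the "Photos of You" case; only the subject is from the write-up.
CASE_IOCS = {
    "sender_domain": "bulk-mailer.example",
    "source_ip": "203.0.113.45",
    "redirect_host": "redirector.example",
    "landing_domain": "landing.example",
    "subject": "Re: Both weekends (next)",
}

# Constructed gateway records: one line per delivered message.
MAIL_LOG = """\
2026-03-24T08:01:12Z msgid=<m1@x> ip=203.0.113.45 from=ava@bulk-mailer.example to=alice@corp.example subject="Let's start getting to know each other." url=https://redirector.example/r?u=1
2026-03-24T08:03:55Z msgid=<m2@x> ip=198.51.100.7 from=news@vendor.example to=bob@corp.example subject="Weekly update" url=https://vendor.example/news
2026-03-24T09:17:02Z msgid=<m3@x> ip=2001:db8::1 from=wsea@cloudmail.example to=carol@corp.example subject="Re: Both weekends (next)" url=https://landing.example:8443/p/9f1c
2026-03-24T10:40:31Z msgid=<m4@x> ip=203.0.113.45 from=mia@other-mailer.example to=dave@corp.example subject="Hi there" url=https://other.example/x
"""

# Constructed proxy records: who reached which URL and whether it was allowed.
PROXY_LOG = """\
2026-03-24T09:20:44Z user=carol@corp.example dst=landing.example:8443 url=https://landing.example:8443/p/9f1c action=ALLOW
2026-03-24T09:21:10Z user=alice@corp.example dst=redirector.example:443 url=https://redirector.example/r?u=1 action=BLOCK
2026-03-24T11:02:03Z user=bob@corp.example dst=vendor.example:443 url=https://vendor.example/news action=ALLOW
"""


def parse_kv(line):
    """Turn one key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def host_matches(host, domain):
    """Exact match or any subdomain of the IOC domain."""
    host = (host or "").lower()
    return host == domain or host.endswith("." + domain)


def match_message(rec, iocs):
    """Names of the IOCs a single gateway record matches (empty list if none)."""
    matched = []
    if rec.get("from", "").rsplit("@", 1)[-1].lower() == iocs["sender_domain"]:
        matched.append("sender_domain")
    if rec.get("ip") == iocs["source_ip"]:
        matched.append("source_ip")
    url_host = urlparse(rec.get("url", "")).hostname
    if host_matches(url_host, iocs["redirect_host"]):
        matched.append("redirect_host")
    if host_matches(url_host, iocs["landing_domain"]):
        matched.append("landing_domain")
    if rec.get("subject", "").lower() == iocs["subject"].lower():
        matched.append("subject")
    return matched


def sweep(mail_log, proxy_log, iocs):
    """Related messages from the gateway log plus users who reached (or were
    blocked from) the redirector or landing host according to the proxy log."""
    messages = []
    for line in mail_log.splitlines():
        rec = parse_kv(line)
        matched = match_message(rec, iocs)
        if matched:
            messages.append({"msgid": rec["msgid"], "to": rec["to"], "matched": matched})
    clicked, blocked = set(), set()
    for line in proxy_log.splitlines():
        rec = parse_kv(line)
        host = urlparse(rec.get("url", "")).hostname
        if host_matches(host, iocs["redirect_host"]) or host_matches(host, iocs["landing_domain"]):
            (clicked if rec.get("action") == "ALLOW" else blocked).add(rec["user"])
    return {"messages": messages, "clicked": clicked, "blocked": blocked}


if __name__ == "__main__":
    result = sweep(MAIL_LOG, PROXY_LOG, CASE_IOCS)
    for m in result["messages"]:
        print(m["msgid"], m["to"], ",".join(m["matched"]))
    print("clicked:", sorted(result["clicked"]), "blocked:", sorted(result["blocked"]))
```

Each hit records which indicator matched, so a message that shares only the source IP with the case (a shared bulk-mailer address) can be triaged differently from one that carries the landing domain, and the proxy pass separates users who merely received the lure from those whose click reached the host and need follow-up.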

[redacted-domain] – clean
[redacted-ip] – Russian, clean
[redacted-domain] – 13/94 security vendors flagged this domain as malicious – [redacted-domain]
[redacted-domain] – clean, low community score
