phishing
Safeguard articles tagged "phishing" — guides, analysis, and best practices for software supply chain and application security.
22 articles
Business email compromise (BEC)
Business email compromise (BEC) tricks employees into wiring funds or data to attackers posing as executives or vendors. Here is how BEC fraud actually works.
Open redirect vulnerabilities explained
Open redirect flaws (CWE-601) score as medium severity alone, but they power real phishing campaigns against Google, Amex, and Microsoft. Here's how they work and how to stop them.
How Package Takeover via Maintainer Account Compromise Ac...
Attackers don't hack npm's servers — they phish or socially engineer maintainers. Here's how account takeover turns trusted packages into malware.
Open Redirect Vulnerabilities: How Attackers Abuse Them
An open redirect attack abuses a trusted domain's own redirect functionality to send victims to a malicious site — low severity on its own, but a key ingredient in phishing and OAuth token theft.
AI Deepfake Phishing Campaigns in 2025: When Seeing and Hearing Isn't Believing
AI-generated voice and video deepfakes powered a new wave of phishing campaigns in early 2025. The technology is cheap, the results are convincing, and defenses are lagging.
Email Security and Supply Chain Phishing Attacks
Phishing remains the top initial access vector for supply chain attacks. Targeted emails against developers, maintainers, and DevOps engineers open the door to code injection, credential theft, and pipeline compromise.
Dropbox Breach: Phishing Attack Exposes 130 Private GitHub Repositories
Attackers phished Dropbox employees by impersonating CircleCI, gaining access to 130 private GitHub repos containing internal code and credentials.
0ktapus: The Phishing Campaign That Hit Cloudflare, Twilio, and 130+ Organizations
A single phishing campaign compromised over 130 companies including Cloudflare and Twilio. Here's how the 0ktapus attack chain worked.
Azure AD Token Theft Campaigns: A 2022 Retrospective
Token theft is the quiet successor to credential phishing, and 2022 turned it into an industry. Here is what the year's Azure AD campaigns actually looked like.
Mailchimp Social Engineering Breach: How an Employee Hack Compromised Crypto Customers
A social engineering attack on Mailchimp employees gave attackers access to internal tools, which they used to target cryptocurrency companies and their customers in a downstream phishing campaign.