How a Familiar Name Almost Led to a Costly Click: Breaking Down a Recent Phishing Attempt
- pvisupport

- Dec 3, 2025
Earlier this month, our team received an alert about suspicious activity detected in one of our client's user accounts. What unfolded was a textbook example of how even the most vigilant employees can be caught off-guard when a phishing email looks just familiar enough.

What Happened?
This user had received what appeared to be a legitimate message from a vendor she regularly orders supplies from. The email referenced an outstanding balance and included an attached Excel file, which was nothing unusual given her past interactions with the vendor and their invoicing process. Trusting the sender name, she opened the file and clicked a DocuSign link inside.
She then landed on a spoofed Microsoft 365 sign-in page and had begun entering her company login credentials when something just felt off, which led her to go back and double-check the sender's domain. She immediately called the vendor to ask whether they had sent her an updated invoice; they had not.
While the client was investigating on her end, our team connected with her directly, explained what was in fact happening, and began our own investigation. What we discovered confirmed this was more than just a one-off phishing email! Sign-in logs revealed multiple attempts using an Axios / Cloud IOC user agent string originating from various locations. This indicated that an attacker had briefly gained access to her mailbox.
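As an added illustration (not code from the original post or from pvisupport), here is a small Python check of the kind a responder could run over exported sign-in records to surface the pattern described above: a programmatic user agent such as Axios (an HTTP client library, not a browser) combined with sign-ins for one account from several countries. The log lines, field names and the user-agent markers beyond axios are constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records, loosely modelled on the fields an
# Entra ID sign-in export carries. Made-up entries, not the client's real logs.
SAMPLE_SIGNIN_LOG = """
{"user": "j.doe@example-client.test", "userAgent": "axios/1.6.8", "country": "NL", "status": "success"}
{"user": "j.doe@example-client.test", "userAgent": "axios/1.6.8", "country": "US", "status": "failure"}
{"user": "j.doe@example-client.test", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/120.0", "country": "US", "status": "success"}
{"user": "a.smith@example-client.test", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0", "country": "US", "status": "success"}
{"user": "a.smith@example-client.test", "userAgent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)", "country": "US", "status": "success"}
"""

# "axios" is the user agent the post mentions; the other markers are common
# programmatic HTTP clients, added as an assumption of what a defender would
# also want flagged on an interactive sign-in.
SUSPICIOUS_UA_MARKERS = ("axios", "python-requests", "go-http-client", "curl/")


def parse_signins(raw):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def find_suspicious_users(records, min_countries=2):
    """Return {user: [reasons]} for accounts showing a programmatic user agent
    or sign-ins from at least `min_countries` distinct countries."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["user"]].append(rec)
    findings = {}
    for user, rows in by_user.items():
        flagged_ua = sorted({r["userAgent"] for r in rows
                             if any(m in r["userAgent"].lower() for m in SUSPICIOUS_UA_MARKERS)})
        countries = sorted({r["country"] for r in rows})
        reasons = []
        if flagged_ua:
            reasons.append("programmatic user agent: " + ", ".join(flagged_ua))
        if len(countries) >= min_countries:
            reasons.append(f"sign-ins from {len(countries)} countries: " + ", ".join(countries))
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in find_suspicious_users(parse_signins(SAMPLE_SIGNIN_LOG)).items():
        print(user)
        for reason in reasons:
            print("  -", reason)
```

On the constructed data only j.doe is flagged, on both counts; a real export would use the tenant's own field names and a longer marker list.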
What We Did to Protect the Account:
We immediately moved into containment mode, revoking all active sessions and temporarily locking the account.
After giving her positive feedback on how she handled the situation, we contacted her vendor to alert them to what had happened. They confirmed they were already aware of the issue and, shockingly, this was the second time they had been compromised this year.
To secure our client's user account and prevent any further unauthorized access, we implemented appropriate security measures, including blocking the sender domain for a set amount of time.
Takeaway: Familiar Doesn’t Always Mean Safe
This incident underscores a trend we’re seeing more often: attackers leveraging trusted business relationships to slip past our defenses. A sender name you know is no longer enough to guarantee legitimacy.
If something feels even slightly “off”, whether it is a strange attachment, an unexpected request, or a login prompt that doesn’t look quite right, always pause and verify before proceeding. One quick check before you click is all it takes.