Threat Intelligence

Active threats targeting
UK organisations

Curated analysis of live phishing campaigns, attack techniques, and indicators of compromise. Updated by the PhishShield research team. No customer data is used in this feed.

1 critical advisories active

Last updated 19 Apr 2026

April 2026

Attack vector breakdown

Credential Harvesting

41%

O365, Google, banking and HR portal spoofs

Business Email Compromise

24%

CEO fraud, invoice redirection, supplier impersonation

Malware / Ransomware

16%

Malicious attachments and drive-by downloads

MFA Bypass (AiTM)

11%

Session hijacking via reverse proxy infrastructure

Smishing / Vishing

SMS lures and voice-based social engineering

Source: PhishShield platform intelligence & NCSC Q1 2026 report. Aggregated and fully anonymised.

Advisories

Live threat feed

TI-2026-041

19 Apr 2026

CriticalCredential HarvestingAll sectorsSMB

HMRC Self-Assessment Deadline Phishing Surge

Mass phishing campaign impersonating HMRC is targeting UK employees with fake tax refund and outstanding balance lures timed around the April deadline. Emails link to convincing gov.uk spoofs collecting National Insurance numbers and banking credentials.

Indicators of compromise

Sender domains: hmrc-refund-gov.co, tax-rebate-uk.com, hmrc-alert.net
Subject lines: 'HMRC: Tax refund available — claim now', 'Urgent: Unpaid tax balance'
Links redirect through bit.ly before landing on credential page

TI-2026-039

15 Apr 2026

HighMFA Bypass / AiTMFinanceLegalProfessional Services

Microsoft 365 MFA Fatigue — Adversary-in-the-Middle

Adversary-in-the-middle phishing campaign targeting Microsoft 365 accounts using a reverse proxy to capture session tokens after MFA completion. Victims are redirected to a convincing O365 login page that relays credentials in real time, bypassing MFA entirely.

Indicators of compromise

Sender domains mimicking IT helpdesk: it-support-[company].com
Proxy infrastructure hosted on bulletproof providers in Eastern Europe
Post-compromise: immediate inbox rules created to forward and delete inbound emails

TI-2026-037

11 Apr 2026

HighCredential HarvestingPropertyLegalFinanceHR

DocuSign Brand Abuse — Fake Contract Requests

Attackers are sending fraudulent DocuSign requests referencing real company names scraped from LinkedIn. Documents link to cloned DocuSign login pages harvesting credentials. Several UK law firms and estate agencies have reported incidents this month.

Indicators of compromise

Sender: [email protected] (not @docusign.com or @docusign.net)
Subject: '[Company Name] has sent you a document to review and sign'
Landing page URL pattern: docusign-[random].pages.dev

TI-2026-034

4 Apr 2026

HighBusiness Email CompromiseAll sectors

CEO Gift Card Fraud Targeting Finance Teams

Ongoing BEC campaign impersonating CEOs and MDs to request urgent gift card purchases from finance staff. Attackers use publicly available LinkedIn data to identify and personalise requests. Average reported loss per incident in the UK: £1,400.

Indicators of compromise

Display name spoofing — CEO name shown, external address used
Requests cite urgency, confidentiality, and inability to make calls
Escalates if initial request refused — second email from spoofed assistant

TI-2026-031

28 Mar 2026

MediumSmishingAll sectors

Royal Mail & DPD Smishing — Redelivery Fee Scam

High-volume SMS phishing campaign impersonating Royal Mail and DPD asking recipients to pay a £1.99 redelivery fee. Links lead to cloned courier websites collecting card details and personal information. Over 40,000 UK numbers targeted in March alone.

Indicators of compromise

SMS sender IDs: RoyalMail, DPD-UK (both spoofed)
Short URLs resolving to: royalmail-redelivery.com, dpd-reschedule.co
Payment page collects full card details including CVV and billing address

TI-2026-028

21 Mar 2026

MediumCredential HarvestingEducationHealthcareLocal Government

IT Helpdesk Impersonation — Password Reset Wave

Targeted campaign impersonating internal IT helpdesks with personalised emails referencing the recipient's actual organisation name. Emails request password resets via a fake self-service portal. Particularly active against NHS trusts, councils, and universities.

Indicators of compromise

Sender pattern: helpdesk@[orgname]-itsupport.co.uk
Email includes recipient's name and organisation sourced from public directories
Fake portal collects current password before displaying a 'reset successful' confirmation

Authoritative sources

NCSC

National Cyber Security Centre — official UK government cyber guidance and incident alerts.

Krebs on Security

In-depth investigative reporting on cybercrime, breaches, and threat actors.

Bleeping Computer

Breaking cybersecurity news, malware analysis, and ransomware tracking.

Protect your organisation

Test your team before
attackers do

Run simulations based on the exact attack patterns listed above. See who clicks, who reports, and where your human risk is highest — before a real attacker finds out.

Start free Read the docs →

Threat Intelligence

Active threats targeting
UK organisations

Curated analysis of live phishing campaigns, attack techniques, and indicators of compromise. Updated by the PhishShield research team. No customer data is used in this feed.

1 critical advisories active

Last updated 19 Apr 2026

April 2026

Attack vector breakdown

Credential Harvesting

41%

O365, Google, banking and HR portal spoofs

Business Email Compromise

24%

CEO fraud, invoice redirection, supplier impersonation

Malware / Ransomware

16%

Malicious attachments and drive-by downloads

MFA Bypass (AiTM)

11%

Session hijacking via reverse proxy infrastructure

Smishing / Vishing

SMS lures and voice-based social engineering

Source: PhishShield platform intelligence & NCSC Q1 2026 report. Aggregated and fully anonymised.

Advisories

Live threat feed

TI-2026-041

19 Apr 2026

CriticalCredential HarvestingAll sectorsSMB

HMRC Self-Assessment Deadline Phishing Surge

Indicators of compromise

Sender domains: hmrc-refund-gov.co, tax-rebate-uk.com, hmrc-alert.net
Subject lines: 'HMRC: Tax refund available — claim now', 'Urgent: Unpaid tax balance'
Links redirect through bit.ly before landing on credential page

TI-2026-039

15 Apr 2026

HighMFA Bypass / AiTMFinanceLegalProfessional Services

Microsoft 365 MFA Fatigue — Adversary-in-the-Middle

Indicators of compromise

Sender domains mimicking IT helpdesk: it-support-[company].com
Proxy infrastructure hosted on bulletproof providers in Eastern Europe
Post-compromise: immediate inbox rules created to forward and delete inbound emails

TI-2026-037

11 Apr 2026

HighCredential HarvestingPropertyLegalFinanceHR

DocuSign Brand Abuse — Fake Contract Requests

Indicators of compromise

Sender: [email protected] (not @docusign.com or @docusign.net)
Subject: '[Company Name] has sent you a document to review and sign'
Landing page URL pattern: docusign-[random].pages.dev

TI-2026-034

4 Apr 2026

HighBusiness Email CompromiseAll sectors

CEO Gift Card Fraud Targeting Finance Teams

Indicators of compromise

Display name spoofing — CEO name shown, external address used
Requests cite urgency, confidentiality, and inability to make calls
Escalates if initial request refused — second email from spoofed assistant

TI-2026-031

28 Mar 2026

MediumSmishingAll sectors

Royal Mail & DPD Smishing — Redelivery Fee Scam

Indicators of compromise

SMS sender IDs: RoyalMail, DPD-UK (both spoofed)
Short URLs resolving to: royalmail-redelivery.com, dpd-reschedule.co
Payment page collects full card details including CVV and billing address

TI-2026-028

21 Mar 2026

MediumCredential HarvestingEducationHealthcareLocal Government

IT Helpdesk Impersonation — Password Reset Wave

Indicators of compromise

Sender pattern: helpdesk@[orgname]-itsupport.co.uk
Email includes recipient's name and organisation sourced from public directories
Fake portal collects current password before displaying a 'reset successful' confirmation

Authoritative sources

NCSC

National Cyber Security Centre — official UK government cyber guidance and incident alerts.

Krebs on Security

In-depth investigative reporting on cybercrime, breaches, and threat actors.

Bleeping Computer

Breaking cybersecurity news, malware analysis, and ransomware tracking.

Protect your organisation

Test your team before
attackers do

Run simulations based on the exact attack patterns listed above. See who clicks, who reports, and where your human risk is highest — before a real attacker finds out.

Start free Read the docs →

Active threats targetingUK organisations

Attack vector breakdown

Live threat feed

HMRC Self-Assessment Deadline Phishing Surge

Microsoft 365 MFA Fatigue — Adversary-in-the-Middle

DocuSign Brand Abuse — Fake Contract Requests

CEO Gift Card Fraud Targeting Finance Teams

Royal Mail & DPD Smishing — Redelivery Fee Scam

IT Helpdesk Impersonation — Password Reset Wave

Authoritative sources

Test your team beforeattackers do

Active threats targetingUK organisations

Attack vector breakdown

Live threat feed

HMRC Self-Assessment Deadline Phishing Surge

Microsoft 365 MFA Fatigue — Adversary-in-the-Middle

DocuSign Brand Abuse — Fake Contract Requests

CEO Gift Card Fraud Targeting Finance Teams

Royal Mail & DPD Smishing — Redelivery Fee Scam

IT Helpdesk Impersonation — Password Reset Wave

Authoritative sources

Test your team beforeattackers do

Active threats targeting
UK organisations

Test your team before
attackers do

Active threats targeting
UK organisations

Test your team before
attackers do