Skip to main content

PhishEye Blog

Threat research, takedown playbooks, and the operator’s view

Field notes on phishing detection, typosquat enforcement, search-threat strategy, and the takedown metrics that actually reduce customer harm — not vanity dashboards.

Recent research

SharePoint Phishing on Cloudflare Workers — PhishEye blog cover illustration

Research · · 12 min read

SharePoint Phishing on Cloudflare Workers

A live SharePoint credential-phishing chain on free Cloudflare infrastructure: a fronted lure and fake-CAPTCHA redirect into a cloaked workers.dev loader, tracked across 5+ auto-provisioned Workers accounts.

Read more
Cloudflare Drop: Instant Hosting, Phishing Risk — PhishEye blog cover illustration

Research · · 13 min read

Cloudflare Drop: Instant Hosting, Phishing Risk

Cloudflare Drop deploys a static site to a workers.dev URL in seconds with no account. We weigh the phishing-abuse risk, compare it with other free static hosts, and show why Cloudflare's own abuse-report API blocks the takedown teams fighting back.

Read more
IronToll: Global Government-Impersonation PhaaS — PhishEye blog cover illustration

Research · · 16 min read

IronToll: Global Government-Impersonation PhaaS

One live phishing URL unrolled IronToll: a 90+ domain, multi-country phishing-as-a-service campaign built on the Chinese Iron Man kit, stealing credentials and live SMS OTPs. Full IOCs, C2 IPs, and the hunting method.

Read more

Latest posts

Social Media & Fake App Brand Protection — PhishEye blog cover illustration

Cybersecurity · · 8 min read

Social Media & Fake App Brand Protection

Defend the two channels most brand-protection programs under-serve: social media impersonation and fake mobile apps — detection, per-platform takedowns, and how to choose a platform.

Read more
PCI DSS Phishing Requirements (2026 Checklist) — PhishEye blog cover illustration

Cybersecurity · · 11 min read

PCI DSS Phishing Requirements (2026 Checklist)

PCI DSS v4.0 turned anti-phishing into a technical control. A pre-audit checklist mapping Requirements 5.4.1, 8.4.2 and 12.6 to DMARC, MFA, simulations and audit evidence.

Read more
ClickFix 2026: Fake CAPTCHA Hides C2 On-Chain — PhishEye blog cover illustration

Research · · 15 min read

ClickFix 2026: Fake CAPTCHA Hides C2 On-Chain

A live ClickFix campaign poisons your clipboard via a fake CAPTCHA and hides its C2 on the Polygon blockchain (EtherHiding) to defeat takedowns. Full chain, 97-domain IOC feed, defenses.

Read more
Automate Phishing URL Reporting via APIs (2026) — PhishEye blog cover illustration

Cybersecurity · · 11 min read

Automate Phishing URL Reporting via APIs (2026)

Build a phishing-reporting pipeline with APIs: validate a URL, submit to Safe Browsing and urlscan, find host and registrar abuse contacts via RDAP, and escalate.

Read more
PrizeBuzz: The .buzz Prize-Scam Phishing Network — PhishEye blog cover illustration

Research · · 10 min read

PrizeBuzz: The .buzz Prize-Scam Phishing Network

PrizeBuzz runs one fake-prize-survey kit across 318 .buzz domains, cloning OMT, Coca-Cola, Vodafone and ~26 more brands over WhatsApp behind Cloudflare. IoCs inside.

Read more
ClickFix Drops Atomic Stealer via Fake DirBuster — PhishEye blog cover illustration

Research · · 10 min read

ClickFix Drops Atomic Stealer via Fake DirBuster

A fake DirBuster 'GitHub' page weaponized ClickFix clipboard hijacking to run a base64/zsh one-liner that installs Atomic Stealer (AMOS) on macOS — no exploit, just copy-and-paste. Analysis, IoCs, and defenses.

Read more

Stay close to the research

Subscribe to the RSS feed for new posts, or get in touch with the team behind the investigations.