Phishing Attack via Lookalike Subdomain and Malicious PDF: Credential Harvesting Campaign Targeting Vendor Relationships
January 12, 2026
Observation
One organization received multiple phishing emails from a familiar vendor domain (excelmach[.]com). The incident came to light when one user reported such an email as phishing. Upon investigation, it was discovered that the emails contained URLs leading to a credential-harvesting site hosted on a lookalike subdomain of webflow[.]io—a platform commonly exploited for phishing activities.
The attacker utilized a compromised vendor account and crafted a deceptive subdomain to mimic legitimate business communication, thereby evading standard detection methods.
Detailed Breakdown: How the Phishing Attack Worked
- excelmach[.]com is a legitimate domain, and the client has regular business with this vendor.
- One user reported an email as phishing. Investigation showed the email contained two URLs:
- excelmach[.]com (legitimate)
- excel-machinery.webflow[.]io (malicious)
- The subdomain excel-machinery.webflow[.]io redirects to a credential-harvesting page hosted on 20eei9.sfo3.cdn[.]digitaloceanspaces[.]com.
- The email originated from a compromised vendor account, and this sender was observed for the first time.
- The attacker created a lookalike subdomain and embedded the malicious URL in a PDF attachment.
| Entities | Indicators | Description |
| URL Domain | excel-machinery.webflow[.]io | Lookalike domain |
| Hosted Domain | 20eei9.sfo3.cdn[.]digitaloceanspaces[.]com. | Credential harvesting site |
| Sender | pgreen[@]excelmach[.]com | Compromised Vendor account |
Why This Phishing Attack Matters
- Interaction with the phishing link or the attachment could allow attackers to steal recipients credential, leading to unauthorized access or data theft.
- Forwarded emails increase the risk of other account compromise.
- This undermines trust in vendor relationships and introduces supply chain risk.
Recommendations: What Organizations Should Do
- Verified interaction (no URL clicks and outbound connections to the malicious domain).
- Notify the vendor immediately about the compromise and share relevant IOCs.
- Continuously monitor vendor emails and set alerts for any messages containing known IOCs or suspicious indicators.
- Reported and soft-deleted emails from the compromised sender.
- Blocked the malicious URL and attachment.
- Added excel-machinery.webflow[.]io to IOC list.
Organizations managing similar threats can reduce exposure through proactive cybersecurity services that combine threat intelligence, SOC monitoring, and human expertise.
