Trusyn Threat Lab

Phishing advisories & trend writeups.

Field notes from the detection pipeline. Patterns we are seeing across customer brands, dispatched in plain English so operations and legal can act on them.

HIGH | TRY-2026-04 | 2026-04-22

Mobile-only Turkish banking kits gating on geo + UA

A wave of credential-harvesting pages impersonating Turkish retail banks now serves the live phishing UI only to mobile Chrome User-Agents resolving from Turkish IPs; everyone else gets a Cloudflare challenge or an empty page.

Kits are deploying multi-stage gating to defeat reputation scanners. The first hop is a Cloudflare-fronted domain that returns a managed challenge to anything that does not match `Mozilla/5.0 (Linux; Android …) Chrome` with `Accept-Language: tr-TR` and a Turkish residential ASN.

Trusyn's scanner emulates the geo and UA profile and clears the JavaScript challenge in most cases. Sites that additionally enforce ASN-level fences (only TR residential IPs) require a downstream proxy.

Operators should expect that desktop-based abuse-desk reviewers may load the URL and see a clean page or a 1015 block — full-page screenshots are now a mandatory part of the evidence bundle, not an optional extra.

MEDIUM | TRY-2026-04-02 | 2026-04-09

Typosquat campaigns favoring `.online` and `.live` TLDs

Bulk-registered typosquats for major fintech brands have shifted from `.com`/`.net` to cheaper `.online` and `.live` TLDs where WHOIS proxy services are aggressive and registrars are slower to enforce DNS-abuse policy.

Across Trusyn's CertStream feed in March-April 2026, 41% of new typosquat detections involve `.online`, `.live`, `.shop`, or `.top`. Most come from a small number of registrars; abuse contact discovery via python-whois often returns empty, requiring an RDAP fallback (which we apply).
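Added example of the WHOIS-to-RDAP fallback described above, not Trusyn's pipeline code. It walks an RDAP domain document (entity tree, roles and jCard arrays as laid out in RFC 9083 / RFC 7095) for every entity carrying the `abuse` role and returns its email addresses, falling back to that lookup only when the WHOIS result came back empty. The sample RDAP document, the domain name and the use of the rdap.org redirector as the query endpoint are assumptions for the example.

```python
"""Abuse-contact discovery with an RDAP fallback.

Added example, not Trusyn's pipeline code. The RDAP document structure
(entities, roles, vCard arrays) follows RFC 9083; the sample document below
is constructed for the example, and the rdap.org URL used by fetch_rdap()
is an assumption about which RDAP gateway you query.
"""
import json
import urllib.request


def _vcard_emails(entity: dict) -> list:
    """Pull email values out of an RDAP entity's jCard (RFC 7095) array."""
    vcard = entity.get("vcardArray") or ["vcard", []]
    return [prop[3] for prop in vcard[1] if prop and prop[0] == "email"]


def abuse_contacts(rdap_doc: dict) -> list:
    """Walk the entity tree and return emails of every entity with the 'abuse' role."""
    found = []
    stack = list(rdap_doc.get("entities", []))
    while stack:
        ent = stack.pop()
        if "abuse" in ent.get("roles", []):
            found.extend(_vcard_emails(ent))
        stack.extend(ent.get("entities", []))      # registrar entities nest their abuse contact
    return list(dict.fromkeys(found))              # de-duplicate, keep order


def fetch_rdap(domain: str) -> dict:
    """Query the public rdap.org redirector (assumed endpoint); needs network access."""
    with urllib.request.urlopen(f"https://rdap.org/domain/{domain}", timeout=10) as resp:
        return json.load(resp)


def resolve_abuse_contact(domain: str, whois_emails: list, rdap_loader=fetch_rdap) -> dict:
    """Prefer WHOIS abuse emails; fall back to RDAP when WHOIS came back empty."""
    if whois_emails:
        return {"domain": domain, "source": "whois", "contacts": list(whois_emails)}
    contacts = abuse_contacts(rdap_loader(domain))
    return {"domain": domain, "source": "rdap" if contacts else "none", "contacts": contacts}


# Constructed RDAP response modelled on RFC 9083: a registrar entity with a nested abuse contact.
SAMPLE_RDAP = {
    "objectClassName": "domain",
    "ldhName": "examp1e-bank.online",
    "entities": [
        {
            "objectClassName": "entity",
            "roles": ["registrar"],
            "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                     ["fn", {}, "text", "Example Registrar"]]],
            "entities": [
                {
                    "objectClassName": "entity",
                    "roles": ["abuse"],
                    "vcardArray": ["vcard", [
                        ["version", {}, "text", "4.0"],
                        ["fn", {}, "text", "Abuse Desk"],
                        ["email", {}, "text", "abuse@registrar.example"],
                    ]],
                }
            ],
        }
    ],
}

if __name__ == "__main__":
    # Empty WHOIS result (the case the advisory describes) triggers the RDAP path.
    print(resolve_abuse_contact("examp1e-bank.online", [], rdap_loader=lambda d: SAMPLE_RDAP))
```

The loader is injectable so the parser can be exercised offline against captured RDAP documents; in production `fetch_rdap` (or a registry-specific RDAP base URL) takes its place, and a `source` of `none` is the signal to escalate to the registry rather than retry WHOIS.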

We are observing that registrars in this category respond materially faster when the abuse mail explicitly cites ICANN RAA §3.18 (5 April 2024) by name and attaches a power of attorney. Trusyn templates do both.

HIGH | TRY-2026-03 | 2026-03-28

OAuth consent-phishing kits impersonating Microsoft 365

OAuth consent phishing has resurged, with kits hosted on `*.workers.dev` and `*.pages.dev` subdomains harvesting tokens via legitimate-looking app consent prompts.

Because the credential exchange happens at the genuine Microsoft endpoint, traditional URL reputation systems often miss these flows. The actionable signal is the malicious app's redirect URI, not the visible domain.
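Added example, not Trusyn's detector: it parses an OAuth 2.0 authorization request of the kind the Microsoft identity platform accepts, pulls out the `redirect_uri` as the IOC, and scores the link on where that redirect lands and which scopes are requested rather than on the visible login domain. The developer-platform suffixes, the sensitive-scope list and the sample link (all-zero `client_id`, invented redirect host) are constructed for the example.

```python
"""Pull the actionable IOC out of an OAuth consent-phishing link.

Added example, not Trusyn's detector. Parsing of client_id, redirect_uri and
scope follows the OAuth 2.0 authorization request format used by the Microsoft
identity platform; the developer-platform suffixes, the sensitive-scope list
and the sample link (all-zero client_id, invented redirect host) are constructed.
"""
from urllib.parse import parse_qs, urlparse

# Genuine Microsoft authorization hosts: the visible domain looks fine, which is the whole problem.
MICROSOFT_AUTHORITIES = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
DEV_PLATFORM_SUFFIXES = (".workers.dev", ".pages.dev")
SENSITIVE_SCOPES = {"mail.read", "mail.readwrite", "mail.send", "files.read.all",
                    "files.readwrite.all", "user.read.all", "offline_access"}


def parse_consent_link(url: str) -> dict:
    """Split an authorize URL into the fields a reviewer needs; redirect_uri is the IOC."""
    parts = urlparse(url)
    query = parse_qs(parts.query)

    def first(key: str) -> str:
        return query.get(key, [""])[0]

    redirect = first("redirect_uri")
    target = urlparse(redirect)
    return {
        "authority": (parts.hostname or "").lower(),
        "client_id": first("client_id"),
        "redirect_uri": redirect,
        "redirect_host": (target.hostname or "").lower(),
        "scopes": {s.lower() for s in first("scope").split()},
    }


def triage(url: str, brand_keywords: list) -> dict:
    """Score the link on the redirect target and requested scopes, not on the visible domain."""
    info = parse_consent_link(url)
    reasons = []
    host = info["redirect_host"]
    if info["authority"] in MICROSOFT_AUTHORITIES:
        reasons.append("authority is the genuine Microsoft endpoint; URL reputation will not fire")
    on_dev_platform = host.endswith(DEV_PLATFORM_SUFFIXES)
    if on_dev_platform:
        reasons.append("redirect_uri lands on a Cloudflare developer-platform subdomain")
    if any(k.lower() in host for k in brand_keywords):
        reasons.append("brand keyword embedded in redirect host")
    risky = sorted(info["scopes"] & SENSITIVE_SCOPES)
    if risky:
        reasons.append("sensitive scopes requested: " + ", ".join(risky))
    if on_dev_platform and risky:
        confidence = "HIGH"
    elif on_dev_platform or risky:
        confidence = "MEDIUM"
    else:
        confidence = "LOW"
    return {"ioc": info["redirect_uri"], "client_id": info["client_id"],
            "confidence": confidence, "reasons": reasons}


# Constructed sample: genuine authority, attacker-controlled redirect, mailbox scopes.
SAMPLE_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Facmebank-secure.examplekit.workers.dev%2Fcallback"
    "&scope=openid%20offline_access%20Mail.Read&response_mode=query"
)

if __name__ == "__main__":
    print(triage(SAMPLE_LINK, ["acmebank"]))
```

The `ioc` field (the decoded redirect URI) and the `client_id` are what go into the takedown and tenant-side app-revocation request; the reasons list doubles as the plain-English justification the advisory says operations and legal need.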

Trusyn flags any newly-issued certificate matching a customer brand on Cloudflare developer-platform domains as HIGH-confidence regardless of visual similarity, because the deployment pattern itself is anomalous.

Cloudflare's abuse form is the highest-leverage channel here; the registrar path is irrelevant for Workers/Pages subdomains.

MEDIUM | TRY-2026-03-02 | 2026-03-14

Abuse-desk inbox discipline: Message-IDs as receipts

Multiple registrars and hosting providers now silently drop abuse messages that fail RFC 5322 hygiene checks. Missing or duplicate Message-IDs are the most common culprit.

Operators self-rolling abuse mailers should ensure every message generates a unique RFC 2822 Message-ID, sets `Auto-Submitted: auto-generated`, and uses `Precedence: bulk`. Without these, large providers fast-path the mail into spam triage rather than the abuse queue.

Trusyn includes all of the above plus `X-Trusyn-Incident-ID` headers so reply matching and IMAP-side classification work without natural-language parsing.
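Added example, not Trusyn's mailer: it builds a notice carrying every header the advisory lists (a fresh Message-ID per message, `Auto-Submitted: auto-generated`, `Precedence: bulk`, `X-Trusyn-Incident-ID`), runs the hygiene checks a strict receiver would apply, and shows the reply matching that those headers make possible. Message-ID and Date formats come from RFC 5322 and Auto-Submitted from RFC 3834; the sender, recipient, Message-ID domain and incident values are constructed placeholders.

```python
"""Build an abuse notice that survives provider hygiene filters, and check it.

Added example, not Trusyn's mailer. Message-ID, Date, Auto-Submitted and
Precedence semantics come from RFC 5322 / RFC 3834; the X-Trusyn-Incident-ID
header is the one the advisory names; sender, recipient and incident values
below are constructed placeholders.
"""
from email.message import EmailMessage
from email.utils import formatdate, make_msgid

REQUIRED_HEADERS = ("From", "To", "Subject", "Date", "Message-ID", "Auto-Submitted", "Precedence")


def build_abuse_notice(incident_id: str, sender: str, abuse_addr: str, subject: str,
                       body: str, msgid_domain: str = "notices.trusyn.example") -> EmailMessage:
    """One RFC 5322-clean notice per incident, with a fresh Message-ID every time."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = abuse_addr
    msg["Subject"] = subject
    msg["Date"] = formatdate(usegmt=True)
    msg["Message-ID"] = make_msgid(domain=msgid_domain)   # unique: random token + timestamp + domain
    msg["Auto-Submitted"] = "auto-generated"              # RFC 3834: machine-sent, suppress auto-replies
    msg["Precedence"] = "bulk"
    msg["X-Trusyn-Incident-ID"] = incident_id             # lets replies be matched without NLP
    msg.set_content(body)
    return msg


def hygiene_check(msg: EmailMessage, seen_ids: set) -> list:
    """Return the problems a strict receiver would drop on; seen_ids tracks Message-IDs already sent."""
    problems = [f"missing header: {h}" for h in REQUIRED_HEADERS if h not in msg]
    ids = msg.get_all("Message-ID") or []
    if len(ids) > 1:
        problems.append("duplicate Message-ID header")
    for mid in ids:
        if not (mid.startswith("<") and mid.endswith(">") and "@" in mid):
            problems.append(f"malformed Message-ID: {mid}")
        elif mid in seen_ids:
            problems.append(f"Message-ID reused: {mid}")
        else:
            seen_ids.add(mid)
    if msg.get("Auto-Submitted", "").lower() != "auto-generated":
        problems.append("Auto-Submitted must be auto-generated")
    return problems


def match_reply(reply: EmailMessage, sent_index: dict) -> str:
    """Map a provider reply back to an incident via our header or via In-Reply-To/References."""
    if reply.get("X-Trusyn-Incident-ID"):
        return reply["X-Trusyn-Incident-ID"]
    for header in ("In-Reply-To", "References"):
        for ref in (reply.get(header) or "").split():
            if ref in sent_index:                  # sent_index: our Message-ID -> incident id
                return sent_index[ref]
    return ""


if __name__ == "__main__":
    seen, index = set(), {}
    for inc in ("INC-0001", "INC-0002"):            # constructed incident ids
        m = build_abuse_notice(inc, "abuse-desk@trusyn.example", "abuse@registrar.example",
                               f"Phishing report {inc}", "Details in the attached evidence bundle.")
        print(inc, hygiene_check(m, seen) or "clean")
        index[m["Message-ID"]] = inc
    reply = EmailMessage()
    reply["In-Reply-To"] = next(iter(index))
    print("reply matched to", match_reply(reply, index))
```

Run `hygiene_check` against the same `seen_ids` set for the whole sending session: a mailer that accidentally reuses a Message-ID across incidents fails the reuse check here instead of being silently dropped by the receiver, which is the failure mode the advisory warns about.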

LOW | TRY-2026-02 | 2026-02-19

Smishing via shortened branded URLs in SMS PDU

Carrier SMS abuse tooling continues to ignore links delivered through URL shorteners that appear to belong to the targeted brand (e.g. `bit.ly/<brand>-acc`).

These are not phishing in the strict sense — the shortener is genuine — but the destination is a credential-harvesting page hosted under a typosquat. Operators should treat the destination URL as the IOC, not the shortener.

Trusyn submits the destination to URLScan.io and ThreatFox at detection time so that downstream feeds (browser blockers, secure-email-gateway products) can act on the pattern even before the registrar processes our notice.

Want advisories tailored to your brand's exposure? Customers see all detections in their dashboard with confidence bands and dispatched-report status. Get in touch to start onboarding.