When Inclusive Language ends in phishing
This threat involves a passive phishing campaign that exploits the use of inclusive language in emails by abusing ".es" domain suffixes. Legitimate users include words ending with ".es" as part of inclusive language, but attackers register these domains to redirect victims to fake Microsoft 365 login pages or malicious browser extension installation pages. The campaign is subtle and effective because it targets internal communications and leverages trusted third-party partners, making the malicious links appear legitimate. No specific affected software versions are identified. No known exploits in the wild have been reported.
AI Analysis
Technical Summary
A phishing campaign abuses the use of inclusive language involving words ending with the ".es" domain suffix. Attackers register these domains (e.g., intervenant.es, conferencier.es) to host fake Microsoft 365 login pages or fake browser extension installation pages. This technique leverages legitimate-looking URLs embedded in emails, exploiting the trust in internal communications and third-party partners. The campaign is passive and difficult to detect due to the legitimate appearance of the links and the context of inclusive language usage.
Potential Impact
Users may be tricked into visiting malicious websites that impersonate Microsoft 365 login portals or prompt installation of malicious browser extensions. This can lead to credential theft or compromise of user devices. The threat targets internal communications and trusted third-party emails, increasing the likelihood of successful phishing without raising immediate suspicion.
Mitigation Recommendations
No official patch or fix is applicable as this is a phishing technique rather than a software vulnerability. Organizations should educate users about the risk of clicking on unexpected or unusual links, even if they appear to use inclusive language or come from trusted partners. Email filtering and URL reputation services may help detect and block such malicious domains. Monitoring for suspicious domain registrations related to inclusive language terms could also be beneficial.
When Inclusive Language ends in phishing
Description
This threat involves a passive phishing campaign that exploits the use of inclusive language in emails by abusing ".es" domain suffixes. Legitimate users include words ending with ".es" as part of inclusive language, but attackers register these domains to redirect victims to fake Microsoft 365 login pages or malicious browser extension installation pages. The campaign is subtle and effective because it targets internal communications and leverages trusted third-party partners, making the malicious links appear legitimate. No specific affected software versions are identified. No known exploits in the wild have been reported.
Reddit Discussion
Has anyone observed similar passive phishing campaigns using the following technique ?
During an email risk assessment, I came across a passive phishing campaign that abuses ".es" domains as a form of inclusive language "typosquatting" (Can we really call it typosquatting?).
Examples like "intervenant.es" and "conferencier.es" were written by legitimate, non-malicious users in their emails. They were trying to be inclusive in their communications.
However those urls ultimately redirect to fake M365 login pages or fake browser extension install pages.
This is particularly interesting and effective because it is passive, can target internal communications with less monitoring and can come from trusted third-party partners making the links appear legitimate.
Links cited in this discussion
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
A phishing campaign abuses the use of inclusive language involving words ending with the ".es" domain suffix. Attackers register these domains (e.g., intervenant.es, conferencier.es) to host fake Microsoft 365 login pages or fake browser extension installation pages. This technique leverages legitimate-looking URLs embedded in emails, exploiting the trust in internal communications and third-party partners. The campaign is passive and difficult to detect due to the legitimate appearance of the links and the context of inclusive language usage.
Potential Impact
Users may be tricked into visiting malicious websites that impersonate Microsoft 365 login portals or prompt installation of malicious browser extensions. This can lead to credential theft or compromise of user devices. The threat targets internal communications and trusted third-party emails, increasing the likelihood of successful phishing without raising immediate suspicion.
Mitigation Recommendations
No official patch or fix is applicable as this is a phishing technique rather than a software vulnerability. Organizations should educate users about the risk of clicking on unexpected or unusual links, even if they appear to use inclusive language or come from trusted partners. Email filtering and URL reputation services may help detect and block such malicious domains. Monitoring for suspicious domain registrations related to inclusive language terms could also be beneficial.
Technical Details
- Source Type
- Subreddit
- cybersecurity
- Reddit Score
- 0
- Discussion Level
- minimal
- Content Source
- reddit_link_post
- Post Type
- link
- Domain
- null
- Newsworthiness Assessment
- {"score":27,"reasons":["external_link","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":[],"foundNonNewsworthy":[]}
- Has External Source
- true
- Trusted Domain
- false
Threat ID: 6a58a1a768715ace43bccd30
Added to database: 07/16/2026, 09:17:27 UTC
Last enriched: 07/16/2026, 09:17:34 UTC
Last updated: 07/17/2026, 03:47:25 UTC
Views: 13
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.