Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

When Inclusive Language ends in phishing

0
Medium
Published: 07/16/2026 (07/16/2026, 09:11:30 UTC)
Source: Reddit Cybersecurity

Description

This threat involves a passive phishing campaign that exploits the use of inclusive language in emails by abusing ".es" domain suffixes. Legitimate users include words ending with ".es" as part of inclusive language, but attackers register these domains to redirect victims to fake Microsoft 365 login pages or malicious browser extension installation pages. The campaign is subtle and effective because it targets internal communications and leverages trusted third-party partners, making the malicious links appear legitimate. No specific affected software versions are identified. No known exploits in the wild have been reported.

Reddit Discussion

r/cybersecurity·posted by u/Ribzeek
00

Has anyone observed similar passive phishing campaigns using the following technique ?

During an email risk assessment, I came across a passive phishing campaign that abuses ".es" domains as a form of inclusive language "typosquatting" (Can we really call it typosquatting?).

Examples like "intervenant.es" and "conferencier.es" were written by legitimate, non-malicious users in their emails. They were trying to be inclusive in their communications.

However those urls ultimately redirect to fake M365 login pages or fake browser extension install pages.

https://imgur.com/a/MRhwqIu

This is particularly interesting and effective because it is passive, can target internal communications with less monitoring and can come from trusted third-party partners making the links appear legitimate.

Links cited in this discussion

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/16/2026, 09:17:34 UTC

Technical Analysis

A phishing campaign abuses the use of inclusive language involving words ending with the ".es" domain suffix. Attackers register these domains (e.g., intervenant.es, conferencier.es) to host fake Microsoft 365 login pages or fake browser extension installation pages. This technique leverages legitimate-looking URLs embedded in emails, exploiting the trust in internal communications and third-party partners. The campaign is passive and difficult to detect due to the legitimate appearance of the links and the context of inclusive language usage.

Potential Impact

Users may be tricked into visiting malicious websites that impersonate Microsoft 365 login portals or prompt installation of malicious browser extensions. This can lead to credential theft or compromise of user devices. The threat targets internal communications and trusted third-party emails, increasing the likelihood of successful phishing without raising immediate suspicion.

Mitigation Recommendations

No official patch or fix is applicable as this is a phishing technique rather than a software vulnerability. Organizations should educate users about the risk of clicking on unexpected or unusual links, even if they appear to use inclusive language or come from trusted partners. Email filtering and URL reputation services may help detect and block such malicious domains. Monitoring for suspicious domain registrations related to inclusive language terms could also be beneficial.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Source Type
reddit
Subreddit
cybersecurity
Reddit Score
0
Discussion Level
minimal
Content Source
reddit_link_post
Post Type
link
Domain
null
Newsworthiness Assessment
{"score":27,"reasons":["external_link","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":[],"foundNonNewsworthy":[]}
Has External Source
true
Trusted Domain
false

Threat ID: 6a58a1a768715ace43bccd30

Added to database: 07/16/2026, 09:17:27 UTC

Last enriched: 07/16/2026, 09:17:34 UTC

Last updated: 07/17/2026, 03:47:25 UTC

Views: 13

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses