Using the X/Twitter link shortener (t.co) to hide an AITM credential phishing payload
Blog post from Sublime Security
Sublime's Attack Spotlight series analyzes real-world email attack samples, covering the adversary's tactics and techniques and how the message can be detected. A notable sample from Q1 2025 used X/Twitter's t[.]co link shortener to hide an adversary-in-the-middle (AITM) credential phishing payload. The email impersonated a secure-message notification from "DocuSign-Account", was sent from the edocs[.]com domain rather than a DocuSign-owned domain, and borrowed wording from Citrix ShareFile notifications. It urged the recipient to open an "encrypted" financial message; the t[.]co link redirected to a phishing page that impersonated Adobe and Microsoft to harvest credentials.

Sublime's AI-powered detection engine flagged the message on several signals: brand confusion (DocuSign, ShareFile, Adobe and Microsoft branding mixed in one flow), a lookalike sender domain, a link shortener that hides the final destination, and financial urgency. These are common traits of LOTS (Living Off Trusted Sites) attacks, where the visible link sits on a trusted domain and so inherits that domain's reputation. Sublime's conclusion is that email security platforms need adaptive, ML-assisted detection that weighs such subtle discrepancies together rather than relying on any single indicator.
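The following is an added example, not Sublime's code or its detection rules, showing how the four signals described above (lookalike sender domain, brand confusion, link shortener, financial urgency) can be extracted from a raw message and combined. The shortener list, the brand-to-domain mapping, the urgency terms and both sample emails are constructed for this illustration; the t[.]co path in the sample is a placeholder, not a real short code.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed, illustrative lists (not authoritative or complete).
SHORTENER_DOMAINS = {"t.co", "bit.ly", "tinyurl.com", "goo.gl", "ow.ly", "lnkd.in"}
BRAND_DOMAINS = {
    "docusign": {"docusign.com", "docusign.net"},
    "sharefile": {"sharefile.com", "citrix.com"},
    "adobe": {"adobe.com", "adobesign.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com"},
}
URGENCY_TERMS = ("encrypted", "secure message", "invoice", "payment",
                 "wire", "urgent", "expires")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registered_domain(host):
    """Crude registrable-domain extraction (last two labels); a real
    implementation would use the public suffix list for co.uk etc."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def brands_in(text):
    """Return the set of known brand names mentioned in the text."""
    low = text.lower()
    return {brand for brand in BRAND_DOMAINS if brand in low}


def analyze(raw):
    """Parse a raw RFC 5322 message and return a list of signal strings."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, addr = parseaddr(str(msg.get("From", "")))
    subject = str(msg.get("Subject", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    signals = []

    # 1. Lookalike sender: brand named in the display name, but the message
    #    is not sent from that brand's own domains.
    for brand in brands_in(display_name):
        if registered_domain(sender_domain) not in BRAND_DOMAINS[brand]:
            signals.append(f"lookalike_sender:{brand}:{sender_domain}")

    # 2. Brand confusion: more than one brand across display name, subject, body.
    mentioned = brands_in(display_name) | brands_in(subject) | brands_in(text)
    if len(mentioned) > 1:
        signals.append("brand_confusion:" + ",".join(sorted(mentioned)))

    # 3. Link shortener: the visible URL hides its real destination.
    for url in URL_RE.findall(text):
        host = registered_domain(urlparse(url).hostname or "")
        if host in SHORTENER_DOMAINS:
            signals.append(f"link_shortener:{host}")

    # 4. Financial / urgency language in subject or body.
    haystack = (subject + "\n" + text).lower()
    hits = [term for term in URGENCY_TERMS if term in haystack]
    if hits:
        signals.append("financial_urgency:" + ",".join(hits))
    return signals


def verdict(signals):
    """Flag only when several distinct signal families co-occur; any one of
    them alone (a t.co link, say) is common in legitimate mail."""
    families = {s.split(":", 1)[0] for s in signals}
    return len(families) >= 3


# Constructed sample resembling the attack described above.
SAMPLE_PHISH = """From: DocuSign-Account <notifications@edocs.com>
To: ap@example.com
Subject: You have received an encrypted financial message
Content-Type: text/plain; charset=utf-8

A secure message has been sent to you via ShareFile.
Review document: https://t.co/EXAMPLE
This message expires in 24 hours.
"""

# Constructed benign sample from a genuine brand domain.
SAMPLE_BENIGN = """From: DocuSign <dse@docusign.net>
To: ap@example.com
Subject: Completed: Vendor agreement
Content-Type: text/plain; charset=utf-8

All parties have completed the envelope.
View it at https://app.docusign.com/documents/details/EXAMPLE
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        sig = analyze(sample)
        print(name, verdict(sig), sig)
```

The verdict deliberately requires several signal families together: a shortener link or a single brand name is routine in legitimate mail, and the attack described above is notable precisely because each element looks plausible on its own. This offline example does not follow the t[.]co redirect; in production the shortened link would also be resolved so the final landing domain can be checked against the brands the message claims to come from.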