#phishing

Phishing infrastructure (URLs, domains, IPs) extracted from public Twitter/X security researchers

Subscribe (RSS)

#phishing

Phishing infrastructure observed by public Twitter/X researchers

Subscribe (RSS)

IOCs by window

Today

IOCs tagged #phishing

Week

948

IOCs tagged #phishing

Month

3,028

IOCs tagged #phishing

Year

44,314

IOCs tagged #phishing

Counts as of 2026-05-20. Regenerated daily.

About #phishing

Definition: social-engineering attack that impersonates a trusted brand, service or individual to steal credentials, deploy malware or commit fraud. Classified by MITRE ATT&CK as T1566 with sub-techniques for spearphishing attachment, link and via-service.
Common variants: credential phishing (fake login pages), Business Email Compromise (BEC), smishing (SMS), vishing (voice), QR phishing (quishing), adversary-in-the-middle kits like Evilginx and Tycoon-2FA that bypass legacy MFA.
Detection: email header authentication (SPF, DKIM, DMARC), URL reputation, certificate transparency monitoring, content inspection for logo cloning and form-action mismatches, and user-reported phish boxes. Phishing-resistant MFA (FIDO2/WebAuthn) is the most effective preventative control.
References: MITRE ATT&CK T1566 · CISA Phishing · phishunt.io (sister project, real-time phishing detection).

Recent IOCs tagged #phishing

Latest 10 IOCs from the past 30 days. Live JSON: api.tweetfeed.live/v1/month/phishing.

Date	Type	Value	Source
May 16, 20:13	domain	agenziaentrate.grillwestfrentes.com.ar	@Slvlombardo
May 16, 20:13	url	https://agenziaentrate.grillwestfrentes.com.ar/rimborso/it/	@Slvlombardo
May 16, 12:08	domain	dpdlocorn.cyou	@PhishStats
May 16, 12:08	url	https://www.dpdlocorn.cyou/com	@PhishStats
May 16, 12:08	ip	43.133.55.35	@PhishStats
May 16, 11:23	domain	info-thorchain.org	@skocherhan
May 16, 11:23	url	http://info-thorchain.org	@skocherhan
May 16, 11:22	domain	revoke-thorchain.org	@skocherhan
May 16, 11:22	url	http://revoke-thorchain.org	@skocherhan
May 16, 10:20	domain	mem.calcuttaswimmingclub.com	@AddressIntel

Related tags

Tags that frequently co-occur with #phishing.

See all tags on the Dashboard or browse the full IOC feed.

Frequently asked questions

What is phishing?

Phishing is a social-engineering attack in which an adversary impersonates a trusted brand, service or individual to trick the target into revealing credentials, deploying malware or transferring funds. The MITRE ATT&CK framework classifies it under T1566 (Phishing) with sub-techniques for spearphishing attachment (T1566.001), spearphishing link (T1566.002) and spearphishing via service (T1566.003). Common delivery vectors are email, SMS (smishing), instant message and voice (vishing).

What kind of IOCs are tagged #phishing on TweetFeed?

URLs, domains and IPs hosting phishing kits or fake login pages, observed by public Twitter/X researchers. Hashes are rare for phishing because the payload is usually a hosted webpage, not a binary. Adjacent tags include #scam (financial scam infrastructure), #opendir (open directories that host phishing kits) and brand-specific tags when researchers attribute the kit to a known impersonation campaign.

How is this list updated?

Every 15 minutes. The TweetFeed pipeline scrapes RSS feeds from public Twitter/X security researcher accounts and lists, extracts IOCs, tags them with the relevant malware family or threat actor, and republishes the result in CSV, JSON and RSS. Phishing-tagged IOCs are surfaced on this page within the next 15-minute tick. The page itself is regenerated daily by a GitHub Action.

What is the license? Can I use this commercially?

All TweetFeed IOC data, including this Phishing subset, is released under CC0 1.0 Universal (Public Domain Dedication). No attribution required, no warranty. Commercial use is allowed. The TweetFeed website code and branding are not covered by CC0.

License

Phishing IOC data: CC0 1.0 Public Domain. No attribution required, no warranty. Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).