#phishing
Phishing infrastructure (URLs, domains, IPs) extracted from public Twitter/X security researchers
IOCs by window
- 33 IOCs tagged #phishing
- 259 IOCs tagged #phishing
- 1,288 IOCs tagged #phishing
- 45,609 IOCs tagged #phishing
Counts as of 2026-04-29. Regenerated daily.
About #phishing
- Definition: social-engineering attack that impersonates a trusted brand, service or individual to steal credentials, deploy malware or commit fraud. Classified by MITRE ATT&CK as T1566 with sub-techniques for spearphishing attachment, link and via-service.
- Common variants: credential phishing (fake login pages), Business Email Compromise (BEC), smishing (SMS), vishing (voice), QR phishing (quishing), adversary-in-the-middle kits like Evilginx and Tycoon-2FA that bypass legacy MFA.
- Detection: email header authentication (SPF, DKIM, DMARC), URL reputation, certificate transparency monitoring, content inspection for logo cloning and form-action mismatches, and user-reported phish boxes. Phishing-resistant MFA (FIDO2/WebAuthn) is the most effective preventative control.
- References: MITRE ATT&CK T1566 · CISA Phishing · phishunt.io (sister project, real-time phishing detection).
Recent IOCs tagged #phishing
Latest 10 IOCs from the past 30 days. Live JSON: api.tweetfeed.live/v1/month/phishing.
Frequently asked questions
What is phishing?
Phishing is a social-engineering attack in which an adversary impersonates a trusted brand, service or individual to trick the target into revealing credentials, deploying malware or transferring funds. The MITRE ATT&CK framework classifies it under T1566 (Phishing) with sub-techniques for spearphishing attachment (T1566.001), spearphishing link (T1566.002) and spearphishing via service (T1566.003). Common delivery vectors are email, SMS (smishing), instant message and voice (vishing).
What kind of IOCs are tagged #phishing on TweetFeed?
URLs, domains and IPs hosting phishing kits or fake login pages, observed by public Twitter/X researchers. Hashes are rare for phishing because the payload is usually a hosted webpage, not a binary. Adjacent tags include #scam (financial scam infrastructure), #opendir (open directories that host phishing kits) and brand-specific tags when researchers attribute the kit to a known impersonation campaign.
How is this list updated?
Every 15 minutes. The TweetFeed pipeline scrapes RSS feeds from public Twitter/X security researcher accounts and lists, extracts IOCs, tags them with the relevant malware family or threat actor, and republishes the result in CSV, JSON and RSS. Phishing-tagged IOCs are surfaced on this page within the next 15-minute tick. The page itself is regenerated daily by a GitHub Action.
What is the license? Can I use this commercially?
All TweetFeed IOC data, including this Phishing subset, is released under CC0 1.0 Universal (Public Domain Dedication). No attribution required, no warranty. Commercial use is allowed. The TweetFeed website code and branding are not covered by CC0.
License
Phishing IOC data: CC0 1.0 Public Domain. No attribution required, no warranty. Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).