The Top Phishing Lures Targeting Manufacturers Revealed by Trustwave SpiderLabs

• As detailed in the 2025 Trustwave Risk Radar Report, cybercriminals are increasingly targeting the manufacturing sector with sophisticated phishing tactics, exploiting both human behavior and trusted platforms.
• Trustwave SpiderLabs researchers uncover the most prevalent phishing lures—file-sharing notifications, HR documents, fake payment receipts, and more—used to deceive employees and compromise organizations.
• Learn how Trustwave MailMarshal’s multi-layered defense provides protection beyond the common secure email gateway and helps detect and block over 99.99% of email-based threats before they ever reach your inbox.

Threat actors who rely on email phishing scams as their primary method of gaining initial entry use a wide variety of social engineering lures to trick their victims.

Trustwave SpiderLabs recently released the report Manufacturing Sector Deep Dive: Methods of Targeting and Breaching, which specifically calls out many noteworthy campaigns and methodologies used by the top-tier threat groups. The general concept behind all these attacks, and phishing attempts in general, is to present the victim with an email they will find interesting, common place, or sometimes necessary to do their jobs.

The research, which was a supplemental report to the other recently released 2025 Trustwave Risk Radar Report: Manufacturing Sector, our research team details multiple distinct attacks often used by attackers and how organizations can protect themselves.

File-Sharing Phishing Attacks

These campaigns exploit users' inherent trust in file-sharing services. Attackers craft emails mimicking alerts from internal systems or commonly used external platforms like WeTransfer. A secure email gateway or Trustwave's MailMarshal email security solution is an excellent way to detect and block these attacks.

Fake Printer Notification Email

In this scenario, attackers send an email disguised as a notification from a printer service, claiming a pay stub (a document typically issued by employers on payday) has been shared. Clicking the "VIEW YOUR DOCUMENTS" link directs the user to a page built with Zoho Forms, an online form creation tool.

The attackers exploit a Zoho feature that allows redirection upon form submission (often to a "Thank You" page), sending the victim instead to a fraudulent Microsoft login page associated with the Tycoon Phishing-as-a-Service (PaaS) platform.

Fake Bill of Landing (BOL) Email

Manufacturers frequently handle Bills of Lading (BOLs) – essential legal documents acting as contracts and receipts for shipped goods.

In one attack, the attacker used the sharing service WeTransfer, notifying users of a supposedly shared BOL document. However, the provided link leads to a phishing site masquerading as a secure internal portal designed to harvest user account passwords.

To enhance the deception, this phishing page dynamically displays the target recipient company's logo and may incorporate endpoint information such as the user's OS, browser, timestamp, and geographic location.

Human-Resources-Themed Phishing Attack

Trustwave has noted HR-themed phishing emails are trending, particularly from in late 2024 and continuing into 2025.

Attackers know workers are always interested in any changes at their company that might directly impact them, so a common tactic involves attaching a PDF disguised as a revised employee handbook for the upcoming year.

The PDF's content is crafted to align with the HR subject line and may be cloaked as a document from an e-signature platform like DocuSign, incorporating employee data (username, company name, logo) for realism.

These malicious PDFs often contain a QR code that directs victims to a phishing page utilizing the Mamba phishing kit, another PaaS known for facilitating adversary-in-the-middle (AiTM) attacks.

Payment Confirmation Phishing Attacks

Payment and invoice lures are among the most common themes observed in phishing campaigns that target the manufacturing sector. We must note it's not exclusive to this industry sector; attackers will use it to attack other organizations.

One attack that employs this lure is payment confirmation fraud, where cybercriminals send fake payment receipts or invoices for goods and services that the recipient did not purchase.

Image-Based Phishing Attack

Often, this type of attack originates from a compromised email address. The threat actors embedded the image of a receipt and anchored it to a phishing link.

When the target clicks the fake receipt, the link will direct the user to a phishing page hosted on Glitch or another similar web hosting platform with free plan offerings.

Phishing Attacks Abusing Legitimate E-Signature Platforms 

We have observed multiple phishing campaigns using DocuSign to send phishing messages.

Clicking the link will direct users to a legitimate DocuSign envelope that contains a phishing link. In one case we observed, the threat actor posed as "State of Nevada Procurement Services" and used the DocuSign platform to trick victims into thinking that the malicious document was a legitimate government procurement document.

The link used Bing as a redirector and redirected users to a fake login page associated with the Tycoon 2FA PaaS. Threat actors abused the DocuSign platform to distribute a fake government procurement document that led to a fake login page. Trustwave SpiderLabs has previously observed this tactic with the Rockstar 2FA.

Signature Platform Lure: Adobe Acrobat Sign

These phishing emails take on many forms, but in one case, we observed an email designed to mimic an email notification from Adobe Acrobat Sign.

The sender claimed to share board meeting minutes and schedules from the said platform, but a closer look at the URL revealed /wp-admin/, an indicator that the page is likely hosted on a compromised WordPress site.

This is a common tactic used in phishing attacks to host malicious content. Clicking the link directs users to a credential-harvesting page crafted to resemble the e-signature platform.

How Trustwave MailMarshal Protects Clients

Trustwave MailMarshal is a layered defense solution capable of detecting in excess of 99.99% of all email-based threats. The security solution uses tools such as PhishFilter and URLDeep to maintain the safest possible email environment for our clients.

PhishFilter is a proprietary filter developed and maintained by SpiderLabs Research that adds an additional layer of defense against phishing messages.

URLDeep is a phishing URL classifier and is one of the tools used by PhishFilter to identify suspect URLs within emails. URLDeep is based on Deep Learning techniques and is trained on a huge corpus of previously discovered phishing URLs. This information allows URLDeep to calculate the probability of a URL being phishing-related and then feed this intelligence into the PhishFilter.

Trustwave MailMarshal's Defensive Methodology

MailMarshal runs every inbound email through 11 separate layers to help protect against spam, email-delivered malware, phishing, and BEC attacks on-premise and in the cloud.

The layers are:

• IP ReputationSpamProfiler
• Email Threats
• Advanced Malware and Exploit Detection
• Antivirus Engine
• SpamCensor
• BEC Filter
• PhishFilter+URLDeep
• Suspect URLs
• Sandbox
• Email Policy Settings

Each of the millions of emails that arrive each day in MailMarshal are broken down into their component parts, such as message header, message body, raw HTML, URLs, images, and attachments, which are then examined to find any potential threats.

As MailMarshal processes emails, the system scores each item, and if a certain threshold is reached, the email is flagged or quarantined. This activity all happens in milliseconds and does not slow down email processing. In addition, real-time URL scanning occurs when a user clicks on a link in a delivered email to ensure it is safe.