Password Reset Notification Used for Identity Platform Credential Theft
ID: 1b4d1d9c-0fe7-4586-97bf-bb03e3b3f05c
STIX ID: report--1b4d1d9c-0fe7-4586-97bf-bb03e3b3f05c
Threat Score: 70/100
Between 9 April 2026 and 12 April 2026, employees at a software company received emails claiming passwords would expire and linking to https://password-reset-verify.com/account, a site that visually mimicked the corporate identity platform and requested usernames, passwords, and MFA. Several accounts were later accessed from Eastern Europe and Southeast Asia and used to retrieve internal documents, indicating a focused credential-harvesting campaign intended to enable cloud account compromise.

Observed indicators: domain password-reset-verify.com, path /account, theme "password expiration", and follow-on behavior of internal data access.
