Supplier Payment Inquiry Used as Phishing Credential Theft Lure
ID: 411fbce5-2194-4d4b-a3c0-b41d4e5e790f
STIX ID: report--411fbce5-2194-4d4b-a3c0-b41d4e5e790f
Threat Score: 70/100
On 9 April 2026, accounts payable staff received phishing emails directing them to https://payment-review-portal.com/vendor, a credential-harvesting site that proxied logins to a legitimate cloud identity provider while recording submitted credentials and MFA. Compromised accounts were then used to access shared finance mailboxes, suggesting an operation aimed at payment fraud and business email compromise. Observed indicators include the phishing domain payment-review-portal.com, the URL path /vendor, a vendor banking change theme, the browser Chrome 123 on Windows, and finance shared folder access.
