Internal IT Helpdesk Spoof Used to Steal VPN Credentials

A credential-harvesting phishing campaign on 12 April 2026 targeted remote employees by spoofing helpdesk@internal-vpn-support.com and linking to a fake VPN login (https://vpn-auth-check.com/login) to collect corporate credentials and one-time codes; investigators later observed VPN access from 188.214.128.31 using a legitimate employee's credentials.