Lead analysts: Louis Tiley, Lucy Gee and James Dyer
Between 1:48pm ET on October 29 and 6:53pm ET on October 30, 2025, KnowBe4 threat analysts observed a high volume of phishing emails detected by KnowBe4 Defend that were sent from the legitimate domain of one of the world’s largest sportswear brands.
The phishing campaign showed how quickly attackers can leverage a compromised business email account to send further phishing emails in the hope of finding more victims. With phishing kits, templates and AI at their disposal, attackers have demonstrated how easy it is to develop and spread large phishing campaigns that use polymorphic elements to not only deceive the recipient but also slip past traditional email defenses. This campaign used a wide variety of social engineering tactics, particularly impersonation, to manipulate its targets, as well as constantly changing the payload itself to bypass signature-based detection.
This example naturally stands out as it’s sent from the compromised (legitimate) domain of one of the world’s largest sportswear brands. While typically they might have more robust defenses in place, these large household names are attractive targets for cybercriminals. Compromising the domain belonging to one of these brands enables attackers to:
- Move laterally within the organization to compromise other systems and data, with potentially lucrative outcomes
- Extend their reach by using the compromised account to send further phishing attacks, socially engineering victims by leveraging the brand’s authority and using their domain to bypass some security measures
- Continue to impersonate the compromised brand even after the incident has ended, using tactics like domain spoofing
As seen in the spate of high-profile attacks against large retailers conducted by Scattered Spider and affiliated gangs, these attacks can be costly for the organization that’s been compromised and lead to impersonation campaigns lasting weeks or even months. (You can read more about this in our Phishing Threat Trends Report.)
Phishing Attack Summary
Vector and type: Email phishing
Authentication protocols bypassed: SPF, DKIM, and DMARC
Bypassed SEG detection: Yes
Primary techniques: Business email compromise, impersonation, polymorphic content and payloads
Targets: Global organizations (based in 80 different countries)
Attacks were sent between 1:48pm ET on October 29 and 6:53pm ET on October 30, 2025 (when the brand likely regained control of the compromised account). The campaign demonstrated a high level of sophistication and coordination through the use of region-specific targeting and a variety of attack methods and payload delivery mechanisms.
Interestingly, while cybercriminals leveraged the compromised domain to bypass some email security measures, to date none of the phishing emails analyzed as part of this campaign impersonated the sportswear brand itself.
How Cybercriminals Leverage a Compromised Domain
We don’t know when or how the domain at the sportswear brand was compromised; however, it’s fairly safe to assume that the subsequent attacks started quickly once it had happened. At this point in an attack, cybercriminals are aware that time is likely working against them until the organization’s cybersecurity team has been alerted to the compromise and manages to block the attacker’s access.
As the clock ticked, the cybercriminal(s) running this attack got to work. The attack ran over two consecutive days (October 29 and 30), with our analysts observing the largest spike of emails—955—sent on October 29, 2025. As noted, these didn’t impersonate the compromised sportswear brand but instead focused on targeting other organizations, such as UK Immigration and Microsoft.
Sender display names and ‘From’ addresses observed in this campaign included:
- UK VISA An& Immigration
- eSc@n_@[40 Digit Hexadecimal Code]
- [Customer name]
- HelpSystem.Server
- SignRequests
- [Customer name]
Subject lines included:
- Important: Bid [Customer Name] REF:[40 digit Hexadecimal Code]
- ***System Maintenance:***-Password Authentication Expire Today ID:[10 Digit Code]
- AW: [Customer Name] Payment Advice – Ref: [6 Digit Code]-[32 digit Hexadecimal Code]/[Date]
- Review: Sponsorship Management Ref:[40 digit Hexadecimal Code]
- Don’t Forget to Review & Sign: Distribution ETF Document – [Recipient Name] – [Date]
- Complete the EFT/Remittance Document Now – [Customer Name]
- Ready for Your Signature! Review the Distribution ETF Document Today, [Recipient Name]
- Review [Customer Name] Ref:[40 digit Hexadecimal Code]
- certificates for [Customer Name] on [Date],[Date].
The emails used polymorphic subject lines and phishing hyperlink payloads, enabling them to more easily bypass the signature-based and reputation-based detection used by secure email gateways (SEGs). Some payloads were obfuscated within attachments, again making them harder to detect by these traditional mechanisms.
The attacks targeted organizations based in 80 countries globally, with the cybercriminals aligning specific phishing emails with the countries being targeted. For example, emails impersonating UK Visa and Immigration were sent exclusively to target organizations in the UK.

Phishing email sent from sportswear brand’s domain impersonating UK Visa and Immigration, with KnowBe4 Defend banners visible.
In this example, the email contains a phishing hyperlink payload, which when clicked, directs the target to a credential harvesting website that impersonates UK Visa and Immigration. In fact, the cybercriminals have copied the original HTML code of the official site to their own domain to produce a carbon copy and increase the likelihood that a target won’t notice the difference and will fall victim to the attack.

Credential harvesting webpage impersonating UK Visa and Immigration.
As with all credential harvesting attacks, the target won’t be able to access the legitimate system by inputting their credentials—instead, their username and password will be sent to the cybercriminals who can potentially use them to access sensitive information, systems or accounts, or sell them on the dark web. In this case, if the target has an account with UK Visa and Immigration, it could provide access to a wealth of personal information.
In another example, the cybercriminals impersonated Microsoft to dupe victims into trying to access a SharePoint document.

Phishing email impersonating Microsoft, with KnowBe4 Defend banners visible.
How To Detect Advanced Phishing Attacks
As mentioned, this campaign displays a number of sophisticated tactics that are designed to bypass SEG detection and socially engineer the targets into taking action.
By using the compromised brand’s domain to send the attacks, cybercriminals ensured that the phishing emails would bypass authentication mechanisms. Every attack we analyzed got through SPF, DMARC and DKIM. Additionally, by using different sender addresses and adding polymorphic elements to subject lines and payloads, the cybercriminals also made it difficult for signature-based and reputation-based security to detect the attacks. Put simply, unless the sender domain itself was blocklisted, these constant changes meant that any signature added to a definitions library would quickly become outdated.
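To illustrate the two points above, that passing SPF, DKIM and DMARC says nothing about intent when the sending domain is itself compromised, and that exact-subject signatures never repeat while a normalized template does, here is an added example written for this post (it is not KnowBe4’s or Defend’s detection logic). The sender domain brand.example, the messages and the threshold are constructed, modelled on the subject-line patterns listed earlier.

```python
import re
from collections import Counter

# Constructed sample messages modelled on the observed subject-line patterns.
# Hex references, IDs and the sender domain are placeholders, not real data.
SAMPLE_MESSAGES = [
    {"from": "ops@brand.example", "auth": "spf=pass dkim=pass dmarc=pass",
     "subject": "Review: Sponsorship Management Ref:3f9a1c0d2b7e8a6f4c1d0e9b8a7f6e5d4c3b2a10"},
    {"from": "ops@brand.example", "auth": "spf=pass dkim=pass dmarc=pass",
     "subject": "Review: Sponsorship Management Ref:aa11bb22cc33dd44ee55ff6677889900aabbccdd"},
    {"from": "ops@brand.example", "auth": "spf=pass dkim=pass dmarc=pass",
     "subject": "***System Maintenance:***-Password Authentication Expire Today ID:0192837465"},
    {"from": "ops@brand.example", "auth": "spf=pass dkim=pass dmarc=pass",
     "subject": "***System Maintenance:***-Password Authentication Expire Today ID:5647382910"},
    {"from": "hr@brand.example", "auth": "spf=pass dkim=pass dmarc=pass",
     "subject": "Q4 kit order confirmation"},  # benign traffic from the same domain
]

HEX_RUN = re.compile(r"\b[0-9a-fA-F]{32,40}\b")   # 32/40-digit hex "Ref" codes
DIGIT_RUN = re.compile(r"\b\d{6,10}\b")            # 6/10-digit numeric IDs

def normalize_subject(subject: str) -> str:
    """Collapse the polymorphic tokens into placeholders so variants share a template."""
    s = HEX_RUN.sub("<HEX>", subject)
    s = DIGIT_RUN.sub("<NUM>", s)
    return re.sub(r"\s+", " ", s).strip().lower()

def auth_passed(auth: str) -> bool:
    """True when SPF, DKIM and DMARC all pass, as they do for a compromised legitimate domain."""
    return all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc"))

def exact_subject_counts(messages) -> Counter:
    """What an exact-subject signature sees: every polymorphic variant is unique."""
    return Counter(m["subject"] for m in messages)

def template_counts(messages) -> Counter:
    """Count messages per (sender domain, normalized subject template)."""
    counts = Counter()
    for m in messages:
        domain = m["from"].split("@")[-1].lower()
        counts[(domain, normalize_subject(m["subject"]))] += 1
    return counts

def flag_templates(messages, threshold=2):
    """Templates repeated at least `threshold` times from one domain, regardless of auth results."""
    return sorted((d, t, n) for (d, t), n in template_counts(messages).items() if n >= threshold)
```

With the sample set, every message passes authentication and no exact subject repeats, yet two templates are flagged.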
Finally, by using regional targeting when impersonating other brands, including on the credential harvesting pages, the cybercriminals hoped to socially engineer their victims into sharing their credentials.
Increasingly, attacks are engineered to bypass SEGs. They’re perceived as the “first hurdle” for phishing email delivery and, as such, it’s simply the cost of doing business for cybercriminals to get through them.
It’s therefore crucial that organizations implement another layer of defense using an integrated cloud email security (ICES) product, such as KnowBe4 Defend. It’s important that the chosen product takes a zero-trust approach to inbound detection, meaning every email is holistically analyzed regardless of whether it’s sent from a legitimate domain or not. ICES products also use AI-powered detection mechanisms such as natural language processing (NLP) and natural language understanding (NLU) to detect the linguistic identifiers of phishing, such as unusual requests and pressure tactics. Finally, leveraging real-time nudges, such as context-aware banners, can help recipients to better understand the attacks they’re being targeted by and increase their ongoing awareness of phishing.
As phishing emails increase in sophistication in the evolving threat landscape, it’s never been more important for organizations to layer their email security to keep their people, customers, data and systems safe.
