Breaking Down a Real Spear Phishing Attack

A few weeks ago, I was a target of one of the most sophisticated spear phishing campaigns I’ve ever seen. I want to blog about it with hopes of raising awareness—as well as to dig deeper into my passion for cybersecurity. 🤓

What is spear phishing?

Spear phishing is a targeted, highly personalized phishing attempt. Unlike phishing, where bad actors blast a generic message to potential victims (think “we can’t deliver your package; click this link to take action”), spear phishing is much more targeted—and scary.

According to Hoxhunt, phishing campaigns experience a click rate of around 18%. The average click rate for spear phishing? 53%. Why? Because it works.

The spear phishing email

I received the below email from careers[at]spotifyrecruiters[.]com.

Screenshot of a spear phishing email impersonating Spotify recruiters using the sender address careers[at]spotifyrecruiters[.]com.

Let me be clear: I’m not actively looking for a job, nor have I recently applied to Spotify. But because this came from “Spotify Recruiters,” curiosity got the best of me.

At first glance, this email looks completely, 100% legitimate—and relevant. My career has always been in content marketing. Whoever sent this email clearly did their research—not just about me, but also about my career goals.

With alarm bells quietly ringing in the back of my head, I decided to respond. I knew it would either be a potential pitch for a job or an opportunity to blog about spear phishing.

With that, I responded:

Screenshot of my email reply to the suspected spear phishing message.

I heard back that following Monday during regular business hours.

Screenshot of phishing email reply received on a Monday during standard business hours.

No typos, no links to click—no obvious red flags at this point.

But all that changes with the next email I received, two days later.

Screenshot of spear phishing email requesting to schedule a job interview.

This is when the alarm bells really started blaring.

Investigating leads to red flags 🚩

Yet again, at first glance, the last email in their cadence looks completely legitimate: typical “next step” instructions for a job interview, the Spotify logo front-and-center, and a reply-to address that looks legitimate enough (still careers[at]spotifyrecruiters[.]com).

But this time, they included a link, which catapulted me into investigator mode.

Schedule a call link

In Cybersecurity 101, they teach you to hover over links before clicking them. In doing so, I saw the full URL: jobspot[.]spotifycalendar[.]com. Because I’ve never interviewed with Spotify, this could easily pass as a legitimate link. But to be sure, I popped it into urlscan.io. This was the returned preview.

(Note that on the actual, live page, the headline “Wait, where’s your coffee” is actively typed out in real-time—that’s not a typo.)

Screenshot of urlscan.io preview showing a phishing site designed to mimic a legitimate Spotify interview scheduling page.

Screenshot of urlscan.io preview showing a phishing site designed to mimic the legitimate Spotify Careers page.

If you head over to spotify.com and navigate to their Careers page, here’s where you’ll land:

Screenshot of the official Spotify Careers webpage on spotify.com, showing the legitimate job application portal.

Screenshot of the official Spotify Careers webpage on spotify.com.

Looks pretty similar, right?

Log in with Facebook

Here’s where things went from kinda sus to holy spear phishing, Batman!

When you click on anything on the spear phishing page—a job, “Locations,” “How We Hire”—you have to log in with Facebook to proceed:

Screenshot of spoofed Spotify Careers phishing page requiring Facebook login to view job listings or site content.

(Note that this is similar to the box that popped up, but not the exact same. I didn’t grab a screenshot in time—more on that later.)

This was the definitive tell for me. Why would I need to log in with Facebook just to see Spotify’s stance on equity and inclusion?

When you authorize this type of login, you’re handing over, at minimum, your public profile info, your Facebook ID, and your email address, and potentially even your friends list. And that’s what you hand over when the login is legitimate.

Possible attack vector: Credential harvesting

When a threat actor asks you to log in with Facebook, the likelier outcome is that you’re taken to a fake login page where you manually type in your Facebook credentials. You might even be asked for a 2FA code, which you wouldn’t think twice about if you have MFA enabled. (And if you don’t, you should!) In short, this is credential harvesting.

Possible attack vector: Open Authorization attack

But given the sophistication of this spear phishing campaign, I wonder if the attackers actually staged an Open Authorization (OAuth) attack.

In an OAuth attack, a threat actor uses a phony “log in with [platform]” dialog box to obtain an access token—no password required. Instead of being handed off to the platform’s (in this case, Facebook’s) genuine OAuth flow, you stay within the attacker’s ecosystem, so the moment you click “authorize,” it is the attacker, not the site you think you’re logging in to, who receives the access token, which can then be used to retrieve your personal information from the platform.

The result? Attackers use the token to collect intel about you, build even more targeted phishing and spear phishing campaigns, and potentially even browse your friends list for social engineering purposes. The access token is the gift that keeps on giving.

Age of website

One of my favorite tools is Domain Dossier, a tool where you can take a closer look at domains and IP addresses. I used Domain Dossier to see how long the website spotifycalendar[.]com had been around.

The answer? Not long.

Screenshot of Domain Dossier results showing newly registered domain spotifycalendar[.]com, used in a spear phishing campaign.

Now, compare that to the record for the legitimate Spotify website:

Screenshot of Domain Dossier results showing long-standing registration history for the legitimate spotify.com domain.

Bit of an age difference, huh?

Something else that was interesting to look at: There’s clearly a bit of a quality difference between domain registrars.

Here’s the homepage of Spotify’s domain registrar, Abion:

Screenshot of Abion homepage, the official domain registrar for spotify.com.

And then…well…there’s this registrar for the spoofed site:

Screenshot showing use of a lesser-known registrar linked to phishing campaigns.

Why this spear phishing campaign was so convincing

It would be so easy to fall for a spear phishing attack that was this believable. (Seriously, kudos to the hackers involved in this one.) Here’s why this campaign stands out as being highly sophisticated—and easy to fall for.

1. It was a targeted phishing attack that incorporated social engineering

This wasn’t your typical spray-and-pray phishing email. It was tailored—to my name, my role, even my next potential career move. That level of personalization is what makes spear phishing so dangerous. It’s not just, “Hey you, click here”; it’s, “Hey Rachel, this job looks perfect for you.” And that…is scary.

2. It wasn’t an “in-your-face,” obvious attack

There was no sketchy language, no “URGENT!!!” subject line, no countdown clock threatening to self-destruct. They actually took their time, responded during normal business hours, wrote like a real recruiter, and didn’t push me to click on anything right away. The calm tone made it feel credible and trustworthy.

3. It cleverly avoided the usual tell-tale signs of phishing

Remember the days when you could easily spot a phish by its poor grammar, inconsistent punctuation, and in-your-face, obvious typos? Those days are largely gone.

Look at this attack. No typos. No weird formatting. No obviously shady links. The emails were clean, well-written, and came from a domain that looked legit at a glance. If you’re used to spotting phishing attempts by broken English or janky URLs, this one would’ve flown right under the radar.

4. The website was a near-clone of the real Spotify website

Visually, it nailed the look and feel. The branding and layout looked almost identical to the real Spotify Careers page. At a glance, it was Spotify. When a spoof site looks that polished, your brain doesn’t jump to “this is a scam.” It goes, “Huh, maybe this really is the company reaching out.”

How to avoid falling for sophisticated spear phishing attacks

Verify, then trust

If something looks too good to be true—or even just slightly off—don’t click anything. Open a new tab, go directly to the company’s actual website, and see if the information lines up. Got an invitation to interview? Check the company’s careers page. Got a delivery notice? Go to the shipping carrier’s site and plug in your tracking number. Assume the burden of proof is on them.

Reach out to the company to verify

If you're unsure whether something’s legit, don’t reply to the email. Instead, find a trusted contact method and reach out yourself. For example, use LinkedIn to message someone at the company, or email their support team through the official site. In the example I’ve detailed in this blog, I forwarded the email to Spotify’s dedicated phishing team: spoof[at]spotify[.]com.

A quick, “Hey, is this real?” can save you a world of pain.

Use available tools to do some quick research

There are some seriously handy tools out there for sniffing out sketchy stuff. I like urlscan.io for previewing a page without visiting it directly, and Domain Dossier for checking when a domain was registered. If a site pretending to be Spotify was created three weeks ago… that’s a clue. These tools won’t stop the attacks, but they will help you spot them.
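As an added example (not the author’s tooling), here is how the two manual checks from this post, a brand keyword sitting in a domain the brand doesn’t own and a freshly registered domain (the “Age of website” check), can be scripted against an RDAP-style record; the allow-list, the RDAP samples and the dates are constructed for illustration, not real registry data.

```python
"""Added example (not from the post): the lookalike-domain and domain-age checks
the post does by hand. BRAND_DOMAINS and the RDAP samples are constructed here."""
import json
from datetime import datetime, timezone
from typing import List, Optional

# Brand keyword -> registrable domains the brand legitimately uses (constructed allow-list).
BRAND_DOMAINS = {"spotify": {"spotify.com"}}

def registrable_domain(host: str) -> str:
    """Last two labels of a host; fine for .com, not a full public-suffix lookup."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def brand_lookalike(host: str) -> Optional[str]:
    """Brand keyword the host borrows while not being one of that brand's real domains."""
    reg = registrable_domain(host)
    for brand, legit in BRAND_DOMAINS.items():
        if brand in reg and reg not in legit:
            return brand
    return None

def registration_age_days(rdap_json: str, now: datetime) -> Optional[int]:
    """Age in days of the 'registration' event in an RDAP response, or None if absent."""
    for event in json.loads(rdap_json).get("events", []):
        if event.get("eventAction") == "registration":
            registered = datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
            return (now - registered).days
    return None

def triage(host: str, rdap_json: str, now: datetime, young_days: int = 90) -> List[str]:
    """Both signals as a list of findings; an empty list means nothing stood out."""
    findings = []
    brand = brand_lookalike(host)
    if brand:
        findings.append(f"lookalike: {registrable_domain(host)} borrows '{brand}'")
    age = registration_age_days(rdap_json, now)
    if age is None:
        findings.append("registration date not present in RDAP record")
    elif age < young_days:
        findings.append(f"young domain: registered {age} days ago")
    return findings

# Constructed RDAP-style records (not real registry data) for the two domains in the post.
SPOOF_RDAP = json.dumps({"events": [{"eventAction": "registration", "eventDate": "2025-03-01T00:00:00Z"}]})
LEGIT_RDAP = json.dumps({"events": [{"eventAction": "registration", "eventDate": "2006-01-01T00:00:00Z"}]})
NOW = datetime(2025, 3, 22, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(triage("jobspot.spotifycalendar.com", SPOOF_RDAP, NOW))
    print(triage("www.spotify.com", LEGIT_RDAP, NOW) or "clean")
```

In practice you would fetch the RDAP record from the registry’s RDAP endpoint for the registrable domain and pass the JSON body to `triage`; the public-suffix shortcut here is deliberately simple and would need a real public-suffix list for country-code TLDs.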


Fast-forward to now, and the spoofed site displays a massive warning for being dangerous. :)

I hope this deep-dive was as fun for you to read as it was for me to write. Stay vigilant out there, folks!

* Special thanks to Nordgaren (@NotNordgaren on X) and Lily Clark from the John Hammond LLC team for their help with this blog!
