JSL’s security team applies a comprehensive view of IT security, integrating assessment, audit, and compliance.
Here’s the uncomfortable truth: Cybercriminals don’t always “hack in” — sometimes, they just use the same tools we do. Lately, we’ve seen a rise in phishing campaigns launched from trusted platforms like Salesforce and DocuSign.
Emails come straight from real addresses (like noreply@salesforce[.]com). They look perfect, complete with buttons like “REVIEW DOCUMENT.” Sometimes they even drop in a QR code for that extra sprinkle of credibility.
The tactic is simple: ride the reputation of a trusted service to sneak past both filters and human suspicion.
One campaign we spotted led users through a fake document (complete with an official-looking agreement to use electronic records), a QR code, and finally a convincing (but bogus) Microsoft login page. On mobile, that fake page could easily fool anyone.
Why does this matter? Because if you trust it, you’ll click it. If you’re in a hurry, you’ll click it. If you’re stressed, you’ll click it. And that’s exactly what the attackers are counting on.
Here’s the mindset shift: “Legitimate sender” doesn’t always mean legitimate intent.
If something feels off — wrong context, unexpected urgency, weird extras like QR codes — slow down. Ask for a second opinion before you click. The goal isn’t paranoia. It’s awareness. When you know attackers are hijacking trust itself, you’re less likely to hand it over.
Cybersecurity isn’t about stopping all the bad emails. It’s about spotting the sneaky ones hiding in plain sight.
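The warning signs above can also be checked in mail triage, so that a message sent through a trusted platform is not waved through on sender reputation alone. The following is an added example, not code from JSL or from any mail product; the platform-to-host map, the urgency word list, and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, utils
from urllib.parse import urlparse

# Assumption: illustrative map of sender domain -> expected link hosts, not a complete list.
PLATFORM_HOSTS = {"salesforce.com": ("salesforce.com", "force.com"),
                  "docusign.net": ("docusign.net", "docusign.com")}
URGENCY = re.compile(r"\b(urgent|immediately|action required)\b", re.I)
HREF = re.compile(r"""href=["'](https?://[^"']+)""", re.I)
def under(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw):
    """Reasons to hold a message for review even though its sender is genuine."""
    msg = message_from_string(raw)
    domain = utils.parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    allowed = next((h for d, h in PLATFORM_HOSTS.items() if under(domain, [d])), None)
    if allowed is None:
        return []  # not platform-sent mail; out of scope for this check
    reasons = []
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            reasons.append("image part: decode and check for a QR code")
        elif part.get_content_maintype() == "text":
            body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            for url in HREF.findall(body):
                host = (urlparse(url).hostname or "").lower()
                if not under(host, allowed):
                    reasons.append("link leaves platform: " + host)
            if URGENCY.search(msg.get("Subject", "") + " " + body):
                reasons.append("urgency wording")
    return reasons

# Constructed sample message (not a real capture).
SAMPLE = """\
From: Contracts <noreply@salesforce.com>
Subject: Action required: agreement awaiting signature
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<a href="https://docs.example.net/review">REVIEW DOCUMENT</a>
--b1
Content-Type: image/png

iVBORw0KGgo=
--b1--
"""
```

Calling `triage(SAMPLE)` returns three reasons: the button link leaves the platform, the subject uses urgency wording, and an image part needs QR inspection by a separate decoder.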