Threat: Phishing & impersonation

Fake CISA Known Exploited Vulnerabilities (KEV) catalog mandatory patch directive from non-official sender targeting IT/security staff — impersonates CISA BOD 22-01 with "patch within X days or face non-compliance penalty / federal mandate" urgency to harvest credentials or deploy malware

cisa-kev-mandate-phish

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

Fake CISA Known Exploited Vulnerabilities (KEV) catalog mandatory patch compliance directive from a non-official sender, targeting IT and security staff. CISA's BOD 22-01 (Binding Operational Directive) requires US federal agencies to remediate KEV catalog entries on a fixed timeline. Attackers impersonate CISA or US-CERT with fake "mandatory patch deadline" emails — "your systems are listed in the CISA KEV catalog — patch within 14 days or face non-compliance penalties under federal mandate." The goal is credential harvesting (fake CISA portal login), malware delivery (malicious patch link), or intelligence gathering. Legitimate CISA advisories are published on cisa.gov and never arrive as unsolicited emails demanding credentials or immediate patch confirmation by reply.

The signal fires when all of the following hold:

(1) the body references CISA, the KEV catalog, BOD 22-01, or Binding Operational Directive, AND
(2) mandatory patch / compliance deadline / non-compliance penalty urgency is present, AND
(3) the sender is NOT cisa.gov, us-cert.gov, dhs.gov, or nist.gov, AND
(4) there is no List-Unsubscribe or In-Reply-To header.

Source: GC1 R15 council #1; CISA advisory on spoofed CISA communications 2024; Mandiant KEV-phishing campaign report Q1 2026.
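The four conditions above, as an added example that is not Gorganizer's own code: it evaluates them over raw RFC 5322 messages with Python's standard `email` package. The regex patterns, the function names, the subdomain matching, and the reading of condition (4) as "neither header present" are assumptions made for illustration, and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains the page lists as official senders; accepting their subdomains is an assumption.
OFFICIAL = ("cisa.gov", "us-cert.gov", "dhs.gov", "nist.gov")
# Illustrative patterns for conditions (1) and (2), not the product's real ones.
REFERENCE = re.compile(r"\bCISA\b|\bKEV\b|BOD\s*22-01|binding operational directive", re.I)
URGENCY = re.compile(r"mandatory patch|compliance deadline|non-?compliance|patch within \d+ days", re.I)

def sender_is_official(from_header):
    # parseaddr drops the display name, so "CISA <x@other.example>" is judged on other.example.
    domain = parseaddr(from_header or "")[1].lower().rpartition("@")[2]
    # Exact or dot-anchored suffix match: "cisa.gov.alerts.example" does not pass as cisa.gov.
    return any(domain == d or domain.endswith("." + d) for d in OFFICIAL)

def plain_body(msg):
    # Collect every text/plain part (a non-multipart message yields itself).
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
        for p in parts)

def evaluate(raw):
    msg = message_from_string(raw)
    body = plain_body(msg)
    checks = {
        "references_cisa": bool(REFERENCE.search(body)),             # condition (1)
        "urgency": bool(URGENCY.search(body)),                       # condition (2)
        "non_official_sender": not sender_is_official(msg["From"]),  # condition (3)
        # Condition (4), read as: neither header is present (not list mail, not a reply).
        "no_list_or_reply": msg["List-Unsubscribe"] is None and msg["In-Reply-To"] is None,
    }
    checks["fires"] = all(checks.values())
    return checks

# Constructed sample messages (not real mail).
BODY = "Your systems are listed in the CISA KEV catalog. Patch within 14 days or face non-compliance penalties.\n"
PHISH = "From: CISA Compliance <notice@cisa.gov.alerts.example>\nSubject: BOD 22-01\n\n" + BODY
OFFICIAL_MAIL = "From: CISA <bulletin@cisa.gov>\nSubject: KEV update\n\n" + BODY
LIST_MAIL = "From: News <kev@vendor.example>\nList-Unsubscribe: <mailto:u@vendor.example>\n\n" + BODY
REPLY_MAIL = "From: Peer <peer@corp.example>\nIn-Reply-To: <1@corp.example>\n\n" + BODY

if __name__ == "__main__":
    for name, raw in [("phish", PHISH), ("official", OFFICIAL_MAIL), ("list", LIST_MAIL), ("reply", REPLY_MAIL)]:
        print(name, evaluate(raw))
```

Returning the per-condition results alongside `fires` shows which guard suppressed a match, which is what you want when tuning for false positives such as a vendor newsletter or a colleague's reply quoting KEV language.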

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
