Fake Celonis / UiPath process mining and RPA subscription payment failed, platform licenses suspended, robots and automation workflows disabled, or execution management system access no longer active phishing

Phishing emails impersonating Celonis or UiPath claiming the process mining or robotic process automation platform subscription payment has failed, platform licenses are suspended, robots and automation workflows are disabled, or execution management system access is no longer active — directing them to update billing or restore access through a credential-harvesting portal. A distinct attack category targeting the enterprise automation intelligence platforms that operational excellence, finance, and IT teams use to discover, automate, and monitor business processes at scale — suspension simultaneously halts every running automation bot, terminates all active process mining analyses, and disables every operational efficiency dashboard tracking the automation ROI that executives use to justify the platform investment. Key facts: (1) Celonis serves 1,000+ enterprise customers ($200,000-$2,000,000+/year) including Siemens, Vodafone, and Dow as the leading process mining and execution management platform — Celonis sits on top of ERP systems (SAP, Oracle, Salesforce) and extracts event logs to reconstruct and visualize how business processes actually execute vs. how they are designed to execute; a Celonis license suspension disables all active process mining analyses, closes all conformance checking dashboards showing where process deviations are occurring, and halts all Action Engine automations that were triggering corrections in the underlying ERP system; the process mining team loses both their analytical tools and their operational automation layer simultaneously; (2) The 'platform licenses are no longer active' hook targets a specific organizational anxiety about ERP data exposure: Celonis maintains deep read connections into SAP, Oracle, and Salesforce to extract event logs for process mining; the suspension email implies that these connection credentials may be at risk, creating urgency for IT administrators who manage the integration; enterprise IT teams responsible for SAP stability treat any signal about Celonis credential compromise as an ERP security incident requiring immediate response; (3) UiPath serves 10,500+ customers ($15,000-$500,000+/year) including Toyota, T-Mobile, and Deloitte as the leading RPA (robotic process automation) platform — UiPath Automation Cloud hosts the Orchestrator (the central command hub that deploys, schedules, monitors, and controls all attended and unattended robot executions); a UiPath subscription suspension that takes Orchestrator offline stops every unattended robot that runs business-critical processes — the accounts payable bot that processes 500 invoices per day from vendor portals, the HR onboarding bot that provisions accounts in Active Directory and HRIS systems, and the financial reporting bot that extracts data from banking portals and populates the consolidation model all stop simultaneously; (4) The 'robots and automation workflows disabled' hook is uniquely disruptive because automation replaces human labor: unlike CRM or BI tool suspensions where humans can work around the outage using legacy processes, RPA suspension often has no manual fallback because the human headcount that previously performed the work was eliminated after the bots were deployed; the accounts payable team that once had 20 clerks now has 3 supervisors, and a UiPath suspension means 0 invoice processing capacity until the bots are restored; (5) Celonis and UiPath credentials expose the complete business process and automation architecture: every process mining model revealing the actual execution paths of core business processes including order-to-cash, procure-to-pay, and hire-to-retire, the complete automation library showing every bot workflow including login credentials for every system the bots access (banking portals, vendor portals, HRIS systems, ERP modules), the Orchestrator asset vault storing encrypted credentials for every system accessed by RPA robots, and the process deviation data exposing where the organization's operational controls are weakest and where workarounds are most frequent. Warning signs: sender not celonis.com or uipath.com; genuine Celonis billing at login.celonis.com/account/billing; UiPath billing at cloud.uipath.com/settings/billing.