Fake compliance questionnaire lure — SOC 2 / ISO 27001 / NIST / HIPAA / PCI DSS questionnaire with credential-harvesting fields targeting vendor-security and compliance teams (2024-2025 Abnormal / GRC threat feeds)
fake-compliance-questionnaire-lure
What this tier means
High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.
How Gorganizer detects this
Fake SOC 2 / ISO 27001 / NIST CSF / HIPAA / PCI DSS / CSA STAR / CIS Controls / HITRUST / FedRAMP / CMMC compliance questionnaire delivered as PDF / DOCX attachment with credential-harvesting fields embedded. Targets vendor-security and compliance teams who expect questionnaire traffic from customers / auditors during procurement cycles — the attacker-crafted questionnaire asks for sensitive access credentials, AWS / Azure / GCP keys, or VPN configuration under the guise of "infrastructure audit evidence." Abnormal Security and GRC-focused threat intelligence feeds documented multiple 2024-2025 campaigns exploiting Q4 annual-renewal seasons when genuine questionnaire volume is high. Fires when the body references a specific compliance framework (SOC 2, ISO 27001/27017/27018, NIST CSF / SP 800, HIPAA, PCI DSS, CSA STAR, CIS Controls, GDPR compliance, HITRUST, FedRAMP, CMMC) AND contains a questionnaire / audit / assessment action (complete / fill out / return the questionnaire / evidence request / compliance review / vendor assessment). Excludes known GRC platforms (Vanta, Drata, Secureframe, TrustCloud, Sprinto, Thoropass, AuditBoard, OneTrust, LogicGate, Hyperproof, Strike, Tugboat Logic, ServiceNow) and official-authority domains (AICPA, ISO, NIST, HHS, PCI Security Standards Council, Center for Internet Security, HITRUST Alliance). Auto-classified as danger via the `-lure` suffix.
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
Ready to clean your inbox?
Gorganizer scans your Gmail with this signal and 1,800+ others, then cleans everything in one click. $4.99 one-time, no subscription.
Get started