Fake Rapid7 / Wiz cloud security and CSPM platform subscription payment failed, licenses suspended, InsightVM vulnerability scanning disabled, or cloud security posture management access no longer active phishing
fake-rapid7-wiz-cloud-security-cspm-billing-phish
What this tier means
High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.
How Gorganizer detects this
Phishing emails impersonating Rapid7 or Wiz claiming the cloud security platform subscription payment has failed, licenses are suspended, InsightVM vulnerability scanning is disabled, or cloud security posture management access is no longer active — directing victims to update billing through a credential-harvesting portal.
A distinct attack category targeting the cloud security intelligence layer: Rapid7's Insight platform provides unified vulnerability management (InsightVM), detection and response (InsightIDR), application security (InsightAppSec), and orchestration (InsightConnect); Wiz provides agentless cloud security posture management (CSPM) and cloud workload protection that scans the entire cloud estate without deploying agents.
Key facts:
(1) Rapid7 serves 10,000+ customers ($20,000-$500,000+/year) as the integrated security platform vendor — InsightVM (formerly Nexpose) is Rapid7's flagship vulnerability management product and one of the three most widely deployed enterprise vulnerability scanners alongside Tenable and Qualys; InsightIDR is Rapid7's SIEM and user behavior analytics platform; a Rapid7 Insight Platform subscription suspension takes offline vulnerability scanning, SIEM, and application security testing simultaneously, creating a compound compliance gap across PCI DSS, SOC 2, and ISO 27001.
(2) Wiz serves 4,000+ customers including 40% of the Fortune 100 ($50,000-$5,000,000+/year) as the fastest-growing cloud security company in history — Wiz's agentless architecture means it continuously monitors every cloud resource (VMs, containers, serverless functions, storage buckets, databases) without requiring any agent installation; a Wiz subscription suspension stops the real-time cloud security monitoring that detects misconfigurations, exposed secrets, and lateral movement paths before attackers can exploit them.
(3) Wiz's Graph feature creates a specific urgency hook: the Wiz Security Graph maps the complete attack path from internet-exposed entry points through cloud infrastructure to crown jewel data; security teams responsible for cloud compliance use the Wiz Graph to prioritize remediation; a suspension that takes the Wiz Graph offline removes the organization's primary cloud risk prioritization tool.
(4) Rapid7's credentials expose both the vulnerability data and the detection infrastructure: InsightVM scan credentials (service account credentials used to authenticate against all servers for credentialed scanning), the complete vulnerability inventory with exploitability scores, InsightIDR detection rules and SIEM integrations showing exactly which attack behaviors are monitored, and the InsightConnect automation playbooks revealing how the security team responds to incidents.
Warning signs: the sender domain is not rapid7.com or wiz.io; genuine Rapid7 billing is at insight.rapid7.com/platform/billing and Wiz billing is at app.wiz.io/settings/billing.
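The sender and billing-link checks from the warning signs above, as an added example (not Gorganizer's own code). The function name, lure phrases, signal names and sample messages are assumptions constructed for illustration; only the vendor domains come from this page.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Legitimate domains named on this page.
VENDOR_DOMAINS = {"rapid7": "rapid7.com", "wiz": "wiz.io"}
# Lure phrases paraphrased from the description above (assumed wording).
LURE = re.compile(r"payment (has )?failed|licen[sc]es? (are |is )?suspended|"
                  r"scanning (is )?disabled|no longer active", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample messages, not real mail.
PHISH = ("From: Rapid7 Billing <billing@rapid7.com.billing-update.example>\n"
         "Subject: Payment failed - InsightVM scanning disabled\n\n"
         "Your licenses are suspended. Update billing: "
         "https://insight.rapid7.com.billing-update.example/platform/billing\n")
GENUINE = ("From: Rapid7 <no-reply@rapid7.com>\n"
           "Subject: Payment failed for your Insight subscription\n\n"
           "Update billing at https://insight.rapid7.com/platform/billing\n")

def in_domain(host, domain):
    """True only for the domain itself or a real subdomain of it.
    A substring test would accept rapid7.com.billing-update.example."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def billing_lure_signals(raw):
    """Return signal names for one message: a score contribution, not a verdict."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    body = "" if msg.is_multipart() else msg.get_payload()
    text = " ".join([display, msg.get("Subject", ""), body])
    signals = []
    for brand, domain in VENDOR_DOMAINS.items():
        # Only evaluate mail that claims the brand and uses a billing lure.
        if not re.search(r"\b%s\b" % brand, text, re.I) or not LURE.search(text):
            continue
        if not in_domain(sender_host, domain):
            signals.append(f"{brand}:sender-not-{domain}")
        if any(not in_domain(urlsplit(u).hostname, domain) for u in URL.findall(body)):
            signals.append(f"{brand}:link-off-domain")
    return signals

if __name__ == "__main__":
    print(billing_lure_signals(PHISH), billing_lure_signals(GENUINE))
```
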
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.