Warning / Scams & fraud

Fake SOC2 Type II audit evidence-collection lure — "Auditor flagged 23 missing controls — re-upload evidence to portal in 5 business days or qualified opinion" via fake `app.drata.com` / `app.vanta.com` / `app.secureframe.com` lookalikes harvests admin SSO + cloud-IAM (AWS / GCP / Azure) credentials. SOC2 Type II rolling 12-month audit windows + the 2025-26 Vanta / Drata / Secureframe / TrustCloud GRC ecosystem give attackers a real and credible compliance pretext — even experienced CISOs can mistake the lookalike for a routine pre-audit evidence-collection reminder. Real SOC2 audit / evidence-collection flows go through the GRC vendor's verified domain (drata.com / vanta.com / secureframe.com / trustcloud.ai / aicpa.org) with In-Reply-To threading from an established auditor engagement, never via an inbound email link demanding evidence re-upload within 5 business days under qualified-opinion threat. B2B-CISO / IT-admin scope; SSO-credential-harvest cluster; SACRED `regulatory_filing`-adjacent. Source: GC1 R9 multi-agent council P1 (S5 SaaS specialist).

fake-soc2-type-ii-audit-evidence-collection-spoof

What this tier means

Warning signal — bulk / marketing / mild spam. Contributes to the trash score but is not by itself sufficient.

How Gorganizer detects this

Fake SOC2 Type II audit evidence-collection lure targeting CISOs, IT admins, GRC (Governance / Risk / Compliance) leads, and security-program owners. The phish narrative arrives as: "Auditor flagged 23 missing controls — re-upload evidence to portal in 5 business days or qualified opinion," or "Vanta / Drata / Secureframe Type II audit window — auditor reports 23 missing controls; re-upload evidence within 5 business days or your SOC2 Type II report will receive a qualified opinion." SOC2 Type II rolling 12-month audit windows + the 2025-26 Vanta / Drata / Secureframe / TrustCloud GRC ecosystem dominate the SaaS compliance market — most SaaS companies above ~50 employees run continuous SOC2 with one of these GRC vendors, lending the lure narrative immediate credibility (the vendor names, the Type II / audit-window / TSC-control vocabulary, and the qualified-opinion threat are part of every SOC2-program owner's working vocabulary). Lookalike `app.drata.com` / `app.vanta.com` / `app.secureframe.com` portals harvest admin SSO + cloud-IAM (AWS / GCP / Azure) credentials (catastrophic — the GRC vendor by design holds read-only cloud-IAM credentials to attest control state, and post-compromise an attacker pivots from the GRC SSO into the cloud-IAM keys, then into customer data, source code repositories, secrets managers, and production deploy pipelines). Real SOC2 audit / evidence-collection flows go through the GRC vendor's verified domain (drata.com / vanta.com / secureframe.com / trustcloud.ai / aicpa.org) with In-Reply-To threading from an established auditor engagement, never via an inbound email link demanding evidence re-upload within 5 business days under qualified-opinion threat. B2B-CISO / IT-admin scope; SSO-credential-harvest cluster; SACRED `regulatory_filing`-adjacent.

Fires when the body references SOC2 / Trust Services Criteria / TSC / CCx.x control numbers / AICPA / Type I or Type II / audit window / period / opinion / control deficiency / gap / Vanta / Drata / Secureframe / TrustCloud / evidence collection AND contains re-upload / missing / deficient / qualified-opinion / 5 business days / deadline / action-required urgency. Excludes drata.com, vanta.com, secureframe.com, trustcloud.ai, aicpa.org, app.drata.com, app.vanta.com, app.secureframe.com. Auto-classified as danger via the `-spoof` suffix. Source: GC1 R9 multi-agent council P1 (S5 SaaS specialist).
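As an added illustration (not Gorganizer's own code), the following Python reads the rule above literally and runs it over three constructed messages: a lookalike-portal lure, a genuine vendor notice that trips both term branches but is excluded, and an unrelated reminder. Keying the exclusion list on the From: address domain, and the sample addresses, bodies and `.example` hosts, are assumptions.

```python
import re
from email.utils import parseaddr

# Signal id from the page; Gorganizer auto-classifies the "-spoof" suffix as danger.
SIGNAL_ID = "fake-soc2-type-ii-audit-evidence-collection-spoof"
# Verified GRC / audit domains the rule excludes (list taken from the page).
VERIFIED_DOMAINS = {
    "drata.com", "vanta.com", "secureframe.com", "trustcloud.ai", "aicpa.org",
    "app.drata.com", "app.vanta.com", "app.secureframe.com",
}

# First AND-branch: SOC2 / TSC / GRC-vendor vocabulary.
SOC2_TERMS = re.compile(
    r"\b(soc ?2|trust services criteria|tsc|cc\d+\.\d+|aicpa|type (ii|i)"
    r"|audit (window|period|opinion)|control (deficiency|gap)"
    r"|vanta|drata|secureframe|trustcloud|evidence collection)\b", re.IGNORECASE)
# Second AND-branch: re-upload / deadline / qualified-opinion urgency.
URGENCY_TERMS = re.compile(
    r"\b(re-?upload|missing|deficient|qualified opinion|5 business days"
    r"|deadline|action required)\b", re.IGNORECASE)

def sender_domain(from_header: str) -> str:
    """Domain of the From: address; assumed here to be the exclusion key."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower()

def evaluate(from_header: str, body: str) -> dict:
    """Apply the rule and return the hit plus the matched terms for review."""
    excluded = sender_domain(from_header) in VERIFIED_DOMAINS
    soc2 = [m.group(0) for m in SOC2_TERMS.finditer(body)]
    urgency = [m.group(0) for m in URGENCY_TERMS.finditer(body)]
    fires = bool(soc2) and bool(urgency) and not excluded
    return {"signal": SIGNAL_ID if fires else None,
            "tier": "danger" if fires else None,   # "-spoof" suffix => danger
            "excluded_by_domain": excluded,
            "soc2_terms": soc2, "urgency_terms": urgency}

# Constructed sample messages (not real mail); ".example" hosts are placeholders.
PHISH_FROM = "SOC2 Audit Desk <auditor@evidence-portal.example>"
PHISH_BODY = ("Auditor flagged 23 missing controls in your SOC2 Type II audit window. "
              "Re-upload evidence at https://app-drata-com.example/login within "
              "5 business days or your report receives a qualified opinion.")
LEGIT_FROM = "Drata Notifications <notifications@drata.com>"
LEGIT_BODY = ("Your SOC2 Type II audit window closes next month. Action required: "
              "3 controls are missing evidence in the collection portal.")
BENIGN_FROM = "Facilities <facilities@corp.example>"
BENIGN_BODY = "Reminder: the quarterly all-hands slides are due Friday."

if __name__ == "__main__":
    for f, b in ((PHISH_FROM, PHISH_BODY), (LEGIT_FROM, LEGIT_BODY), (BENIGN_FROM, BENIGN_BODY)):
        print(f, "->", evaluate(f, b)["signal"])
```

The legitimate Drata notice matches both term branches and is suppressed only by the verified-domain exclusion, which is why a lookalike sender (and, in the real product, the other modules' scores) rather than the vocabulary alone decides the outcome.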

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a warning-tier signal — bulk / marketing / mild spam. It contributes to the trash score but never triggers deletion on its own. Gorganizer requires multiple signals + a margin over the safety floor before any email is moved to trash.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.

Ready to clean your inbox?

Gorganizer scans your Gmail with this signal and 1,800+ others, then cleans everything in one click. $4.99 one-time, no subscription.
