
Fake CA-issuer post-quantum cert reissuance lure — "Your TLS certificate must be reissued to ML-DSA-65 / Dilithium-III before CA/B Forum 2027 deadline" via spoofed Let's Encrypt / DigiCert / Sectigo / Entrust / GlobalSign / SSL.com. Sender NOT on the CA canonical-allowlist (letsencrypt.org, digicert.com, sectigo.com, entrust.com, globalsign.com, ssl.com, identrust.com, godaddy.com, certum.eu, cabforum.org, ietf.org, nist.gov) and NOT under the .gov umbrella. Real CA renewals are ACME-driven or come through the issuer's portal, never via inbound email link demanding cert reissuance under a PQC-migration deadline. Distinct from `pqc-hndl-extortion-lure` (R9 batch 1, ransom variant) and `pqc-certificate-migration-phishing` — this signal specifically targets the cert-reissuance pretext aimed at site operators / DevOps. Niche but high-blast-radius (cert MITM downstream). Source: Red-Team R9 multi-agent council S1 (post-quantum specialist), Lead consensus C1 dissent S1-C.

pqc-cert-reissuance-spoof-lure

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

Fake CA-issuer post-quantum cert reissuance lure targeting site operators / DevOps / IT-admin staff. The phish narrative arrives as: "Per CA/B Forum 2027 post-quantum migration deadline, your TLS certificate must be reissued to ML-DSA-65 / Dilithium-III before the quantum decryption window closes. Click here to begin the cert reissuance process within 7 days or your certificate will be revoked," or "DigiCert / Sectigo / Entrust — your TLS certificate needs upgrade to a post-quantum signature algorithm (ML-DSA / Dilithium / SLH-DSA / SPHINCS+). Submit reissuance request within 14 days or your cert will be revoked under CA/B Forum 2027 deadline."

The ratification (Aug 2024) of NIST FIPS 203 (ML-KEM/Kyber), FIPS 204 (ML-DSA/Dilithium) and FIPS 205 (SLH-DSA/SPHINCS+), together with public CA/B Forum guidance on a forthcoming PQ-cert migration timeline and IETF hybrid PQ TLS draft progress, gives attackers a real and credible regulatory pretext.

Lookalike CA-issuer portals harvest two kinds of credentials. The first is CA-account credentials: post-compromise, an attacker can issue lookalike certificates for the victim's domains, enabling silent in-line MITM of every TLS connection until detected. The second is DNS / domain-control credentials: the CA challenge-response uses DNS / HTTP-01 / TLS-ALPN-01, so portal compromise can in turn lead to DNS takeover.

Real CA renewals are ACME-driven (automated, no inbound email link) or come through the issuer's portal accessed via the customer's pre-existing credentials, never via an inbound email link demanding cert reissuance under a PQC-migration deadline. This signal is distinct from `pqc-hndl-extortion-lure` (R9 batch 1, ransom variant) and `pqc-certificate-migration-phishing`: it specifically targets the cert-reissuance pretext aimed at site operators / DevOps. Niche but high-blast-radius (cert MITM downstream → silent decryption of every TLS session).
Fires when the body matches all three of the following groups: (1) a certificate reference: TLS / SSL certificate / Let's Encrypt / DigiCert / Sectigo / Entrust / GlobalSign / CA/B Forum / certificate authority / cert (reissuance/reissue/renewal/upgrade/rotation); AND (2) post-quantum framing: ML-DSA(-44/65/87) / Dilithium(-II/III/2/3/5) / SLH-DSA / SPHINCS+ / post-quantum / PQC / hybrid PQ / FIPS 203-205; AND (3) urgency: reissue / reissuance / upgrade / migrate / migrat(e/ion) / deadline / revoke(d) / expir(y/e/es/ed) / within N hours-days / action required. Excludes senders at letsencrypt.org, digicert.com, sectigo.com, entrust.com, globalsign.com, ssl.com, identrust.com, godaddy.com, certum.eu, cabforum.org, ietf.org, nist.gov, csrc.nist.gov, and the broader .gov umbrella. Auto-classified as danger via the `-lure` suffix. Source: Red-Team R9 multi-agent council S1 (post-quantum specialist), Lead consensus C1 + dissent S1-C.
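The firing rule above, sketched as an added example (not Gorganizer's own code). The allowlist is copied from this page; the regexes, function names and sample messages are assumptions made for illustration, and the result is this one signal's match only, not a verdict.

```python
import re
from email.utils import parseaddr

# Excluded sender domains, copied from the signal description.
CA_ALLOWLIST = {
    "letsencrypt.org", "digicert.com", "sectigo.com", "entrust.com",
    "globalsign.com", "ssl.com", "identrust.com", "godaddy.com", "certum.eu",
    "cabforum.org", "ietf.org", "nist.gov", "csrc.nist.gov",
}

# Assumed regex approximations of the three keyword groups (hypothetical).
GROUPS = {
    "cert": re.compile(
        r"\b(?:TLS|SSL|DigiCert|Sectigo|Entrust|GlobalSign)\b|Let['’]s\s+Encrypt"
        r"|CA/B\s+Forum|certificate\s+authority"
        r"|\bcert(?:ificate)?\s+(?:reissu(?:e|ance)|renewal|upgrade|rotation)", re.I),
    "pqc": re.compile(
        r"\bML-DSA(?:-(?:44|65|87))?\b|\bDilithium|\bSLH-DSA\b|SPHINCS\+"
        r"|post[- ]quantum|\bPQC\b|hybrid\s+PQ|FIPS\s*20[345]\b", re.I),
    "urgency": re.compile(
        r"\breissu(?:e|ance)|\bupgrade|\bmigrat(?:e|ion)|\bdeadline|\brevoked?\b"
        r"|\bexpir(?:y|es?|ed)\b|within\s+\d+\s+(?:hours?|days?)|action\s+required", re.I),
}

def sender_excluded(from_header: str) -> bool:
    """True if the address domain (not the display name) is allowlisted or .gov."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower().rstrip(".")
    if not domain:
        return False  # unparseable sender gets no exemption
    if domain.endswith(".gov"):
        return True
    # Exact or true-subdomain match only, so "digicert.com.evil.example" fails.
    return any(domain == d or domain.endswith("." + d) for d in CA_ALLOWLIST)

def signal_fires(from_header: str, body: str) -> bool:
    """All three keyword groups must match and the sender must not be excluded."""
    if sender_excluded(from_header):
        return False
    return all(rx.search(body) for rx in GROUPS.values())

# Constructed sample messages (not real mail).
LURE = ("Per CA/B Forum 2027 post-quantum migration deadline, your TLS certificate "
        "must be reissued to ML-DSA-65 within 7 days or it will be revoked.")
ROUTINE = "Your TLS certificate for example.org expires in 20 days."

if __name__ == "__main__":
    print(signal_fires("DigiCert <noreply@digicert.com.pqc-reissue.example>", LURE))
    print(signal_fires("DigiCert <notices@digicert.com>", LURE))
    print(signal_fires("ops@hosting.example", ROUTINE))
```

The exemption is decided on the parsed address domain, so a "DigiCert" display name or an allowlisted name used as a subdomain label of another domain earns nothing.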

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
