Fake corporate-IT post-quantum VPN rekey attachment lure: "VPN client must be rekeyed to ML-KEM-768 by Friday — install attached profile", sent with an attached `.mobileconfig` / `.ovpn` / WireGuard config whose peer is the attacker. Sender NOT on the VPN / MDM canonical-allowlist (cisco.com, meraki.com, paloaltonetworks.com, fortinet.com, f5.com, ivanti.com, pulsesecure.net, checkpoint.com, sonicwall.com, wireguard.com, openvpn.net, tailscale.com, zerotier.com, twingate.com, cloudflare.com, zscaler.com, netskope.com, microsoft.com, apple.com, jamf.com, kandji.io, mosyle.com). Real corporate VPN profiles ship through the MDM (Intune, JAMF, Workspace ONE, Kandji) or the canonical vendor app, never via an inbound email link demanding installation of an attached profile. Distinct from `pqc-cert-reissuance-spoof-lure` (CA-cert pretext, R9 batch 2) and `pqc-hndl-extortion-lure` (ransom variant, R9 batch 1): this signal is specifically the corporate VPN-attachment / PQ KEM rekey pretext. Source: Red-Team R9 multi-agent council S1 (post-quantum specialist).
pqc-vpn-rekey-attachment-lure
What this tier means
High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.
How Gorganizer detects this
Fake corporate-IT post-quantum VPN rekey attachment lure targeting staff who use the corporate VPN, with a request to "install the attached VPN profile to rekey to ML-KEM-768 / Kyber-768 hybrid post-quantum encryption by Friday."
The attached `.mobileconfig` (iOS / macOS), `.ovpn` (OpenVPN), WireGuard `.conf`, or IPsec configuration profile points at an attacker peer endpoint. Installing it grants persistent traffic routing through attacker infrastructure, with full traffic-inspection and credential-harvesting capability.
Several developments drove the corporate "we must migrate VPN to PQ KEM" narrative and lend the spoof immediate credibility: NIST FIPS 203 (ML-KEM/Kyber) ratification (Aug 2024), IETF Hybrid PQ TLS draft progress, Cloudflare's X25519MLKEM768 default (2024), Apple iMessage PQ3 (2024), and the Google Workspace PQ-Sigs beta (2025).
Real corporate VPN profile updates ship through the corporate MDM (Microsoft Intune, JAMF, VMware Workspace ONE, Kandji, Mosyle) or the canonical vendor app (Cisco AnyConnect, Palo Alto GlobalProtect, F5 BIG-IP Edge, Pulse Secure / Ivanti, Fortinet FortiClient, WireGuard official, OpenVPN Connect), never via an inbound email link with an attached `.mobileconfig` / `.ovpn` / WireGuard config demanding install on a deadline.
Sender NOT on the VPN / MDM canonical-allowlist (cisco.com, meraki.com, paloaltonetworks.com, fortinet.com, f5.com, ivanti.com, pulsesecure.net, checkpoint.com, sonicwall.com, wireguard.com, openvpn.net, tailscale.com, zerotier.com, twingate.com, cloudflare.com, zscaler.com, netskope.com, microsoft.com, apple.com, jamf.com, kandji.io, mosyle.com).
Distinct from `pqc-cert-reissuance-spoof-lure` (CA-cert pretext, R9 batch 2) and `pqc-hndl-extortion-lure` (ransom variant, R9 batch 1): this signal is specifically the corporate VPN-attachment / PQ KEM rekey pretext.
Fires when the body references a term from each of the following three groups (all three are required):
Post-quantum term: ML-KEM(-512/768/1024) / Kyber(-512/768/1024) / hybrid PQ / post-quantum / PQC / X25519MLKEM(768) / FIPS 203 / hybrid (kex/handshake/key-exchange)
AND VPN term: VPN (client/profile/config/configuration/session/access/connection) / Wireguard / OpenVPN / AnyConnect / GlobalProtect / mobileconfig / .mobileconfig / .ovpn / .conf / tunnel / IPsec / IKEv2
AND action or urgency term: rekey / re-key / install (the/attached/profile/config/configuration) / attached (vpn) (profile/config/configuration/file) / configuration (has been) updated / profile (has been) updated / within N hours-days / 24 hours / 48 hours / by (Friday/Monday/etc/EOD/tomorrow) / terminated / disabled / action required / mandatory urgency.
Excludes the canonical VPN / MDM domains. Auto-classified as danger via the `-lure` suffix. Source: Red-Team R9 multi-agent council S1 (post-quantum specialist).
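A minimal sketch of the three-group AND rule and the allowlist exclusion described above, added here as an illustration and not Gorganizer's own code. The regexes only approximate the listed terms; the names `fires` and `sender_allowlisted`, the sample messages and their placeholder domains are assumptions, and the sender address is assumed to be already authenticated (SPF/DKIM/DMARC).

```python
import re
# Canonical VPN / MDM sender domains, copied from the signal description above.
ALLOWLIST = {
    "cisco.com", "meraki.com", "paloaltonetworks.com", "fortinet.com", "f5.com",
    "ivanti.com", "pulsesecure.net", "checkpoint.com", "sonicwall.com",
    "wireguard.com", "openvpn.net", "tailscale.com", "zerotier.com",
    "twingate.com", "cloudflare.com", "zscaler.com", "netskope.com",
    "microsoft.com", "apple.com", "jamf.com", "kandji.io", "mosyle.com",
}

# One regex per term group; all three must match (approximations of the rule text).
PQ = re.compile(
    r"ml-?kem|kyber|post[- ]quantum|\bpqc\b|hybrid\s+pq|x25519mlkem|fips\s*203"
    r"|hybrid\s+(kex|handshake|key[- ]exchange)", re.I)
VPN = re.compile(
    r"\bvpn\s+(client|profile|config(uration)?|session|access|connection)\b"
    r"|wireguard|openvpn|anyconnect|globalprotect|mobileconfig|\.ovpn\b|\.conf\b"
    r"|\btunnel\b|\bipsec\b|\bikev2\b", re.I)
ACTION = re.compile(
    r"\bre-?key|\binstall\s+(the|attached|profile|config(uration)?)\b"
    r"|\battached\s+(vpn\s+)?(profile|config(uration)?|file)\b"
    r"|\b(configuration|profile)\s+(has\s+been\s+)?updated\b"
    r"|\bwithin\s+\d+\s+(hours?|days?)\b|\b(24|48)\s+hours\b"
    r"|\bby\s+(mon|tues|wednes|thurs|fri|satur|sun)day\b|\bby\s+(eod|tomorrow)\b"
    r"|\b(terminated|disabled|action\s+required|mandatory)\b", re.I)

def sender_allowlisted(address: str) -> bool:
    """Exact domain or true subdomain only, so cisco.com.evil.example fails."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in ALLOWLIST)

def fires(sender: str, body: str) -> bool:
    """True when all three term groups match and the sender is not allowlisted."""
    return (all(p.search(body) for p in (PQ, VPN, ACTION))
            and not sender_allowlisted(sender))

# Constructed sample messages (sender, body); the domains are placeholders.
LURE = ("Your VPN client must be rekeyed to ML-KEM-768 by Friday. "
        "Install the attached profile.")
SAMPLES = [
    ("it-desk@corp-helpdesk.example", LURE),  # all groups, unknown sender
    ("admin@cisco.com.evil.example", LURE),   # lookalike of an allowlisted domain
    ("noreply@jamf.com", LURE),               # allowlisted sender
    ("news@newsletter.example", "NIST finalized FIPS 203 (ML-KEM) in August 2024."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, fires(sender, body))
```

In the pipeline this page describes, a hit like this would only contribute to the trash score and would not decide the verdict on its own.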
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.