Pride Month does not begin until June 1, 2026, but scammers have already begun targeting employees with Pride themed phishing emails, getting ahead of the calendar.

Organisations are being targeted in a phishing campaign that uses Pride Month and diversity messaging to trick employees into handing over login details. According to threat intelligence from Mimecast, the attackers are using those themes to pressure employees into clicking links and entering credentials, while hiding behind trusted email infrastructure.

Mimecast researchers first identified the activity in mid-December 2025, months before Pride Month, indicating the campaign was planned well in advance. As per the company's findings shared with Hackread.com today, the UK has been hit harder than many peers.

Mimecast data shows that around 21% of all targeted organisations are UK-based, placing it among the most affected countries alongside the United States. Organisations across several industries have been targeted, with attackers adjusting their sector focus over time.

The campaign uses messages designed to look like routine internal communications. They claim that Pride-themed email branding will be rolled out by management and offer an opt-out option whose link leads to a malicious page.

The setup works regardless of personal views. Employees who support diversity initiatives click to read more. Those who oppose them click to opt out. Either way, the attacker gets engagement before the recipient pauses to question the message.

It is worth noting that attackers distribute the malicious emails through compromised SendGrid accounts, using the trusted platform to scale delivery and evade detection. The scam then redirects victims to SendGrid lookalike pages designed for credential theft.

Pride Month Phishing Targets Employees via Trusted Email Services
Actual malicious message – Screenshot via Mimecast Threat Research Team

Two-Stage Activity

The activity appeared in two stages. The first, in December 2025, targeted 504 organisations, mostly in financial services and consulting. It looked like a testing phase. The second wave in January 2026 escalated sharply, expanding to 4,768 organisations across the US, UK, Germany, Australia, South Africa, Canada, and other regions. Industry focus broadened to include IT, SaaS, and retail, while financial services remained a priority.

January messages also showed the scammers refining their lures. Subject lines began using persona-based prefixes, suggesting impersonation of specific individuals to boost credibility and slip past filtering. Victims were routed through CAPTCHA pages before landing on credential-harvesting sites, a tactic commonly used to stop automated scanners from reaching the final page.
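The combination described above (a message relayed through genuine SendGrid infrastructure, an internal-policy lure with an opt-out link, and a destination that only imitates SendGrid) is something a mail-security team can check for at the gateway without following the link, which matters because the CAPTCHA gate means a URL sandbox may never see the real phishing page. The following triage heuristic is an added example written for this article; it is not Mimecast's detection logic, and the two sample messages, the header values, the allow-list of SendGrid-owned domains and the lure vocabulary are all constructed assumptions.

```python
"""Gateway triage heuristic for the SendGrid-relayed, opt-out-lure phish.

Added example, not Mimecast's detection code. Everything below (sample
messages, allow-list, lure terms) is constructed for illustration.
"""
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Assumption: treat only these registered domains as genuinely SendGrid-owned.
LEGIT_SENDGRID_DOMAINS = {"sendgrid.net", "sendgrid.com"}
BRAND = "sendgrid"
# Lure vocabulary drawn from the campaign description: a policy rollout with an opt-out.
LURE_TERMS = ("opt out", "opt-out", "pride", "branding", "rolled out", "rollout")
# Cheap homoglyph/noise normalisation so "sendgr1d-branding" still reads as "sendgrid".
HOMOGLYPHS = str.maketrans({"0": "o", "1": "i", "l": "i", "3": "e", "5": "s", "-": "", "_": ""})
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). A production tool would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def looks_like_brand(host: str) -> bool:
    """True when any label imitates the brand and the host is not on the allow-list."""
    if registered_domain(host) in LEGIT_SENDGRID_DOMAINS:
        return False
    for label in host.lower().split("."):
        norm = label.translate(HOMOGLYPHS)
        if BRAND in norm or SequenceMatcher(None, norm, BRAND).ratio() >= 0.8:
            return True
    return False


def relayed_via_sendgrid(msg) -> bool:
    """Relay evidence: sendgrid.net in the Received chain, or SendGrid's X-SG-EID tracking header
    (assumption: the header is present on mail sent through the platform)."""
    received = " ".join(msg.get_all("Received", [])).lower()
    return "sendgrid.net" in received or msg.get("X-SG-EID") is not None


def triage(raw: str) -> dict:
    """Return relay, lookalike-link and lure findings plus a verdict for one RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    hosts = {urlparse(u).hostname for u in URL_RE.findall(text)}
    lookalikes = sorted(h for h in hosts if h and looks_like_brand(h))
    lure_hits = [t for t in LURE_TERMS if t in text.lower()]
    findings = {
        "via_sendgrid": relayed_via_sendgrid(msg),
        "lookalike_hosts": lookalikes,
        "lure_terms": lure_hits,
    }
    # Trusted relay plus a lookalike destination is the campaign's signature;
    # lure wording alone only earns a manual review.
    if findings["via_sendgrid"] and lookalikes:
        findings["verdict"] = "suspicious"
    elif lookalikes or len(lure_hits) >= 2:
        findings["verdict"] = "review"
    else:
        findings["verdict"] = "benign"
    return findings


# Constructed sample modelled on the lure described in the article; not a captured message.
PHISH = """\
Received: from o1.ptr1234.example.sendgrid.net (o1.ptr1234.example.sendgrid.net [192.0.2.10])
 by mx.example.org with ESMTPS; Thu, 15 Jan 2026 09:12:03 +0000
X-SG-EID: constructed-example-1
From: "HR Communications" <hr@example-corp.com>
To: staff@example.org
Subject: Action required: Pride Month email branding rollout
Content-Type: text/plain; charset=utf-8

Starting next month, management will roll out Pride-themed email branding
for all staff. To opt out, confirm your preference here:
https://sendgr1d-branding.example/optout
"""

# Constructed benign message sent through the same platform, for contrast.
BENIGN = """\
Received: from o2.ptr5678.example.sendgrid.net (o2.ptr5678.example.sendgrid.net [192.0.2.11])
 by mx.example.org with ESMTPS; Thu, 15 Jan 2026 10:00:00 +0000
X-SG-EID: constructed-example-2
From: "Example Newsletter" <news@example-corp.com>
To: staff@example.org
Subject: January product newsletter
Content-Type: text/plain; charset=utf-8

Read this month's release notes at https://www.example-corp.com/news
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(name, triage(raw))
```

The relay check is deliberately not a signal on its own: plenty of legitimate mail arrives via SendGrid, which is exactly why the attackers chose it. If the tenant enables SendGrid click tracking, links in the body will be wrapped in a sendgrid.net tracking URL and the lookalike host only appears after the redirect, so a gateway rule would need to unwrap those before applying `looks_like_brand`.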

While it is unclear which threat actor group is behind this campaign, the techniques line up with activity linked to Scattered Spider, CryptoChameleon, and PoisonSeed. Mimecast researchers also pointed to a growing pattern of attackers targeting email and CRM platforms such as SendGrid, Mailchimp, and HubSpot, which, once compromised, become platforms for phishing, spam, and further credential harvesting.

Mimecast says it has deployed detection capabilities to identify campaigns abusing legitimate email services and continues to track new domain variants linked to this activity.

Nevertheless, technology alone is unlikely to stop similar attacks. User awareness remains critical. Employees should treat unexpected policy updates with caution, especially when they ask for action through an external link. Verifying such messages through HR or IT teams can be the difference between a blocked attempt and a full account compromise.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in the cybersecurity and tech world. I am also into gaming, reading and investigative journalism.