Fake CFTC + NFA Form CPO-PQR (Commodity Pool Operator quarterly pool reports) / CTA-PR (Commodity Trading Advisor quarterly reports) filing-rejection lure — "EasyFile rejection — re-submit pool risk metrics within 7 days or NFA registration suspended" via fake `easyfile.nfa.futures.org` harvests CPO/CTA principal credentials + AUM (assets under management) data. Q1 due May 15, 2026 post-2024 amendments expanding pool reporting. Targets commodity-pool-operator + commodity-trading-advisor + swap-dealer principals. Real CFTC / NFA filings go through cftc.gov / nfa.futures.org / easyfile.nfa.futures.org / sec.gov portals with NFA-issued credentials, never via inbound email link demanding re-submission of pool-risk metrics under a 7-day suspension threat. B2B-fundmgr scope; quarterly-cycle cluster; SACRED `regulatory_filing` guard. Source: GC1 R9 multiagent council P1 (S1 fin specialist).

Fake CFTC + NFA Form CPO-PQR (Commodity Pool Operator quarterly pool reports) / CTA-PR (Commodity Trading Advisor quarterly reports) filing-rejection lure targeting commodity-pool-operator and commodity-trading-advisor principals + swap dealers + their compliance staff. The phish narrative arrives as: "EasyFile rejection — re-submit pool risk metrics within 7 days or NFA registration suspended," or "CFTC Form CPO-PQR Q1 2026 filing was rejected; re-submit pool risk metrics through EasyFile within 7 business days or your NFA registration will be suspended." Q1 due May 15, 2026 post-2024 amendments expanding pool reporting (the CFTC and NFA jointly amended the Form CPO-PQR / CTA-PR schemas in 2024 to capture additional pool-level risk metrics, AUM by strategy, and counterparty-exposure data; the first quarter under the expanded schema was Q1 2026 due May 15), giving attackers a fresh and credible regulatory pretext. Lookalike `easyfile.nfa.futures.org` / NFA-portal lookalikes harvest CPO/CTA principal credentials (NFA SSO post-compromise gives an attacker the ability to file fraudulent quarterly reports concealing downstream losses, withdraw from the registry, or modify principal-of-record contact information to redirect future regulatory correspondence) plus AUM (assets under management) data and counterparty exposure inputs that downstream phishers can use for whaling. Real CFTC / NFA filings go through cftc.gov / nfa.futures.org / easyfile.nfa.futures.org / sec.gov portals using NFA-issued credentials, never via inbound email link demanding re-submission of pool-risk metrics under a 7-day suspension threat. B2B-fundmgr (commodity pool operator + commodity trading advisor + swap dealer) scope; quarterly-cycle cluster; SACRED `regulatory_filing` guard. Fires when body references CFTC / NFA / CPO-PQR / CTA-PR / EasyFile / commodity pool / managed futures / swap dealer / Form 40 AND contains rejected / re-submit / suspend / deficient / deadline / 7-days-or-7-business-days / action-required urgency. Excludes cftc.gov, nfa.futures.org, easyfile.nfa.futures.org, sec.gov, and the broader .gov umbrella. Auto-classified as danger via the `-spoof` suffix. Source: GC1 R9 multi-agent council P1 (S1 fin specialist).