Threat / Phishing & impersonation

Fake Datadog / New Relic observability and APM platform subscription payment failed, licenses suspended, monitoring and dashboards disabled, or APM access no longer active phishing

fake-datadog-newrelic-observability-apm-billing-phish

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

Phishing emails impersonating Datadog or New Relic claiming the observability and APM platform subscription payment has failed, licenses are suspended, monitoring and dashboards are disabled, or APM access is no longer active — directing victims to update billing through a credential-harvesting portal. This is a distinct attack category targeting the observability layer that every engineering team depends on for production health visibility: Datadog is the dominant cloud monitoring platform and New Relic is the leading full-stack observability platform for digital businesses.

Key facts:

(1) Datadog serves 28,000+ customers ($30,000-$3,000,000+/year), including 26 of the Fortune 100, as the unified cloud monitoring platform covering infrastructure monitoring (hosts, containers, Kubernetes), APM (application performance monitoring with distributed tracing), log management, security monitoring, and synthetic testing. A Datadog 'licenses no longer active' email implies that all real-time dashboards showing service health, all APM traces showing request latency, all log indexing, and all alerting/paging integrations are simultaneously offline; for engineering teams with 24/7 on-call rotations, losing Datadog means the on-call engineer has no visibility into production during an incident.

(2) The 'monitoring disabled' hook creates urgency calibrated to engineering culture: engineering teams that have been paged at 2 AM because Datadog detected a spike immediately recognize 'monitoring access disabled' as a production risk — there is always a recent incident fresh in memory where Datadog caught something that would have been catastrophic if missed.

(3) New Relic serves 14,000+ customers ($25,000-$1,500,000+/year) as the full-stack observability platform, particularly strong in digital business metrics. New Relic One provides Application Performance Monitoring, Browser monitoring (frontend JavaScript error tracking), Mobile monitoring, Infrastructure monitoring, and New Relic AI for anomaly detection; a New Relic 'APM access suspended' email is credible because New Relic has a well-known licensing model (per-user seats) and organizations frequently manage license counts.

(4) Both platforms are deeply integrated into incident response workflows: Datadog and New Relic push alerts to PagerDuty, Opsgenie, Slack, and VictorOps. A platform 'suspension' email timed to arrive when a recent incident has already triggered alerts creates a scenario where the engineer receiving the email is already in incident response mode and is less likely to scrutinize the sender domain carefully.

(5) Datadog and New Relic credentials expose the complete service health intelligence architecture: every monitored service and infrastructure resource, revealing the complete production topology; all APM trace data showing service dependencies and latency distributions; all alert configurations showing what production thresholds trigger pages; all dashboard configurations showing what KPIs the engineering team considers important; and the API keys used to integrate monitoring with deployment pipelines, incident management platforms, and CI/CD systems.

Warning signs: the sender domain is not datadoghq.com or newrelic.com. Genuine Datadog billing is at app.datadoghq.com/billing; genuine New Relic billing is at one.newrelic.com/admin-portal/billing.
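
The warning signs above (sender domain and billing link host) expressed as a check over a raw message, as an added example that is not Gorganizer's own detection code. The lure phrase list, the function names and the two sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Brand name -> legitimate domain, taken from the warning signs above.
BRANDS = {"datadog": "datadoghq.com", "new relic": "newrelic.com"}
# Billing-lure phrases paraphrased from the pattern description (constructed list).
LURES = ("payment failed", "payment has failed", "suspended", "disabled",
         "no longer active", "update billing")

def in_domain(host, domain):
    # Exact or subdomain match only, so "datadoghq.com.evil.example" does not pass.
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def body_text(msg):
    parts = [p for p in msg.walk() if p.get_content_maintype() == "text"]
    return "\n".join(p.get_payload(decode=True).decode(
        p.get_content_charset() or "utf-8", "replace") for p in parts)

def warning_signs(raw):
    """Return the warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    body = body_text(msg)
    text = " ".join((display, msg.get("Subject", ""), body)).lower()
    signs = []
    for brand, domain in BRANDS.items():
        if brand not in text or not any(lure in text for lure in LURES):
            continue  # not a billing-themed message naming this brand
        if not in_domain(sender_host, domain):
            signs.append(f"{brand}: sender domain {sender_host} is not {domain}")
        for url in re.findall(r"https?://[^\s\"'<>]+", body):
            host = urlsplit(url).hostname
            if not in_domain(host, domain):
                signs.append(f"{brand}: link host {host} is outside {domain}")
    return signs

# Constructed samples: a lookalike sender, and the same notice from the real domain.
PHISH = ('From: "Datadog Billing" <billing@datadoghq.com.billing-update.example>\n'
         "Subject: Payment failed: monitoring and dashboards disabled\n\n"
         "Update billing: https://app.datadoghq.com.billing-update.example/billing\n")
LEGIT = ("From: Datadog <billing@datadoghq.com>\n"
         "Subject: Payment failed for your subscription\n\n"
         "Update billing at https://app.datadoghq.com/billing\n")
```

The returned list is meant to feed a score alongside other signals, since a legitimate notice can also carry links to third-party hosts.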

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
