Threat: Phishing & impersonation

Fake HashiCorp Vault / Terraform Cloud infrastructure and secrets management subscription payment failed, licenses no longer active, workspace access suspended, or infrastructure access disabled phishing

fake-hashicorp-vault-terraform-cloud-infra-billing-phish

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

Phishing emails impersonating HashiCorp or Terraform Cloud claim that the infrastructure and secrets management subscription payment has failed, licenses are no longer active, workspace access is suspended, or Vault/Terraform Cloud access is disabled, and direct victims to update billing through a credential-harvesting portal.

This is a distinct attack category targeting the infrastructure-as-code and secrets management layer that underlies every cloud deployment: HashiCorp Terraform Cloud is the dominant managed IaC platform for provisioning cloud infrastructure, and HashiCorp Vault is the industry-standard secrets management and PKI platform for enterprise security teams.

Key facts:

(1) HashiCorp (acquired by IBM for $6.4B in 2024) serves 3,500+ paying enterprise customers with Terraform Cloud ($20/user/month Business, $70/user/month Plus) and Vault Enterprise ($30,000-$1,000,000+/year). Terraform Cloud manages the remote state and collaborative infrastructure workflows for organizations running infrastructure across AWS, Azure, GCP, and on-premises; a 'Terraform Cloud workspace access suspended' email implies that all infrastructure provisioning pipelines are halted and the Terraform state files (which describe every cloud resource in the organization) are inaccessible.

(2) The workspace suspension hook targets a specific DevOps workflow pain point: Terraform Cloud workspaces are tied to VCS branches (GitHub, GitLab); a workspace suspension means pull requests that trigger infrastructure planning stop working, breaking the GitOps workflow that modern DevOps teams depend on.

(3) HashiCorp Vault stores the most sensitive credentials in every organization: database passwords, cloud provider credentials (AWS IAM keys, Azure service principal secrets), TLS certificates, SSH signing keys, and API tokens for every third-party service. A Vault license suspension creates a Tier 0 incident because every service that dynamically fetches secrets from Vault immediately loses access.

(4) Terraform state files exposed through a credential compromise reveal the complete cloud infrastructure topology: every AWS account, every VPC, every database, every IAM role, every Kubernetes cluster, every load balancer, and their relationships. This is essentially a complete blueprint for lateral movement through the cloud environment.

Warning signs: the sender domain is not hashicorp.com or terraform.io; genuine HashiCorp billing is managed at app.terraform.io/app/settings/billing.
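The warning signs above expressed as a check, as an added example that is not Gorganizer's own code: a single-part plain-text message is flagged only when a HashiCorp brand mention, a billing or suspension lure, and an off-domain sender or link coincide. The regex phrasings, function names and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the page names as genuine for HashiCorp mail and billing.
LEGIT_DOMAINS = ("hashicorp.com", "terraform.io")
BRAND = re.compile(r"hashicorp|terraform cloud|\bvault\b", re.I)
# Lure themes from the signal description; exact phrasings are assumptions.
LURE = re.compile(
    r"payment (has )?failed|licen[sc]es? (are )?no longer active|"
    r"(workspace|infrastructure) access (is |has been )?(suspended|disabled)|"
    r"update (your )?billing", re.I)
URL = re.compile(r"https?://[^\s\"'<>)]+", re.I)
# Constructed sample messages (not real mail); .example is a reserved TLD.
PHISH = (
    'From: "HashiCorp Billing" <billing@hashicorp-billing.example>\n'
    "Subject: Terraform Cloud workspace access suspended\n\n"
    "Your subscription payment failed. Update billing at "
    "https://portal.hashicorp-billing.example/login\n")
GENUINE = (
    "From: HashiCorp <billing@hashicorp.com>\n"
    "Subject: Terraform Cloud payment failed\n\n"
    "Review at https://app.terraform.io/app/settings/billing\n")

def under(host):
    """True if host is a legitimate domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def assess(raw):
    """Return the names of the indicators that fire for one raw message."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()
    text = "\n".join([msg.get("From", ""), msg.get("Subject", ""), body])
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    hosts = {urlparse(u).hostname for u in URL.findall(body)}
    checks = [
        ("brand_mentioned", bool(BRAND.search(text))),
        ("billing_suspension_lure", bool(LURE.search(text))),
        ("sender_off_domain", not under(sender)),
        ("link_off_domain", any(not under(h) for h in hosts)),
    ]
    return [name for name, fired in checks if fired]

def is_suspect(raw):
    """Require brand + lure + at least one off-domain indicator together."""
    hits = set(assess(raw))
    return {"brand_mentioned", "billing_suspension_lure"} <= hits and bool(
        hits & {"sender_off_domain", "link_off_domain"})
```

The From header is spoofable, so an on-domain sender should be weighed together with SPF/DKIM/DMARC results rather than trusted on its own.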

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
