Overview
An active phishing campaign is impersonating Lowe's Home Improvement with emails promising a free Kobalt Tool Set, Gorilla Carts, or Kobalt Garden Tool Set giveaway. Messages arrive with the spoofed display name Lowe's and envelope address offers@lowes.com — but they are not from Lowe's.
OpenEFA has observed this campaign continuously since March 20, 2026, with dozens of attempts per week aimed at our customer base. All messages originate from infrastructure in the United Kingdom and fail SPF, DKIM, and DMARC; legitimate mail from lowes.com would pass all three.
If you see one of these in your quarantine, do not release it. The email score averages 93+ on OpenEFA's spam scale (well above the quarantine threshold). Releasing it trains the filter in the wrong direction and exposes you to the scam.
Known Campaign Variants
Variant A: Kobalt Tool Set
By far the most prevalent variant. Subject line announces the recipient has been "selected" for a free Kobalt Tool Set. Kobalt is Lowe's private-label tool brand, so the brand association is plausible on its face. The message body offers a time-limited claim link leading to a credential-harvesting or payment-capture landing page.
Typical subject: 🎉 Congratulations! You've been selected for a Kobalt Tool Set
Variant B: Gorilla Carts
A rotation variant using the Gorilla Carts brand (utility carts commonly sold at Lowe's). The attack infrastructure, sender pattern, and landing-page flow are identical to Variant A; only the prize is swapped. This indicates a template kit that the operators rotate periodically to evade subject-line filters.
Typical subject: 🎉 Congratulations! You've been chosen for Gorilla Carts
Variant C: Kobalt Garden Tool Set
A seasonal variant swapping in a Kobalt garden / outdoor tool bundle. Same spoofed sender, same UK origin, same landing-page kit. Expect additional rotations through other Lowe's-adjacent brands (e.g., CRAFTSMAN, Bosch, DeWalt) as the campaign continues.
Typical subject: 🎉 Exclusive Opportunity: Claim Your Kobalt Garden Tool Set
Common Characteristics
All variants share the same attack fingerprint:
- Spoofed envelope address — Lowe's <offers@lowes.com>, with noreply.lowes.com, notifications.lowes.com, and confirmation.lowes.com also observed. The attackers forge the lowes.com domain in the envelope sender and the From header, but the sending server does not belong to Lowe's.
- Fails SPF — Lowe's publishes SPF records that list authorized sending IPs. The campaign's UK infrastructure is not on that list.
- Fails DKIM — Real Lowe's email carries a valid lowes.com DKIM signature. The spoofed messages have no valid signature.
- Fails DMARC — With both SPF and DKIM failing, the DMARC verdict is fail; a recipient that enforces the domain's published DMARC policy should reject or quarantine on authentication alone.
- Celebration-emoji subject prefix — A party-popper (🎉) or similar emoji leads the subject line, a hallmark of bulk-template prize scams.
- UK-origin infrastructure — All observed sending IPs geolocate to the United Kingdom, not Lowe's US infrastructure.
- "Congratulations / selected / chosen" language — Prize-notification phrasing without any prior drawing, entry, or loyalty-program action on the recipient's part.
- Urgency cue — Short claim window to short-circuit careful thinking.
- High OpenEFA score — Average 93+ / max above 110, placing every message well above every client's quarantine threshold.
Red Flags to Watch For
- You did not enter a drawing. Real retailers do not award prizes to people who never entered a promotion. A "you've been selected" email out of the blue is a scam by construction.
- The From address alone is not proof of identity. The From header is trivially forgeable. Authentication (SPF, DKIM, DMARC) is what tells you whether the sending server was authorized by the claimed domain — and in this campaign, all three fail.
- Lowe's does not send promotional mail from UK infrastructure. If the Received headers show a UK sending server, the message is not from Lowe's.
- Celebration emoji + "Congratulations" in the subject. A standard signature of prize-giveaway scam kits.
- Link hover does not go to lowes.com. Any claim link pointing to a shortener, a lookalike domain, or an unrelated host is a scam. Real Lowe's links lead to lowes.com directly.
- Requests for payment to "cover shipping." A common second-stage ask on the landing page: a few dollars via credit card, which captures card details for later fraud.
- Requests for personal information. Name, address, date of birth, and payment card details — everything needed to commit identity theft.
- Brand-name rotation. The same infrastructure has cycled through Kobalt, Gorilla Carts, and Kobalt Garden Tools; expect further rotations. The pattern — not any one brand name — is the tell.
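The fingerprint in "Common Characteristics" and the checks in "Red Flags to Watch For" can be applied mechanically to a raw message. The script below is an added example written for this page, not OpenEFA's code: it parses a message with the Python standard library, reads the SPF/DKIM/DMARC verdicts from the Authentication-Results header, compares the From domain with the envelope sender and the first-hop server in the Received chain, tests the subject for the emoji-plus-"Congratulations / selected / chosen" pattern, classifies every claim link against lowes.com, and looks for an urgency cue. The sample message, its hostnames, the IP address (taken from the RFC 5737 documentation range), and the claim URL are constructed for illustration and are not observed campaign indicators; the shortener list and the quarantine rule are assumptions. Geolocation of the first hop is omitted because it needs an external IP database.

```python
"""Added example (not OpenEFA code): check a raw message against the
prize-scam fingerprint described on this page. All sample data is constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND_DOMAIN = "lowes.com"
# Assumption: a short list of public shorteners; a deployment would maintain its own.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "is.gd"}
PRIZE_WORDS = re.compile(r"\b(congratulations|selected|chosen|claim your)\b", re.I)
LEADING_SYMBOL = re.compile(r"^\s*[^\x00-\x7f]")          # emoji or other non-ASCII lead-in
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)
RECEIVED_FROM = re.compile(r"from\s+(\S+)[^\[]*\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.I)
HREF = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.I)
URGENCY = re.compile(r"\b(within\s+\d+\s+(?:hours?|days?)|expires?|limited[- ]time)\b", re.I)

# Constructed sample. 203.0.113.0/24 is the RFC 5737 documentation range and the
# example.net / .example hosts stand in for attacker infrastructure.
SAMPLE_MESSAGE = """\
Return-Path: <offers@lowes.com>
Received: from mail.example.net (mail.example.net [203.0.113.45])
\tby mx.customer.example (Postfix) with ESMTP id ABC123
\tfor <user@customer.example>; Mon, 23 Mar 2026 09:14:02 +0000
Authentication-Results: mx.customer.example;
\tspf=fail smtp.mailfrom=lowes.com;
\tdkim=none header.d=none;
\tdmarc=fail header.from=lowes.com
From: Lowe's <offers@lowes.com>
To: user@customer.example
Subject: 🎉 Congratulations! You've been selected for a Kobalt Tool Set
Content-Type: text/html; charset=utf-8

<p>Claim within 24 hours: <a href="https://claim-prize.example/go/abc">Claim now</a></p>
"""


def domain_of(addr):
    """Domain part of an address, lower-cased; empty if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_link(url):
    """brand: lowes.com or a subdomain; shortener; lookalike (contains 'lowes'); unrelated."""
    host = (urlparse(url).hostname or "").lower()
    if host == BRAND_DOMAIN or host.endswith("." + BRAND_DOMAIN):
        return "brand"
    if host in SHORTENERS:
        return "shortener"
    if "lowes" in host:
        return "lookalike"
    return "unrelated"


def analyze(raw):
    """Return the extracted fields, the list of findings, and a verdict."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # Authentication verdicts as recorded by the receiving MX.
    auth = {k.lower(): v.lower()
            for k, v in AUTH_RESULT.findall(str(msg.get("Authentication-Results", "")))}
    if all(auth.get(m) != "pass" for m in ("spf", "dkim", "dmarc")):
        findings.append("authentication_failed")

    # Header-forgery check: From domain vs. envelope sender vs. first-hop server.
    from_domain = domain_of(parseaddr(str(msg.get("From", "")))[1])
    envelope_domain = domain_of(parseaddr(str(msg.get("Return-Path", "")))[1])
    received = [str(h) for h in msg.get_all("Received", [])]
    first_hop = ("", "")
    if received:
        m = RECEIVED_FROM.search(received[0])   # topmost Received = hop that handed it to us
        if m:
            first_hop = (m.group(1).lower(), m.group(2))
    if from_domain and envelope_domain and envelope_domain != from_domain:
        findings.append("envelope_from_misaligned")
    host = first_hop[0]
    if from_domain and host and host != from_domain and not host.endswith("." + from_domain):
        findings.append("sender_host_mismatch")

    # Subject pattern: leading emoji plus prize-notification language.
    subject = str(msg.get("Subject", ""))
    if LEADING_SYMBOL.search(subject) and PRIZE_WORDS.search(subject):
        findings.append("prize_scam_subject")

    # Claim links and urgency cue in the body.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    links = {u: classify_link(u) for u in HREF.findall(text)}
    if any(c != "brand" for c in links.values()):
        findings.append("claim_link_off_brand")
    if URGENCY.search(text):
        findings.append("urgency_cue")

    # Assumed rule: brand-domain From with failed authentication, or three or
    # more independent findings, goes to quarantine.
    verdict = ("quarantine" if ("authentication_failed" in findings and from_domain == BRAND_DOMAIN)
               or len(findings) >= 3 else "deliver")
    return {"auth": auth, "from_domain": from_domain, "envelope_domain": envelope_domain,
            "first_hop": first_hop, "subject": subject, "links": links,
            "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for k, v in analyze(SAMPLE_MESSAGE).items():
        print(f"{k}: {v}")
```

The Received check reads only the topmost header, because that is the one the receiving MX wrote itself; lower Received lines are attacker-controlled and can claim anything. The link classifier treats any subdomain of lowes.com as on-brand and anything else containing "lowes" as a lookalike, which is the distinction the "Link hover" red flag above draws.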
What You Should Do
- Do not release from quarantine. OpenEFA has already scored and blocked these messages correctly. Releasing one trains the filter to let the next one through and exposes you to the scam.
- Do not click the claim link. The landing page captures credentials and/or payment card details.
- Do not reply. Any response confirms your address is monitored and marks you for further targeting.
- Do not forward "for a laugh." Inadvertent clicks on internal forwards are a common way this class of scam reaches a careless recipient.
- If you interacted with the landing page: treat any credentials entered as compromised — rotate the password everywhere it was used, enable MFA on those accounts, and monitor any payment card for unauthorized charges. Consider a credit freeze if personal identifiers were entered.
- Report to the FTC at reportfraud.ftc.gov and the FBI IC3 at ic3.gov. Lowe's does not currently publish a direct phishing-report inbox; their published fraud guidance is at lowes.com/l/about/gift-card-scams.
- Delete the email from quarantine.
How OpenEFA Protects You
This campaign is caught through a stack of machine-learning, intent, and authentication signals, each contributing to the final score:
- Machine Learning Ensemble — OpenEFA's scikit-learn ensemble (RandomForest and gradient-boosted models) is trained on millions of real spam and ham examples. It scores each message against learned patterns of prize-scam language, sender behavior, and structural fingerprints, catching new variants of this campaign even before any rule is written for them.
- Intent Classification — A dedicated intent classifier reads the message and asks "what is this email trying to get the recipient to do?" Prize-claim intent — "click here to receive your reward" — is itself a high-risk signal when paired with an unsolicited sender, and is what catches Gorilla Carts, Kobalt Garden Tools, and whatever brand the operators rotate to next on the same intent fingerprint.
- NLP Content Analysis — spaCy-powered linguistic analysis recognizes the "Congratulations / you've been selected / claim now" prize-scam language pattern regardless of which brand or prize the attackers swap in.
- SPF / DKIM / DMARC Validation — Spoofed lowes.com fails all three; OpenEFA treats authentication failure on a brand-impersonating domain as a strong spam signal rather than a soft warning.
- Brand Impersonation Detection — OpenEFA maintains a database of 1,000+ legitimate brand domains; mismatches between a known brand name and the authenticated sending infrastructure are scored heavily.
- Header Forgery Analysis — Detects the divergence between the forged From: Lowe's <offers@lowes.com> header and the actual UK-origin sending server in the Received chain.
- Phishing & URL Reputation — Claim links are evaluated against reputation feeds and homograph-detection rules; credential-harvesting landing pages are scored accordingly.
- First-Contact Signals — Flags senders and sending infrastructure never seen before in your organization's message history.
- Geographic Origin — UK-origin mail claiming to be from a US retail brand is a strong anomaly signal.
- EFA Collective Threat Intelligence — Once one client's quarantine confirms a campaign, fingerprints propagate to every other OpenEFA deployment.
Machine learning and intent classification do the heavy lifting: they catch rotational variants (Gorilla Carts, Kobalt Garden Tools, and whatever comes next) on the underlying behavior and intent of the message — so we keep blocking the campaign even when the brand name, subject line, and authentication story change.
Indicators of Compromise
- Spoofed sender: Lowe's <offers@lowes.com> (also noreply.lowes.com, notifications.lowes.com, confirmation.lowes.com)
- Sending infrastructure: United Kingdom
- Subject patterns:
  - 🎉 Congratulations! You've been selected for a Kobalt Tool Set
  - 🎉 Congratulations! You've been chosen for Gorilla Carts
  - 🎉 Exclusive Opportunity: Claim Your Kobalt Garden Tool Set
- Authentication: SPF fail, DKIM fail, DMARC fail
- First observed: March 20, 2026 — ongoing
References
- FTC — Report Fraud
- IC3 — FBI Internet Crime Complaint Center
- FTC — How to Avoid a Scam
- Lowe's — Gift Card Scams & Fraud Protection
OpenEFA publishes security advisories when we identify significant campaigns affecting our customers and the broader community. Bookmark this page or follow us for updates.
OpenEFA® is an AI-powered email security platform by Quantum Logic Systems, LLC. Learn more at openefa.com.