Threat Intelligence

Blog

Blog

The Email That Shipped With Its Template Tokens Still In It (And Still Worked)

Audian Paxson

A phishing campaign targeting a finance team arrived with broken mail merge tokens literally visible in the subject line. Despite this, the email passed SPF, DKIM, and Microsoft EOP with a spam confidence...

The Email That Shipped With Its Template Tokens Still In It (And Still Worked)

All posts

2026
AI
Attack of the Day
Email Security
IRONSCALES Attack Research
Phishing
SOC
Credential Theft
Impersonation
Vishing
Account Takeover
Payment Fraud
Platform Abuse
BEC
Malware
Supply Chain

The Email That Shipped With Its Template Tokens...

TL;DR A phishing campaign targeting a finance team arrived with broken mail merge tokens literally...

The Security Tools That Became the Camouflage

TL;DR A phishing campaign used Amazon SES to pass full SPF/DKIM/DMARC authentication, then buried...

SPF Passed. DMARC Passed. DKIM Didn't. What That...

TL;DR A business email compromise attempt targeting a finance administrator at a regional public...

The Payload Was a Phone Number: How a Google...

TL;DR A threat actor registered scoolsd[.]com on the morning of March 17, 2026, spun up a Google...

When the Safety Wrapper Becomes the Disguise:...

TL;DR Attackers sent a convincing Portuguese-language NF-e (Brazilian electronic invoice)...

Microsoft Bookings as a Weapon: When DMARC Says...

TL;DR Attackers weaponized Microsoft Bookings to deliver a convincing appointment confirmation to...

The Recipe Card That Passed Every Authentication...

TL;DR A phishing campaign disguised as a Canva design-share notification passed every email...

Two Security Vendors Scanned This Link and Both...

TL;DR A phishing email impersonating a Microsoft Office 365 encrypted message notification, branded...

The Email That Passed Every Security Check...

TL;DR A phishing campaign targeting a K-12 school district used Adobe's actual email infrastructure...

The Flow Failure Alert That Came From the Wrong...

TL;DR An attacker registered a test Microsoft 365 tenant whose subdomain closely mirrored a...

The Tax PDF That Every Scanner Declared Clean (It...

TL;DR A PDF titled 'Tax Document' landed in four mailboxes at a mid-market financial services firm...

Trusted Sender, Wrong Identity: How a Compromised...

TL;DR Attackers compromised a legitimate engineering firm's email account and used it to send...

Triple-Brand Credential Harvest: How Attackers...

TL;DR Attackers registered a .cz domain days before launching a credential-harvest campaign through...

The Vendor Thread That Bit Back: How a Legitimate...

TL;DR A software engineering team lead at a mid-size tech company received a phishing email...

No SPF. No DKIM. No DMARC. No Problem (For the...

TL;DR Attackers spoofed a SharePoint drive notification using a display name crafted to look like...

The Funding Email That Passed Every Filter By...

TL;DR A financial fraud phishing email impersonating a capital funding firm used invisible Unicode...

The Domain Registered This Morning: How a...

TL;DR On March 30, 2026, a phishing email sent from a compromised student account at a Russian...

The Invoice That Passed Every Email Check: How...

TL;DR Attackers hijacked a real vendor email thread about outstanding invoices at a mid-size energy...

When 'Release from Quarantine' Is the Attack

TL;DR Attackers sent a fake email quarantine digest from serverdata.net infrastructure, embedding...

The PDF Was a Decoy. The QR Code Was the Weapon.

TL;DR In March 2026, a targeted credential harvesting attack against a cybersecurity firm used a...

The Meeting Invite That Knew Your Email Address

TL;DR Attackers sent a flawless Microsoft Teams meeting invite to a staff accountant at a mid-size...

When the Sender Domain Is Also the Phishing Kit...

TL;DR Attackers compromised a legitimate, decades-old manufacturing company domain and weaponized...

The Contract You Didn't Request Has a QR Code You...

TL;DR Attackers sent a blank-body email with a PDF attachment disguised as a contract agreement....

Pixel-Perfect Procore Impersonation Hides Behind...

TL;DR Attackers impersonated Procore's submittal notification system using Amazon SES for clean...

She Clicked the Bid Invitation and Handed Her...

TL;DR Attackers used a likely compromised operations director account at a legitimate Canadian...

The PDF That Let the Human In and Locked the...

TL;DR Attackers used a password-protected PDF sent from what appears to be a compromised state...

Password-Protected PDFs Are the New Sandbox...

TL;DR Attackers compromised a paraprofessional's account at a state academy for the blind and used...

Redirect Laundering: How Attackers Weaponize...

TL;DR Attackers are laundering malicious URLs through legitimate security and cloud infrastructure...

Three Hops, Two Brands, One Fake WAV File: Inside...

TL;DR Attackers targeting a regional community bank sent a phishing email with a fake audio...

The LinkedIn Invoice That Passed Every Email Check

TL;DR Attackers registered linkedinreceivables-mail.com just weeks before launching a BEC campaign...

The $15,247 Invoice That Came With Its Own W-9

TL;DR Attackers sent a $15,247.75 invoice to an energy company's accounts payable team from...

Fake Google 'Open to Edit' Alert Hides a Kajabi...

TL;DR A phishing email mimicking a Google Docs sharing notification used a compromised UK...

The Email Came From Google. The Law Firm Did Not.

TL;DR Attackers impersonated law firm Alston & Bird LLP using Cyrillic and Unicode homoglyph...

Funding Agreement, Forged Approval: How a...

TL;DR Attackers sent a credential-theft email from a privacy-masked Italian domain through Amazon...

The Health Supplement That Harvested Credit...

TL;DR Attackers used ActiveCampaign's legitimate mailing infrastructure to deliver a polished...

The Fireflies Meeting Recap That Never Happened:...

TL;DR Attackers used Amazon SES to deliver a phishing email that simultaneously impersonated...

The Audit Request That Passed Every...

TL;DR Attackers compromised a legitimate nonprofit organization's email account and used it to...

No Links. No Attachments. No Malware. Just Five...

TL;DR A threat actor impersonating the CEO of a cybersecurity company sent a five-sentence email to...

Someone Filed a False Positive on This Azure TOAD...

TL;DR Attackers created a real Azure subscription with a resource group named 'pay-cbb33c4ab1' and...

The Voicemail That Wasn't: How Calendar File...

TL;DR A phishing attack delivered a voicemail-themed .ics calendar attachment from a compromised...

The Azure Alert That Billed You $459: When...

TL;DR Attackers weaponized Azure's notification infrastructure to deliver phishing emails from...

When SPF, DKIM, and DMARC All Pass. And the Email...

TL;DR Attackers abused a legitimate nonprofit fundraising platform to send fully authenticated...

For Enterprises

For MSPs & MSSPs

Protect Better

Simplify Operations

Empower Your Org

17,000+ Customers and Counting

Case Studies

Reviews

Osterman Research: AI Trends in Cybersecurity

Case Study: Concentrix

Our Awards

How IRONSCALES Works

Platform Overview

API Integration

Artificial Intelligence

Human Element

Agentic Capabilities

Agents Overview

Red-Teaming Agent

Phishing SOC Agent

Phishing Simulation Agent

Platform Tours

BY USE CASE

Business Email Compromise

Advanced Malware & URL Attacks

Generative AI Attacks

Account Takeover Attacks

Deepfake Attack Protection

DMARC Management

Phishing Simulation Testing

Security Awareness Training

BY PLATFORM

BY PROJECT

BY INDUSTRY

BY ROLE

LEARN

Blog

Threat Intelligence Center

Cybersecurity Glossary

Resource Library

Guides

Platform Tours

CONNECT

Events

Newsletter

LinkedIn

The Hidden Gaps in SEG Protection

New Gartner® Email Security Magic Quadrant™

Are Deepfake Emails Phishing 3.0?

Phishing Prevention

Spear Phishing

Voice Phishing

BY TYPE

MSPs and MSSPs

Resellers

Technology Partners

ENGAGE

Become Partner

Partner Portal

Partner with IRONSCALES