# AAA Brand Impersonation Uses Unauthorized OnMicrosoft Tenant and SafeLinks-Wrapped Blocklisted Harvest Domain
A mass-targeting phishing campaign impersonating AAA (American Automobile Association) arrived with a "Today Only: Free Car Emergency Kit" subject line, failed every authentication check, and still reached inboxes. The attacker used a Microsoft 365 tenant sending from an unauthorized IP and wrapped the malicious CTA in a Microsoft SafeLinks URL, betting that the Microsoft-branded redirect would delay or prevent blocklist detection. The final destination was a URI-blocklisted credential-harvesting domain.
The email claimed to offer a "AAA RoadReady Safety Box" as a free member benefit. The design was high quality with AAA-adjacent styling, a "CLAIM MY FREE SAFETY BOX" button, and a footer reading "2025 AAA Member Programs." No links in the body pointed to legitimate AAA properties (aaa[.]com). The entire brand presentation was fabricated.
The sender address was ByIYmtdb[@]abde10[.]onmicrosoft[.]com. This is a Microsoft 365 default tenant subdomain address, not an official AAA sending domain. The connecting IP was 213[.]255[.]227[.]145 (no PTR, geolocation: Dallas, US). That IP is not authorized by the tenant's SPF record, which permits only Microsoft's Exchange Online Protection hosts (spf[.]protection[.]outlook[.]com). Authentication results: SPF fail, no DKIM signature, no DMARC record for the sending domain, compauth fail (reason 001).
The CTA routed through a Microsoft SafeLinks wrapper before resolving to ww[.]apolokmi[.]sa[.]com (A record: 185[.]53[.]179[.]138). The ww subdomain is intentional; at a glance it reads as www. The apolokmi[.]sa[.]com domain appears in URI blocklists (URIBL/CT SURBL) and has been reported in prior spam and phishing campaigns. The domain's DNS is in a degraded state: its nameservers are ns1-expired[.]sav[.]com and ns2-expired[.]sav[.]com, names that indicate a lapsed registration at the Sav registrar, which points to older or recycled attacker infrastructure rather than purpose-built hosting.
SafeLinks abuse is the primary evasion mechanism here. Microsoft SafeLinks rewrites URLs in email so that clicks route through a Microsoft-hosted check on safelinks.protection.outlook[.]com, with the original destination carried, percent-encoded, in the wrapper's url= query parameter. Attackers can deliver messages in which the malicious CTA is already encoded as such a wrapper before it reaches the recipient's inbox. When a recipient hovers over or inspects the link, they see a safelinks.protection.outlook[.]com URL, not the attacker's domain.
This creates the same reputation-laundering effect as the infrastructure-abuse pattern seen with Dynamics 365, Mandrill, and other legitimate platforms. The wrapper host is a Microsoft domain, so a URL scanner that checks only the first hop reports a clean Microsoft URL while the attacker's blocklisted domain sits one redirect (or one query-parameter decode) deep.
The OnMicrosoft tenant address compounded the deception. *.onmicrosoft.com reads as Microsoft-affiliated to a non-technical recipient. The authentication failures (SPF fail, no DKIM, no DMARC) are the correct signal to act on, but only if the receiving environment enforces on compauth fail rather than treating it as a scoring input.
The free-offer social engineering angle was calibrated for consumer response patterns. Urgency ("Today Only"), a desirable object ("Free Car Emergency Kit"), and a familiar brand combine to produce a low-friction click. Low personalization confirms mass distribution targeting scale over precision.
The IRONSCALES platform followed the SafeLinks redirect chain to resolution and evaluated the terminal domain ww[.]apolokmi[.]sa[.]com against reputation databases. The URI blocklist hit on the destination domain was the primary detection signal. Secondary signals included the complete authentication failure stack (SPF fail, no DKIM, no DMARC, compauth fail), the absence of any legitimate AAA links in an email claiming to be from AAA, and the low-personalization mass-targeting profile.
The subdomain pattern ww. rather than www. was flagged as a visual-deception indicator consistent with impersonation infrastructure.
Full redirect-chain resolution is required to catch SafeLinks-wrapped malicious destinations. Stopping at the SafeLinks URL reports clean. Following the redirect to the terminal domain exposes the blocklisted attacker infrastructure.
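The following Python is an added example, not IRONSCALES code, showing the unwrap-then-check logic this recommendation and the SafeLinks discussion above describe. It decodes the wrapper's url= parameter locally (no network request), tests the terminal hostname and each of its parent domains against a blocklist the way URIBL-style lookups do, and flags a leading ww label. The wrapper URL, its data/sdata values, the blocklist set and the WWW_MIMICS labels are constructed for this example; they are not artifacts recovered from the message.

```python
"""Unwrap a Microsoft SafeLinks URL and assess its terminal destination.

Added example; not code from the report. SAMPLE_WRAPPED is constructed
around the report's harvest domain with placeholder data/sdata values, and
BLOCKLIST stands in for a live URIBL/SURBL query.
"""
from urllib.parse import parse_qs, urlparse

SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"

# Constructed sample wrapper (placeholder data/sdata, not from the message).
SAMPLE_WRAPPED = (
    "https://nam01.safelinks.protection.outlook.com/?url="
    "https%3A%2F%2Fww.apolokmi.sa.com%2Faaa%2Fclaim"
    "&data=05%7C01%7C&sdata=placeholder&reserved=0"
)

# Constructed blocklist (assumption: in production this is a URIBL/SURBL
# lookup or a threat-intel platform query).
BLOCKLIST = {"apolokmi.sa.com"}

# Leading labels that read as "www" at a glance (assumption for this check).
WWW_MIMICS = {"ww", "wwww"}


def hostname(url):
    """Lower-cased hostname of a URL, or "" if it has none."""
    return (urlparse(url).hostname or "").lower()


def unwrap_safelinks(url, max_depth=3):
    """Decode the wrapper's url= parameter instead of following the redirect.

    Follows nested wrappers up to max_depth and returns the first URL whose
    host is not under safelinks.protection.outlook.com.
    """
    current = url
    for _ in range(max_depth):
        parsed = urlparse(current)
        if not (parsed.hostname or "").lower().endswith(SAFELINKS_SUFFIX):
            return current
        inner = parse_qs(parsed.query).get("url")
        if not inner:
            return current  # wrapper without a url= parameter; nothing to follow
        current = inner[0]  # parse_qs has already percent-decoded the value
    return current


def blocklist_hits(host, blocklist=BLOCKLIST):
    """URIBL-style lookup: test the host and every parent domain above it."""
    labels = host.split(".")
    candidates = [".".join(labels[i:]) for i in range(len(labels) - 1)]
    return [c for c in candidates if c in blocklist]


def assess_link(url):
    """Contrast a first-hop-only check with full resolution of the wrapper."""
    first_hop = hostname(url)
    terminal = unwrap_safelinks(url)
    terminal_host = hostname(terminal)
    hits = blocklist_hits(terminal_host)
    www_mimic = terminal_host.split(".")[0] in WWW_MIMICS
    verdict = "block" if hits else ("review" if www_mimic else "allow")
    return {
        "first_hop_host": first_hop,
        "first_hop_hits": blocklist_hits(first_hop),  # stays empty: Microsoft host
        "terminal_url": terminal,
        "terminal_host": terminal_host,
        "blocklist_hits": hits,
        "www_mimic": www_mimic,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in assess_link(SAMPLE_WRAPPED).items():
        print(f"{key}: {value}")
```

Decoding the url= parameter is enough to recover the destination this campaign used, but a production resolver should still follow HTTP redirects from the decoded URL, since the terminal page can itself bounce to another host.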
Treat compauth fail as a hard signal on consumer-brand impersonation. When an email claims to be from a well-known consumer brand and arrives with SPF fail, no DKIM, no DMARC, and compauth fail, those authentication signals are load-bearing. The message has no legitimate explanation for those failures.
OnMicrosoft tenant addresses should not carry implicit trust. A *.onmicrosoft.com sender sending from an unauthorized IP with a complete authentication failure stack is a disposable attacker tenant, not a legitimate Microsoft customer. Apply the same scrutiny to this address class as to any unknown external sender with authentication failures.
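As an added example (not IRONSCALES code) of enforcing on these signals rather than scoring them, the Python below parses an Exchange Online Authentication-Results value of the kind this message would carry and applies a hard rule: a message that invokes a consumer brand, links to nothing on that brand's domain, and fails SPF, DKIM, DMARC and compauth is quarantined outright, and a *.onmicrosoft.com sender is recorded as a reason in its own right. The header value is constructed from the results the report lists; the brand-claim flag, brand domain list and body link hosts are inputs the caller supplies, and the verdict logic is this example's own.

```python
"""Parse Authentication-Results and enforce on the full failure stack.

Added example; not code from the report. SAMPLE_AUTH is constructed from the
results the report lists (spf=fail, dkim=none, dmarc=none, compauth=fail
reason=001) in Exchange Online's header syntax.
"""
import re

SAMPLE_AUTH = (
    "spf=fail (sender IP is 213.255.227.145) smtp.mailfrom=abde10.onmicrosoft.com; "
    "dkim=none (message not signed) header.d=none;"
    "dmarc=none action=none header.from=abde10.onmicrosoft.com;"
    "compauth=fail reason=001"
)

COMMENT = re.compile(r"\([^)]*\)")  # strip "(sender IP is ...)" style comments


def parse_auth_results(value):
    """Return {method: {"result": ..., <property>: ...}} for each ';' clause."""
    value = re.sub(r"^\s*Authentication-Results:\s*", "", value, flags=re.I)
    results = {}
    for clause in value.split(";"):
        tokens = COMMENT.sub("", clause).split()
        if not tokens or "=" not in tokens[0]:
            continue  # empty clause or a bare authserv-id such as "mx.example.com"
        method, _, result = tokens[0].partition("=")
        props = {"result": result.lower()}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            props[key.lower()] = val.lower()
        results[method.lower()] = props
    return results


def full_auth_failure(auth):
    """SPF fail, no DKIM, no DMARC, composite auth fail: nothing vouches for the sender."""
    return (
        auth.get("spf", {}).get("result") == "fail"
        and auth.get("dkim", {}).get("result") == "none"
        and auth.get("dmarc", {}).get("result") == "none"
        and auth.get("compauth", {}).get("result") == "fail"
    )


def triage(auth_value, claims_brand, brand_domains, link_hosts):
    """Hard-enforce on brand impersonation backed by a complete auth failure.

    claims_brand:  the message invokes the brand (subject/body match made upstream).
    brand_domains: domains the brand legitimately sends from and links to.
    link_hosts:    hostnames of body links, after any SafeLinks unwrapping.
    """
    auth = parse_auth_results(auth_value)
    from_domain = (auth.get("dmarc", {}).get("header.from")
                   or auth.get("spf", {}).get("smtp.mailfrom", ""))
    reasons = []
    if full_auth_failure(auth):
        reasons.append("full_auth_failure")
    if from_domain.endswith(".onmicrosoft.com"):
        reasons.append("onmicrosoft_tenant_sender")
    links_to_brand = any(
        h == d or h.endswith("." + d) for h in link_hosts for d in brand_domains
    )
    if claims_brand and not links_to_brand:
        reasons.append("no_link_to_claimed_brand")
    if claims_brand and "full_auth_failure" in reasons:
        verdict = "quarantine"  # load-bearing signal, not a scoring input
    elif reasons:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"from_domain": from_domain, "reasons": reasons, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_AUTH, True, ["aaa.com"],
                 ["nam01.safelinks.protection.outlook.com"]))
```

The parser keys on the method name so that additional Exchange Online properties (action=, header.d=, reason=) are preserved for logging; the rule itself only consults the four results the report calls load-bearing.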
Monitor for URI blocklist hits at click time, not just at delivery. SafeLinks and similar wrappers shift the detection opportunity from delivery to click. Ensure your environment can act on a blocklist match at the moment a user clicks, not only when the message arrives.
| Type | Indicator | Notes |
|---|---|---|
| Sender address | ByIYmtdb[@]abde10[.]onmicrosoft[.]com | Unauthorized OnMicrosoft tenant; not an official AAA sending domain |
| Connecting IP | 213[.]255[.]227[.]145 | No PTR; Dallas, US; not authorized by tenant SPF |
| Harvest domain | ww[.]apolokmi[.]sa[.]com | URI-blocklisted; URIBL/CT SURBL hits; attacker harvest destination |
| Harvest IP | 185[.]53[.]179[.]138 | A record for ww[.]apolokmi[.]sa[.]com |
| Harvest DNS | ns1-expired[.]sav[.]com, ns2-expired[.]sav[.]com | Expired/degraded nameserver configuration on attacker domain |
| Delivery mechanism | Microsoft SafeLinks wrapper | Used to conceal ww[.]apolokmi[.]sa[.]com behind trusted Microsoft redirect |
| Authentication | SPF=fail, DKIM=none, DMARC=none, compauth=fail (reason=001) | Complete authentication failure stack |
| Impersonated brand | AAA (American Automobile Association) | No legitimate AAA links present |
| MITRE | T1566 | Phishing |
| MITRE | T1598 | Phishing for Information |