Free Gmail, Corporate Envelope: How a Forwarded Message Delivers a Scanner-Confirmed Malicious Shortlink

TL;DR: A message arrived inside a corporate forwarding-relay envelope bearing Schindler branding and a link to the official schindler.pt website. The actual origin was a free Gmail address. The message was a forward of an external email containing a URL-shortened link (abre.ai) styled as an Excel proposal download. The platform confirmed the shortlink as malicious and quarantined the recipient mailbox. The attack used the legitimate corporate relay and familiar brand presentation to disguise a Gmail-origin payload behind institutional trust.

Severity: High. Tags: Malware Delivery, Phishing, Brand Impersonation. MITRE ATT&CK: T1566.002, T1204.002.

The From line shows a corporate address. The signature links to an official company website. The branding is familiar and professional. The message appears to be a forwarded proposal from a vendor.

The References header points to a Gmail Message-ID.

The Forwarding-Relay Pattern and Why It Works

A corporate employee receives an external email from a free Gmail account. The original message contains a link. The employee, possibly attempting to share the proposal with a colleague, forwards it through their corporate Microsoft 365 account. The outbound envelope now carries the corporate domain's sending infrastructure: Exchange Online, SafeLinks rewriting, corporate signatures. The original Gmail sender is visible in the thread body, but the message delivery path belongs to the corporate account.

For the recipient, the visible signals are entirely institutional: a recognizable corporate sender, a standard Schindler email signature, a link to www.schindler.pt (the legitimate company website), and a forwarded proposal subject line with a file reference number. The Microsoft Exchange SCL was set to -1, suppressing further spam analysis. SafeLinks rewrote the URL, which would provide protection if the destination were in a known-bad list but does nothing for a fresh shortlink resolving to infrastructure not yet cataloged.

The attack converts a free Gmail address into a corporate-credentialed delivery vehicle. The attacker does not need to compromise the corporate account in the traditional sense; they need only to send an email compelling enough that a corporate employee forwards it. This is a phishing delivery variant that exploits internal behavior rather than external infiltration.

The Shortlink as Payload Concealment

The call to action in the forwarded message was styled as an Excel proposal download: display text reading OBTER PROPOSTA 02/2026 - FEVEREIRO - 25.02.xls 0481316144, with the actual URL resolving to hxxps://abre[.]ai/oPSj.

abre.ai is a Brazilian URL-shortening service. The shortlink mechanism serves multiple attacker purposes simultaneously. It conceals the actual destination from both human recipients and automated scanners that evaluate URLs without following them. It allows the destination to be modified after the message is distributed, enabling the attacker to serve different payloads to different recipients at different times. And it provides a single-hop redirect that can be activated or deactivated independently of the lure message.

The platform confirmed the link as malicious. The DNS record for abre.ai resolves to 167.71.108.29. The domain publishes a DMARC policy of p=reject;pct=100, meaning the shortening service itself enforces email authentication for its own domain, a configuration that does nothing to prevent the service from being used to host redirects to malicious destinations.

The shortlink pointed to an XLS download. Excel files remain a reliable malware delivery vector: the format supports macros, embedded scripts, and external data connections. A recipient who downloads and opens the file on an endpoint without macro-blocking enabled may execute attacker-controlled code without any further interaction.
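The three link properties discussed above (a SafeLinks wrapper around the real URL, a shortener host hiding the destination, and anchor text that promises an .xls while the href carries no file) can all be checked statically before anything is fetched. The following is an added example, not IRONSCALES' or Microsoft's code. It assumes that the SafeLinks wrapper carries the original URL in its `url` query parameter (which is how Exchange Online rewrites links), that the shortener list is a constructed starting point rather than a complete one, and that the sample HTML is constructed for the demo (the shortlink value is the one from this post's indicator table, written with a real `https` scheme so it parses; the `data=` value is a placeholder).

```python
# Added example (not IRONSCALES' or Microsoft's code): static checks on the
# links in a message body.  Unwraps Microsoft SafeLinks wrappers (the
# original URL travels in the `url` query parameter), flags known shortener
# hosts, and flags anchor text that promises a file while the href path has
# no file in it.  The shortener list and the sample HTML are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

SHORTENERS = {"abre.ai", "bit.ly", "tinyurl.com", "t.co"}  # constructed starter list
FILE_EXT_RE = re.compile(r"\.(xls[xm]?|doc[xm]?|pdf|zip|iso|exe)\b", re.IGNORECASE)


def unwrap_safelinks(url):
    """Return the pre-rewrite URL for a SafeLinks wrapper, else `url` unchanged."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if host.endswith(".safelinks.protection.outlook.com"):
        inner = parse_qs(parts.query).get("url")  # parse_qs percent-decodes it
        if inner:
            return inner[0]
    return url


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.anchors.append((self._href, text))
            self._href = None


def analyse_anchor(href, text):
    """Apply the three checks to one anchor and return the findings."""
    url = unwrap_safelinks(href)
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    findings = []
    if host in SHORTENERS:
        findings.append("shortener")           # destination hidden behind a redirect
    if FILE_EXT_RE.search(text) and not FILE_EXT_RE.search(parsed.path):
        findings.append("file-lure-mismatch")  # text says ".xls", URL path does not
    if url != href:
        findings.append("safelinks-wrapped")   # rewritten by Exchange Online
    return {"text": text, "href": href, "url": url, "host": host, "findings": findings}


def analyse_html(html):
    """Run analyse_anchor over every link in an HTML body."""
    collector = _AnchorCollector()
    collector.feed(html)
    return [analyse_anchor(h, t) for h, t in collector.anchors]


# Constructed sample body: one SafeLinks-wrapped shortlink dressed up as an
# Excel proposal, plus the legitimate corporate-website link from the signature.
SAMPLE_HTML = (
    "<p>Segue em anexo a proposta.</p>"
    '<a href="https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fabre.ai%2FoPSj'
    '&amp;data=PLACEHOLDER&amp;reserved=0">'
    "OBTER PROPOSTA 02/2026 - FEVEREIRO - 25.02.xls 0481316144</a>"
    '<br><a href="https://www.schindler.pt">www.schindler.pt</a>'
)

if __name__ == "__main__":
    for result in analyse_html(SAMPLE_HTML):
        print(result)
```

What this block deliberately does not do is follow the shortlink: the malicious verdict in this case came from resolving the destination, and that step belongs in a sandboxed fetcher with its own egress controls, not in a parser run against raw mail. The static findings above are the triage signal that decides whether a link earns that detonation.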


Time Pressure as the Social Engineering Layer

The message body set a deadline: a response was requested by February 27, two days from the message date. A numbered proposal reference with a specific date suffix (25.02) reinforces the sense that this is a real document in an active procurement process.

The time pressure is designed to shorten the deliberation window. A recipient who might otherwise verify the sender's identity through a separate channel is instead moved toward immediate action: download the file, review the proposal, respond before the deadline. The format mirrors legitimate B2B communication closely enough that the verification instinct does not fire automatically.

The message was sent to an internal address at the recipient organization, delivered with SCL=-1, and carried Microsoft Information Protection labels from the forwarding account's tenant policy. Each of these signals contributes to the institutional legitimacy impression. None of them validates the payload.

What Platform Detection Flagged That Gateway Inspection Did Not

The relay in this attack ran through legitimate infrastructure at every layer: a real corporate Exchange tenant, a real company's email signature, a real shortening service, SafeLinks rewriting. The gateway had no domain-age signal to act on for abre.ai (the service has an established presence), no reputation signal for the specific shortlink path, and no behavioral anomaly on the sending domain.

The malicious verdict came from link-reputation analysis that evaluated the resolved destination of the shortlink rather than the shortlink itself. That analysis confirmed the link as malicious and triggered quarantine of the recipient mailbox.

The MITRE ATT&CK framework classifies this delivery pattern as Spearphishing Link (T1566.002) with a secondary User Execution technique (T1204.002) for the XLS payload. The Verizon DBIR 2026 identifies malware delivery via email links as a persistent initial-access method. CISA specifically warns against following URL shortlinks in unexpected business communications, noting that the redirect layer prevents destination verification before the link is clicked. The Microsoft Digital Defense Report 2024 identifies forwarded-message attacks using corporate envelopes as a growing technique for bypassing sender-reputation controls.

For security teams: any inbound message where the References or In-Reply-To header points to a free mail provider (gmail.com, yahoo.com, hotmail.com) while the From address belongs to a corporate domain should be treated as a forwarded-relay pattern and subjected to elevated link analysis regardless of the sending domain's reputation.
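The header rule above, as an added example that is not IRONSCALES' or Microsoft's code. It parses RFC 5322 headers with the standard library, compares the From domain against the domains found in every Message-ID in References and In-Reply-To, and also reports whether the Exchange SCL header was -1. It assumes a constructed free-mail provider list, two constructed sample messages (domains under `.example`, invented Message-IDs), and the fact that Gmail typically mints Message-IDs at `mail.gmail.com` rather than `gmail.com`, which is why the provider match accepts subdomains.

```python
# Added example (not IRONSCALES' or Microsoft's code): flag the forwarded-relay
# pattern: corporate From address, but the thread headers point to Message-IDs
# minted at a free mail provider.  Provider list and samples are constructed.
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Free-mail domains whose Message-IDs should not appear in the thread headers
# of a corporate-origin message (constructed starter list).
FREE_MAIL_PROVIDERS = ("gmail.com", "yahoo.com", "hotmail.com", "outlook.com")

# Message-ID syntax is <local-part@domain>; a References header may hold many.
MSGID_RE = re.compile(r"<[^<>\s@]+@([^<>\s]+)>")


def is_free_provider(domain):
    """Match the provider itself or any subdomain (Gmail IDs use mail.gmail.com)."""
    domain = domain.lower()
    return any(domain == p or domain.endswith("." + p) for p in FREE_MAIL_PROVIDERS)


def message_id_domains(header_value):
    """Domain part of every Message-ID in a References / In-Reply-To value."""
    return [d.lower() for d in MSGID_RE.findall(str(header_value or ""))]


def sender_domain(msg):
    """Domain of the RFC 5322 From address (empty string if unparsable)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def analyse(raw_message):
    """Return the relay signals for one raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_domain = sender_domain(msg)
    thread_domains = (message_id_domains(msg.get("References"))
                      + message_id_domains(msg.get("In-Reply-To")))
    free_hits = sorted({d for d in thread_domains if is_free_provider(d)})
    forwarded_relay = bool(free_hits) and bool(from_domain) and not is_free_provider(from_domain)
    # SCL -1 means Exchange skipped content filtering (safe sender / allow rule).
    scl = str(msg.get("X-MS-Exchange-Organization-SCL", "")).strip()
    return {
        "from_domain": from_domain,
        "free_mail_thread_domains": free_hits,
        "forwarded_relay": forwarded_relay,
        "spam_filter_bypassed": scl == "-1",
        "escalate_link_analysis": forwarded_relay,  # the rule stated in the post
    }


# Constructed sample: corporate From, but the thread references a Gmail ID.
FORWARDED_SAMPLE = """\
From: Example Employee <employee@corp.example>
To: colleague@corp.example
Subject: FW: PROPOSTA 02/2026 - FEVEREIRO
Message-ID: <7f3a1c@corp.example>
In-Reply-To: <CAExampleThreadId123@mail.gmail.com>
References: <CAExampleThreadId123@mail.gmail.com>
X-MS-Exchange-Organization-SCL: -1
Content-Type: text/plain

---------- Forwarded message ---------
"""

# Constructed sample: an ordinary internal thread that must not be flagged.
INTERNAL_SAMPLE = """\
From: Example Employee <employee@corp.example>
To: colleague@corp.example
Subject: RE: budget
Message-ID: <9b2d44@corp.example>
References: <1a2b3c@corp.example>
X-MS-Exchange-Organization-SCL: 1
Content-Type: text/plain

ok
"""

if __name__ == "__main__":
    for name, raw in (("forwarded", FORWARDED_SAMPLE), ("internal", INTERNAL_SAMPLE)):
        print(name, analyse(raw))
```

The rule is a triage signal, not a verdict: plenty of legitimate vendor threads start in Gmail, so the right action on a hit is the elevated link analysis the post calls for (unwrapping and resolving every link in the forwarded body) rather than a block.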

---

| Type | Indicator | Context |
| --- | --- | --- |
| URL | hxxps://abre[.]ai/oPSj | Confirmed-malicious shortlink; resolves to XLS malware download |
| Domain | abre[.]ai | Brazilian URL-shortening service; A record 167.71.108.29 |
| Email | compras[.]casd[@]gmail[.]com | Original external Gmail-origin sender embedded in forwarded thread |
| Filename | PROPOSTA 02/2026 - FEVEREIRO - 25[.]02[.]xls | Referenced XLS malware download target |

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
