The email announced that the recipient qualified for an Aeroplan bonus. The branding looked like Air Canada. The "SIGN IN" button looked like a loyalty portal. The From header said Mail[.]aircanada[.]com. None of it was real.
The message was sent from 60[.]241[.]243[.]250, a static residential IP assigned to TPG Telecom, a consumer ISP in Melbourne, Australia. The PTR record confirmed it: 60-241-243-250[.]static[.]tpgi[.]com[.]au. SPF failed because the IP has no relationship to Air Canada's authorized sending infrastructure. DKIM was absent entirely. No DMARC record existed for the Mail[.]aircanada[.]com subdomain. Every authentication signal that should have existed was missing.
A Staging Platform as the Credential Page
The "SIGN IN" call-to-action linked to islandleighanna-org[.]us[.]stackstaging[.]com/template/images/ntsa/2/h/, a subdomain on StackPath's staging platform. The stackstaging[.]com parent domain was registered in 2016 through Tucows and hosts staging environments for StackPath customers. The phishing subdomain resolved to 185[.]146[.]165[.]97.
This is a pattern worth understanding. Attackers provision credential harvesting pages on legitimate web hosting platforms because the parent domain carries clean reputation. URL reputation engines that evaluate the root domain rather than the full path see stackstaging[.]com as infrastructure, not as a threat. The page gets HTTPS with a valid certificate. The staging environment is temporary and disposable.
No SPF, DKIM, or DMARC records existed for the staging subdomain itself. No DNSSEC was configured. The attacker needed only a StackPath account to provision fake login pages on trusted infrastructure, then point the phishing email at it.
The Header That Dated Itself
The X-Mailer header declared Microsoft Outlook Express 6. That mail client shipped with Windows XP and was discontinued in 2006. No legitimate organization is sending marketing emails through Outlook Express in 2025. The header is a fingerprint of a scripted sending tool that has not been updated in over a decade. It is a minor detail, but minor details accumulate: a consumer ISP source, a missing DKIM signature, an absent DMARC record, a discontinued mail client, and a staging-platform credential page all point in the same direction.
The message carried no attachments. The entire attack surface was the link. Themis flagged the convergence of authentication failures, first-time sender behavior from consumer IP space, and a CTA destination inconsistent with the impersonated brand. The email was quarantined before the credential page could collect anything.
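As an added example, not the vendor's own detection code, the following Python triage routine checks a constructed copy of this message (headers modelled on the indicators above; nothing is contacted) for the converging signals the write-up describes: authentication results, a residential-style PTR on the first hop, a discontinued X-Mailer, and a CTA whose registrable domain does not match the From domain. The threshold and the crude eTLD+1 helper are assumptions.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

LEGACY_MAILERS = ("Microsoft Outlook Express",)  # discontinued 2006

# Constructed sample modelled on the analysed message; not a captured email.
SAMPLE = """From: Aeroplan <bonus@Mail.aircanada.com>
To: victim@example.net
Subject: You qualify for an Aeroplan bonus
Received: from 60-241-243-250.static.tpgi.com.au (60-241-243-250.static.tpgi.com.au [60.241.243.250])
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=Mail.aircanada.com; dkim=none; dmarc=none
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
Content-Type: text/html

<html><body><a href="https://islandleighanna-org.us.stackstaging.com/template/images/ntsa/2/h/">SIGN IN</a></body></html>
"""

def parse_auth(msg):
    """Map spf/dkim/dmarc -> result from the Authentication-Results header."""
    ar = msg.get("Authentication-Results", "")
    return {m.group(1): m.group(2) for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", ar)}

def is_generic_ptr(msg):
    """True when the first-hop rDNS name merely encodes the IP (typical of ISP pools)."""
    m = re.search(r"from\s+(\S+)\s+\(.*?\[(\d+\.\d+\.\d+\.\d+)\]", msg.get("Received", ""))
    if not m:
        return False
    host, ip = m.group(1).lower(), m.group(2)
    return ip.replace(".", "-") in host or ip in host

def registrable(host):
    """Crude eTLD+1 (last two labels); a real implementation would use the PSL."""
    return ".".join(host.lower().split(".")[-2:])

def link_brand_mismatch(msg):
    """Return hrefs whose registrable domain differs from the From domain."""
    from_dom = registrable(msg["From"].addresses[0].domain)
    hrefs = re.findall(r'href="([^"]+)"', msg.get_content())
    return [h for h in hrefs if registrable(urlparse(h).hostname or "") != from_dom]

def findings(raw):
    msg = message_from_string(raw, policy=default)
    auth, out = parse_auth(msg), []
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) != "pass":
            out.append(f"{mech}:{auth.get(mech, 'missing')}")
    if is_generic_ptr(msg):
        out.append("generic-ptr")
    if any(msg.get("X-Mailer", "").startswith(p) for p in LEGACY_MAILERS):
        out.append("legacy-mailer")
    if link_brand_mismatch(msg):
        out.append("link-brand-mismatch")
    return out

def verdict(raw, threshold=3):
    """Quarantine when enough independent weak signals converge (threshold is assumed)."""
    f = findings(raw)
    return ("quarantine" if len(f) >= threshold else "deliver"), f
```

No single check is decisive on its own; the routine only acts when several of them agree, which is the convergence the write-up describes.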
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Sender (Spoofed) | Mail[.]aircanada[.]com | Spoofed From header, no authentication |
| Sending IP | 60[.]241[.]243[.]250 | TPG Telecom consumer ISP, Melbourne, Australia |
| PTR | 60-241-243-250[.]static[.]tpgi[.]com[.]au | Residential PTR record |
| Credential Page | islandleighanna-org[.]us[.]stackstaging[.]com/template/images/ntsa/2/h/ | StackPath staging subdomain (MALICIOUS) |
| Credential Page IP | 185[.]146[.]165[.]97 | Resolution for staging subdomain |
| X-Mailer | Microsoft Outlook Express 6 | Discontinued 2006, indicates scripted sending tool |
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | Aeroplan-branded email with CTA to credential harvesting page |
| Establish Accounts: Web Services | T1583.006 | StackPath staging subdomain provisioned for credential page |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Spoofed Air Canada/Aeroplan branding and From header |