
Construction Plan Room Impersonation: Amazon SES Authentication Passes While the CTA Routes to nasr.org.uk

Written by Audian Paxson | Jul 3, 2025 11:00:00 AM
TL;DR A construction bid notification impersonated a plan room brand using Amazon SES infrastructure that passed SPF and DKIM authentication. The email displayed Wagner-branded content, project details, and contact information for a Memphis-area reprographics firm. The single actionable CTA ('View project online') resolved to nasr[.]org[.]uk, a domain registered in May 2025 via Namecheap with no connection to the construction industry. The sender domain granrubina[.]com, registered in 2012, appears to have been compromised and used as the SES-authenticated sending identity. The mismatch between the professional branded template and the off-brand redirect destination is the core attacker indicator.
Severity: High | Tags: ESP abuse, Impersonation | MITRE ATT&CK: T1566.001, T1583.001, T1656

The email looked like a construction bid invitation. The branding was right. The project context was right. The contact details for a reprographics firm were right. The link was not.

Two recipients at a commercial organization had the same message quarantined: a plan room notification styled as a Wagner General Contractors project invitation. The email was formatted as a professional bid-coordination template (project name, invitation to view documents online, contact phone for the reprographics vendor). The "View project online" button was the entire purpose of the message.

That button resolved to nasr[.]org[.]uk.

nasr.org.uk Has No Connection to Construction

nasr[.]org[.]uk was registered on May 10, 2025 via Namecheap, using the registrar's default hosting nameservers (dns1.namecheaphosting.com). The domain is approximately 13 months old. There is no registrant organization, no identifiable public presence in the construction or plan room industry, and no legitimate reason for a Wagner-branded project invitation to route there.

This is URL rewriting in its simplest form: the visible CTA text says "View project online," the displayed branding says Wagner, and the actual href delivers the victim to an unrelated domain the attacker controls. The mismatch between branded sender content and CTA destination is the defining indicator of this attack class.

The automated link scanner returned a clean verdict on nasr[.]org[.]uk at scan time. A clean verdict from a reputation feed reflects the domain's history at the moment of the check. A 13-month-old Namecheap domain with no prior flagged activity has no negative history to return. Reputation-feed verdicts are a trailing indicator; freshly-registered redirect domains exploit that lag. The phishing determination here rested on the brand mismatch and behavioral signals, not on the URL verdict.

MITRE ATT&CK T1583.001 covers acquiring infrastructure for phishing operations; nasr[.]org[.]uk represents that acquisition. T1656 (impersonation) covers the Wagner brand and professional plan room template used throughout the message. T1566.001 covers the spearphishing email delivery vector.

Amazon SES Authentication That Proves Nothing About Brand Authorization

The message was sent through Amazon SES from IP 54.240.27.154, confirmed by reverse DNS to a27-154.smtp-out.us-west-2.amazonses.com. SPF passed for the SES outbound IP range. DKIM passed for two signatures: granrubina[.]com (the envelope sender domain) and amazonses.com (the SES signing domain). The DMARC result was recorded as bestguesspass.

ESP abuse is the technique: Amazon SES is legitimate email sending infrastructure. Messages dispatched through it inherit its IP reputation, its DKIM signing capability, and the trust signals that reputation-based filters assign to large cloud email providers. The authentication tells you the message genuinely came from an SES account authorized for granrubina[.]com, a domain registered in 2012 that appears to have been compromised and configured for this sending operation.

What the authentication does not tell you is that Wagner General Contractors or any affiliated plan room service authorized the content of the message, chose nasr[.]org[.]uk as a CTA destination, or had any involvement in the sending. The envelope passed. The brand claim in the body was fabricated.


Why the Construction Sector Is a Useful Target for This Pattern

Plan room notifications are routine in construction procurement. General contractors, subcontractors, and reprographics firms exchange bid invitations constantly across a project's pre-construction phase. Recipients are conditioned to click "View project" links as a normal part of their workflow. An impersonation attack that mirrors a familiar notification format carries lower cognitive friction than a cold phishing message. The template matches expectations, the project details add specificity, and the reprographics contact details provide a phone number that appears verifiable (though using a number from the email to verify the email is circular).

The mixed domain footprint in the message was an additional signal. Unsubscribe links and image assets in the email body pointed to wagnerplanroom[.]com, a domain associated with the impersonated brand but lacking DMARC records. The CTA routed to nasr[.]org[.]uk. A legitimate plan room invitation from a single platform would have all actionable links on the platform's own domain. The split between branded infrastructure links and an unrelated CTA destination is a structural tell the attack could not avoid.
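The three tells described above (an actionable link routed off-brand behind branded content, a split domain footprint, and authentication that vouches for a sending account rather than the brand) can be checked mechanically. The following is an added example, not IRONSCALES code; it runs over a constructed message that mirrors the layout described, and the brand-domain allowlist, the crude eTLD+1 heuristic and the simplified Authentication-Results header are assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample mirroring the message layout described above (headers simplified).
SAMPLE = """\
Authentication-Results: mx.example; spf=pass smtp.mailfrom=granrubina.com;
 dkim=pass header.d=granrubina.com; dkim=pass header.d=amazonses.com
Content-Type: text/html

<img src="https://wagnerplanroom.com/logo.png">
<p>Wagner General Contractors - project invitation</p>
<a href="https://nasr.org.uk/view">View project online</a>
<a href="https://wagnerplanroom.com/unsub">Unsubscribe</a>
"""
BRAND_DOMAINS = {"wagnerplanroom.com"}  # assumed allowlist: domains the brand owns
ESP_SIGNERS = {"amazonses.com"}         # ESP signer; vouches for the account, not the brand

def registrable(host):
    """Crude eTLD+1 heuristic: keep three labels for UK second-level suffixes."""
    labels = host.lower().split(".")
    uk2 = len(labels) >= 3 and labels[-1] == "uk" and labels[-2] in {"org", "co", "ac", "gov"}
    return ".".join(labels[-3:] if uk2 else labels[-2:])

def links(html):
    """Return (kind, anchor text, registrable domain) for every anchor and image."""
    out = []
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        out.append(("anchor", text.strip(), registrable(urlparse(href).hostname or "")))
    for src in re.findall(r'<img\s[^>]*src="([^"]+)"', html, re.I):
        out.append(("image", "", registrable(urlparse(src).hostname or "")))
    return out

def auth_domains(msg):
    """Domains SPF/DKIM actually vouched for, read from Authentication-Results."""
    ar = " ".join(msg.get_all("Authentication-Results", []))
    return set(re.findall(r'(?:dkim=pass header\.d|spf=pass smtp\.mailfrom)=([\w.-]+)', ar))

def assess(raw, brand=BRAND_DOMAINS):
    """Return findings for the brand/CTA mismatch pattern; empty list means consistent."""
    msg = message_from_string(raw)
    found = links(msg.get_payload())
    findings = [f"cta_offbrand:{text}->{dom}" for kind, text, dom in found
                if kind == "anchor" and dom not in brand]
    if len({dom for _, _, dom in found}) > 1:
        findings.append("mixed_domain_footprint")   # branded assets, unrelated CTA
    if not (auth_domains(msg) - ESP_SIGNERS) & brand:
        findings.append("auth_passes_for_nonbrand_domain")  # SPF/DKIM never named the brand
    return findings
```

None of these checks consult a URL reputation feed, which is the point: they fire on the structural mismatch even when the redirect domain is too new to have a verdict.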

IRONSCALES quarantined the message for both recipients at SCL=5, flagged the first-time external sender sending via a non-matching brand domain, and detected the CTA-to-brand-domain mismatch as a behavioral risk signal independent of the URL reputation verdict. The automated clean verdict on nasr[.]org[.]uk was not sufficient to override the combined behavioral picture.

The takeaway for security teams is consistent with the broader impersonation pattern at scale: authentication passing and a clean URL verdict at scan time are table stakes, not proofs of legitimacy. A freshly-registered redirect domain behind a professional-looking template is exactly the combination that defeats gateway filters relying on those two signals alone.

Indicators of Compromise

| Type | Indicator | Context |
| --- | --- | --- |
| Redirect domain | nasr[.]org[.]uk | Registered 2025-05-10; Namecheap; no construction industry presence; resolves as CTA destination for Wagner-branded invitation; scanner verdict clean at scan time |
| Sender domain | granrubina[.]com | Registered 2012; Tucows; appears compromised; configured as SES sending identity; DKIM pass; SPF pass via SES |
| SES source IP | 54.240.27[.]154 | Amazon SES outbound relay (us-west-2); legitimate ESP infrastructure used as delivery vehicle |
| Impersonated brand | Wagner General Contractors / wagnerplanroom[.]com | Brand identity used in template; wagnerplanroom.com lacks DMARC record; not attacker infrastructure |
| Behavioral signal | First-time sender; SCL=5; quarantined | Both recipients quarantined; high sender risk rating; SES-sent first-contact from non-Wagner domain |

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
