Threat Intelligence

Asana Platform Abuse: Authenticated Amazon SES Delivery for a Fake Meta Workspace Invite

Written by Audian Paxson | Aug 19, 2025 11:00:00 AM
TL;DR An attacker registered a fresh domain, created an Asana workspace, and sent an invite email claiming the inviter was Meta. The email was delivered through Amazon SES with full SPF, DKIM, and DMARC pass for asana.com. All links pointed to legitimate Asana endpoints. The attack relied on getting the recipient to accept the workspace invite and engage with content placed inside Asana rather than on any external phishing page. The inviter address used a randomized local part on a recently created, privacy-protected domain with no web presence.
Severity: Medium
Tags: Platform Abuse, Brand Impersonation, Social Engineering
MITRE ATT&CK: T1566.002 (Phishing: Spearphishing Link); T1656 (Impersonation); T1583.006 (Acquire Infrastructure: Web Services)

The email looked exactly like a legitimate Asana workspace invitation. The formatting matched Asana's standard notification template. The links pointed to app.asana[.]com. The sending infrastructure was Amazon SES, which is how Asana actually delivers its notifications. SPF, DKIM, and DMARC all passed for asana[.]com.

The claimed inviter was Meta.

The inviter's actual email address was a randomized string on a domain with no web presence, registered recently with privacy protection and no verifiable connection to Meta or any other technology company.

The Attack Architecture: Using Asana as the Delivery Channel

To send an Asana invitation, the attacker simply needed an Asana account and the ability to create a workspace. No compromised account, no zero-day exploit, no malicious domain to put in an email. The attacker registered a fresh domain with a privacy-obscured registrar, created an Asana workspace, and sent an invite claiming the organization behind it was "Meta" with a reference to an account number.

The inviter address, formatted as a 10-character randomized local part at daouse[.]com, provided no meaningful identity. daouse[.]com was registered through Domain Collage LLC with privacy-protected WHOIS. At delivery time, the domain had been active for a relatively short period with no documented web presence.

The recipient at a digital advertising company received a notification from what appeared to be a Meta-initiated workspace join request.

Full Authentication, Every Link to Asana, Nothing to Block

The email passed every authentication check:

  • SPF: pass (Amazon SES sending IP 54[.]240[.]65[.]107 authorized for asana[.]com)
  • DKIM: pass (signed for asana[.]com)
  • DMARC: pass (aligned with DKIM signing domain)
  • compauth=pass

All links in the notification pointed to app.asana[.]com endpoints: registration, accept-invite, and login flows. These scanned clean because they are clean. They are real Asana URLs. There was no external credential harvesting page to detect, no attacker domain to block, and no malicious attachment.

The attack surface was inside Asana itself. Once the recipient accepted the invite, the attacker-controlled workspace would become the attack environment. Content placed inside the workspace after invite acceptance (fake login prompts, malicious file links, social engineering messages) would be delivered within a platform the recipient had just voluntarily joined.

This is the structural characteristic of brand impersonation via SaaS platform abuse: the email delivery phase is fully clean and authenticated by design, because the platform really did send the message. The attacker is not bypassing or spoofing the authentication system. The attacker is using it correctly to impersonate a trusted brand.

The Inviter Domain: All the Red Flags That Authentication Ignores

daouse[.]com carries every attribute associated with single-use phishing infrastructure. Privacy-protected WHOIS. Recently registered. Registered through a registrar (Domain Collage LLC) that appears consistently in phishing campaigns. No web presence. No established relationship with the recipient organization. The randomized local part (34q6n9ctpm@daouse[.]com) means the address has never been seen before and provides no reputation signal.

Authentication for asana[.]com tells evaluators nothing about daouse[.]com. The two domains are independent. Asana sends the notification. Asana's authentication is what passes. The inviter's domain is referenced only in the notification body as the organizer. No SPF or DKIM evaluation touches daouse[.]com in this flow.

This is the fundamental gap in authentication-centric evaluation: the system that is being authenticated (Asana) is not the party whose trustworthiness matters for this decision. The party whose trustworthiness matters (the operator behind daouse[.]com) is not evaluated by authentication at all.

What Behavioral Analysis Found That Authentication Missed

The recipient had no established relationship with the claimed inviter. The claimed inviter identity (Meta) did not match any known partner or vendor. The inviter address used a randomized local part on a freshly registered, privacy-protected domain. No recipient personalization was present in the template, consistent with bulk campaign delivery.

Themis, the IRONSCALES Adaptive AI engine, flagged this message by correlating signals that authentication alone cannot produce: the gap between the claimed inviter identity and the actual inviter domain's characteristics, the absence of any prior relationship between the recipient and the inviter domain, and the pattern of platform abuse via SaaS invitation as a delivery channel. These are behavioral signals requiring contextual knowledge of the recipient organization's vendor relationships and domain-age data on the inviter, not just header parsing.
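The following is an added illustration of the correlation described above, not IRONSCALES code and not a description of how Themis is implemented. It parses a constructed notification modelled on the one in this post, reads the Authentication-Results header, pulls the claimed organization and the real inviter address out of the body, and scores the signals the text names: authentication scoped to the platform domain rather than the inviter domain, no prior relationship, a freshly registered domain, a randomized local part, and a claimed identity that does not match the inviter domain. The WHOIS creation dates, the partner list, the 30-day age threshold and the three-signal verdict threshold are all assumptions standing in for data and tuning the engine would supply.

```python
import email
import math
import re
from collections import Counter
from datetime import date
from email import policy

# Constructed sample modelled on the notification described in the article.
# Header values are illustrative; the real message is not reproduced here.
SAMPLE_EML = """\
From: Asana <no-reply@asana.com>
To: buyer@example-adagency.com
Subject: Meta (Account #18094323 at daouse.com) invited you to join their workspace
Authentication-Results: spf=pass (sender IP is 54.240.65.107) smtp.mailfrom=asana.com;
 dkim=pass (signature was verified) header.d=asana.com;
 dmarc=pass action=none header.from=asana.com;
 compauth=pass reason=100
Content-Type: text/plain; charset=utf-8

Meta (34q6n9ctpm@daouse.com) has invited you to join their workspace.
Accept the invite: https://app.asana.com/-/accept_invite
"""

# Stand-ins for data a detection engine would fetch (all constructed): WHOIS
# creation dates and the recipient organisation's known partner domains.
DOMAIN_CREATED = {
    "asana.com": date(2008, 1, 1),
    "meta.com": date(2004, 1, 1),
    "daouse.com": date(2025, 7, 25),
}
KNOWN_PARTNERS = {"asana.com", "meta.com", "facebook.com"}
TODAY = date(2025, 8, 19)

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=(\w+)")
INVITER_RE = re.compile(r"^(?P<org>.+?) \((?P<addr>[^\s()]+@[^\s()]+)\) has invited", re.M)


def parse_auth_results(msg):
    """Return {method: result} plus the DKIM signing domain from Authentication-Results."""
    hdr = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    results = dict(AUTH_RE.findall(hdr))
    m = re.search(r"header\.d=([\w.-]+)", hdr)
    results["dkim_domain"] = m.group(1).lower() if m else None
    return results


def extract_inviter(msg):
    """Pull the claimed organisation name and the actual inviter address from the body."""
    body = msg.get_body(preferencelist=("plain",)).get_content()
    m = INVITER_RE.search(body)
    return (m.group("org").strip(), m.group("addr").lower()) if m else (None, None)


def looks_randomized(local):
    """Heuristic for machine-generated local parts: long, mixes digits and letters,
    no separators, and high character entropy (threshold is an assumption)."""
    if len(local) < 8 or any(sep in local for sep in "._-"):
        return False
    if not (any(c.isdigit() for c in local) and any(c.isalpha() for c in local)):
        return False
    counts = Counter(local)
    entropy = -sum(n / len(local) * math.log2(n / len(local)) for n in counts.values())
    return entropy >= 3.0


def score_invite(raw, today=TODAY, created=DOMAIN_CREATED, partners=KNOWN_PARTNERS):
    """Correlate authentication scope with inviter-domain signals; return (verdict, signals)."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = parse_auth_results(msg)
    org, addr = extract_inviter(msg)
    signals = []
    if org is None:
        return ("no_inviter_found", signals)
    local, domain = addr.rsplit("@", 1)
    # 1. Authentication passed, but for the platform domain, not the inviter's domain.
    if auth.get("dmarc") == "pass" and auth.get("dkim_domain") != domain:
        signals.append("auth_scoped_to_platform_not_inviter")
    # 2. No established relationship between the recipient org and the inviter domain.
    if domain not in partners:
        signals.append("no_prior_relationship")
    # 3. Inviter domain registered recently or unknown (30-day window is assumed).
    reg = created.get(domain)
    if reg is None or (today - reg).days < 30:
        signals.append("fresh_or_unknown_domain")
    # 4. Randomized local part carries no reputation history.
    if looks_randomized(local):
        signals.append("randomized_local_part")
    # 5. The claimed brand name does not appear in the inviter domain.
    if org.lower().split()[0] not in domain:
        signals.append("claimed_identity_mismatch")
    verdict = "suspicious" if len(signals) >= 3 else "benign"
    return (verdict, signals)


if __name__ == "__main__":
    print(score_invite(SAMPLE_EML))
```

Signal 1 fires on every platform-generated invite, including legitimate ones, which is the point: it is a structural property of the channel, useful only in combination with the inviter-domain signals. Swapping the inviter in the sample for a named user at a known partner domain drops the count to that one signal and the verdict to benign.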

The IRONSCALES platform provides the capabilities that surface these multi-signal behavioral verdicts on messages that pass every technical filter.

Within the broader community threat feed, the Asana platform abuse vector had appeared in prior campaigns targeting technology and advertising sector organizations. Community intelligence on that pattern accelerated the detection verdict.

The Broader SaaS Abuse Threat

Asana is one of many platforms that can be weaponized this way. Google Calendar, Trello, DocuSign, SharePoint, Dropbox, and other widely used SaaS tools all have notification and invitation flows that, when abused, produce fully authenticated emails with no attacker-controlled delivery infrastructure. The legitimate platform's own authentication credentials sign every message.

Defenders who rely on domain reputation, URL scanning, and authentication results as their primary signal layers have no technical indicator to act on when the entire delivery chain is genuinely clean. The detection surface is behavioral: unexpected invitations from claimed organizations with no established relationship, using inviter addresses on freshly registered privacy-protected domains, sent without personalization to recipients whose roles are publicly visible on platforms like LinkedIn.


Indicators of Compromise

Type | Indicator | Context
Sending Infrastructure | 54[.]240[.]65[.]107 | Amazon SES sending IP authorized for asana[.]com
Inviter Address | 34q6n9ctpm@daouse[.]com | Randomized local part, freshly registered inviter domain
Inviter Domain | daouse[.]com | Privacy-obscured WHOIS, Domain Collage LLC registrar, no web presence
Claimed Inviter Identity | "Meta" | Claimed organization name in Asana invite notification
Claimed Account | Account #18094323 at daouse[.]com | Reference in invite subject
All Notification Links | app.asana[.]com | Legitimate Asana endpoints; scanned clean
DKIM Signing Domain | asana[.]com | All authentication passes for Asana, not the inviter domain

MITRE ATT&CK Mapping

Technique | ID | Relevance
Phishing: Spearphishing Link | T1566.002 | Invitation link to attacker-controlled Asana workspace
Impersonation | T1656 | Claimed Meta identity with no verifiable connection to Meta
Acquire Infrastructure: Web Services | T1583.006 | Asana and Amazon SES used as delivery infrastructure; fresh domain as inviter identity

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
