SPF passed. DKIM passed (twice, for both asana[.]com and amazonses[.]com). DMARC passed. Every link pointed to app[.]asana[.]com. The sending IP belonged to Amazon SES, Asana's legitimate infrastructure. No spoofing, no forgery, no header manipulation.
Asana sent this email. The problem was what it said.
The subject line read: "Action Required: Meta invited you to join Account #18094323 at daouse[.]com." The body used Asana's standard workspace invite template with brand-consistent images, layout, and call-to-action buttons. The inviter identity claimed to be "Meta." The inviter address was 34q6n9ctpm@daouse[.]com, a randomized string at a recently registered, privacy-obscured domain with no relationship to Meta.
An attacker created an Asana workspace, configured a fraudulent inviter identity, and let the platform handle the rest. The email was the delivery vehicle. The workspace was the attack surface.
The traditional phishing model requires attacker-owned infrastructure: a spoofed domain, a compromised relay, a lookalike login page. Each creates a signal that security tools can evaluate. SaaS platform abuse inverts that model entirely.
In this case, the attacker needed nothing beyond an Asana account. They created a workspace, set the inviter identity to impersonate Meta, and triggered a standard invite to the target. Asana's infrastructure handled everything else. The MITRE ATT&CK framework classifies this as T1585.001 (Establish Accounts: Social Media Accounts), though "establish accounts" undersells it. The attacker established a fully functional workspace on a trusted collaboration platform, then weaponized its native notification system.
The invite was indistinguishable from a legitimate Asana workspace invitation because it was one. Same HTML template. Same CTA buttons linking to app[.]asana[.]com/0/accept-invite and app[.]asana[.]com/0/auth/register endpoints. Authentication confirmed what it was designed to confirm: asana[.]com sent this email. It had no mechanism to evaluate whether the person who triggered that send was impersonating a Fortune 50 company.
Every URL in the email resolved to legitimate Asana infrastructure:
`` hxxps://app[.]asana[.]com/0/accept-invite/... hxxps://app[.]asana[.]com/0/auth/register/... hxxps://app[.]asana[.]com/0/auth/login/... ``
Link scanners evaluated these endpoints and returned clean verdicts. They were correct. The URLs resolve to real Asana pages. No attacker domain in the chain, no redirect to a credential-harvest page, no malicious payload hosted anywhere a scanner can reach.
This is Spearphishing Link (T1566.002) at its most frustrating: the link IS the legitimate platform. The malicious intent exists entirely in the workspace the target would join after clicking "Accept Invite." According to the Verizon 2024 Data Breach Investigations Report, phishing remains the dominant initial access vector. Campaigns like this one illustrate why: when the delivery infrastructure is identical to legitimate business communication, reputation-based defenses have nothing to evaluate.
This is what separates this case from typical SaaS abuse. In most platform abuse attacks (Canva designs, Google Docs lures, Dropbox shares), the email links to a static page containing a credential-harvest form or redirect. The collaboration tool is the delivery mechanism, but the payload lives elsewhere.
Here, the workspace itself is the payload. If the recipient accepts, they join an Asana workspace controlled by the attacker. From inside that workspace, the attacker can:
The target has already opted in by accepting the invite. The psychological barrier to clicking a link inside a shared task is far lower than clicking a link in an unsolicited email.
See Your Risk: Calculate how many threats your SEG is missing
The inviter address, 34q6n9ctpm@daouse[.]com, is the one signal that breaks the illusion. The local part is a randomized 10-character alphanumeric string, consistent with automated account provisioning rather than a real person. The domain daouse[.]com was recently registered through Domain Collage, LLC with privacy-obscured WHOIS records, no web presence, and no verifiable connection to Meta.
The subject line combined Masquerading (T1036.005) with social engineering pressure: "Action Required" creates urgency, "Meta" creates authority, and "Account #18094323" creates specificity mimicking an enterprise onboarding process. No recipient personalization appeared anywhere in the body, suggesting a spray campaign rather than a targeted operation.
Themis, the IRONSCALES Adaptive AI, identified this email as suspicious based on signals outside the authentication layer: the inviter claimed to be Meta, but the inviter domain was a recently registered, privacy-shielded entity with no Meta affiliation. The email was an unsolicited workspace invitation with no prior business relationship, no recipient personalization, and a randomized inviter address inconsistent with legitimate enterprise provisioning.
None of these signals appear in SPF, DKIM, or DMARC results. All of them require understanding context, not cryptographic verification.
If your email security policy auto-allows messages from asana[.]com, google[.]com, dropbox[.]com, or docusign[.]com based on domain reputation or authentication results, you have a bypass that attackers can activate on demand. Three things worth evaluating:
Audit workspace invite policies. Workspace invitations create persistent access. A user who accepts a fraudulent invite joins an environment where the attacker can deliver follow-on attacks through tasks, messages, and shared files.
Evaluate unsolicited SaaS notifications as a threat category. The distinguishing signals are behavioral: first-time inviter, brand-claim mismatch between the inviter identity and the inviter domain, randomized sender addresses, and missing recipient personalization.
Correlate across mailboxes. A single Asana invite is ambiguous. The same workspace invitation hitting multiple employees with no prior Asana relationship to Meta is a campaign. Per-message evaluation at the gateway misses that pattern.
Authentication confirmed asana[.]com sent this email. The question it cannot answer is whether the workspace behind the invite was built with malicious intent. That requires a fundamentally different kind of analysis.
---
MITRE ATT&CK Mapping
---
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Sender | no-reply@asana[.]com | Legitimate Asana sending address (platform-native) |
| Sending IP | 54[.]240[.]65[.]107 | Amazon SES (legitimate Asana infrastructure) |
| Inviter address | 34q6n9ctpm@daouse[.]com | Randomized string at attacker-registered domain |
| Inviter domain | daouse[.]com | Recently registered, privacy-obscured WHOIS via Domain Collage, LLC |
| Workspace account | Account #18094323 | Attacker-created Asana workspace identifier |
| Subject line | Action Required: Meta invited you to join Account #18094323 at daouse[.]com | Brand impersonation + urgency framing |
| Claimed inviter identity | Meta | Fraudulent brand claim with no connection to inviter domain |
| CTA endpoints | app[.]asana[.]com/0/accept-invite/, app[.]asana[.]com/0/auth/register/ | Legitimate Asana infrastructure |
| DKIM domains | asana[.]com, amazonses[.]com | Both signatures valid |
| SPF result | pass (54[.]240[.]65[.]107 authorized for asana[.]com) | Amazon SES in Asana's SPF record |
| DMARC result | pass (policy for asana[.]com) | Full alignment |
| Attack | What happened |
|---|---|
| The Phishing Infrastructure Was Canva. The Delivery Mechanism Was Canva. The Authentication Was Canva. | An attacker signed up for Canva, built a phishing lure as a design, and used the platform's own sharing feature to deliver it. |
| The B2B Content Marketing Email That Borrowed a Brand, a Relay Allow-List, and a Security Vendor's Own URL Wrapper | A polished B2B research report offer used SelectHub branding, passed through an allow-listed mail relay at SCL -1. |
| The Email That Passed Every Security Check (Because Adobe Sent It) | A phishing campaign targeting school district staff used Adobe's own sending infrastructure, real DKIM signatures. |
| The Datadog Alert That Came From the Wrong Domain: Authenticated Brand Impersonation With All Links Pointing to Real Infrastructure | A fully authenticated Datadog monitor alert arrived from dtdg.co, not datadoghq.com. |
| When the Sender Domain Is Also the Phishing Kit Host: Dual-Purpose Domain Compromise | An attacker compromised a legitimate manufacturing company domain and used it two ways at once: as the authenticated sending address and as the host for... |