The email looked like a legitimate AT&T Business customer satisfaction survey. It offered a $25 Visa Virtual Account for six to eight minutes of feedback. It had an AT&T logo, AT&T branding, a deadline of December 10, 2025, and a reference to a research vendor called "Convey." The From display name was "AT&T Business."
The actual sender had nothing to do with AT&T.
Authentication Passed. The Sender Was Not AT&T.
The sending address was noreply@ATTCustomerCareSurvey[.]mbcampaign[.]com. The SPF, DKIM, and DMARC records all passed for mbcampaign[.]com, the base domain that the sending subdomain belonged to. That authentication was technically correct: mbcampaign[.]com was authorized to send mail from that infrastructure.
AT&T never authorized mbcampaign[.]com to send on its behalf. The authentication chain verified the campaign platform's identity, not the impersonated brand's identity. This is the structural gap that email spoofing via third-party platforms exploits. Every authentication result was accurate for the domain that sent the message. None of them said anything about whether that domain was permitted to present as AT&T Business.
mbcampaign[.]com was registered through Namecheap with WHOIS privacy protection in 2009. It used Cloudflare nameservers and was Cloudflare-proxied, meaning the actual hosting infrastructure was hidden behind Cloudflare's IP space. The email relay was o18[.]notif01[.]mbcampaign[.]com at 198[.]37[.]152[.]25, delivering into a Microsoft 365 environment.
The Infrastructure Cluster
The campaign platform infrastructure was not a one-off domain. Three related domains formed a coordinated cluster:
- mbcampaign[.]com: The primary campaign management domain, registered 2009.
- mbdt01[.]com: The destination domain in the survey CTA URL. DMARC was set to p=none. No DKIM selectors were discoverable. SPF included sendgrid.net, suggesting SendGrid as a secondary sending path.
- mymbnet[.]com: A third related domain sharing infrastructure characteristics with the other two.
The CTA link pointed to attcustomercaresurvey[.]mbdt01[.]com/index[.]php, which was flagged malicious in threat intelligence feeds. This is the convergence point for the attack: a convincingly branded AT&T survey email that routes through authenticated campaign infrastructure to a malicious PHP endpoint on a different domain with weaker authentication configuration.
The infrastructure cluster pattern is significant for defenders. When one domain in a cluster is flagged, the others carry elevated risk. The relationship between mbcampaign[.]com, mbdt01[.]com, and mymbnet[.]com is not publicly documented, but their shared technical characteristics suggest coordinated operation.
The Privacy Link Misdirection
One detail in this email was particularly deliberate. The footer contained a privacy policy link with display text showing att[.]com. The actual href behind that text resolved through mbcampaign[.]com click-tracking infrastructure, not to AT&T's privacy policy.
This technique exploits how most email clients render hyperlinks. The visible text is what the recipient reads. The underlying URL is what actually executes on click. A recipient glancing at the footer sees "att.com" and understands that link as a signal of legitimacy, validating their assumption that the email is genuinely from AT&T. Clicking it would route through attacker-controlled tracking infrastructure.
This is not an accident of email formatting. It is a deliberate social engineering element designed to reinforce brand legitimacy at exactly the moment a cautious reader would look for it. The footer of a message is where users look to validate an email's authenticity. Placing a familiar domain name in visible link text while routing the click elsewhere is a targeted counter-measure against that validation behavior.
Behavioral Detection on a Structurally Complex Attack
This attack had several layers of technical complexity working in its favor. Subdomain authentication passed legitimately. The sending domain was 16 years old with Cloudflare infrastructure. The visual branding was accurate. The footer appeared to reference AT&T's own domains. None of this would trigger signature-based or reputation-based filtering.
Themis, the Adaptive AI engine, flagged the message based on the behavioral and structural signals that authentication could not surface. The sender domain (mbcampaign[.]com) had no prior relationship with the recipient organization. The display name claimed AT&T while the sending domain bore no relation to AT&T's registered sending infrastructure. The CTA destination was a different domain from the sender, with weaker authentication posture (DMARC p=none, no DKIM) and an endpoint already flagged malicious. The privacy link display text mismatched its actual href.
Together, these signals constitute a credential harvesting pattern that is invisible to authentication-only analysis. The campaign platform was clean. The destination was not. The link between them was designed to be invisible to scanning that evaluated the first hop only.
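The four structural checks described above, written out as a small header-and-link analyzer. This is an added example, not Themis or any vendor code; it assumes a hand-built allow-list of the impersonated brand's real domains (BRAND_DOMAINS) and runs against a constructed message modelled on this case, not the original email.

```python
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample modelled on the case above; not the real message.
SAMPLE_EML = """\
From: "AT&T Business" <noreply@ATTCustomerCareSurvey.mbcampaign.com>
To: user@example.com
Subject: AT&T Business Customer Satisfaction Survey
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mbcampaign.com; dkim=pass header.d=mbcampaign.com; dmarc=pass header.from=mbcampaign.com
Content-Type: text/html

<html><body>
<a href="https://attcustomercaresurvey.mbdt01.com/index.php">Start the survey</a>
<p>Privacy: <a href="https://click.mbcampaign.com/t/abc">att.com</a></p>
</body></html>
"""

BRAND_DOMAINS = {"att.com"}  # assumed allow-list of the impersonated brand's real domains

def registered_domain(host):
    # Naive eTLD+1 (last two labels): enough for .com; use a PSL library in production
    return ".".join(host.lower().strip().split(".")[-2:])

def analyze(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = email.utils.parseaddr(str(msg["From"]))
    sender_domain = registered_domain(addr.split("@")[-1])
    findings = []
    # 1. Authentication passed, but for a domain that is not the claimed brand
    m = re.search(r"dkim=pass header\.d=([\w.-]+)", str(msg.get("Authentication-Results", "")))
    if m and registered_domain(m.group(1)) not in BRAND_DOMAINS:
        findings.append("auth_passed_for_nonbrand:" + registered_domain(m.group(1)))
    # 2. Display name claims the brand while the sending domain does not belong to it
    if "at&t" in name.lower() and sender_domain not in BRAND_DOMAINS:
        findings.append("display_name_mismatch:" + sender_domain)
    html = msg.get_body(preferencelist=("html",)).get_content()
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        link_domain = registered_domain(urlparse(href).hostname or "")
        text = text.strip()
        # 3. Visible link text names a domain that differs from the real href (privacy-link trick)
        if re.fullmatch(r"[\w.-]+\.[a-z]+", text, re.I) and registered_domain(text) != link_domain:
            findings.append(f"link_text_mismatch:{text}->{link_domain}")
        # 4. A link lands on a different registered domain than the authenticated sender
        if link_domain != sender_domain:
            findings.append("link_offdomain:" + link_domain)
    return findings
```

Each finding on its own is weak; the point is that all four fire together on a message whose SPF, DKIM and DMARC results are all "pass".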
The email headers showed a send date of November 11, 2025, while analysis occurred in August 2025 in the case timeline. This suggests either delayed analysis of a forward-delivered message or a misdated header, neither of which is unusual in complex relay chains. The underlying attack pattern is the same regardless of the exact send date.
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Sending Domain | mbcampaign[.]com | Third-party campaign platform; Cloudflare-proxied |
| Sending Subdomain | ATTCustomerCareSurvey[.]mbcampaign[.]com | Mimics AT&T brand in subdomain name |
| Sending Relay | o18[.]notif01[.]mbcampaign[.]com | Campaign relay IP 198[.]37[.]152[.]25 |
| CTA Domain | mbdt01[.]com | DMARC p=none; no DKIM; SPF includes sendgrid.net |
| Malicious URL | attcustomercaresurvey[.]mbdt01[.]com/index[.]php | Flagged malicious; survey CTA destination |
| Related Domain | mymbnet[.]com | Shares infrastructure with campaign cluster |
| Privacy Link Misdirect | Display: att[.]com / Actual: mbcampaign[.]com redirect | Hidden click-tracking behind AT&T display text |
MITRE ATT&CK Mapping
| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | Survey CTA routes through authenticated campaign platform to malicious endpoint |
| Impersonation | T1656 | AT&T Business display name and branding used from non-AT&T sender |
| Acquire Infrastructure: Domains | T1583.001 | Coordinated domain cluster (mbcampaign, mbdt01, mymbnet) operating as campaign infrastructure |
Related attacks
| Attack | What happened |
|---|---|
| The U.S. Bank Email That Came From a Lawyer Directory and Passed Every Authentication Check | A fully authenticated email from lawyerlegion[.]com displayed pixel-perfect U.S. |
| The Funding Approval That Passed Every Authentication Check | A typosquatted lending domain with one extra letter was registered as a Salesforce Marketing Cloud sending identity. |
| The Email That Passed Every Security Check (Because Adobe Sent It) | A phishing campaign targeting school district staff used Adobe's own sending infrastructure, real DKIM signatures. |
| The Subdomain That Fused Two Trusted Brands Into One Convincing Lie | Attackers fused two real brand names into a single subdomain, routed the message through Zix infrastructure to inherit enterprise authentication. |
| Every Link Said U.S. Bank. Every Link Went Through Brevo. | A U.S. |