TL;DR An insurance-technology firm received a personalized ServiceNow password-reset email that passed full DMARC authentication because it originated from the legitimate service-now.com sending infrastructure. The attacker's edge: anyone can provision a branded ServiceNow tenant on that same trusted domain. The credential-entry flow was real. The tenant ownership was unverifiable. Detection required behavioral analysis, not authentication checks.
Severity: High | Tags: Credential Harvesting, SaaS Platform Abuse, Social Engineering | MITRE ATT&CK: T1566.002, T1078.004, T1656

The email arrived with the subject line "IMPORTANT : CTI Service Now Portal Password Set up Instructions," addressed the recipient by name, and carried the logo of the insurance-technology company the recipient worked for. It looked exactly like a genuine ServiceNow password-setup email because, at the transport level, it was one: it was generated and sent by ServiceNow's own infrastructure.

SPF: pass. DKIM: pass. DMARC: pass. The sending IP, 148.139.2.2, belongs to outbound35[.]service-now[.]com. The DKIM signature validates against service-now.com, and DMARC passes because that signing domain aligns with the visible From domain, which is all DMARC ever checks. The Received chain runs from an internal ServiceNow application server in London, through ServiceNow's outbound relay, to Microsoft's mail protection layer, and finally into the recipient's inbox. There is a genuine X-ServiceNow-Source header stamped by ServiceNow itself. No gateway rule keyed on authentication results would flag this.

The single call to action: click to set your password via a URL on the ctinsuretech.service-now.com subdomain.

The Architecture That Made This Invisible to Filters

ServiceNow operates on a multi-tenant model. Every customer tenant lives on a subdomain of service-now.com. When ServiceNow's notification engine sends email on behalf of a tenant, it uses service-now.com's authenticated sending infrastructure, which means every piece of email those tenants generate inherits the platform's DMARC pass. That pass belongs to the platform domain, not to the tenant: it proves the message left ServiceNow's relays and says nothing about who controls the instance that generated it.

Attackers have learned to exploit this architecture. They provision a tenant. They name it something plausible, in this case something that echoes insurance-technology branding. They configure a notification that looks like a legitimate password-setup workflow, addressed to a real target by name. Then they pull the trigger, and the email travels through ServiceNow's own servers, authenticated, branded, and indistinguishable from a genuine tenant notification to any system evaluating headers alone.

The credential-capture flow at hxxps://ctinsuretech[.]service-now[.]com/$pwd_reset[.]do?sysparm_url=ss_default is a classic harvest: enter your email, verify your identity, create a new password. The page is served from a legitimate ServiceNow instance, with a valid certificate, under a trusted domain. IRONSCALES could not independently verify that the tenant "ctinsuretech" belongs to any actual insurance-technology firm. It may be attacker-created. It may be compromised. From the recipient's position, there is no way to tell.

This is credential harvesting engineered for the era of SaaS-everywhere environments, where the trusted platform's brand does more to establish legitimacy than any forged sender address ever could.

What the Recipient Saw

The email included a clean 94KB PNG banner. The text addressed the recipient by name. The urgency was calibrated, "IMPORTANT" in the subject, but not alarming. The List-Unsubscribe header pointed back to the ctinsuretech tenant, adding another layer of verisimilitude. The email hit four mailboxes at the organization, including a senior staff accountant and their manager, a sign of targeted delivery rather than spray-and-pray.


The Verizon DBIR 2026 puts phishing as the initial access vector in 16% of breaches, but cases like this one show why that number undersells the category. When phishing can arrive with a perfect authentication record from a globally recognized SaaS platform, the share of email threats that authentication-based scanning can catch shrinks considerably. The Microsoft Digital Defense Report 2024 documents the parallel pattern in legitimate cloud service abuse, where attackers route attacks through trusted platforms specifically to defeat perimeter defenses.

The Attacker's Structural Advantage

MITRE ATT&CK maps this across three techniques. T1566.002 (Phishing: Spearphishing Link) covers the link delivery. T1078.004 (Valid Accounts: Cloud Accounts) covers operating from a legitimately provisioned cloud account; here the attacker's own ServiceNow tenant plays that role, standing in for infrastructure they would otherwise have to build. T1656 (Impersonation) covers the deliberate construction of an email that mimics a genuine organizational service request. Teams that track acquired rather than compromised tenants separately may also record T1583.006 (Acquire Infrastructure: Web Services).

The combination is particularly efficient because it requires no domain registration with a lookalike name, no compromised sending account, no custom infrastructure to spin up and manage. The attacker gets all of ServiceNow's trust signals for the cost of a tenant subscription.

The IBM Cost of a Data Breach 2024 puts the average breach cost at $4.88 million. Credential theft is consistently the highest-frequency initial access pathway. Attacks like this one are among the reasons why: they achieve high-quality credential access with minimal operational overhead, through channels defenders have trained their users to trust.

Where Behavioral Detection Changes the Equation

IRONSCALES flagged this email not by finding a failed authentication check, because there was none, but by evaluating what authentication cannot measure. The tenant had never contacted this organization before. The request was unsolicited: no prior interaction, no established relationship, no plausible reason for the recipient to be activating a ServiceNow portal account on this day. The credential-entry flow was contextually anomalous. The tenant identity was unverifiable.

That is the detection gap that the IRONSCALES AI platform is built to close. Adaptive AI reads the relationship context, the sending history, the behavioral baseline, and the request semantics in parallel. A password-reset from a first-contact tenant on an authenticated platform is not a technical violation. It is a behavioral one. Themis, the platform's agentic AI analyst, identified the VIP recipient signal and surfaced the case for review. The email was flagged before credentials were entered.

What Defenders Should Watch For

The CISA phishing guidance at https://www.cisa.gov/secure-our-world/recognize-and-report-phishing emphasizes skepticism about unsolicited credential requests regardless of apparent sender legitimacy. That advice is more important than ever when the sender's legitimacy is real but the tenant behind it is not.

Defenders running SEG-based environments should treat an authentication pass as a necessary condition for delivery, not as evidence of legitimacy. SaaS-tenant attacks satisfy every gateway check by design. The NIST phishing definition centers on deceptive communication, and an unverifiable tenant sending a credential-entry flow qualifies regardless of its DMARC alignment.

Security teams evaluating credential harvesting protection capabilities should explicitly test against SaaS-tenant delivery patterns. A tool that relies on authentication signals alone will score this attack as clean.
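The behavioral check described in this section and in the header analysis above, as an added example rather than IRONSCALES' or ServiceNow's code: parse the message, confirm the SPF/DKIM/DMARC pass that defeats gateway rules, identify the platform tenant behind the links, and flag a credential-entry flow from a tenant that has never contacted the organization. The sample headers, the From address format, the tenant-history dictionary and any endpoint beyond $pwd_reset.do are assumptions modelled on the post's description.

```python
"""Behavioral triage for authenticated SaaS-tenant phishing (added example, not IRONSCALES code).
Authentication is confirmed first, then the questions it cannot answer are asked: which platform
tenant generated the mail, has it contacted us before, and does the link lead to a credential flow.
Tenant history, the From address format and SAMPLE_EMAIL are assumptions modelled on the post."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

SAAS_PLATFORMS = {"service-now.com"}          # platforms whose tenants share one sending domain
CREDENTIAL_PATH_MARKERS = ("$pwd_reset.do",)  # endpoint from the post; extend with your own observations

# Constructed sample modelled on the headers described in the post, not the captured message.
SAMPLE_EMAIL = """\
Received: from outbound35.service-now.com (148.139.2.2) by mx.example.com
Received: from app131189.lhr201.service-now.com by outbound35.service-now.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=service-now.com;
 dkim=pass header.d=service-now.com; dmarc=pass header.from=service-now.com
From: CTI Service Now <ctinsuretech@service-now.com>
To: accountant@example.com
Subject: IMPORTANT : CTI Service Now Portal Password Set up Instructions
List-Unsubscribe: <https://ctinsuretech.service-now.com/unsubscribe.do>
Content-Type: text/plain; charset=utf-8

Hello,

Click to set your password:
https://ctinsuretech.service-now.com/$pwd_reset.do?sysparm_url=ss_default
"""


def auth_results(msg: Message) -> dict:
    """spf/dkim/dmarc verdicts pulled from every Authentication-Results header."""
    joined = " ".join(msg.get_all("Authentication-Results", []))
    verdicts = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", joined)
        verdicts[mech] = m.group(1).lower() if m else "none"
    return verdicts


def header_from_domain(msg: Message) -> str:
    """Domain of the visible From address, the one DMARC alignment is judged against."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def relay_hosts(msg: Message) -> list:
    """Hostnames in 'Received: from <host>' clauses, outermost hop first."""
    return [m.group(1).lower() for h in msg.get_all("Received", [])
            if (m := re.match(r"\s*from\s+([A-Za-z0-9.-]+)", h))]


def body_text(msg: Message) -> str:
    """All text/plain parts, decoded; walk() yields the message itself when it is not multipart."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def platform_tenants(msg: Message) -> dict:
    """tenant -> set of URLs, for every link (body and List-Unsubscribe) under a known platform domain."""
    text = "\n".join(msg.get_all("List-Unsubscribe", [])) + "\n" + body_text(msg)
    found = {}
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        host = (urlparse(url).hostname or "").lower()
        for platform in SAAS_PLATFORMS:
            if host.endswith("." + platform):
                found.setdefault(host[: -len(platform) - 1], set()).add(url)
    return found


def assess(raw_email: str, tenant_history: dict) -> dict:
    """tenant_history maps tenant -> prior message count, assumed to come from your own mail logs."""
    msg = message_from_string(raw_email)
    auth = auth_results(msg)
    platform = header_from_domain(msg)
    tenants = platform_tenants(msg)
    result = {"auth": auth, "tenants": sorted(tenants), "first_contact_tenants": [],
              "credential_urls": [], "reasons": []}
    via_platform = platform in SAAS_PLATFORMS and any(
        h == platform or h.endswith("." + platform) for h in relay_hosts(msg))
    if not (all(v == "pass" for v in auth.values()) and via_platform):
        result["verdict"] = "not-applicable"  # ordinary authentication-based rules handle this case
        return result
    result["reasons"].append(f"fully authenticated mail relayed by shared platform domain {platform}")
    result["first_contact_tenants"] = [t for t in sorted(tenants) if tenant_history.get(t, 0) == 0]
    result["credential_urls"] = sorted(
        u for urls in tenants.values() for u in urls
        if any(marker in urlparse(u).path for marker in CREDENTIAL_PATH_MARKERS))
    if result["first_contact_tenants"]:
        result["reasons"].append("no prior contact from tenant(s): " + ", ".join(result["first_contact_tenants"]))
    if result["credential_urls"]:
        result["reasons"].append("link leads to a credential-entry flow")
    if result["first_contact_tenants"] and result["credential_urls"]:
        result["verdict"] = "flag"    # the behavioral violation: first-contact tenant plus credential prompt
    elif result["credential_urls"]:
        result["verdict"] = "review"  # known tenant, but an unsolicited credential prompt still merits a look
    else:
        result["verdict"] = "allow"
    return result


if __name__ == "__main__":
    print(assess(SAMPLE_EMAIL, {})["verdict"], assess(SAMPLE_EMAIL, {"ctinsuretech": 250})["verdict"])
```

The same message scores "flag" against an empty tenant history and only "review" once the tenant has a track record, which is the distinction authentication results alone cannot draw. Anything that fails authentication or does not arrive through the platform's relays is returned as "not-applicable" so that existing gateway rules keep handling it.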

Defanged IOC Table

Type              | Indicator                                                                        | Context
URL               | hxxps://ctinsuretech[.]service-now[.]com/$pwd_reset[.]do?sysparm_url=ss_default | Password-reset credential capture flow
Sending IP        | 148[.]139[.]2[.]2                                                                | ServiceNow outbound35 relay (legitimate platform infrastructure)
Sending host      | outbound35[.]service-now[.]com                                                   | ServiceNow authenticated outbound relay
Tenant identifier | ctinsuretech                                                                     | Unverified ServiceNow tenant, may be attacker-controlled
App server        | app131189[.]lhr201[.]service-now[.]com                                           | ServiceNow London application server (internal hop)

Block or alert on the tenant, not the relay: the sending IP, outbound host and application server are shared by every ServiceNow customer.

The FBI IC3 2024 Annual Report (https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf) tallied over $16 billion in reported cybercrime losses last year. Credential theft is the thread that runs through most of the high-value categories: BEC, investment fraud, ransomware. Cases like this one illustrate why those losses are hard to stop at the perimeter. When the perimeter's primary defense mechanism, email authentication, is what the attacker uses as cover, the only effective countermeasure is a layer that understands behavior, not just headers.

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
