The email read like normal enrollment correspondence. The body was professionally written in Vietnamese, with references to student application files, questions about missing documents and conditional offers, a signature block consistent with an educational institution. The sending domain authenticated correctly: SPF passed, DKIM passed, composite authentication returned pass across all checks.
Inside that routine-looking message was a link to a study-abroad domain that automated scanning flagged malicious. Attached were a spreadsheet listing student applicants and screenshots showing uploaded identification documents. The combination of authenticated sender, impersonation of legitimate admissions workflow, and real student data as attached lure is more dangerous than any single element alone.
Why This Lure Works So Well on Staff
These administrators process hundreds of legitimate messages about international student placements. Application status, missing documents, conditional offers, follow-up requirements from receiving institutions -- all of it is routine, expected, and time-sensitive. The social engineering in this campaign is calibrated to that operational context.
The message body contained no direct credential request, no payment instruction, and no urgent financial language. Themis flagged the sender risk as high based on the external origin combined with the malicious link, but the body text itself would pass a casual content review. The lure relies on operational trust -- recipients who manage overseas placement programs are conditioned to process exactly this type of correspondence without elevated suspicion.
The sending domain is a Vietnamese education organization with authenticated mail infrastructure: its domain signs DKIM and passes SPF through a Vietnamese commercial email relay. No DMARC record was published, which removes enforcement but does not itself indicate compromise. Whether the account was compromised or the sender was complicit in the campaign, the authenticated origin gave every receiving gateway a clean pass signal.
MITRE ATT&CK T1566.001 covers spearphishing links. T1656 (impersonation) captures the use of an education institution's identity and correspondence format to lower recipient suspicion. T1589.002 (gather victim identity information: email addresses) applies to the broader campaign pattern where recipient engagement validates active mailboxes for further targeting.
The Malicious Domain in the Admissions Thread
Embedded in the body was a link pointing to a Vietnamese-language study-abroad domain: hxxp://duhocphilippines[.]vn/. Automated analysis could not retrieve content from this domain. DNS resolved but the HTTP endpoint returned no content; no PTR reverse record existed for the hosting IP; no DMARC, DKIM, or MX infrastructure was found. The domain name matched the overseas-study theme of the email body precisely.
This combination -- scam-themed domain name, no live infrastructure, no reverse record -- produced a malicious verdict and a block recommendation. A second study-abroad domain appeared in the message (defanged: hxxp://duhocsingapore[.]vn/) but the analysis pipeline did not return a full scan result for it; treat it as untrusted until independently verified.
Neither domain was presented with an explicit call to action in the text. Links embedded within professional administrative correspondence do not require overt urgency to generate clicks. Enrollment staff following up on a student placement inquiry are likely to access every linked resource in the message as part of normal workflow.
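The infrastructure signals described above (DNS resolves, HTTP serves nothing, no PTR, no MX or DMARC, domain name matches the lure theme) can be turned into a repeatable triage step. The following is an added example for this writeup, not IRONSCALES' or the analysis pipeline's own logic: it refangs a defanged indicator for lookup, scores a domain from pre-collected probe results, and reports the second, unscanned domain as untrusted rather than silently scoring it. The `DomainProbe` values, the theme keyword list and the score weights are assumptions constructed for the example; a real deployment would fill the probe from live DNS and HTTP lookups.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp://host[.]tld) back into a plain URL for lookups."""
    return (indicator.replace("hxxps://", "https://")
                     .replace("hxxp://", "http://")
                     .replace("[.]", "."))


def defang(indicator: str) -> str:
    """Defang a URL or hostname so it is not clickable in a report."""
    return (indicator.replace("https://", "hxxps://")
                     .replace("http://", "hxxp://")
                     .replace(".", "[.]"))


def hostname(url: str) -> str:
    """Extract the hostname from a URL; a bare hostname passes through unchanged."""
    m = re.match(r"^[a-zA-Z]+://([^/:?#]+)", url)
    return m.group(1) if m else url


@dataclass
class DomainProbe:
    """Lookup results for one domain. Values are constructed for the example, not live data."""
    host: str
    scanned: bool = True                 # False when the pipeline returned no result
    a_records: List[str] = field(default_factory=list)
    ptr_records: List[str] = field(default_factory=list)
    mx_records: List[str] = field(default_factory=list)
    dmarc_record: Optional[str] = None
    http_status: Optional[int] = None    # None means no HTTP response at all
    http_body_bytes: int = 0


# Hypothetical theme keywords; "duhoc" is Vietnamese for "study abroad".
THEME_KEYWORDS = ("duhoc", "studyabroad", "study-abroad")


def assess_domain(probe: DomainProbe) -> dict:
    """Score a linked domain on the infrastructure signals the writeup describes."""
    host = probe.host.lower()
    if not probe.scanned:
        return {"host": defang(host), "scanned": False, "score": None,
                "verdict": "untrusted", "recommendation": "hold until independently scanned",
                "findings": ["no scan result returned by the pipeline"]}

    findings, score = [], 0
    if probe.a_records and not probe.ptr_records:
        findings.append("resolves but hosting IP has no PTR record"); score += 1
    if not probe.mx_records:
        findings.append("no MX records (domain is not built to receive mail)"); score += 1
    if probe.dmarc_record is None:
        findings.append("no DMARC record published"); score += 1
    if probe.a_records and (probe.http_status is None or probe.http_body_bytes == 0):
        findings.append("DNS resolves but HTTP endpoint serves no content"); score += 2
    if any(k in host for k in THEME_KEYWORDS):
        findings.append("domain name matches the email's overseas-study theme"); score += 1

    # Assumed thresholds: dead-but-resolving plus two more signals is enough to block.
    if score >= 4:
        verdict, recommendation = "malicious", "block"
    elif score >= 2:
        verdict, recommendation = "suspicious", "review"
    else:
        verdict, recommendation = "no finding", "allow"
    return {"host": defang(host), "scanned": True, "score": score,
            "verdict": verdict, "recommendation": recommendation, "findings": findings}


if __name__ == "__main__":
    # Constructed probe: resolves, answers nothing over HTTP, no PTR/MX/DMARC.
    flagged = DomainProbe(host=hostname(refang("hxxp://duhocphilippines[.]vn/")),
                          a_records=["203.0.113.10"])
    print(assess_domain(flagged))
    print(assess_domain(DomainProbe(host="duhocsingapore.vn", scanned=False)))
```

Keeping the scoring separate from the lookups means the same function can be replayed over a saved probe when re-checking an IoC table months later, without touching the domain again.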
Student Records as Payload Amplifier
The attached spreadsheet carried a filename referencing a named student follow-up list for a specific academic program. The incident scanner returned a clean verdict for the file -- no macros, no VBA, no active content detected. The images attached to the message, including a screenshot, showed upload UI fields and identity-document filenames consistent with a student application system.
The PII exposure risk here is not from a malicious macro. It is from the attachment's content. A spreadsheet listing student applicants by name and status, combined with screenshots showing uploaded identification, is a high-value data asset if exfiltrated or used to craft targeted follow-up social engineering. This is why the student data from this case has been fully anonymized in this writeup: no names, file contents, institution names from the spreadsheet, or passport details from any screenshot appear anywhere in this post.
For organizations that manage international student placements, this case illustrates a specific risk class: phishing lures that carry real institutional data as content, not just as pretext. The data in the attachment was not fabricated. It was part of the operational environment of the target organization -- which means the sender had prior access to it, whether through compromise or insider involvement.
Authentication Does Not Equal Safety
The relay chain traversed Vietnamese commercial mail infrastructure into Microsoft's inbound protection layer, with DKIM signing for the education domain at every hop. Authentication results were consistent and clean. No authentication failure contributed to the detection of this message as malicious.
IRONSCALES flagged the combination: authenticated first-time external sender at elevated risk, malicious-verdict link inside a professionally composed body, and student PII in the attached documents. No single element would have triggered a block in isolation. The converging signals -- sender risk, link verdict, attachment content classification -- produced the phishing determination.
The structural lesson for email security teams is that authentication coverage and content-risk coverage are separate control planes. A message can fully pass SPF, DKIM, and composite authentication and simultaneously carry a flagged-malicious link inside body text that reads like legitimate operational correspondence.
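To make the two control planes concrete, here is an added example (not IRONSCALES' or Themis' detection logic) that parses an `Authentication-Results` header and then combines the result with the content-risk signals named above: first-time external sender, link verdicts, and an attachment classified as containing personal data. The header text, the `sender.example` domain and the score weights are constructed for the example. The weights are chosen so that, as in the incident, no single signal quarantines on its own while the converging set does, and a clean authentication result never subtracts from content risk.

```python
import re
from typing import Dict, List, Optional

# Constructed Authentication-Results header in the style a Microsoft 365 gateway stamps.
# sender.example is a placeholder, not the incident's domain.
SAMPLE_AUTH_RESULTS = (
    "spf=pass (sender IP is 203.0.113.25) smtp.mailfrom=sender.example; "
    "dkim=pass (signature was verified) header.d=sender.example; "
    "dmarc=none action=none header.from=sender.example; "
    "compauth=pass reason=109"
)


def parse_authentication_results(header: str) -> Dict[str, str]:
    """Map each mechanism (spf, dkim, dmarc, compauth) to its result token."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"\b(spf|dkim|dmarc|compauth)=([a-z]+)", header)}


def dkim_signing_domain(header: str) -> Optional[str]:
    """Return the header.d= value, i.e. the domain whose DKIM key signed the message."""
    m = re.search(r"header\.d=([^\s;]+)", header)
    return m.group(1) if m else None


def fully_authenticated(auth: Dict[str, str]) -> bool:
    """SPF, DKIM and composite authentication all passed."""
    return all(auth.get(k) == "pass" for k in ("spf", "dkim", "compauth"))


def classify_message(auth: Dict[str, str], first_time_external: bool,
                     link_verdicts: List[str], attachment_has_pii: bool) -> dict:
    """Combine the authentication plane with the content-risk plane. Assumed weights."""
    score, reasons = 0, []
    if not fully_authenticated(auth):
        score += 2; reasons.append("authentication failed or incomplete")
    if auth.get("dmarc") in (None, "none"):
        # Informational only: no DMARC means the pass is not enforced, not that it is forged.
        reasons.append("no DMARC policy: authentication pass is not enforced")
    if first_time_external:
        score += 2; reasons.append("first-time external sender")
    if "malicious" in link_verdicts:
        score += 3; reasons.append("body contains a link with a malicious verdict")
    if "unscanned" in link_verdicts:
        score += 1; reasons.append("body contains a link with no scan result")
    if attachment_has_pii:
        score += 2; reasons.append("attachment classified as containing personal data")

    if score >= 5:
        action = "quarantine"
    elif score >= 2:
        action = "review"
    else:
        action = "deliver"
    return {"score": score, "action": action,
            "authenticated": fully_authenticated(auth), "reasons": reasons}


if __name__ == "__main__":
    auth = parse_authentication_results(SAMPLE_AUTH_RESULTS)
    print("DKIM d=", dkim_signing_domain(SAMPLE_AUTH_RESULTS))
    # Same shape as the incident: clean auth, first-time sender, one malicious and one
    # unscanned link, attachment carrying student PII.
    print(classify_message(auth, True, ["malicious", "unscanned"], True))
```

The `authenticated` flag is carried in the output rather than folded into the score on purpose: it is useful for the analyst reading the verdict (it narrows the explanation to account compromise or a complicit sender) but it is not evidence that the content is safe.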
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| URL | hxxp://duhocphilippines[.]vn/ | Flagged malicious; unreachable; no PTR/MX/DMARC infrastructure; overseas-study scam theme |
| URL (unscanned) | hxxp://duhocsingapore[.]vn/ | Present in message body; not fully scanned; treat as untrusted |
| Sender domain | Vietnamese education domain (authenticated), name withheld | SPF pass; DKIM pass (d=eduzone[.]vn); composite auth pass; no DMARC published; possible compromise |
| Attachment | Student applicant spreadsheet (Excel format, ~10 KB) | Scanner verdict clean; contains real student PII; treat as quarantined until independently re-scanned |
| Images | Screenshots showing student identification upload UI | Contains identity-document filenames and upload form fields; high PII sensitivity |