Every authentication check passed: SPF, DKIM, DMARC, and Microsoft's composite authentication (compauth=pass, reason=100). The message arrived through a legitimate email service provider, carried valid cryptographic signatures, and landed from an authorized IP. And its entire purpose was to figure out who would open it.
We flagged an email targeting a VIP recipient at a cybersecurity company. The subject line read "Small Business Phone System Buyer's Guide." The body was a polished Yeastar-branded promotional page with download buttons, benefit callouts, and a physical mailing address in the footer. Nothing about it screamed phishing. But every single link in the message carried opaque tracking parameters designed to confirm that the recipient's mailbox was active, monitored, and engaged.
This was not a credential harvest. It was not malware delivery. It was list validation reconnaissance: the quiet first step that makes every subsequent attack more effective.
The sender domain, voip-prices[.]com, was registered through GoDaddy in November 2021 and has been active for over four years. The email was sent via SMTP.com (a commercial ESP) from IP 192[.]40[.]172[.]153, which is an authorized sender for the domain. Dual DKIM signatures covered both voip-prices[.]com and smtpmessage[.]com. DMARC alignment passed with action=none.
From an authentication standpoint, this email was indistinguishable from legitimate marketing. That is exactly the point.
Threat actors increasingly use legitimate ESPs as delivery vehicles because those platforms have established sender reputations, valid DNS records, and sophisticated deliverability infrastructure. According to the Verizon 2024 DBIR, pretexting (which includes reconnaissance-stage social engineering) accounted for over 40% of breach-related social actions. The initial recon email that validates a target list often looks exactly like this one.
The real payload was not on the landing page. It was in the URLs themselves.
Every link in the email body contained three tracking parameters:
- contactId=23964828, a numeric recipient identifier
- shost=j60V6gqWLDFOj+eVoDbkXA==, a Base64-encoded value the sender presumably maps to a host fingerprint; it decodes to 16 bytes of binary, not readable text
- slink=hhREE+pL1xpe4E0ysq28Tg==, a Base64-encoded link identifier of the same form

These parameters serve one function: confirming that a specific recipient interacted with the message. The contactId ties the click to a known record in the sender's database. The shost and slink values add a second, opaque layer of identification: security tools cannot interpret or correlate them without the sender's lookup table, and they still identify the recipient if contactId is rewritten or removed.
The CTA links routed through track.smtpmessage[.]com via HTTP 302 redirects before landing on voip-prices[.]com. This redirect chain means the tracking infrastructure captures the click event at the ESP layer before the recipient ever reaches the destination. Even if the landing page itself is clean (and in this case, it was), the tracking hop has already confirmed the mailbox is live.
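The audit a practitioner would want to run over these links, as an added example (not code from the original post or from any vendor): it extracts the href targets from an HTML body, parses each query string without mangling the "+" characters that raw Base64 values rely on, and flags the three patterns the campaign used: numeric recipient IDs, opaque Base64 blobs that decode to binary rather than text, and redirect hops through a host outside the landing domain, with cleartext http hops called out separately. The sample body is constructed for this example; the parameter names and the contactId/shost/slink values are the ones quoted above, while the p= token on the redirect hop is a placeholder, not the real value.

```python
"""Audit of tracking parameters in inbound email links (added example)."""
import base64
import binascii
import re
from urllib.parse import unquote, urlparse

HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Constructed sample body. Parameter names and the contactId/shost/slink
# values match the analysed message; PLACEHOLDER-TOKEN stands in for the
# redirect hop's real p= value, which is not reproduced here.
SAMPLE_BODY = """
<a href="hxxp://track.smtpmessage[.]com/9105819/c?p=PLACEHOLDER-TOKEN">Download the guide</a>
<a href="hxxps://www.voip-prices[.]com/s/?contactId=23964828&shost=j60V6gqWLDFOj+eVoDbkXA==&slink=hhREE+pL1xpe4E0ysq28Tg==">Learn more</a>
<a href="hxxps://www.voip-prices[.]com/contact">Contact us</a>
"""

def refang(url: str) -> str:
    """Turn defanged IOC notation (hxxp, [.]) back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")

def parse_query(query: str) -> dict[str, str]:
    """Split a query string by hand: parse_qs would turn '+' into a space,
    which corrupts raw Base64 tracking values such as shost and slink."""
    params = {}
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            params[unquote(key)] = unquote(value)
    return params

def classify_value(value: str) -> str:
    """Label a query value as numeric-id, opaque-b64 or plain."""
    if value.isdigit():
        return "numeric-id"
    if B64_RE.fullmatch(value):
        try:
            raw = base64.b64decode(value, validate=True)
        except binascii.Error:
            return "plain"
        # Readable text decodes to printable ASCII; an encrypted or hashed
        # identifier (16 bytes for shost/slink) does not.
        if not all(32 <= b < 127 for b in raw):
            return "opaque-b64"
    return "plain"

def audit_links(html: str, landing_domain: str) -> list[dict]:
    """Return one finding per href with the tracking signals set."""
    findings = []
    for href in HREF_RE.findall(html):
        u = urlparse(refang(href))
        host = u.hostname or ""
        params = {k: classify_value(v) for k, v in parse_query(u.query).items()}
        in_landing = host == landing_domain or host.endswith("." + landing_domain)
        redirect_hop = not in_landing
        tracking = any(label != "plain" for label in params.values())
        findings.append({
            "url": href,
            "host": host,
            "params": params,
            "tracking": tracking,
            "redirect_hop": redirect_hop,
            "cleartext_hop": redirect_hop and u.scheme == "http",
            "suspicious": tracking or redirect_hop,
        })
    return findings

if __name__ == "__main__":
    for f in audit_links(SAMPLE_BODY, "voip-prices.com"):
        flags = [k for k in ("tracking", "redirect_hop", "cleartext_hop") if f[k]]
        print(f"{f['host']:<26} {f['params']} {flags}")
```

On the sample body the ESP hop is reported as a cleartext redirect, the /s/ link as carrying one numeric and two opaque identifiers, and the plain /contact link as clean. The printable-bytes test is deliberately strict: a value that decodes to readable text is left alone so that ordinary Base64-encoded strings in marketing links do not trip the check.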
This maps to MITRE ATT&CK T1598 (Phishing for Information) and T1589.002 (Gather Victim Identity Information: Email Addresses). The goal is intelligence collection, not immediate exploitation.
Despite full authentication, Microsoft 365 assigned this message SCL=5 (Spam Confidence Level) and a BCL of 8 (Bulk Complaint Level, on a 0-9 scale). The mailbox action was quarantine.
BCL=8 means the sender has a documented pattern of generating spam complaints. The Microsoft Digital Defense Report 2024 emphasizes that authentication alone cannot distinguish wanted from unwanted mail. Reputation signals like BCL exist precisely for cases where a sender is technically authorized but behaviorally problematic.
The X-Forefront-Antispam-Report header confirmed the category as SPM (spam) and carried IPV:NLI for the sending IP, meaning the address was not found on any of Microsoft's IP reputation lists: despite the ESP relationship, Microsoft had no prior positive reputation for it.
The Adaptive AI within our platform identified additional risk signals: the community had flagged similar messages as phishing with high confidence, and the sender was classified as high-risk based on cross-tenant behavioral analysis across 17,000+ customer environments. Themis rated the threat at 90% confidence. The combination of authenticated-but-untrusted infrastructure, opaque recipient fingerprinting, and community-corroborated sender patterns triggered automatic resolution.
This is what makes list validation attacks insidious. The email itself does nothing harmful. The landing page is a real marketing site with a real download form. If you evaluated this message in isolation, you might call it aggressive marketing.
But the FBI IC3 2024 Report documents that BEC and phishing losses exceeded $2.9 billion in 2023. Those attacks do not start with the wire transfer request. They start with emails exactly like this one, emails that confirm which addresses are live, which recipients click, and which organizations have security controls that let authenticated mail through unchecked.
The validated list becomes a targeting asset. Recipients who clicked get a spear-phishing attempt tailored to the content they engaged with. Recipients who opened but did not click get a different follow-up with higher urgency. Recipients who did neither get dropped from the list, saving the attacker resources. According to CISA's phishing guidance, reconnaissance is the most overlooked phase of the phishing kill chain because it produces no immediate visible damage.
The IBM Cost of a Data Breach Report 2023 found that organizations making extensive use of security AI and automation identified and contained breaches 108 days faster than those without. That speed gap matters most at the reconnaissance stage, where catching the validation probe prevents the exploitation attempt entirely. SEGs miss an average of 67.5 phishing emails per 100 mailboxes per month across the 1,921 organizations we have analyzed. When the recon email is the one that slips through, the targeted follow-up is already informed by what your users did.
Authenticated reconnaissance emails challenge every policy that trusts "DMARC pass" as a safety signal. Here is what to watch for.
Audit tracking parameters in inbound links. Numeric contactId-style fields, Base64 values that decode to binary rather than text, and multi-hop redirect chains through ESP tracking hosts are hallmarks of list validation. Your mail gateway already logs these URLs; use them.
Treat BCL as a leading indicator. A BCL of 7+ combined with first-time sender signals (NLI IP reputation) is a pattern worth escalating even when SPF/DKIM/DMARC are clean.
Correlate opens and clicks across your tenant. If the same sender fingerprint (in this case, SMTP.com Sender ID 9105819) hits multiple mailboxes with identical tracking structures, you are looking at a bulk validation campaign. Cross-mailbox behavioral analysis catches what per-message inspection misses.
Block or sandbox HTTP redirect hops. The tracking URLs in this campaign used hxxp:// (not HTTPS) for the initial redirect through track.smtpmessage[.]com. That cleartext hop is both a privacy risk and a detection opportunity.
Report, do not ignore. Quarantined reconnaissance emails are intelligence. Reporting them feeds community threat models and helps catch the follow-on campaign before it launches.
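The header triage behind "treat BCL as a leading indicator" and the cross-mailbox correlation behind "correlate opens and clicks across your tenant", as one added example that is not code from the original post or from any vendor. It parses the Microsoft 365 anti-spam headers (X-Forefront-Antispam-Report for SCL, IPV and CAT; X-Microsoft-Antispam for BCL), the Authentication-Results line and the ESP's X-SMTPCOM-Sender-ID, applies the escalation rule from above (BCL 7+ on an NLI IP is escalated even when SPF/DKIM/DMARC pass), and then groups messages by ESP sender ID plus tracking-parameter layout so a bulk validation campaign shows up as one key hitting several recipients. The three messages are constructed: the first header block echoes the values quoted in the analysis, the recipient addresses, the second contactId and the newsletter sender are made up.

```python
"""Header triage and cross-mailbox correlation for authenticated bulk mail
(added example)."""
import re
from collections import defaultdict
from email import message_from_string
from urllib.parse import urlparse

# Constructed header block; SCL, BCL, IPV, CAT, sender ID and the
# Authentication-Results verdicts are the ones quoted in the analysis.
ESP_HEADERS = """\
Authentication-Results: spf=pass (sender IP is 192.40.172.153) smtp.mailfrom=voip-prices.com; dkim=pass (signature was verified) header.d=voip-prices.com;dmarc=pass action=none header.from=voip-prices.com;compauth=pass reason=100
X-Forefront-Antispam-Report: CIP:192.40.172.153;CTRY:US;SCL:5;IPV:NLI;SFV:SPM;CAT:SPM;DIR:INB;
X-Microsoft-Antispam: BCL:8;
X-SMTPCOM-Sender-ID: 9105819
Feedback-ID: 9105819:SMTPCOM
From: info@voip-prices.com
Subject: Small Business Phone System Buyer's Guide

"""
# Constructed control message: a clean newsletter from a documentation-range IP.
PLAIN_HEADERS = """\
Authentication-Results: spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org;dmarc=pass action=none header.from=example.org;compauth=pass reason=100
X-Forefront-Antispam-Report: CIP:203.0.113.5;CTRY:US;SCL:1;IPV:NLI;CAT:NONE;DIR:INB;
X-Microsoft-Antispam: BCL:0;
From: newsletter@example.org

"""
TRACKED = ("hxxps://www.voip-prices[.]com/s/?contactId={cid}"
           "&shost=j60V6gqWLDFOj+eVoDbkXA==&slink=hhREE+pL1xpe4E0ysq28Tg==")
# (recipient, raw headers, links seen in the body); recipients and the
# second contactId are made up for the example.
MESSAGES = [
    ("vip@example.com", ESP_HEADERS, [TRACKED.format(cid="23964828")]),
    ("cfo@example.com", ESP_HEADERS, [TRACKED.format(cid="00000001")]),
    ("ops@example.com", PLAIN_HEADERS, ["hxxps://www.example[.]org/news?utm_source=newsletter"]),
]

def kv_header(value: str) -> dict[str, str]:
    """Parse the 'KEY:value;KEY:value;' layout of Microsoft's anti-spam headers."""
    out = {}
    for field in value.split(";"):
        key, sep, val = field.partition(":")
        if sep:
            out[key.strip()] = val.strip()
    return out

def auth_results(value: str) -> dict[str, str]:
    """Pull the spf/dkim/dmarc/compauth verdicts out of Authentication-Results."""
    return dict(re.findall(r"\b(spf|dkim|dmarc|compauth)=(\w+)", value))

def triage(raw_message: str) -> dict:
    """Per-message verdict: authentication state plus the BCL/NLI escalation rule."""
    msg = message_from_string(raw_message)
    forefront = kv_header(msg.get("X-Forefront-Antispam-Report", ""))
    microsoft = kv_header(msg.get("X-Microsoft-Antispam", ""))
    auth = auth_results(msg.get("Authentication-Results", ""))
    bcl = int(microsoft.get("BCL", "-1"))
    return {
        "sender_id": msg.get("X-SMTPCOM-Sender-ID"),
        "scl": int(forefront.get("SCL", "-1")),
        "bcl": bcl,
        "ipv": forefront.get("IPV"),
        "category": forefront.get("CAT"),
        "auth_clean": all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")),
        # High bulk-complaint level from an IP with no reputation history is
        # escalated regardless of how clean the authentication results look.
        "escalate": bcl >= 7 and forefront.get("IPV") == "NLI",
    }

def param_layout(urls) -> tuple:
    """Sorted, de-duplicated query parameter names across a message's links."""
    keys = set()
    for url in urls:
        query = urlparse(url.replace("hxxp", "http").replace("[.]", ".")).query
        keys.update(part.partition("=")[0] for part in query.split("&") if part)
    return tuple(sorted(keys))

def correlate(messages) -> dict:
    """Group by (ESP sender ID, parameter layout) -> sorted distinct recipients."""
    groups = defaultdict(set)
    for recipient, raw, urls in messages:
        groups[(triage(raw)["sender_id"], param_layout(urls))].add(recipient)
    return {key: sorted(members) for key, members in groups.items()}

if __name__ == "__main__":
    for recipient, raw, _ in MESSAGES:
        print(recipient, triage(raw))
    for key, members in correlate(MESSAGES).items():
        print(key, "->", members)
```

Keyed this way, the two tracked messages collapse into a single (9105819, contactId/shost/slink) entry with two recipients while the newsletter stays in its own group, which is the signal per-message inspection cannot produce. In production the recipient sets would be accumulated from gateway or message-trace logs over a window rather than from a static list.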
| Type | Indicator | Context |
|---|---|---|
| Domain | voip-prices[.]com | Sender domain, GoDaddy registration Nov 2021 |
| Domain | smtpmessage[.]com | ESP tracking infrastructure (SMTP.com) |
| Domain | track.smtpmessage[.]com | Redirect/tracking host for click validation |
| IP | 192[.]40[.]172[.]153 | Sending IP (mailer153.gate172.rs.smtp[.]com) |
| Email | info@voip-prices[.]com | Sender and Reply-To address |
| URL | hxxp://track.smtpmessage[.]com/9105819/c?p=... | HTTP redirect hop with tracking payload |
| URL | hxxps://www.voip-prices[.]com/s/?contactId=23964828&shost=...&slink=... | Recipient fingerprinting URL |
| URL | hxxps://www.voip-prices[.]com/rs/small-business-phone-system-buyers-guide?contactId=23964828 | Final landing page with recipient ID |
| Header | X-SMTPCOM-Sender-ID: 9105819 | ESP account identifier for campaign attribution |
| Header | X-SMTPCOM-Tracking-Number: afab05b9-94d0-4c32-80fe-fda6be4d663f | Per-message tracking UUID |
| Header | Feedback-ID: 9105819:SMTPCOM | ESP feedback loop identifier |