The email looked like every other Autotask ticket notification the IT team had ever received. Same formatting. Same "General Ticket Information" block. Same ticket link at the bottom. The difference: the subject line screamed "Mailbox Login Expire today" while the ticket body contained a Slovak-language conversation about festival accreditation that had nothing to do with mailbox credentials.
SPF passed. DKIM passed. DMARC passed. Microsoft assigned compauth=100 and SCL=-1. By every protocol-level measure, this was a legitimate email from a legitimate server.
It was not.
The attack exploited Autotask, the Professional Services Automation (PSA) platform owned by Datto/Kaseya and used by thousands of managed service providers worldwide. Autotask handles ticketing, client communications, and automated notifications for MSP operations. When a ticket is created or edited, Autotask's mail servers send formatted notification emails on behalf of the MSP's domain.
That is exactly what happened here. The attacker created (or manipulated) a ticket in an MSP's Autotask tenant. The ticket carried the title "ATTN : Mailbox Login Expire today, 4/16/2026" paired with a fabricated urgency hash (fa8c7b981610f3bda133aca4e3f75cf3a41f60e1) designed to look like a system-generated reference. Autotask's mail relay (phl-p-mail03[.]autotask[.]net, IP 8[.]34[.]161[.]203) then delivered the notification to multiple internal mailboxes as a routine ticket update.
Because the MSP's SPF record explicitly includes autotask.net as an authorized sender, and Autotask applies DKIM signatures using a selector registered on the MSP's domain (s=autotask), the message sailed through every authentication gate. Microsoft's composite authentication scored it 100 out of 100.
The FBI's 2024 Internet Crime Report documented $2.9 billion in BEC losses. Attacks that exploit trusted service provider infrastructure represent a growing subset of that figure, because they arrive pre-authenticated and pre-trusted.
Layer 1: Trusted infrastructure. The Autotask notification template is instantly recognizable to anyone working in an MSP-managed environment. Ticket number (T20260416.0029), account name, queue assignment, priority level, due date. All rendered in the standard Autotask format. Recipients who process dozens of these notifications daily have been conditioned to treat them as routine.
Layer 2: Urgency injection. The subject line ("Mailbox Login Expire today, 4/16/2026") is the only English-language content that directly addresses the recipient. It creates a same-day deadline. The ticket's due date field reinforced this: 04/17/2026 17:00 ET, one day out.
Layer 3: Credential prompt as destination. Every link in the email pointed to ww14[.]autotask[.]net, a legitimate Autotask multi-tenant host. The primary link routed to Autotask's authentication controller (/Mvc/Framework/Authentication.Mvc/Authenticate), which presents a login form. For a recipient primed by the "mailbox expiry" subject to expect a credential prompt, the login page confirmed their expectation. The attack weaponized a real authentication page as the credential harvesting surface.
This maps to MITRE ATT&CK T1566.002 (Phishing: Spearphishing Link), T1078 (Valid Accounts, as the likely objective), and T1199 (Trusted Relationship, exploiting the MSP-client trust chain).
The ticket body exposed the attack's sloppiness. Instead of a coherent mailbox expiry notice, it contained a forwarded Slovak-language email thread between two individuals discussing festival accreditation logistics, partner passes, production staff counts, and wristband distribution procedures. The conversation referenced an Instagram reel, event scheduling hours, and parking allocations.
None of this had any connection to mailbox credentials.
This content-subject mismatch is a hallmark of ticket injection attacks: the attacker controlled the ticket title (which becomes the email subject) but populated the ticket body with whatever content was available, likely from a compromised or scraped email thread. The result is a message where the subject line says one thing and the body says something entirely unrelated.
IRONSCALES community intelligence, drawing on reports from over 35,000 security professionals, flagged similar incidents as phishing. The behavioral signals were clear: an internal-domain sender using a non-verifiable display name ("Pia Api"), a ticket body written in a language inconsistent with the organization's operational language, and an urgency-laden subject line disconnected from the ticket content. Microsoft's protocol-level evaluation saw compauth=100. Behavioral analysis saw a contradiction.
Four mailboxes received the message. All four were quarantined.
The Verizon 2024 DBIR found that credential theft remains the top action variety in breaches, appearing in 24% of all incidents. Attackers are increasingly creative about where they source those credentials. Platforms like Autotask, ConnectWise, and other PSA tools represent high-value relay points because:
IRONSCALES platform data shows that 67.5 phishing emails per 100 mailboxes per month bypass traditional secure email gateways. Attacks that leverage authenticated MSP infrastructure are disproportionately represented in that bypass rate because SEGs evaluate sender reputation and authentication status, both of which appear clean for PSA-relayed messages.
For MSPs: Audit your Autotask/ConnectWise tenant access controls. Restrict ticket creation to authenticated internal users. Monitor for tickets with subject lines containing credential urgency keywords ("expire," "password," "verify," "suspend") that do not match the ticket body content. Review which external email addresses can create tickets via the Incoming Email Processor.
For MSP clients: Do not trust email authentication results as a proxy for content safety. Implement behavioral analysis that evaluates content-subject coherence, language consistency, and sender pattern anomalies. Flag ticket notifications that contain urgency language in the subject but unrelated content in the body.
For all organizations: Treat PSA platform notifications with the same scrutiny applied to any other email. The trust model that makes these platforms operationally useful is the same trust model that makes them attractive to attackers.
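The content-subject coherence and language-consistency checks recommended above, as an added example rather than IRONSCALES' own detection code. The message is constructed from details in the post (the Slovak body is a stand-in for the real thread), and the stopword lists and urgency keywords are assumptions chosen for illustration; note that the verdict deliberately ignores the passing authentication results.

```python
import re
from email import message_from_string, policy

# Constructed sample modelled on the notification in the post (not the real
# message); the body stands in for the unrelated Slovak thread.
SAMPLE = """\
Authentication-Results: spf=pass; dkim=pass header.s=autotask; dmarc=pass; compauth=pass reason=100
From: "Pia Api" <notifications@example-msp.com>
Subject: ATTN : Mailbox Login Expire today, 4/16/2026
Content-Type: text/plain; charset=utf-8

Ahoj, posielam zoznam na akreditaciu. Partnerske pasy a naramky budu na
produkcii, parkovanie je riesene pre stab. Dakujem a vidime sa na festivale.
"""

URGENCY = {"expire", "expires", "expired", "password", "verify", "suspend", "suspended", "login"}
# Tiny function-word lists (assumed): enough to tell the organisation's working
# language (English) from an unrelated thread (Slovak) in a short ticket body.
ENGLISH = {"the", "and", "your", "please", "is", "to", "of", "for", "will", "you"}
SLOVAK = {"na", "je", "sa", "pre", "budu", "dakujem", "ahoj", "posielam", "vidime", "zoznam"}

def words(text):
    return set(re.findall(r"[a-z\u00c0-\u017f]+", text.lower()))

def language_guess(text):
    w = words(text)
    en, sk = len(w & ENGLISH), len(w & SLOVAK)
    return "en" if en > sk else "sk" if sk > en else "unknown"

def analyse(raw, org_language="en"):
    msg = message_from_string(raw, policy=policy.default)
    subject, auth = str(msg["Subject"] or ""), str(msg["Authentication-Results"] or "").lower()
    body = msg.get_body(preferencelist=("plain",)).get_content()
    urgency_hits = words(subject) & URGENCY
    # A genuine credential notice repeats its subject vocabulary in the body; ticket injection does not.
    coherent = bool(urgency_hits & words(body))
    body_lang = language_guess(body)
    findings = []
    if urgency_hits and not coherent:
        findings.append("urgency subject with unrelated body")
    if body_lang not in (org_language, "unknown"):
        findings.append(f"body language {body_lang} != {org_language}")
    return {
        "auth_passed": all(k in auth for k in ("spf=pass", "dkim=pass", "dmarc=pass")),
        "urgency_terms": sorted(urgency_hits),
        "body_language": body_lang,
        "findings": findings,
        "verdict": "suspicious" if findings else "clean",  # authentication is not a factor here
    }
```

Running `analyse(SAMPLE)` reports `auth_passed` as True yet returns a "suspicious" verdict with both findings, which is the gap between protocol-level and behavioral evaluation the post describes.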
| Type | Indicator | Context |
|---|---|---|
| Sending IP | 8[.]34[.]161[.]203 | Autotask mail relay (phl-p-mail03[.]autotask[.]net) |
| DKIM Selector | autotask | DKIM signing selector on sender domain |
| URL | hxxps://ww14[.]autotask[.]net/Mvc/Framework/Authentication[.]Mvc/Authenticate | Authentication controller used as credential prompt |
| URL | hxxps://ww14[.]autotask[.]net/Autotask/AutotaskExtend/ExecuteCommand[.]aspx?Code=OpenTicketDetail&TicketId=32814 | Ticket detail link in notification footer |
| Display Name | Pia Api | Non-verifiable persona used as initiating resource |
| Ticket ID | T20260416.0029 | Fabricated ticket number in subject line |
| Language | Slovak (sk) | Body language inconsistent with English-language subject and organization |