TL;DR An attacker sent a pixel-perfect Microsoft Teams meeting notification that named the recipient's organization in the display name while sending from an unrelated Japanese domain. The call-to-action button, wrapped in Microsoft SafeLinks, resolved to an AWS Lambda function URL rather than any Microsoft infrastructure. Footer links pointed to legitimate microsoft.com pages to create false trust. No DKIM. No DMARC. The organizational mismatch and Lambda destination were the tells that authentication alone could not surface.
Severity: High. Tags: Credential Harvesting, Brand Impersonation, SafeLinks Bypass. MITRE ATT&CK: T1566.002 (Phishing: Spearphishing Link), T1656 (Impersonation), T1583.006 (Acquire Infrastructure: Web Services).

The meeting invite arrived looking exactly like the Teams notifications that land in corporate inboxes dozens of times a day. The display name read "Bastiansolutions Meeting," referencing the recipient's organization by name. The format matched Microsoft's own notification template: a truncated Meeting ID, a date stamp, and an "OPEN" button rendered in Microsoft blue. The footer carried links to microsoft.com's privacy and terms pages. Nothing about the visual layout raised a flag.

Underneath the familiar packaging, every technical signal pointed somewhere else entirely.

The Sender Had Nothing to Do With Microsoft or the Recipient's Organization

The From address was s.takahashi@monado[.]co[.]jp, a domain registered in 2003 belonging to MONADO Corporation, a Japanese entity with no documented relationship to industrial automation or to the recipient organization. The display name, "Bastiansolutions Meeting," was wholly fabricated.

The domain's SPF record was present, so the message produced a passing SPF result. But there was no DKIM signature and no DMARC record. Without DKIM there is no cryptographic binding between the message content and the sending domain. Without DMARC, monado[.]co[.]jp has published no enforcement policy whatsoever. A domain with SPF but neither DKIM nor DMARC has exactly the authentication posture this kind of display-name impersonation needs: enough authentication to pass basic filters, and nothing that constrains what the display name paired with that sending domain claims to be.

The sender had no prior relationship with the recipient organization. No person search match existed for s.takahashi@monado[.]co[.]jp.
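An added example, not code from the post or from IRONSCALES, showing how a receiver can combine the two signals described above: an SPF-only authentication posture (SPF pass, DKIM none, DMARC none) and a display name that names the recipient's organization while the sender domain is external. The header block is constructed; the sender values are the ones reported in this post, while the recipient address and authserv-id are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers modelled on the lure described in this post. The From values
# are the ones reported above; the recipient address and the authserv-id are
# placeholders, not the real target.
SAMPLE_HEADERS = """\
From: "Bastiansolutions Meeting" <s.takahashi@monado.co.jp>
To: user@recipient-org.example
Subject: Meeting ID 914
Authentication-Results: mx.recipient-org.example; spf=pass smtp.mailfrom=monado.co.jp;
 dkim=none; dmarc=none header.from=monado.co.jp

"""

AUTH_METHOD = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")

def auth_posture(msg) -> dict:
    """Collapse Authentication-Results into {method: verdict}; absent methods read 'none'."""
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_METHOD.findall(header.lower()):
            results[method] = verdict
    return results

def display_name_claims_org(display_name: str, org_tokens) -> bool:
    """True when the display name contains one of the recipient org's name tokens."""
    compact = re.sub(r"[^a-z0-9]", "", display_name.lower())
    return any(tok in compact for tok in org_tokens)

def assess(raw_message: str, org_tokens, org_domains) -> dict:
    """Flag SPF-only senders whose display name claims the recipient's organization."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg["From"])
    sender_domain = addr.rpartition("@")[2].lower()
    auth = auth_posture(msg)
    impersonates = display_name_claims_org(display, org_tokens) and sender_domain not in org_domains
    spf_only = auth == {"spf": "pass", "dkim": "none", "dmarc": "none"}
    return {
        "sender_domain": sender_domain,
        "auth": auth,
        "display_name_impersonation": impersonates,
        "spf_only_posture": spf_only,
        "flag": impersonates and spf_only,
    }
```

Run it with the recipient's own name tokens and domains, e.g. `assess(SAMPLE_HEADERS, ["bastiansolutions"], {"recipient-org.example"})`; the `flag` key is set only when both the impersonation and the weak posture are present.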

SafeLinks Wrapped the CTA. The Destination Was Not Microsoft.

The "OPEN" button, the primary call-to-action in the email, was wrapped in a Microsoft SafeLinks rewrite. That wrapping is itself a trust signal many recipients interpret as confirmation that a link has been scanned: it has not been blocked, therefore it must be safe.

The SafeLinks destination resolved to a credential harvesting page hosted at qb6oyttnfl44ojnui5hb6a4uma0tcxvo.lambda-url.us-east-1.on[.]aws, an AWS Lambda function URL. Lambda function URLs are auto-generated subdomains under Amazon's infrastructure. They carry the implicit reputation of Amazon Web Services without any relationship to legitimate Microsoft authentication services.

This is a deliberate choice by the attacker. Serverless function URLs on major cloud providers (AWS Lambda, Azure Functions, Google Cloud Run) are cheap to provision, carry inherited cloud-provider reputation, and have no prior blocking history at the moment of first use. A SafeLinks scan encountering a fresh Lambda URL with no existing malicious verdict may pass it without intervention.

The footer links in the email, by contrast, pointed to genuine microsoft[.]com pages. Privacy policy. Terms of service. Real URLs, real destinations. This is textbook trustbaiting: embedding high-reputation links alongside the malicious CTA to make the message read as legitimate on a surface scan.

The meeting metadata reinforced the illusion. The Subject included a truncated Meeting ID formatted as "914 ," consistent with how Teams obscures full meeting identifiers in notifications. The body text read, "This notification has been sent to you because you did not respond to a meeting invitation." The date format used "Feb/03/2026," an atypical but plausible rendering. Every detail was calibrated to pass a human quick-read.

What Authentication Did Not and Cannot Tell You

The SPF pass for monado[.]co[.]jp confirmed that the sending IP was authorized to send on behalf of that domain. It said nothing about whether that domain had any relationship to the recipient organization, to Microsoft, or to any meeting invitation the recipient might have expected. Authentication answers "was this authorized to send from this domain?" It does not answer "is this email what it claims to be?"

The mixed link destination pattern, where the CTA routes to Lambda infrastructure while the footer links route to legitimate Microsoft domains, is not detectable through authentication results or URL reputation alone. It requires analyzing the relationship between what the email claims to be (a Microsoft Teams notification) and where the primary action actually leads (a serverless AWS endpoint with a randomized 32-character subdomain).
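An added example, not code from the post or from IRONSCALES, of the link analysis this paragraph calls for: unwrap each SafeLinks rewrite to its real destination, then flag the mixed pattern in which the CTA lands on an auto-generated serverless function URL while the remaining links stay on the impersonated brand's domain. The HTML body is constructed; the Lambda host is the one reported in this post, while the SafeLinks tenant prefix and the footer paths are placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed HTML modelled on the lure described above: a SafeLinks-wrapped CTA whose
# inner URL is the Lambda host reported in this post, beside two footer links on the
# impersonated brand's domain. Footer paths and the SafeLinks tenant prefix are placeholders.
SAMPLE_HTML = """
<p>This notification has been sent to you because you did not respond to a meeting invitation.</p>
<a href="https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fqb6oyttnfl44ojnui5hb6a4uma0tcxvo.lambda-url.us-east-1.on.aws%2F&amp;data=placeholder&amp;reserved=0">OPEN</a>
<a href="https://www.microsoft.com/privacy">Privacy</a>
<a href="https://www.microsoft.com/terms">Terms</a>
"""

SAFELINKS_HOST = re.compile(r"(^|\.)safelinks\.protection\.outlook\.com$")
# Auto-generated serverless function URL: a long random label under a provider-owned suffix.
SERVERLESS_HOST = re.compile(r"^[a-z0-9]{20,}\.lambda-url\.[a-z0-9-]+\.on\.aws$")

def unwrap_safelinks(url: str) -> str:
    """Return the destination carried in a SafeLinks rewrite's url= parameter, else url unchanged."""
    parsed = urlparse(url)
    if SAFELINKS_HOST.search(parsed.hostname or ""):
        inner = parse_qs(parsed.query).get("url")
        if inner:
            return inner[0]
    return url

class LinkCollector(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def analyze_links(html: str, claimed_brand_domain: str) -> dict:
    """Unwrap every link; flag a serverless off-brand CTA sitting beside on-brand links."""
    collector = LinkCollector()
    collector.feed(html)
    on_brand, serverless = [], []
    for text, href in collector.links:
        host = (urlparse(unwrap_safelinks(href)).hostname or "").lower()
        if host == claimed_brand_domain or host.endswith("." + claimed_brand_domain):
            on_brand.append((text, host))
        elif SERVERLESS_HOST.match(host):
            serverless.append((text, host))
    return {"on_brand": on_brand, "serverless_cta": serverless,
            "mixed_destinations": bool(on_brand and serverless)}
```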

Themis, the IRONSCALES Adaptive AI engine, flagged this email based on the behavioral fingerprint: display-name impersonation of the recipient organization, sender with no prior relationship, and a primary link destination inconsistent with the claimed sender identity. The Lambda URL pattern, combined with the SafeLinks wrapper creating a false sense of pre-clearance, is a technique that recurs across the IRONSCALES community threat feed.

Why Teams Lures Keep Working

Microsoft Teams is now central infrastructure at most organizations. Notification volume is high. The visual template is familiar enough that recipients process the format, not the content. An attacker who can clone the notification layout and insert a plausible meeting reference only needs one click to begin credential collection.

The absence of DKIM and DMARC on the sending domain is the earliest technical indicator available to defenders. Domains with SPF only and no DMARC enforcement are a known attacker preference for exactly this reason.


Indicators of Compromise

Type | Indicator | Context
--- | --- | ---
Sending Domain | monado[.]co[.]jp | Legitimate Japanese domain, no relationship to recipient org
Sender Address | s.takahashi@monado[.]co[.]jp | From address used for display-name impersonation
Lambda URL | qb6oyttnfl44ojnui5hb6a4uma0tcxvo.lambda-url.us-east-1.on[.]aws | Credential harvesting endpoint behind SafeLinks rewrite
SPF Include | spf.secure[.]ne[.]jp | SPF infrastructure for monado[.]co[.]jp
DKIM | Absent | No DKIM selectors published
DMARC | Absent | No _dmarc.monado[.]co[.]jp record

MITRE ATT&CK Mapping

Technique | ID | Relevance
--- | --- | ---
Phishing: Spearphishing Link | T1566.002 | Teams lure with malicious Lambda URL wrapped in SafeLinks
Impersonation | T1656 | Display name matched recipient organization name
Acquire Infrastructure: Web Services | T1583.006 | AWS Lambda serverless function used as harvesting endpoint

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
