A major gold mining corporation does not solicit vendor bids through a Hotmail-era consumer ISP connection, with no email authentication configured, from a domain registered in secret. Yet that is exactly what arrived at a mortgage banking firm claiming to be from Barrick Gold Corporation.
In late March 2026, multiple staff members at a regional bank received procurement solicitation emails purporting to be from a purchasing manager at Barrick Gold, one of the world's largest gold producers. The emails requested quotes for 41 procurement items and attached a bid specification PDF. The sending domain was barricksg[.]com. Barrick Gold's actual domain is barrick[.]com. The difference is designed to be easy to miss.
The attacker constructed a dual-domain infrastructure for this campaign. The From address used barricksg[.]com (sending). The Reply-To and quote submission address used purchase@barricksgold[.]com. Both domains have no public WHOIS registration data. This is the same zero-attribution pattern seen in other vendor email compromise campaigns: the attacker creates domains that visually approximate the real brand, keeps them off the public registry radar, and uses the sending domain for delivery while routing replies to a separate collection domain.
The real Barrick domain is barrick[.]com, a single-word domain registered in the 1990s with full public WHOIS records and proper corporate authentication. The attacker's variants (barricksg and barricksgold) both drop the period after "barrick" and append a suffix that plausibly abbreviates "Barrick Singapore" or extends to "Barrick Gold," two expansions that a recipient unfamiliar with Barrick's domain portfolio might accept as legitimate business unit domains.
The sending IP address traced to 102[.]176[.]194[.]64, assigned to a hostname indicating a home or consumer network (DESKTOP-0CH0OV1[.]www[.]tendawifi[.]com). Tenda is a consumer Wi-Fi router brand widely distributed in Africa and Southeast Asia. This suggests the email originated from a personal or compromised device rather than a corporate mail server.
A second relay hop (193[.]47[.]83[.]154) resolved to KA-DVLA.katfm[.]co[.]uk, a small UK hosting domain registered in 2006 with no connection to Barrick Gold. No PTR record exists for either IP, meaning neither can be reverse-resolved to a verifiable mail server identity. Legitimate corporate mail infrastructure invariably has PTR records configured, a basic deployment requirement that enterprise mail operators follow.
SPF, DKIM, and DMARC were all absent. The authentication result headers show spf=none, dkim=none, and dmarc=none with compauth=none reason=405. There is no configuration at barricksg[.]com that designates any sending hosts, and no DKIM selector or DMARC policy is published. This is the authentication profile of a domain that was registered and immediately used for fraud without any operational investment in legitimate mail infrastructure.
The Verizon DBIR 2026 attributes a significant share of BEC losses to vendor impersonation scenarios exactly like this one. The FBI IC3 2024 report recorded over $2.9 billion in BEC losses in 2024, with procurement and vendor fraud among the highest-value categories.
The email passed through a Votiro content disarm and reconstruction (CDR) gateway before reaching the recipient's Microsoft 365 mailbox. CDR technology strips active content from documents to prevent malware delivery. The attached PDF, named "BID DMain.pdf," was processed and passed as clean. CDR does a specific job well: it neutralizes executable threats in documents. It does not evaluate whether the identity sending the document is legitimate.
This is the fundamental gap in attachment-focused security controls. The document itself may be entirely benign, a bid form or a cover sheet, designed to establish the pretext for a follow-on transaction rather than to deliver malware. The fraud is in the sender identity and the downstream response it solicits, not in the file.
The SCL (spam confidence level) assigned before the Votiro relay was 5 with category PHISH, meaning Microsoft's spam filters recognized the message as high-risk. After the Votiro relay, the SCL was reset to -1, placing the message in a "safe" disposition. This is a known dynamic where CDR gateways configured as trusted relay hops can inadvertently override upstream spam decisions.
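The two header-level signals described above, the absent SPF/DKIM/DMARC results and the SCL reset behind a trusted relay, can be checked mechanically. The following is an added example, not code from the original post or from any vendor named in it; the header block is constructed for illustration and modelled on Microsoft 365 header formats (Authentication-Results, X-Forefront-Antispam-Report, X-MS-Exchange-Organization-SCL), so field layout is an assumption.

```python
import re
from email.parser import HeaderParser

# Constructed sample headers. Newest header is on top, as in a real message, so
# the post-relay disposition (SCL -1) sits above the earlier verdict (SCL 5, CAT PHSH).
SAMPLE_HEADERS = """\
X-MS-Exchange-Organization-SCL: -1
X-Forefront-Antispam-Report: CIP:102.176.194.64;SCL:5;CAT:PHSH;
Authentication-Results: spf=none (sender IP is 102.176.194.64) smtp.mailfrom=barricksg.com; dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=barricksg.com;compauth=none reason=405
From: "Mr.Beiteliov" <bakhi@barricksg.com>
Reply-To: quote@barricksgold.com
Subject: Request for Quotation

"""

def parse_auth_results(value):
    """Extract the spf/dkim/dmarc/compauth verdicts from an Authentication-Results value."""
    results = {}
    for m in re.finditer(r"\b(spf|dkim|dmarc|compauth)=([a-z]+)", value):
        results.setdefault(m.group(1), m.group(2))  # keep the first verdict of each kind
    return results

def scl_history(msg):
    """Collect every SCL value in header order (latest hop first)."""
    history = []
    for name, value in msg.items():
        if name.lower() == "x-ms-exchange-organization-scl":
            history.append(int(value.strip()))
        elif name.lower() == "x-forefront-antispam-report":
            m = re.search(r"SCL:(-?\d+)", value)
            if m:
                history.append(int(m.group(1)))
    return history

def assess(raw_headers):
    """Return (auth verdicts, SCL history, list of findings) for a raw header block."""
    msg = HeaderParser().parsestr(raw_headers)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    findings = []
    if all(auth.get(k) == "none" for k in ("spf", "dkim", "dmarc")):
        findings.append("sending domain publishes no SPF, DKIM or DMARC")
    history = scl_history(msg)
    if len(history) >= 2 and history[0] < 0 and max(history[1:]) >= 5:
        findings.append(f"SCL downgraded from {max(history[1:])} to {history[0]} by a later hop")
    if "CAT:PHSH" in " ".join(msg.get_all("X-Forefront-Antispam-Report", [])):
        findings.append("upstream filter categorised the message as PHSH")
    return auth, history, findings

if __name__ == "__main__":
    for line in assess(SAMPLE_HEADERS)[2]:
        print("finding:", line)
```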
| Type | Indicator | Context |
|---|---|---|
| Domain | barricksg[.]com | Attacker sending domain; no WHOIS, no SPF/DKIM/DMARC |
| Domain | barricksgold[.]com | Attacker reply-to and quote collection domain |
| Email | bakhi@barricksg[.]com | Attacker From address, display name "Mr.Beiteliov" |
| Email | quote@barricksgold[.]com | Attacker Reply-To (quote submission target) |
| IP | 102[.]176[.]194[.]64 | Origin IP (consumer ISP, Africa, no PTR) |
| IP | 193[.]47[.]83[.]154 | Relay hop (katfm[.]co[.]uk, no PTR) |
| File | BID DMain.pdf | Bid specification lure (MD5: 229e89d4b7a13c4fd2da1751fcc447a3) |
The MITRE ATT&CK framework classifies this as spearphishing with an attachment combined with domain masquerading. For organizations that receive procurement or vendor communications, the key controls are in the procurement workflow, not only in the mail filter.
Every new vendor solicitation should be verified against the vendor's published corporate domain before any response is sent. A quick check of barrick[.]com against barricksg[.]com in the browser's address bar reveals no matching domain infrastructure. Procurement staff should be trained to treat any unsolicited bid request, regardless of how legitimate the attached document looks, as requiring domain verification before engagement.
Business email compromise protection platforms that evaluate domain similarity against known corporate identities provide automated coverage for this verification step, flagging lookalike domains that differ from known entities by common abbreviation or suffix-addition patterns. IRONSCALES platform data shows over 17,000 customers using this class of detection. In this case, Themis flagged the message based on suspicious content patterns and sender anomalies, enabling quarantine before any staff member could engage with the fake procurement contact.
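The verification step described in the two paragraphs above, comparing a solicitation's domains against the vendor's published corporate domain and flagging suffix-addition lookalikes and a Reply-To that routes elsewhere, can be expressed as a small check. This is an added example, not IRONSCALES or Themis code; the vendor allow-list, the six-character suffix budget and the assumption of a single-label public suffix such as .com are all choices made here for illustration.

```python
# Constructed vendor allow-list: published corporate domain -> vendor name.
KNOWN_VENDORS = {"barrick.com": "Barrick Gold Corporation"}
MAX_SUFFIX = 6  # assumed budget for appended characters ("sg", "sgold", "inc", ...)

def registrable_label(domain):
    """Second-level label of a domain; assumes a single-label public suffix (e.g. .com)."""
    parts = domain.lower().strip().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def lookalike_of(domain, vendors=KNOWN_VENDORS):
    """Return (vendor, pattern, detail) if domain imitates a known vendor, else None."""
    domain = domain.lower().strip()
    label = registrable_label(domain)
    for vendor_domain, vendor in vendors.items():
        brand = registrable_label(vendor_domain)
        if domain == vendor_domain:
            return None  # exact match with the published corporate domain
        if label == brand:
            return vendor, "tld-swap", domain.rsplit(".", 1)[-1]
        if label.startswith(brand) and len(label) - len(brand) <= MAX_SUFFIX:
            return vendor, "suffix-addition", label[len(brand):]
        if brand in label:
            return vendor, "brand-embedded", label
    return None

def assess_solicitation(from_addr, reply_to=None):
    """Findings for a vendor solicitation: lookalike From/Reply-To domains and split routing."""
    findings = []
    from_dom = from_addr.rsplit("@", 1)[1].lower()
    reply_dom = reply_to.rsplit("@", 1)[1].lower() if reply_to else from_dom
    for role, dom in (("From", from_dom), ("Reply-To", reply_dom)):
        hit = lookalike_of(dom)
        if hit:
            findings.append(f"{role} domain {dom} imitates {hit[0]} ({hit[1]}: '{hit[2]}')")
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    return findings

if __name__ == "__main__":
    # Addresses from the campaign described in the post.
    for f in assess_solicitation("bakhi@barricksg.com", "quote@barricksgold.com"):
        print("finding:", f)
```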
The IBM Cost of a Data Breach 2024 report makes the cost of this category of attack concrete: a single successful vendor fraud transaction can exceed the annual cost of the email security investment required to stop it. CISA's phishing guidance recommends verifying vendor identity through independently sourced contact information, not through email thread context, before processing any procurement response. NIST defines phishing to include deceptive vendor impersonation of this type. For organizations in financial services and regulated industries, manufacturing email security and sector-specific email controls provide additional coverage for the procurement-facing threat surface that this campaign specifically targeted.