Four Sentences and a Payroll Request: Executive Impersonation BEC With No Payload

TL;DR: A classic payroll diversion BEC targeted the HR function at a cybersecurity company. The attacker impersonated a named executive, used a plain-text four-sentence body, and sent from a domain with a DKIM key that was published in DNS but never applied to the message. DMARC returned permerror, indicating a DNS configuration error on the sending domain. Microsoft categorized it as spam but did not quarantine it. There was no payload to scan. The entire attack surface was social.

Severity: High. Tags: BEC, Payroll Diversion, Executive Impersonation. MITRE ATT&CK: T1656 (Impersonation), T1566.001 (Phishing: Spearphishing Attachment), T1078 (Valid Accounts).

The message was four sentences. No greeting beyond a first name. No attachments. No links. The subject line read "Reset Direct Deposit."

"Can you confirm whether I can still change my direct deposit details before the upcoming payroll run?"

The signature identified the sender as a Global Vice President at a cybersecurity company. The From address was admin@rmbumi[.]com. The domain has no public relationship to the cybersecurity company or to the executive whose name it used.

This is Business Email Compromise in its most stripped-down form.

The Authentication Profile of a Throwaway BEC Domain

rmbumi[.]com passed SPF. The sending IP, 110[.]4[.]41[.]65, was within the authorized sending range for the domain. The relay chain passed through sc162.mschosting[.]cloud at 110[.]4[.]45[.]212, then through spfilter-1.sel01.mschosting[.]com, and from there into Microsoft's Office 365 EU infrastructure. The relay path was unremarkable: a hosted mail service routing through standard Microsoft ingestion.

DKIM was a different story. A public DKIM key was published in DNS for rmbumi[.]com, but the message was not signed. DKIM returned "none" rather than "fail": there was no signature to verify. Taken together with the published key, this means the sending infrastructure was able to sign messages but did not sign this one. That is consistent with a domain set up primarily to pass SPF, with mail relayed through a hosting provider that does not enforce DKIM signing.

DMARC returned permerror. This indicates a DNS-level configuration error in the domain's DMARC record, either a malformed policy string, duplicate records, or a lookup failure. The practical effect is that DMARC evaluation could not complete. A receiving mail server encountering a DMARC permerror has no authoritative policy instruction to follow and typically falls back to local policy, which in this case resulted in a spam categorization (Spam Confidence Level 5) rather than a block or quarantine.

The message arrived in the recipient's mailbox.
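What a receiving server does during DMARC policy discovery, and the two permerror causes that can be reproduced offline (duplicate records and a malformed policy string), as an added example that is not code from the original post. The DNS answers are constructed; the actual rmbumi[.]com record is not reproduced in the article, and lookup failures are not modelled because they need live DNS.

```python
VALID_POLICY = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Parse a 'tag=value; tag=value' DMARC record; raise ValueError if malformed."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"tag without value: {part!r}")
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("v=DMARC1 must be the first tag")
    if tags.get("p") not in VALID_POLICY:  # p= is mandatory on a domain's own record
        raise ValueError(f"missing or invalid p= tag: {tags.get('p')!r}")
    if "pct" in tags and not (tags["pct"].isdigit() and int(tags["pct"]) <= 100):
        raise ValueError(f"pct= out of range: {tags['pct']!r}")
    return tags


def discover_dmarc_policy(txt_records: list[str]) -> tuple[str, object]:
    """Policy discovery over the TXT answers for _dmarc.<domain> (RFC 7489 section 6.6.3).

    Returns ("policy", tags) for exactly one well-formed record,
            ("none", reason) when no DMARC record exists, so local policy applies,
            ("permerror", reason) when the answers are unusable (duplicates or malformed).
    """
    candidates = [r for r in txt_records if r.strip().startswith("v=DMARC1")]
    if not candidates:
        return "none", "no v=DMARC1 record published"
    if len(candidates) > 1:
        return "permerror", f"{len(candidates)} DMARC records published; none may be used"
    try:
        return "policy", parse_dmarc(candidates[0])
    except ValueError as exc:
        return "permerror", f"malformed record: {exc}"


if __name__ == "__main__":
    # Constructed DNS answers; the real rmbumi[.]com record is not shown in the post.
    samples = {
        "valid": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
        "duplicate": ["v=DMARC1; p=none", "v=DMARC1; p=reject"],
        "malformed": ["v=DMARC1; p=rejekt"],
        "absent": ["google-site-verification=constructed"],
    }
    for label, answers in samples.items():
        print(label, discover_dmarc_policy(answers))
```

Both permerror outcomes leave the receiver without a policy to enforce, which is why the page's message fell through to Microsoft's local spam scoring instead of a domain-owner-declared reject or quarantine.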

Four Sentences as the Entire Attack

There are no URLs to analyze. No attachments to detonate. No HTML to parse. The body of the email is a plain-text question: can the direct deposit details still be changed?

This framing is deliberate. The message does not request a specific account number or a specific bank. It asks a process question. The attacker's goal at this stage is to establish a two-way conversation. Once HR or payroll responds to confirm the process, the attacker submits account details in a follow-on message, requesting that the change be processed before the payroll run closes.

The FBI IC3 2024 Internet Crime Report identified payroll diversion as a significant component of overall BEC losses, which exceeded $2.9 billion in 2024. The appeal is straightforward: a successful payroll diversion redirects a regular, expected payment into an attacker-controlled account. The victim may not notice until their next pay period. Recovery is difficult once the funds have cleared.

The Signature Tells on the Attacker

The email closed with a signature that read: "Brian R. Thomas, Global Vice President, Msp Sales, IronScales."

Two anomalies are visible here. First, "Msp" uses irregular capitalization. In a corporate environment, "MSP" would be standard for Managed Service Provider. Inconsistent capitalization in a job title is a soft indicator that the signature was manually typed or copied imprecisely rather than populated from a corporate email template. Second, the signature is missing elements common to executive email footers: no direct phone number, no address, no legal disclaimer, no LinkedIn profile link.

These are not definitive proof of anything, but they are signals. When combined with a sending domain that has no relationship to the company, DKIM absent despite a published key, and DMARC permerror, they form a pattern consistent with a quickly assembled impersonation infrastructure.


Why Spam Categorization Is Not Protection

Microsoft categorized this message with SCL=5, placing it in the spam folder rather than the inbox. This is better than SCL=-1 (trust bypass), but it is not the same as quarantine or block. Messages in the spam folder are accessible to users who check their spam, and many organizations configure mail rules that surface spam-foldered items to certain users or roles.

More importantly, relying on spam scoring as the defense against payroll diversion BEC misunderstands the threat model. A user who checks their spam, sees an email appearing to be from a senior executive about a routine payroll matter, and reads a plain-text question with no suspicious elements may respond. The spam categorization is a speed bump, not a wall.

Behavioral and identity-layer analysis provides a more reliable signal. The display name "Brian R. Thomas" did not match any known internal executive contact at the target organization using that sending domain. The sender had no prior relationship with the recipient. The subject matter (direct deposit changes) targeted a financially sensitive HR function. And the sending domain had a mismatched authentication profile for a legitimate corporate address.

Themis, the IRONSCALES platform AI, evaluated this combination and surfaced the message as a social engineering risk before any employee could respond to the initial probe.
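A rule that scores the same combination of signals (a protected executive's display name on an external domain, SPF pass with DKIM none, DMARC permerror, payroll wording with no links or attachments), written as an added example and not as IRONSCALES code. The protected-executive list, the company domain and the raw message with its Authentication-Results header are constructed from the details in the post.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed for this example: executives whose names attackers borrow, the
# domains a genuine message from them would use, and payroll-themed wording.
PROTECTED_EXECUTIVES = {"brian r. thomas", "brian thomas"}
COMPANY_DOMAINS = {"ironscales.com"}
PAYROLL_TERMS = re.compile(r"\b(direct deposit|payroll|ach|routing number|bank details?)\b", re.I)

# Constructed message reproducing the headers and body described in the post.
RAW_MESSAGE = """\
Authentication-Results: spf=pass (sender IP is 110.4.41.65) smtp.mailfrom=rmbumi.com;
 dkim=none (message not signed) header.d=none;
 dmarc=permerror action=none header.from=rmbumi.com
From: Brian R. Thomas <admin@rmbumi.com>
To: hr@example.com
Subject: Reset Direct Deposit

Can you confirm whether I can still change my direct deposit details before
the upcoming payroll run?
"""


def parse_auth_results(value: str) -> dict:
    """Pull method=result pairs for spf, dkim and dmarc out of Authentication-Results."""
    return {m.lower(): r.lower() for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I)}


def assess_message(raw: str) -> list[str]:
    """Return the BEC signals present in one message; an empty list means none fired."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    external = sender_domain not in COMPANY_DOMAINS
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    signals = []
    # Identity layer: a protected executive's name on a From address outside the company.
    if display.strip().lower() in PROTECTED_EXECUTIVES and external:
        signals.append(f"executive display name '{display}' sent from external domain {sender_domain}")
    # Authentication profile: SPF pass says nothing about identity when the message is unsigned.
    if auth.get("spf") == "pass" and auth.get("dkim") == "none":
        signals.append("SPF pass but message unsigned (DKIM none)")
    # No authoritative domain policy reached the receiver; only local policy applied.
    if auth.get("dmarc") in {"permerror", "temperror"}:
        signals.append(f"DMARC {auth['dmarc']}: receiver fell back to local policy")
    # Content: payroll or banking language from an external sender, even with no links.
    text = f"{msg.get('Subject', '')}\n{msg.get_content()}"
    if external and PAYROLL_TERMS.search(text):
        signals.append("payroll/direct-deposit request from an external sender")
    return signals
```

Run on the constructed message, all four signals fire; a genuine internal note from the same executive on the company domain with passing authentication returns an empty list.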

Indicators of Compromise

| Type | Indicator | Context |
|---|---|---|
| Sender Display Name | Brian R. Thomas | Impersonated executive name; no relationship to sending domain |
| Sender Address | admin@rmbumi[.]com | Actual envelope address; no affiliation with target organization |
| Sending Domain | rmbumi[.]com | SPF pass; DKIM key published but message unsigned; DMARC permerror |
| Sending IP | 110[.]4[.]41[.]65 | Authorized per SPF; hosted mail infrastructure |
| Relay Hostname | sc162.mschosting[.]cloud | First-hop relay (110[.]4[.]45[.]212) |
| Second Relay | spfilter-1.sel01.mschosting[.]com | Second-hop relay before Microsoft O365 EU |
| SCL | 5 | Microsoft spam classification; delivered to spam folder, not quarantined |
| Subject | Reset Direct Deposit | Classic payroll diversion lure |

MITRE ATT&CK Mapping

| Technique | ID | Relevance |
|---|---|---|
| Impersonation | T1656 | Display name impersonation of a named company executive |
| Phishing: Spearphishing via Service | T1566.003 | Targeted delivery to specific HR contact at the organization |
| Financial Theft | T1657 | Payroll diversion designed to redirect salary deposit to attacker account |

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
