The subject line said "FW: LinkedIn Invoice and Contact Information." The display name said it was from the bank's own BSA Officer. The email asked for a W-9 to be sent to mbrennan@users-linkedin[.]com.
Every element of this attack was designed to exploit a specific trust context: a known internal authority figure, a plausible operational pretext (invoice and contact verification), a familiar-looking exfiltration address. The target was an Accounts Payable Specialist at a regional bank. For that role, a W-9 request from the BSA Officer is not unusual. It is exactly the kind of task that lands in an AP inbox on a normal workday.
What made this detectable was what the attacker had to hide: a newly-registered .us sender domain, a Reply-To address on an infrastructure-mimicking lookalike, and a Votiro CDR relay that, by doing its job, inadvertently surfaced the forgery.
The sending address was info@lectrosalt[.]us. WHOIS shows lectrosalt[.]us was registered on March 9, 2026 at GoDaddy. The campaign targeted the AP Specialist in June 2026, three months after registration. This gap is deliberate. Domain-age reputation systems use lookback windows of 30, 60, or 90 days; a domain active for three months without incident is no longer flagged as newly-registered by most blocklist providers. Attackers stage their infrastructure ahead of campaigns to clear this window.
The display name on the sending address was an exact match to the bank's actual BSA Officer. The attacker either scraped this name from a public source (LinkedIn, the bank's website, a regulatory filing) or obtained it through prior reconnaissance. Business email compromise at this sophistication level always involves a target research phase. The display name was not approximated. It was exact.
A Reply-To header redirected any responses away from the sender to sslappsworkmail-outboundprotection-onmsn[.]com, a domain constructed to look like Microsoft mail protection infrastructure to a cursory reader. Any reply from the AP Specialist would have gone directly to attacker-controlled infrastructure, not to the BSA Officer or to any address at the bank.
Votiro CDR is a legitimate security product that reconstructs email attachments and content to strip embedded threats. In this delivery chain, Votiro was processing mail before it reached the recipient's inbox. When CDR tools re-transmit a rebuilt message, they send from their own relay infrastructure. If the original sender's SPF record does not include the CDR relay's sending IP, the re-transmitted message fails SPF. If DKIM was signed by the original sender and the CDR rebuild modifies the message body, DKIM fails as well.
In this case, the CDR relay broke both. The result was a DMARC fail on a message that had already been processed by a security tool. This is a known class of CDR integration problem: not a flaw in CDR itself, but a gap in how mail authentication interacts with content-rewriting relays.
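To make the relay effect concrete, here is an added example (not code from the original write-up or from any product named in it) that evaluates DMARC identifier alignment for the same message delivered directly and then re-transmitted by a content-rewriting relay. It assumes the envelope MAIL FROM and the DKIM d= tag both match the From domain lectrosalt.us, and it approximates the organizational domain with the last two labels instead of a public suffix list.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class AuthResults:
    spf: str          # "pass"/"fail": connecting IP checked against the MAIL FROM domain's SPF record
    spf_domain: str   # MAIL FROM (envelope sender) domain that SPF was evaluated for
    dkim: str         # "pass"/"fail": header and body hashes of the DKIM-Signature
    dkim_domain: str  # d= tag of the DKIM-Signature

def org_domain(name: str) -> str:
    """Organizational domain approximated as the last two labels (assumption; no public suffix list)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(identifier: str, from_domain: str, relaxed: bool = True) -> bool:
    """DMARC identifier alignment: organizational-domain match (relaxed) or exact match (strict)."""
    if relaxed:
        return org_domain(identifier) == org_domain(from_domain)
    return identifier.lower() == from_domain.lower()

def dmarc_result(from_domain: str, auth: AuthResults) -> str:
    """DMARC passes when at least one authenticated identifier aligns with the RFC5322.From domain."""
    spf_ok = auth.spf == "pass" and aligned(auth.spf_domain, from_domain)
    dkim_ok = auth.dkim == "pass" and aligned(auth.dkim_domain, from_domain)
    return "pass" if (spf_ok or dkim_ok) else "fail"

def disposition(result: str, policy: Optional[str]) -> str:
    """Receiver action requested by the published p= tag; no record means nothing to enforce."""
    if policy is None:
        return "none (no DMARC record published)"
    if result == "pass":
        return "deliver"
    return {"none": "deliver (monitor only)", "quarantine": "quarantine", "reject": "reject"}[policy]

FROM_DOMAIN = "lectrosalt.us"  # the campaign's sending domain; MAIL FROM and d= assumed to match it

# Constructed hop 1: sent straight from a host listed in the domain's SPF record, signature intact.
direct = AuthResults("pass", FROM_DOMAIN, "pass", FROM_DOMAIN)

# Constructed hop 2: re-transmitted by a CDR relay. MAIL FROM is unchanged, but the relay's IP is
# not in the SPF record and the rebuilt body no longer matches the signed body hash.
via_cdr_relay = AuthResults("fail", FROM_DOMAIN, "fail", FROM_DOMAIN)

if __name__ == "__main__":
    for label, auth in (("direct", direct), ("via CDR relay", via_cdr_relay)):
        res = dmarc_result(FROM_DOMAIN, auth)
        print(f"{label}: dmarc={res}; action={disposition(res, None)}")
```

Because the sender domain published no DMARC record, even the relay-induced fail carries no policy for the receiver to enforce, which is why the message still reached the inbox.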
For the attacker, this created an unintended benefit: the email arrived at the recipient without a passing DMARC result, which reduced the utility of DMARC-pass filtering as a downstream rule. Themis still scored it at 90% malice confidence based on behavioral and link signals rather than authentication state.
The W-9 collection address was mbrennan@users-linkedin[.]com. WHOIS shows users-linkedin[.]com was registered July 29, 2024. At the time of this report, the domain is in clientHold status, meaning the registry has suspended it. The clientHold status is consistent with an abuse report being actioned by the registrar or registry after the campaign ran. A domain being placed in clientHold does not retroactively stop exfiltrated data from having been received while it was active.
The domain name was chosen to evoke LinkedIn's user infrastructure subdomain pattern. LinkedIn uses users.linkedin.com for user-generated content; users-linkedin.com is close enough that an AP specialist processing dozens of routine requests per day might not register the substitution. The attached PDF, LNKD-INVOICE#12026824900.pdf, reinforced the LinkedIn context. The attachment scanned clean, a non-executable PDF with no embedded payload. It was a prop, not a weapon: its purpose was to make the request feel document-supported rather than freeform.
A W-9 from a bank employee yields IRS taxpayer data, legal entity name, address, and signature, which is useful for fraudulent vendor creation, tax identity theft, or as a component in a broader financial fraud package. At a regional bank, the BSA Officer role (Bank Secrecy Act compliance) has authority over anti-money-laundering controls and vendor due diligence processes. An AP Specialist receiving a BSA Officer request to provide documentation is conditioned to comply without escalation.
The Verizon DBIR 2026 notes that BEC represents one of the top financial crime categories in financial services, with median losses per incident among the highest of any sector. The FBI IC3 2024 report documents $2.9 billion in BEC losses annually. W-9 exfiltration campaigns are a low-sophistication, high-yield variant that does not require a malware payload or credential page.
DMARC configuration hardening is necessary but not sufficient against this attack. The sender domain had no DMARC record; the CDR relay compounded the auth failure. But even with a failing DMARC result, the email was not automatically rejected; it reached the inbox as a suspected spam item. The detection that mattered came from Themis correlating the display-name-to-address mismatch, the Reply-To redirect to an infrastructure-mimicking domain, and the link destination pointing to a lookalike exfiltration address.
The MITRE ATT&CK T1566.002 classification covers the spearphishing-via-link vector. The attachment here was a decoy, not the payload. The actual exfiltration mechanism was social: get the human to voluntarily send the data. That is what makes this category of BEC resistant to purely technical controls.
Business email compromise protection at the platform layer means modeling what legitimate communication from the BSA Officer to AP actually looks like, and flagging the first instance of a new external sender claiming that identity. That is the only reliable detection path for display-name impersonation BEC.
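The three behavioral signals named above (display-name impersonation of an internal identity, a Reply-To that leaves the sender domain, and a destination that mimics a brand) can be expressed as simple header-and-body checks. The following is an added example written for this write-up, not Themis code or any vendor's detection logic; the message, the bank domain examplebank.test, the directory entry "Pat Example" and the brand list are all constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample that mirrors the header shape described above; names and the
# recipient domain are placeholders, not the bank's real identities.
SAMPLE = """\
From: "Pat Example" <info@lectrosalt.us>
Reply-To: notify@sslappsworkmail-outboundprotection-onmsn.com
To: ap@examplebank.test
Subject: FW: LinkedIn Invoice and Contact Information

Please send the completed W-9 to mbrennan@users-linkedin.com today.
"""

INTERNAL_DOMAIN = "examplebank.test"                         # assumed bank mail domain
DIRECTORY = {"pat example": "pat.example@examplebank.test"}  # assumed directory entry for the BSA Officer
BRANDS = ("linkedin.com", "microsoft.com")                   # brands whose lookalikes we care about

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower().rstrip(".")

def looks_like(domain, brand):
    """Lookalike: the brand name appears as a hyphen/dot token in a domain the brand does not own."""
    brand_name = brand.split(".")[0]
    if domain == brand or domain.endswith("." + brand):
        return False
    return brand_name in re.split(r"[.-]", domain)

def score(raw):
    """Return the behavioral findings the text describes: identity, reply path, destination."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg["From"])
    if name.lower() in DIRECTORY and domain_of(addr) != INTERNAL_DOMAIN:
        findings.append(f"display-name impersonation: '{name}' from external {domain_of(addr)}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != domain_of(addr):
        findings.append(f"reply-to redirect: {domain_of(reply)}")
    for dest in sorted(set(re.findall(r"[\w.+-]+@([\w.-]+)", msg.get_payload()))):
        for brand in BRANDS:
            if looks_like(dest.lower().rstrip("."), brand):
                findings.append(f"lookalike destination: {dest} mimics {brand}")
    return findings

if __name__ == "__main__":
    for finding in score(SAMPLE):
        print(finding)
```

None of these checks consult SPF, DKIM or DMARC state, which is the point: they still fire when a relay has already made authentication results unusable.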
---
| Type | Indicator | Context |
|---|---|---|
| Domain | lectrosalt[.]us | Attacker sending domain, registered 2026-03-09 |
| Sender | info@lectrosalt[.]us | Attacker address with exact BSA Officer display name |
| Domain | users-linkedin[.]com | Attacker W-9 exfiltration domain (LinkedIn lookalike) |
| Reply-To | sslappsworkmail-outboundprotection-onmsn[.]com | Attacker reply-intercept domain mimicking MS infrastructure |
| File | LNKD-INVOICE#12026824900.pdf | Decoy attachment, clean, no payload |