Table of Contents
The email read like a standard construction industry bid invitation. A company name. A project reference number. An offer to preview bid documents. An attachment description that matched the format of a real PDF filename. A polite sign-off from a named contact.
The link labeled as a bid-preview document did not go to a document. It went to a path on a Brazilian website that had nothing to do with construction, the sender, or the recipient's industry.
The entire deception was contained in the gap between what the link said and where it went.
A Bid Invitation Sent to No One in Particular
The email was addressed from a named sender at a construction-related company, sent to the same address in both the From and To fields. The steel fabrication company and the other recipients were in the BCC field. None of them appeared in the To line.
This is the mass-BCC delivery pattern. The attacker sends a single message with themselves or an alias in the To field and distributes the real recipient list in BCC. Each individual recipient receives a message that appears addressed only to the sender. The campaign scope is invisible to any individual target, and there is no shared recipient list visible to any one person in the batch.
The use of BCC also prevents the most common informal detection mechanism: a recipient who notices unfamiliar co-recipients on a vendor message and questions whether the email belongs to them. When the BCC pattern hides the distribution, that check does not occur.
The sender's domain, a channel for email spoofing, was registered in 2022 and had its last-update record refreshed four days before this incident. Recent registrar updates on a domain used for phishing can indicate that the domain infrastructure was re-pointed or modified in preparation for a campaign, though the domain in this case was legitimate enough to clear authentication.
The Link That Was Not a PDF
The message contained a hyperlink. The visible text of the link was formatted as a bid-preview PDF filename, including a project reference number and a conventional document-naming pattern consistent with the construction sector. A recipient reading the email would see what appeared to be a direct link to a bid-preview document.
The actual URL behind that anchor text pointed to a path on a Brazilian website. The domain belonged to a legitimate small media organization operating a radio broadcast site. The path in the URL was a subdirectory with no relationship to the domain's actual content. The website was a victim, not an attacker asset. Its infrastructure had been compromised and a subdirectory was being used as a redirect or phishing relay endpoint.
See Your Risk: Calculate how many threats your SEG is missing
This is the display-to-destination mismatch technique. HTML email permits any text as the anchor for any URL. The visible description of a link carries no technical relationship to its destination. Writing "Preview Bid Document - Project 7804-3456 (PDF)" as the anchor text of a link that resolves to a compromised third-party website is trivially easy and produces a high-fidelity social engineering element: the recipient sees a plausible document name, consistent with the stated context, and has no visual indication from the rendered email that the URL behind it is unrelated.
The destination hosted at that subdirectory path was not examined in sandbox analysis at the time of detection, because the message was quarantined before delivery. The path structure on the compromised site was consistent with phishing relay or redirect infrastructure: a short, non-semantic directory name under a domain with no prior bad reputation.
Authentication Passed. The Link Did Not.
SPF passed. DKIM passed. ARC passed. The sending domain had no flagged reputation. The Microsoft SCL (spam confidence level) was set to 1, the lowest tier. None of the email authentication infrastructure produced a signal that would have justified holding the message at the gateway.
The only detection vector was the link itself. IRONSCALES Adaptive AI flagged the message as "Suspicious Link" at 56% confidence. The detection was based on the mismatch between the link's display text (a document filename) and its actual destination (a path on an unrelated foreign website). This specific signal does not require the destination URL to be known-bad. It requires only that the link destination be inconsistent with the anchor text and the context of the message.
Credential harvesting via display-text deception is effective precisely because it passes inspection at every authentication layer and clears gateway reputation checks, while the actual attack surface is visible only when the destination URL is resolved and compared against the text that describes it.
The Detection Principle Behind Display Text Analysis
The recipient at the steel fabrication company was quarantined before engaging with the link. The message was later manually approved (after the quarantine flag), which increased its exposure window, but the Adaptive AI's initial classification identified the mismatch before the email reached the inbox.
The key principle this case demonstrates is that link-text consistency is an independent detection signal from link reputation. A phishing link to a domain with a clean reputation can still be a phishing vector if the anchor text claims to point to something the URL cannot deliver.
Inspect link destinations against their display text. Any link whose visible label includes a filename, document description, or resource reference should be checked against the actual URL it resolves to. A mismatch is a deception.
Treat mass-BCC distribution as a campaign signal. A bid invitation addressed to self, with the actual recipient list hidden in BCC, is structurally inconsistent with how legitimate bid invitations are sent to known contacts. This pattern warrants elevated scrutiny regardless of the link content.
Apply domain-age context to sender evaluation. A construction company sending bid invitations from a 4-year-old domain with a recent registrar update is not automatically suspicious, but combined with link mismatch and BCC distribution, it contributes to a risk profile that exceeds any single indicator alone.
The MITRE ATT&CK framework classifies spearphishing link delivery under T1566.002, noting that visible link text is routinely used to obscure malicious URLs. CISA phishing guidance recommends hovering over links before clicking to verify the actual destination. The Verizon DBIR 2026 identifies email as the primary initial access vector for credential theft. The Microsoft Digital Defense Report 2024 specifically notes that attackers increasingly abuse legitimate compromised websites as relay infrastructure to circumvent domain-age and reputation-based filters.
The bid preview label was a sentence. The URL behind it was a path on someone else's website. That gap is the entire attack.
---
| Type | Indicator | Context |
|---|---|---|
| URL | hxxps://[compromised-brazilian-website]/seaports/ | Actual destination of bid-preview link; compromised third-party site, not attacker-registered |
| Anchor text | "a bid-preview PDF label" | Display text describing a construction bid document; resolves to unrelated URL (mismatch is the indicator) |
| Sender domain | [construction-sender-domain] | Construction-context sender; 4-year-old domain with registrar update 4 days before incident |
Related attacks
| Attack | What happened |
|---|---|
| Sign Here, Get Phished: Inside an Adobe Sign Lure With a Multi-Hop Redirect to Credential Theft | An Adobe Sign e-signature lure routed recipients through a multi-hop redirect chain ending at fameklinik[.]com. |
| DocuSign Plus Invoice: A 12-Day-Old Domain and an esvalabs Redirect Chain That Scanners Missed | A phishing campaign combined DocuSign branding with an invoice thread pretext, sent from a 12-day-old privacy-protected domain via Amazon SES. |
| When the Phishing Kit Ships Early: Exposed Template Variables Reveal Attack Infrastructure | A premature phishing kit deployment exposed raw template variables in the subject line and a placeholder URL. |
| Funding Agreement, Forged Approval: How a Three-Layer Redirect Chain Targeted Finance Leadership | A phishing campaign impersonating a document-signing platform targeted a VP of Finance with a forged funding agreement. |
| Hungarian Bank, Nepali Domain, Broken Encoding: How a K&H Bank Phishing Kit Exposed Itself | A K&H Bank impersonation campaign sent from a Nepali domain used DKIM signing and hotlinked the real bank's favicon. |
Explore More Articles
Say goodbye to Phishing, BEC, and QR code attacks. Our Adaptive AI automatically learns and evolves to keep your employees safe from email attacks.