A Construction Bid Invitation Hid a Compromised Website Behind a Legitimate-Looking PDF Label

TL;DR A phishing email formatted as a construction bid invitation was sent to multiple recipients via blind carbon copy, with one named recipient used as the envelope address. The link in the email displayed text formatted as a bid-preview PDF filename. The actual URL resolved to a path on a compromised Brazilian website that had no relationship to construction or the sender. SPF, DKIM, and ARC all passed. The only technical detection point was the mismatch between what the anchor text said and where the URL went. IRONSCALES Adaptive AI caught the suspicious link and quarantined the message.
Severity: Medium Phishing Credential Harvesting Display Name Impersonation MITRE: T1566.002 MITRE: T1598.003

The email read like a standard construction industry bid invitation. A company name. A project reference number. An offer to preview bid documents. An attachment description that matched the format of a real PDF filename. A polite sign-off from a named contact.

The link labeled as a bid-preview document did not go to a document. It went to a path on a Brazilian website that had nothing to do with construction, the sender, or the recipient's industry.

The entire deception was contained in the gap between what the link said and where it went.

A Bid Invitation Sent to No One in Particular

The email was addressed from a named sender at a construction-related company, sent to the same address in both the From and To fields. The steel fabrication company and the other recipients were in the BCC field. None of them appeared in the To line.

This is the mass-BCC delivery pattern. The attacker sends a single message with themselves or an alias in the To field and distributes the real recipient list in BCC. Each individual recipient receives a message that appears addressed only to the sender. The campaign scope is invisible to any individual target, and there is no shared recipient list visible to any one person in the batch.

The use of BCC also prevents the most common informal detection mechanism: a recipient who notices unfamiliar co-recipients on a vendor message and questions whether the email belongs to them. When the BCC pattern hides the distribution, that check does not occur.

The sender's domain, a channel for email spoofing, was registered in 2022 and had its last-update record refreshed four days before this incident. Recent registrar updates on a domain used for phishing can indicate that the domain infrastructure was re-pointed or modified in preparation for a campaign, though the domain in this case was legitimate enough to clear authentication.

The Link That Was Not a PDF

The message contained a hyperlink. The visible text of the link was formatted as a bid-preview PDF filename, including a project reference number and a conventional document-naming pattern consistent with the construction sector. A recipient reading the email would see what appeared to be a direct link to a bid-preview document.

The actual URL behind that anchor text pointed to a path on a Brazilian website. The domain belonged to a legitimate small media organization operating a radio broadcast site. The path in the URL was a subdirectory with no relationship to the domain's actual content. The website was a victim, not an attacker asset. Its infrastructure had been compromised and a subdirectory was being used as a redirect or phishing relay endpoint.

See Your Risk: Calculate how many threats your SEG is missing

This is the display-to-destination mismatch technique. HTML email permits any text as the anchor for any URL. The visible description of a link carries no technical relationship to its destination. Writing "Preview Bid Document - Project 7804-3456 (PDF)" as the anchor text of a link that resolves to a compromised third-party website is trivially easy and produces a high-fidelity social engineering element: the recipient sees a plausible document name, consistent with the stated context, and has no visual indication from the rendered email that the URL behind it is unrelated.

The destination hosted at that subdirectory path was not examined in sandbox analysis at the time of detection, because the message was quarantined before delivery. The path structure on the compromised site was consistent with phishing relay or redirect infrastructure: a short, non-semantic directory name under a domain with no prior bad reputation.

Authentication Passed. The Link Did Not.

SPF passed. DKIM passed. ARC passed. The sending domain had no flagged reputation. The Microsoft SCL (spam confidence level) was set to 1, the lowest tier. None of the email authentication infrastructure produced a signal that would have justified holding the message at the gateway.

The only detection vector was the link itself. IRONSCALES Adaptive AI flagged the message as "Suspicious Link" at 56% confidence. The detection was based on the mismatch between the link's display text (a document filename) and its actual destination (a path on an unrelated foreign website). This specific signal does not require the destination URL to be known-bad. It requires only that the link destination be inconsistent with the anchor text and the context of the message.

Credential harvesting via display-text deception is effective precisely because it passes inspection at every authentication layer and clears gateway reputation checks, while the actual attack surface is visible only when the destination URL is resolved and compared against the text that describes it.

The Detection Principle Behind Display Text Analysis

The recipient at the steel fabrication company was quarantined before engaging with the link. The message was later manually approved (after the quarantine flag), which increased its exposure window, but the Adaptive AI's initial classification identified the mismatch before the email reached the inbox.

The key principle this case demonstrates is that link-text consistency is an independent detection signal from link reputation. A phishing link to a domain with a clean reputation can still be a phishing vector if the anchor text claims to point to something the URL cannot deliver.

Inspect link destinations against their display text. Any link whose visible label includes a filename, document description, or resource reference should be checked against the actual URL it resolves to. A mismatch is a deception.

Treat mass-BCC distribution as a campaign signal. A bid invitation addressed to self, with the actual recipient list hidden in BCC, is structurally inconsistent with how legitimate bid invitations are sent to known contacts. This pattern warrants elevated scrutiny regardless of the link content.

Apply domain-age context to sender evaluation. A construction company sending bid invitations from a 4-year-old domain with a recent registrar update is not automatically suspicious, but combined with link mismatch and BCC distribution, it contributes to a risk profile that exceeds any single indicator alone.

The MITRE ATT&CK framework classifies spearphishing link delivery under T1566.002, noting that visible link text is routinely used to obscure malicious URLs. CISA phishing guidance recommends hovering over links before clicking to verify the actual destination. The Verizon DBIR 2026 identifies email as the primary initial access vector for credential theft. The Microsoft Digital Defense Report 2024 specifically notes that attackers increasingly abuse legitimate compromised websites as relay infrastructure to circumvent domain-age and reputation-based filters.

The bid preview label was a sentence. The URL behind it was a path on someone else's website. That gap is the entire attack.

---

TypeIndicatorContext
URLhxxps://[compromised-brazilian-website]/seaports/Actual destination of bid-preview link; compromised third-party site, not attacker-registered
Anchor text"a bid-preview PDF label"Display text describing a construction bid document; resolves to unrelated URL (mismatch is the indicator)
Sender domain[construction-sender-domain]Construction-context sender; 4-year-old domain with registrar update 4 days before incident
Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack. What it looked like, why it worked, and what to do about it.

Related attacks

Attack What happened
Sign Here, Get Phished: Inside an Adobe Sign Lure With a Multi-Hop Redirect to Credential TheftAn Adobe Sign e-signature lure routed recipients through a multi-hop redirect chain ending at fameklinik[.]com.
DocuSign Plus Invoice: A 12-Day-Old Domain and an esvalabs Redirect Chain That Scanners MissedA phishing campaign combined DocuSign branding with an invoice thread pretext, sent from a 12-day-old privacy-protected domain via Amazon SES.
When the Phishing Kit Ships Early: Exposed Template Variables Reveal Attack InfrastructureA premature phishing kit deployment exposed raw template variables in the subject line and a placeholder URL.
Funding Agreement, Forged Approval: How a Three-Layer Redirect Chain Targeted Finance LeadershipA phishing campaign impersonating a document-signing platform targeted a VP of Finance with a forged funding agreement.
Hungarian Bank, Nepali Domain, Broken Encoding: How a K&H Bank Phishing Kit Exposed ItselfA K&H Bank impersonation campaign sent from a Nepali domain used DKIM signing and hotlinked the real bank's favicon.

Explore More Articles

Say goodbye to Phishing, BEC, and QR code attacks. Our Adaptive AI automatically learns and evolves to keep your employees safe from email attacks.