The subject line did not ask. It threatened. "Imprisonment for up to two years" for failure to file. The message invoked FinCEN, the Financial Crimes Enforcement Network, and framed inaction as a federal criminal offense. The call to action was a button labeled "File your 2025 BOI."
The email passed SPF. It passed DKIM. It passed DMARC. The Microsoft authentication header recorded compauth=pass reason=100. Every technical check the receiving mail server performed returned a green result.
Regulatory Fear as a Delivery Mechanism
The Beneficial Ownership Information filing requirement under the Corporate Transparency Act created a new attack surface the moment it became law. Millions of small US businesses were required to file beneficial ownership data with FinCEN, many of them unfamiliar with the process and anxious about compliance. That anxiety is the precondition for this class of attack to work at scale.
The email's fear framing was specific enough to be credible: it cited criminal penalties (imprisonment) and civil penalties (fines per day of non-compliance). It referenced a real regulatory framework. The urgency was not manufactured from a fictional scenario but from a genuine legal obligation that the target had reason to take seriously.
This is the defining characteristic of social engineering attacks that use regulatory or legal fear as the lure: they do not need to invent a threat. They amplify a real one, substituting themselves as the delivery channel for that threat while redirecting the response to attacker-controlled infrastructure.
The target was a small Florida real-estate company. BOI filing obligations apply directly to this business category.
Authentication Was Correct. The Sender Was Not.
The message was delivered through Elastic Email, a commercial email service provider. Elastic Email was properly configured as an authorized sender for corporatefilingsusa[.]com, which is why SPF, DKIM, and DMARC all passed. The authentication was technically accurate: that domain, that ESP, that message. What authentication cannot verify is whether the domain's operator had any authority to act on behalf of FinCEN or the federal government.
corporatefilingsusa[.]com was registered on August 14, 2024, with privacy-protected WHOIS. It was hosted on an AWS EC2 instance at 18[.]188[.]183[.]11, where a PTR record mismatch existed between the IP's reverse DNS hostname and the domain's forward DNS records. PTR mismatches on ESP-delivered messages are not unusual and do not independently signal malicious intent, but in context they add to a pattern of hasty infrastructure assembly rather than an established commercial operation.
The domain name itself mimics official government naming conventions. "USA" in the domain name implies federal scope. "Corporate Filings" mimics the language of official business registration systems. There is no disclaimer in the email body establishing that this is a private commercial service and not a government agency. The impression created was governmental. The reality was a commercial vendor operating with no disclosed relationship to FinCEN.
The Cross-Brand Redirect Exposure
The CTA button was labeled to file a 2025 BOI. Clicking it activated a redirect from forms[.]corporatefilingsusa[.]com to myfloridacorpfilings[.]com. The sender and the destination were not the same company. That redirect exposed the deception.
In a legitimate multi-brand corporate family, cross-domain redirects are normal. A subsidiary might redirect to a parent portal. But in this case, the two brands share no stated relationship in the email body, and the redirect was silent: the recipient saw a button on the corporatefilingsusa brand and landed on myfloridacorpfilings. The name change implies the filing was being captured by a different commercial entity than the one that sent the message.
The destination domain also presented a TLS hostname mismatch: the certificate served at myfloridacorpfilings[.]com did not match the domain name. This is a configuration failure inconsistent with a professionally operated commercial compliance service. It is consistent with a quickly deployed redirect target assembled without full TLS provisioning.
Detection Beyond Authentication
Themis, the Adaptive AI engine, flagged this message based on behavioral and structural signals that the authentication layer was not designed to surface. The sending domain was created less than a year before delivery. The PTR mismatch indicated non-standard infrastructure configuration. The cross-brand redirect introduced a destination the recipient had no prior relationship with. The regulatory fear framing matched known email spoofing patterns. Multiple tracking wrappers through tracking[.]corporatefilingsusa[.]com added another layer of redirect complexity typical of deceptive commercial mailers.
None of these signals were individually definitive. Combined, they formed a behavioral fingerprint that departed from legitimate compliance communication norms: a new domain, an ESP relay, fear language, a cross-brand silent redirect, and a TLS mismatch at the destination. Legitimate government-adjacent compliance services do not behave this way.
Defenders should treat any compliance-urgency email citing criminal penalties as a candidate for out-of-band verification, regardless of authentication results. The canonical check is simple: real FinCEN BOI communications originate from .gov domains, not commercial ESPs.
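As an added example (my code, not the article's and not the Themis engine it describes), the following Python scorer reproduces the reasoning of this section together with the two earlier ones on sender authentication and the redirect chain: it records that SPF, DKIM and DMARC passed without treating that as trust, then checks domain age, forward-confirmed reverse DNS for the PTR mismatch, the redirect chain for tracking hops and a cross-brand landing domain, the landing host's certificate names, and penalty-based fear language. The headers, DNS answers, redirect map, certificate names and delivery date are constructed stand-ins that mirror the report, and `registrable_domain` approximates eTLD+1 with the last two labels rather than consulting a public-suffix list.

```python
"""Behavioural scoring of a message that passes SPF, DKIM and DMARC.

Added example, not code from the original article or the Themis engine it
describes. All inputs (headers, DNS answers, WHOIS date, redirect map, cert
names) are constructed to mirror the report, not captured data."""
import re
from datetime import date
from urllib.parse import urlparse

FEAR_TERMS = ("imprisonment", "criminal", "penalt", "failure to file")

def registrable_domain(host):
    # Assumption: eTLD+1 is the last two labels (no public-suffix list offline).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def authentication_passed(auth_results):
    # Microsoft's Authentication-Results header carries spf=, dkim= and dmarc=.
    return all(re.search(rf"\b{m}=pass\b", auth_results)
               for m in ("spf", "dkim", "dmarc"))

def fcrdns_mismatch(ip, sender_domain, dns):
    # Forward-confirmed reverse DNS: the PTR name must resolve back to the IP
    # and belong to the sender's organisation; either failure is a mismatch.
    ptr = dns["ptr"].get(ip)
    if ptr is None:
        return True
    forward_ok = ip in dns["a"].get(ptr, ())
    same_org = registrable_domain(ptr) == registrable_domain(sender_domain)
    return not (forward_ok and same_org)

def follow_redirects(url, redirect_map, limit=10):
    # Walk Location headers offline; redirect_map stands in for HTTP responses.
    chain = [url]
    while chain[-1] in redirect_map and len(chain) <= limit:
        chain.append(redirect_map[chain[-1]])
    return chain

def cert_matches(host, sans):
    # RFC 6125 style matching: exact names, or a wildcard covering exactly one
    # leftmost label (*.example.com matches a.example.com, not example.com).
    host = host.lower()
    for name in (n.lower() for n in sans):
        if name.startswith("*."):
            parts = host.split(".", 1)
            if len(parts) == 2 and parts[1] == name[2:]:
                return True
        elif name == host:
            return True
    return False

def score_message(msg, dns, whois_created, redirect_map, certs, today):
    # Each signal is one departure from legitimate compliance mail; none is
    # decisive alone, the combination is the fingerprint.
    signals = []
    sender = msg["from_domain"]
    if (today - whois_created).days < 365:
        signals.append("sending domain younger than one year")
    if fcrdns_mismatch(msg["sending_ip"], sender, dns):
        signals.append("PTR / forward DNS mismatch on sending IP")
    if any(t in msg["body"].lower() for t in FEAR_TERMS):
        signals.append("criminal or civil penalty fear language")
    for link in msg["links"]:
        hosts = [urlparse(u).hostname for u in follow_redirects(link, redirect_map)]
        if len(hosts) > 2:
            signals.append(f"{len(hosts) - 2} tracking hop(s) before landing")
        if registrable_domain(hosts[-1]) != registrable_domain(sender):
            signals.append(f"cross-brand redirect to {hosts[-1]}")
        if not cert_matches(hosts[-1], certs.get(hosts[-1], ())):
            signals.append(f"TLS hostname mismatch at {hosts[-1]}")
    return len(signals), signals

SAMPLE_MSG = {  # constructed sample mirroring the report, not captured data
    "from_domain": "corporatefilingsusa.com",
    "sending_ip": "18.188.183.11",
    "auth_results": "spf=pass dkim=pass dmarc=pass compauth=pass reason=100",
    "body": "Failure to file your 2025 BOI may result in imprisonment for up to two years.",
    "links": ["https://tracking.corporatefilingsusa.com/c/placeholder"],
}
SAMPLE_DNS = {  # PTR name is a constructed stand-in for the real reverse record
    "ptr": {"18.188.183.11": "ptr-host.example.net"},
    "a": {"ptr-host.example.net": ("18.188.183.11",),
          "corporatefilingsusa.com": ("203.0.113.10",)},
}
SAMPLE_REDIRECTS = {
    "https://tracking.corporatefilingsusa.com/c/placeholder":
        "https://forms.corporatefilingsusa.com/boi",
    "https://forms.corporatefilingsusa.com/boi":
        "https://myfloridacorpfilings.com/file",
}
# The landing host serves a certificate for some other name (constructed).
SAMPLE_CERTS = {"myfloridacorpfilings.com": ["*.unrelated-host.example"]}

def analyze_sample(delivered=date(2025, 3, 1)):  # delivery date is constructed
    authenticated = authentication_passed(SAMPLE_MSG["auth_results"])
    score, signals = score_message(SAMPLE_MSG, SAMPLE_DNS, date(2024, 8, 14),
                                   SAMPLE_REDIRECTS, SAMPLE_CERTS, delivered)
    # Authentication is recorded but earns no trust; three or more behavioural
    # signals route the message to out-of-band verification.
    verdict = "verify out-of-band" if score >= 3 else "deliver"
    return authenticated, score, signals, verdict
```

Calling `analyze_sample()` returns `authenticated=True` alongside six behavioural signals and the verdict "verify out-of-band", which is the point of the section: the authentication result is true and irrelevant. The example keeps everything offline by passing DNS answers, the redirect map and certificate names as plain dictionaries; in a real pipeline those three arguments would be filled from a resolver, from following the HTTP chain with redirects disabled, and from the subjectAltName list of the handshake certificate, with `whois_created` taken from RDAP.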
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Sending Domain | corporatefilingsusa[.]com | Registered Aug 14, 2024; Elastic Email sender |
| Sending IP | 18[.]188[.]183[.]11 | AWS EC2, PTR mismatch |
| Redirect Domain | myfloridacorpfilings[.]com | Cross-brand redirect destination; TLS mismatch |
| Tracking Domain | tracking[.]corporatefilingsusa[.]com | Multiple tracking wrappers |
| CTA Form Host | forms[.]corporatefilingsusa[.]com | Initiates redirect chain |
| Relay | pn159[.]mxout[.]mta2[.]net | Elastic Email outbound relay |
| WHOIS | Privacy-protected | Registrar obscured via WHOIS privacy |
MITRE ATT&CK Mapping
| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | Fear-lure CTA redirects through multiple tracking domains |
| Impersonation | T1656 | Private commercial vendor impersonating federal regulatory authority |