Real Brand Trackers as Cover: A Boot Barn and DocuSign Impersonation That Routed One Malicious Link Through a Field of Legitimate Ones

TL;DR An attacker sent a DocuSign-styled authorization reminder carrying Boot Barn brand imagery, routed through Amazon SES from a 2024-registered throwaway subdomain on evegift[.]com. SPF and DKIM passed for the sending infrastructure. DMARC returned a permerror, an evaluation error rather than a pass or fail, so no policy verdict was produced for the sending subdomain. Buried among real Boot Barn marketing-tracker links was a single Google redirect leading to an attacker-controlled landing domain. The legitimate trackers were camouflage; the malicious redirect was the payload.
Severity: High | Tags: Credential Harvesting, ESP Abuse, Brand Impersonation, Phishing | MITRE: T1566.002, T1583.001

A warehouse and distribution staffer at a large manufacturing organization received what looked like a standard DocuSign reminder. Subject line: a transaction number, a date, and a request to provide signed authorization. The sender display name: "noreply." The body combined a DocuSign-styled completion banner with Boot Barn branding and product navigation links.

The message was sent from a domain registered in 2024 with no connection to either company.

This is what credential-harvest infrastructure looks like when the attacker invests in camouflage: authenticated sending through a legitimate cloud service, real brand tracker links borrowed from Boot Barn's marketing platform to build reputation cover, and one malicious redirect hidden among them.

The sending infrastructure and why authentication held

The message arrived from Amazon SES, originating IP 23.251.242.9 on the us-west-1 endpoint. The From address was jaksukrf[@]otzosnxwm[.]evegift[.]com, a throwaway subdomain of evegift[.]com, registered in 2024 with WHOIS privacy protection. The display name was the generic "noreply."

SPF passed: the SES IP was a permitted sender for the envelope-from domain. DKIM also passed, with two valid signatures, one with d=evegift[.]com and one with d=amazonses.com, confirming the signed headers and body had not been altered after SES signed them.

DMARC returned a permerror. A permerror is an evaluation error, not an alignment result: the receiver could not arrive at a usable policy for otzosnxwm[.]evegift[.]com, so DMARC produced no actionable verdict. No enforcement, no quarantine instruction, no block. Microsoft's composite authentication result was compauth=pass with reason code 111 (a 1xx code, meaning the message passed authentication), so the message was treated as authenticated on the strength of the SPF and DKIM results alone. That is a verdict on the sending infrastructure, not on the content.

This is the ESP abuse pattern: register an account with a legitimate sending platform, publish the DNS records the platform asks for, send from real infrastructure. The authentication checks evaluate the infrastructure honestly and return a pass because the infrastructure genuinely is legitimate. Whether the content is malicious is outside their scope.
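How a filter should read that header, as an added Python example that is not IRONSCALES code or the logic of any product named on this page. The Authentication-Results value is constructed from the results reported above; the smtp.mailfrom domain is an assumption (an SES default bounce domain is used), and the organizational-domain rule is a two-label approximation rather than a Public Suffix List lookup. The point it makes is structural: infrastructure authentication is recorded in its own field, a DMARC permerror is never credited as a pass, and the content verdict is left empty because nothing in the header speaks to it.

```python
"""Reading Authentication-Results so that an infrastructure pass is not mistaken
for a content verdict.

Added example, not IRONSCALES code. The header value below is constructed from
the results reported on the page; the smtp.mailfrom domain is an assumption
(an SES default bounce domain) and org_domain() is a two-label approximation.
"""
import re

SAMPLE_AUTH_RESULTS = (
    "spf=pass (sender IP is 23.251.242.9) smtp.mailfrom=us-west-1.amazonses.com; "
    "dkim=pass (signature was verified) header.d=evegift.com; "
    "dkim=pass (signature was verified) header.d=amazonses.com; "
    "dmarc=permerror action=none header.from=otzosnxwm.evegift.com; "
    "compauth=pass reason=111"
)
SAMPLE_FROM_DOMAIN = "otzosnxwm.evegift.com"

# DMARC results that carry no pass/fail verdict and must not be scored as a pass.
DMARC_NO_VERDICT = {"permerror", "temperror", "none"}


def parse_auth_results(value):
    """Split an Authentication-Results value into clauses of method, result and properties."""
    clauses = []
    for raw in value.split(";"):
        raw = re.sub(r"\([^)]*\)", " ", raw).strip()  # drop parenthesised comments
        if not raw:
            continue
        tokens = raw.split()
        method, _, result = tokens[0].partition("=")
        props = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        clauses.append({"method": method.lower(), "result": result.lower(), **props})
    return clauses


def org_domain(domain):
    """Assumption: two-label organizational domain (no Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def assess(auth_header, from_domain):
    """Summarise infrastructure authentication and flag what the passes do not cover."""
    by_method = {}
    for clause in parse_auth_results(auth_header):
        by_method.setdefault(clause["method"], []).append(clause)

    spf_pass = any(c["result"] == "pass" for c in by_method.get("spf", []))
    dkim_signers = [c.get("header.d", "").lower() for c in by_method.get("dkim", []) if c["result"] == "pass"]
    dmarc = by_method.get("dmarc", [{}])[0].get("result", "none")
    compauth = by_method.get("compauth", [{}])[0]

    from_domain = from_domain.lower()
    strict = [d for d in dkim_signers if d == from_domain]
    relaxed = [d for d in dkim_signers if d != from_domain and org_domain(d) == org_domain(from_domain)]
    third_party = [d for d in dkim_signers if d not in strict and d not in relaxed]

    flags = []
    if dmarc in DMARC_NO_VERDICT:
        flags.append(f"dmarc={dmarc}: no policy verdict; do not credit as a pass")
    if relaxed and not strict:
        flags.append(f"DKIM aligns only in relaxed mode via parent domain {relaxed[0]}")
    if third_party:
        flags.append(f"non-aligned signer(s) {', '.join(third_party)}: shared ESP infrastructure")
    return {
        "infrastructure_authenticated": spf_pass and bool(dkim_signers),
        "dmarc_result": dmarc,
        "compauth": compauth.get("result"),
        "compauth_reason": compauth.get("reason"),
        "aligned_dkim_domains": strict + relaxed,
        "flags": flags,
        "content_verdict": None,  # deliberately empty: authentication says nothing about the body
    }


if __name__ == "__main__":
    verdict = assess(SAMPLE_AUTH_RESULTS, SAMPLE_FROM_DOMAIN)
    for key, val in verdict.items():
        print(f"{key}: {val}")
```

Run against the constructed header, `assess()` reports the infrastructure as authenticated, records the DMARC result as permerror with a flag saying it must not be credited, notes that DKIM alignment is relaxed-only through the parent domain, and leaves `content_verdict` unset; the link analysis that fills that field is a separate pipeline stage.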

Boot Barn trackers as reputation camouflage

The body of the message carried Boot Barn's full marketing template structure. Navigation links for MEN, WOMEN, BOOTS, WORKWEAR, KIDS, FASHION, and a logo link all resolved to e.p.bootbarn.com with JWT tracking parameters consistent with Boot Barn's email platform. A footer carried a link to custserv[@]bootbarn.com and a privacy policy URL, both resolving to legitimate Boot Barn pages. These were real links, pulled from or modeled on an actual Boot Barn marketing message, and every one of them scanned clean.

Interspersed with those clean links was a single call-to-action button. Its href pointed to a Google redirect URL, which forwarded to hxxps://extendedrealityxrtech[.]com/erndprvwind?id=993a646acd7d4340b26ab9ee8eab1c8a7773540bb105722192cca744ab4ef4.

The landing domain extendedrealityxrtech[.]com had no relationship to Boot Barn, DocuSign, or any other entity in the message. The path and parameter structure is consistent with a credential harvesting funnel: a unique ID parameter tracking the specific recipient, a non-descriptive endpoint path designed to resist pattern matching, and a destination that rendered a DocuSign-styled capture form.

MITRE ATT&CK maps the infrastructure setup to T1583.001 (Acquire Infrastructure: Domains) and the lure delivery to T1566.002 (Phishing: Spearphishing Link).

Why the tracker camouflage is the core technique

A reputation-based filter scoring this message would aggregate signals across all its links. Out of roughly a dozen URLs, ten or more resolve to a known US retailer's marketing infrastructure. The single malicious link is numerically a small fraction of the total. Filters that weight average link reputation rather than worst-case link reputation will see a mostly-clean message.

The Google redirect compounds this. The primary CTA does not point directly to the attacker domain; it points to a google.com URL that redirects there. At the moment of scanning, the immediate destination is google.com, which carries substantial reputation. The actual landing domain is a step further in the redirect chain, which some scanners do not follow to termination.

This two-layer structure, legitimate brand trackers plus a Google-intermediated redirect, is designed to present the maximum number of clean signals to any filter evaluating the message at the moment of delivery.

The structural defense against this technique is evaluating the worst-case link in a message, not the average, and following redirect chains to their final destination. Fake login pages constructed to mirror DocuSign or Boot Barn account portals are the endpoint of this funnel; detecting them requires rendering the destination, not just resolving it.
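The two controls just described, worst-case rather than average link scoring and unwrapping the redirect chain before scoring, as an added Python example that is not IRONSCALES code or any product's detection logic. The sample HTML is constructed to mirror the message's structure (Boot Barn navigation and footer links plus one google.com/url CTA wrapping the landing URL from the text), the allowlist is a toy stand-in for a reputation feed, and registered-domain extraction uses a two-label rule rather than the Public Suffix List. The unwrapping is done offline by decoding the redirector's destination parameter, and it generalizes to any parameter-based redirector by adding a row to the table.

```python
"""Worst-case link scoring with offline redirect unwrapping.

Added example, not IRONSCALES code. SAMPLE_HTML is constructed to mirror the
message's structure; KNOWN_GOOD is a toy allowlist standing in for a reputation
feed; registered_domain() assumes two-label org domains instead of using the PSL.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, urlparse

LANDING = ("https://extendedrealityxrtech.com/erndprvwind"
           "?id=993a646acd7d4340b26ab9ee8eab1c8a7773540bb105722192cca744ab4ef4")

# Constructed sample body: eight clean Boot Barn links, one mailto, and one CTA
# whose href is a google.com/url redirect wrapping the attacker landing URL.
SAMPLE_HTML = (
    '<a href="https://e.p.bootbarn.com/c/logo?token=eyJ0.eyJ1.AAA">Boot Barn</a>'
    + "".join(
        f'<a href="https://e.p.bootbarn.com/c/{n.lower()}?token=eyJ0.eyJ1.{n}">{n}</a>'
        for n in ("MEN", "WOMEN", "BOOTS", "WORKWEAR", "KIDS", "FASHION")
    )
    + '<a href="https://www.bootbarn.com/privacy-policy.html">Privacy Policy</a>'
    + '<a href="mailto:custserv@bootbarn.com">custserv@bootbarn.com</a>'
    + f'<a href="https://www.google.com/url?q={quote(LANDING, safe="")}&amp;sa=D">REVIEW DOCUMENT</a>'
)


class _HrefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value and value.lower().startswith(("http://", "https://")):
                    self.hrefs.append(value)


def extract_links(html):
    """All http(s) anchor hrefs in document order (mailto: and relative links skipped)."""
    collector = _HrefCollector()
    collector.feed(html)
    return collector.hrefs


# Parameter-based redirectors unwrapped without a network call:
# host -> (path, candidate parameter names that carry the destination).
REDIRECTORS = {
    "www.google.com": ("/url", ("q", "url")),
    "google.com": ("/url", ("q", "url")),
}


def unwrap_redirect(url, max_hops=5):
    """Return the chain [url, ..., final], unwrapping known redirectors up to max_hops."""
    chain = [url]
    for _ in range(max_hops):
        parsed = urlparse(chain[-1])
        rule = REDIRECTORS.get(parsed.netloc.lower())
        if rule is None or parsed.path != rule[0]:
            break
        params = parse_qs(parsed.query)
        target = next((params[p][0] for p in rule[1] if p in params and params[p][0]), None)
        if target is None or not target.lower().startswith(("http://", "https://")):
            break
        chain.append(target)
    return chain


def registered_domain(host):
    """Assumption: two-label organizational domain (no Public Suffix List)."""
    return ".".join(host.lower().split(":")[0].rstrip(".").split(".")[-2:])


KNOWN_GOOD = {"bootbarn.com", "google.com"}  # toy allowlist, constructed for the example


def domain_risk(host):
    """0.0 for a known-good registered domain, 1.0 for anything unknown."""
    return 0.0 if registered_domain(host) in KNOWN_GOOD else 1.0


def score_message(html, follow_redirects=True):
    """Score every link on its final destination and report average versus worst case."""
    rows = []
    for href in extract_links(html):
        chain = unwrap_redirect(href) if follow_redirects else [href]
        final_host = urlparse(chain[-1]).netloc
        rows.append({
            "href": href,
            "final_url": chain[-1],
            "final_domain": registered_domain(final_host),
            "hops": len(chain) - 1,
            "risk": domain_risk(final_host),
        })
    risks = [r["risk"] for r in rows]
    worst = max(rows, key=lambda r: r["risk"])
    return {
        "links": rows,
        "average_risk": sum(risks) / len(risks),
        "worst_risk": worst["risk"],
        "worst_link": worst,
    }


if __name__ == "__main__":
    naive = score_message(SAMPLE_HTML, follow_redirects=False)
    full = score_message(SAMPLE_HTML, follow_redirects=True)
    print(f"stop at first hop: worst={naive['worst_risk']}, avg={naive['average_risk']:.2f}")
    print(f"follow chain:      worst={full['worst_risk']}, avg={full['average_risk']:.2f}")
    print("worst link resolves to", full["worst_link"]["final_domain"],
          "after", full["worst_link"]["hops"], "hop(s)")
```

Scored without unwrapping, every link including the CTA lands on an allowlisted domain and the message looks clean by both measures; unwrapping the CTA exposes the unknown landing domain, the worst-case score goes to 1.0 while the average stays near 0.1. A filter that acts on the average still delivers the message; one that acts on the worst case does not.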

Indicators of compromise

Type | Indicator | Context
Domain | otzosnxwm[.]evegift[.]com | Sending subdomain; registered 2024; WHOIS privacy; no affiliation with Boot Barn or DocuSign
Email | jaksukrf[@]otzosnxwm[.]evegift[.]com | Envelope sender and Reply-To; display name "noreply"
Infrastructure | 23.251.242.9 (e242-9.smtp-out.us-west-1.amazonses.com) | Amazon SES outbound relay used for delivery
URL | hxxps://extendedrealityxrtech[.]com/erndprvwind?id=993a646acd7d4340b26ab9ee8eab1c8a7773540bb105722192cca744ab4ef4 | Attacker landing domain; reached via Google redirect in primary CTA
URL | hxxps://www.google[.]com/url?...q=hxxps://extendedrealityxrtech[.]com/... | Google redirect intermediary; used to obscure final destination at scan time
Auth | SPF pass, DKIM pass (d=evegift[.]com + d=amazonses.com), DMARC permerror | Passes on sending infrastructure; DMARC produced no policy verdict for the subdomain
Behavior | Real Boot Barn marketing tracker links co-mingled with malicious CTA | Reputation-dilution camouflage technique
Behavior | High-entropy random token in subject line | Per-recipient hash-uniqueness to defeat signature-based filters

Why this reached the inbox and what changes the outcome

The message landed and was automatically resolved as phishing. The combination of a 2024-registered domain with no brand history, a DMARC permerror status, a first-time sender relationship, and a link resolving through a redirect chain to an unrecognized landing domain produced enough signal for automated detection to act.

The lesson for defenders is about redirect chain evaluation. If the detection logic had halted at the Google URL, which resolved clean, the malicious landing domain would have remained invisible until a user clicked through. Following every redirect to its final destination, and treating the worst link in a message as the message's risk level, is the control that closes this gap.

A legitimate DocuSign notification names the document, the sender, and the receiving organization. It does not include retail navigation links for a clothing brand. Either anomaly, checked against what a real notification from that service looks like, surfaces the impersonation before the redirect chain needs to be examined at all.


Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack. What it looked like, why it worked, and what to do about it.
