A warehouse and distribution staffer at a large manufacturing organization received what looked like a standard DocuSign reminder. Subject line: a transaction number, a date, and a request to provide signed authorization. The sender display name: "noreply." The body combined a DocuSign-styled completion banner with Boot Barn branding and product navigation links.
The message was sent from a domain registered in 2024 with no connection to either company.
This is what credential-harvest infrastructure looks like when the attacker invests in camouflage: authenticated sending through a legitimate cloud service, real brand tracker links borrowed from Boot Barn's marketing platform to build reputation cover, and one malicious redirect hidden among them.
The message arrived from Amazon SES, originating IP 23.251.242.9 on the us-west-1 endpoint. The From address was jaksukrf[@]otzosnxwm[.]evegift[.]com, a throwaway subdomain of evegift[.]com, registered in 2024 with WHOIS privacy protection. The display name was the generic "noreply."
SPF passed. The SES IP was a permitted sender for the sending infrastructure. DKIM also passed, with two valid signatures: one from evegift[.]com and one from amazonses.com, confirming the message body had not been altered in transit.
DMARC returned a permerror. The subdomain otzosnxwm[.]evegift[.]com broke the DMARC alignment evaluation because subdomain handling could not resolve a consistent policy. The result is that DMARC produced no actionable verdict. No enforcement, no quarantine instruction, no block. The composite authentication score came back as pass with reason code 111, meaning the message cleared Microsoft's inbound filters on the strength of the SPF and DKIM results alone.
This is the ESP abuse pattern: register an account with a legitimate sending platform, configure the records, send from real infrastructure. The authentication checks evaluate the infrastructure honestly. They return a pass because the infrastructure genuinely is legitimate. Whether the content is malicious is outside their scope.
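To make the authentication point concrete, here is an added example (not code from the original post, and not any vendor's filter logic) that parses an Authentication-Results header and separates "the infrastructure passed" from "a domain policy rendered a verdict". The headers below are constructed to mirror the case above; the `mx.example.test` authserv-id, the subject token and the two-label `org_domain()` approximation (a real implementation uses the Public Suffix List) are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers modeled on the message described above; these are not the
# actual raw headers. The Authentication-Results layout follows the Microsoft style.
SAMPLE_HEADERS = """\
From: noreply <jaksukrf@otzosnxwm.evegift.com>
Reply-To: jaksukrf@otzosnxwm.evegift.com
Authentication-Results: mx.example.test;
 spf=pass (sender IP is 23.251.242.9) smtp.mailfrom=otzosnxwm.evegift.com;
 dkim=pass (signature was verified) header.d=evegift.com;
 dkim=pass (signature was verified) header.d=amazonses.com;
 dmarc=permerror action=none header.from=otzosnxwm.evegift.com;
 compauth=pass reason=111
Subject: Transaction CONSTRUCTED-TOKEN - signed authorization required

"""


def org_domain(domain: str) -> str:
    """Registrable (organizational) domain. Assumption: the last two labels; a real
    implementation consults the Public Suffix List instead."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_auth_results(value: str) -> list[dict]:
    """Split an Authentication-Results value into {'method', 'result', 'props'} entries."""
    value = re.sub(r"\([^)]*\)", "", value)   # drop comments such as "(sender IP is ...)"
    value = re.sub(r"\s+", " ", value)        # unfold continuation lines
    entries = []
    for stanza in value.split(";"):
        tokens = stanza.split()
        if not tokens or "=" not in tokens[0]:
            continue                          # authserv-id or empty stanza
        method, _, result = tokens[0].partition("=")
        props = dict(t.partition("=")[::2] for t in tokens[1:] if "=" in t)
        entries.append({"method": method.lower(), "result": result.lower(), "props": props})
    return entries


def evaluate(raw_headers: str) -> dict:
    """Derive sender-trust flags: SPF/DKIM alignment, DMARC verdict, subdomain From."""
    msg = message_from_string(raw_headers)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    org = org_domain(from_domain)
    results = parse_auth_results(msg["Authentication-Results"] or "")

    def aligned(method: str, key: str) -> bool:
        # Relaxed alignment: the identifier's organizational domain must match the From org domain.
        return any(r["method"] == method and r["result"] == "pass"
                   and org_domain(r["props"].get(key, "")) == org for r in results)

    dmarc = next((r["result"] for r in results if r["method"] == "dmarc"), "none")
    report = {
        "from_domain": from_domain,
        "org_domain": org,
        "from_is_subdomain": from_domain != org,
        "spf_aligned": aligned("spf", "smtp.mailfrom"),
        "dkim_aligned": aligned("dkim", "header.d"),
        "dkim_signers": [r["props"].get("header.d") for r in results
                         if r["method"] == "dkim" and r["result"] == "pass"],
        "dmarc_result": dmarc,
        # Only pass/fail are policy verdicts; none/permerror/temperror mean nothing was enforced.
        "dmarc_actionable": dmarc in ("pass", "fail"),
        "risk_flags": [],
    }
    if not report["dmarc_actionable"]:
        report["risk_flags"].append("no_dmarc_verdict")
        if report["spf_aligned"] or report["dkim_aligned"]:
            # The sending infrastructure is genuine; that says nothing about the content.
            report["risk_flags"].append("infrastructure_pass_only")
    if report["from_is_subdomain"]:
        report["risk_flags"].append("from_on_subdomain")
    return report


if __name__ == "__main__":
    for key, val in evaluate(SAMPLE_HEADERS).items():
        print(f"{key:18} {val}")
```

The useful output is the flag set rather than the composite pass: a message that passes SPF and DKIM but carries no DMARC verdict and sends from a throwaway subdomain should feed a sender-trust score as "unverified infrastructure pass", not as "authenticated".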
The body of the message carried Boot Barn's full marketing template structure. Navigation links for MEN, WOMEN, BOOTS, WORKWEAR, KIDS, FASHION, and a logo link all resolved to e.p.bootbarn.com with JWT tracking parameters consistent with Boot Barn's email platform. A footer carried a link to custserv[@]bootbarn.com and a privacy policy URL, both resolving to legitimate Boot Barn pages. These were real links, pulled from or modeled on an actual Boot Barn marketing message, and every one of them scanned clean.
Interspersed with those clean links was a single call-to-action button. Its href pointed to a Google redirect URL, which forwarded to hxxps://extendedrealityxrtech[.]com/erndprvwind?id=993a646acd7d4340b26ab9ee8eab1c8a7773540bb105722192cca744ab4ef4.
The landing domain extendedrealityxrtech[.]com had no relationship to Boot Barn, DocuSign, or any other entity in the message. The path and parameter structure is consistent with a credential harvesting funnel: a unique ID parameter tracking the specific recipient, a non-descriptive endpoint path designed to resist pattern matching, and a destination that rendered a DocuSign-styled capture form.
The MITRE ATT&CK framework maps the infrastructure setup to Acquire Infrastructure: Domains and the lure delivery to Phishing: Spearphishing Link.
A reputation-based filter scoring this message would aggregate signals across all its links. Out of roughly a dozen URLs, ten or more resolve to a known US retailer's marketing infrastructure. The single malicious link is numerically a small fraction of the total. Filters that weight average link reputation rather than worst-case link reputation will see a mostly-clean message.
The Google redirect compounds this. The primary CTA does not point directly to the attacker domain; it points to a google.com URL that redirects there. At the moment of scanning, the immediate destination is google.com, which carries substantial reputation. The actual landing domain is a step further in the redirect chain, which some scanners do not follow to termination.
This two-layer structure, legitimate brand trackers plus a Google-intermediated redirect, is designed to present the maximum number of clean signals to any filter evaluating the message at the moment of delivery.
The structural defense against this technique is evaluating the worst-case link in a message, not the average, and following redirect chains to their final destination. Fake login pages constructed to mirror DocuSign or Boot Barn account portals are the endpoint of this funnel; detecting them requires rendering the destination, not just resolving it.
| Type | Indicator | Context |
|---|---|---|
| Domain | otzosnxwm[.]evegift[.]com | Sending subdomain; registered 2024; WHOIS privacy; no affiliation with Boot Barn or DocuSign |
| Email | jaksukrf[@]otzosnxwm[.]evegift[.]com | Envelope sender and Reply-To; display name "noreply" |
| Infrastructure | 23.251.242.9 (e242-9.smtp-out.us-west-1.amazonses.com) | Amazon SES outbound relay used for delivery |
| URL | hxxps://extendedrealityxrtech[.]com/erndprvwind?id=993a646acd7d4340b26ab9ee8eab1c8a7773540bb105722192cca744ab4ef4 | Attacker landing domain; reached via Google redirect in primary CTA |
| URL | hxxps://www.google[.]com/url?...q=hxxps://extendedrealityxrtech[.]com/... | Google redirect intermediary; used to obscure final destination at scan time |
| Auth | SPF pass, DKIM pass (d=evegift[.]com + d=amazonses.com), DMARC permerror | Passes on sending infrastructure; DMARC unevaluable due to subdomain permerror |
| Behavior | Real Boot Barn marketing tracker links co-mingled with malicious CTA | Reputation-dilution camouflage technique |
| Behavior | High-entropy random token in subject line | Per-recipient hash-uniqueness to defeat signature-based filters |
The message landed and was automatically resolved as phishing. The combination of a 2024-registered domain with no brand history, a DMARC permerror status, a first-time sender relationship, and a link resolving through a redirect chain to an unrecognized landing domain produced enough signal for automated detection to act.
The lesson for defenders is about redirect chain evaluation. If the detection logic had halted at the Google URL, which resolved clean, the malicious landing domain would have remained invisible until a user clicked through. Following every redirect to its final destination, and treating the worst link in a message as the message's risk level, is the control that closes this gap.
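The following is an added example (not the original post's code and not any product's detection logic) of the two controls argued for above and in the reputation-dilution discussion: unwrap the redirect embedded in a link before scoring it, and report the worst link rather than the average. The HTML body, the per-recipient id, the `KNOWN_GOOD` and `BRAND_DOMAINS` sets, the numeric weights and the two-label `org_domain()` approximation are all assumptions made for the demonstration; the unwrapping is done from the URL itself, with no network requests.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample body modeled on the lure described above (not the original message).
# The 64-hex id is a made-up stand-in for the per-recipient token.
CONSTRUCTED_ID = "0123456789abcdef" * 4
SAMPLE_HTML = f"""
<html><body>
<p>DocuSign: please provide signed authorization.</p>
<a href="https://e.p.bootbarn.com/c/men?jwt=TOKEN">MEN</a>
<a href="https://e.p.bootbarn.com/c/women?jwt=TOKEN">WOMEN</a>
<a href="https://e.p.bootbarn.com/c/boots?jwt=TOKEN">BOOTS</a>
<a href="https://e.p.bootbarn.com/c/workwear?jwt=TOKEN">WORKWEAR</a>
<a href="https://e.p.bootbarn.com/c/kids?jwt=TOKEN">KIDS</a>
<a href="https://e.p.bootbarn.com/c/fashion?jwt=TOKEN">FASHION</a>
<a href="https://www.bootbarn.com/privacy-policy">Privacy</a>
<a href="https://www.google.com/url?q=https://extendedrealityxrtech.com/erndprvwind%3Fid%3D{CONSTRUCTED_ID}">REVIEW DOCUMENT</a>
</body></html>
"""

# Assumption: domains the organisation already treats as legitimate brands/senders.
KNOWN_GOOD = {"bootbarn.com", "google.com", "docusign.com", "docusign.net"}
# Assumption: brand names a lure may claim, mapped to the domains a real notification would link to.
BRAND_DOMAINS = {"docusign": {"docusign.com", "docusign.net"}}


class LinkCollector(HTMLParser):
    """Collect every <a href> and all visible text from an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_data(self, data):
        self.text.append(data)


def org_domain(host: str) -> str:
    """Assumption: last two labels stand in for the registrable domain (no Public Suffix List)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def unwrap_redirect(url: str, max_hops: int = 5) -> str:
    """Follow google.com/url?q=... (or url=...) wrappers to the destination they carry."""
    for _ in range(max_hops):
        parts = urlparse(url)
        if org_domain(parts.hostname or "") == "google.com" and parts.path == "/url":
            qs = parse_qs(parts.query)
            target = qs.get("q") or qs.get("url")
            if target:
                url = target[0]      # parse_qs already percent-decodes the inner URL
                continue
        break
    return url


def score_link(url: str, follow_redirects: bool = True) -> tuple:
    """Heuristic 0..100 risk for one link: (score, final_url, final_org_domain)."""
    final = unwrap_redirect(url) if follow_redirects else url
    parts = urlparse(final)
    domain = org_domain(parts.hostname or "")
    score = 5 if domain in KNOWN_GOOD else 85
    if re.search(r"[0-9a-f]{32,}", parts.query):   # long hex token: per-recipient tracking id
        score += 10
    return min(score, 100), final, domain


def score_message(html: str, follow_redirects: bool = True) -> dict:
    """Score every link; report the worst link and the average side by side."""
    collector = LinkCollector()
    collector.feed(html)
    scored = [score_link(h, follow_redirects) for h in collector.hrefs]
    worst = max(scored, key=lambda s: s[0])
    text = " ".join(collector.text).lower()
    final_domains = {s[2] for s in scored}
    # A body that names a brand but never links to that brand's domains is an impersonation signal.
    mismatch = any(brand in text and not (domains & final_domains)
                   for brand, domains in BRAND_DOMAINS.items())
    return {
        "link_count": len(scored),
        "average": sum(s[0] for s in scored) / len(scored),
        "worst": worst[0],
        "worst_url": worst[1],
        "worst_final_domain": worst[2],
        "brand_mismatch": mismatch,
    }


if __name__ == "__main__":
    print("scan stops at google.com:", score_message(SAMPLE_HTML, follow_redirects=False))
    print("redirect unwrapped:      ", score_message(SAMPLE_HTML))
```

Run with `follow_redirects=False` the worst link is the google.com wrapper and the message looks clean; with unwrapping on, the same message reports the attacker domain as its worst link while the average stays low, which is exactly the dilution the eight clean retailer links were there to produce.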
A legitimate DocuSign notification names the document, the sender, and the receiving organization. It does not include retail navigation links for a clothing brand. Either anomaly, checked against what a real notification from that service looks like, surfaces the impersonation before the redirect chain needs to be examined at all.