The email looked exactly like a routine accounts payable notification. Portuguese-language header, Brazilian invoice number, a total in Brazilian reais, a red "Acessar Documento Fiscal" button. For anyone who processes invoices from Brazilian suppliers, it was unremarkable. That was the point.
What the recipient at a U.S.-based steel and metals manufacturer actually saw when they hovered over that button was a nam12.safelinks.protection.outlook.com URL, Microsoft's own link-protection domain. The mental shortcut most people take is predictable: if Microsoft wrapped it, Microsoft checked it. This attack counted on exactly that assumption.
The URL That Was Never in the Email
The original HTML embedded an is.gd shortener link as the CTA destination. is.gd is a free, public URL shortener with no vetting process and an effectively neutral reputation score with most email filters. The attacker's actual landing domain, emissao-br[.]org, appeared nowhere in the delivered email.
When Microsoft Safe Links processed the message in transit, it rewrote the is.gd URL following its standard behavior. The recipient received a fully Microsoft-branded safelinks URL. At click time, that URL would proxy through Microsoft's infrastructure, follow the is.gd redirect, and land on emissao-br[.]org.
The attack chain looked like this:
- Attacker embeds hxxps://is[.]gd/PQjyJ3#0996615 in the email HTML
- Safe Links rewrites it to hxxps://nam12[.]safelinks[.]protection[.]outlook[.]com/?url=https%3A%2F%2Fis[.]gd%2FPQjyJ3...
- Recipient sees a Microsoft-branded "protected" link
- Click resolves the is.gd shortener, which redirects to hxxps://emissao-br[.]org/nota-eletronica-emitida/?n=00730264.156604
Safe Links rewrites URLs to enable time-of-click scanning. But the shortener is the hinge point. Safe Links evaluated is.gd/PQjyJ3, not the final destination. The actual malicious domain stayed out of the scanner's view until click time, and the Safe Links wrapper gave the whole chain an air of legitimacy it had not earned.
This is MITRE ATT&CK T1027 (Obfuscated Files or Information) and T1566.002 (Spearphishing Link) working together. The obfuscation is not in a file or payload; it is in the URL architecture itself.
A Domain Born Two Days Before Delivery
emissao-br[.]org was registered on March 21, 2026. The email arrived on March 23, 2026. The domain was 48 hours old when it went live in this campaign.
WHOIS showed Dynadot as the registrar, Cloudflare nameservers (marty.ns.cloudflare.com, tricia.ns.cloudflare.com), and fully privacy-shielded registration with no registrant name, organization, or country. The domain had no email authentication records, no MX, no DMARC policy. It existed purely as a click destination.
The landing page served Brazilian-themed invoice content and prompted the visitor to download or open a PDF. The visual framing mimicked a document portal. There was no credential form at the surface layer, but the pattern is consistent with a multi-stage credential harvest: get the user to a download prompt, then have the PDF contain a secondary redirect or a fake login form styled to match a document viewer.
Cloudflare hosting is standard attacker infrastructure practice. It proxies the real origin server's IP, provides DDoS mitigation, and serves HTTPS by default, making the domain look more legitimate to naive scanners. Combined with a two-day-old registration and privacy-shielded WHOIS, the domain had no observable threat history to flag.
Authentication Passed. The Account Was Still the Problem.
The sending domain, magazinepequim[.]com[.]br, is a registered Brazilian retail business, active since 2019. SPF passed, DKIM passed (signed via dkim.uni5.net), DMARC passed. compauth=pass with reason code 100. Microsoft's receiving infrastructure had no technical grounds to reject the message based on authentication alone.
The sender was a first-time contact for this recipient. The risk label on the sender record was high. That combination, authenticated but unknown and flagged, is a classic signal of a compromised account being used to phish targets with no prior relationship to the domain. The sending IP, 191[.]6[.]221[.]38, is part of Uni5's Brazilian SMTP infrastructure, consistent with a legitimate-but-abused Brazilian email hosting environment.
This is MITRE ATT&CK T1078 (Valid Accounts). The attacker did not spoof anything. They used a real account on a real domain that passes every authentication check. According to the Verizon 2024 Data Breach Investigations Report, 68% of breaches involve a human element, and credential theft from compromised accounts is the primary vector feeding into those statistics (Verizon DBIR 2024). When the account is already compromised, authentication gives you false confidence.
The SCL score hit 9, which is the maximum Microsoft spam confidence level. The message was quarantined. But the quarantine happened because of behavioral and heuristic signals, not because authentication flagged anything. A filtering posture that relies on authentication signals alone would have delivered this.
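The point of the preceding paragraphs is that every authentication method passed and the message was still malicious, so a delivery decision cannot hinge on authentication results. The script below, an added example that is not Microsoft's or IRONSCALES' code, parses the two Microsoft 365 headers that carry those verdicts (`Authentication-Results`, including `compauth`, and `X-Forefront-Antispam-Report`, which carries the SCL) and combines them with the sender-relationship signals the write-up describes. The header values are constructed to match the facts above (SPF, DKIM and DMARC pass, `compauth=pass reason=100`, SCL 9); the `SCL_REVIEW` threshold and the `first_contact` and `sender_risk` inputs are assumptions standing in for whatever the mail platform exposes.

```python
"""Parse Microsoft 365 authentication and anti-spam headers and show why a
clean authentication chain is not, by itself, a delivery decision.

Added example, not Microsoft's or IRONSCALES' code. Header values are
constructed from the write-up; SCL_REVIEW is an assumed policy threshold.
"""
import re

# Constructed header values modelled on the message described above.
AUTH_RESULTS = (
    "spf=pass (sender IP is 191.6.221.38) smtp.mailfrom=magazinepequim.com.br; "
    "dkim=pass (signature was verified) header.d=dkim.uni5.net; "
    "dmarc=pass action=none header.from=magazinepequim.com.br; "
    "compauth=pass reason=100"
)
FOREFRONT_REPORT = "CIP:191.6.221.38;CTRY:BR;LANG:pt;SCL:9;SRV:;IPV:NLI;SFV:SPM;"

SCL_REVIEW = 5  # assumption: SCL at or above this goes to analyst review


def parse_auth_results(value):
    """Map each method in an Authentication-Results value to (result, properties).

    Clauses are ';'-separated; '(...)' comments are dropped first so an IP
    inside a comment never lands in the property dict. A leading token with
    no '=' is the authserv-id (RFC 8601) and is skipped.
    """
    results = {}
    for clause in value.split(";"):
        clause = re.sub(r"\([^)]*\)", "", clause).strip()
        if not clause:
            continue
        tokens = clause.split()
        if "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        results[method] = (result, props)
    return results


def parse_forefront_report(value):
    """Turn the ';'-separated KEY:VALUE fields of X-Forefront-Antispam-Report into a dict."""
    fields = {}
    for item in value.split(";"):
        if ":" in item:
            key, val = item.split(":", 1)
            fields[key] = val
    return fields


def triage(auth, report, first_contact, sender_risk):
    """Return (verdict, reasons), never letting authentication alone decide.

    Authentication proves the account sent the message; it says nothing about
    whether the account is still in its owner's hands.
    """
    reasons = []
    all_pass = all(auth.get(m, ("none", {}))[0] == "pass" for m in ("spf", "dkim", "dmarc"))
    scl = int(report.get("SCL", "-1"))
    if scl >= SCL_REVIEW:
        reasons.append(f"scl_{scl}")
    if first_contact:
        reasons.append("first_contact")
    if sender_risk == "high":
        reasons.append("sender_risk_high")
    # DKIM signed by a domain other than the From domain (here dkim.uni5.net vs
    # magazinepequim.com.br). Common for hosting providers, so informational
    # only; this crude suffix test is not a full DMARC alignment check.
    signer = auth.get("dkim", ("", {}))[1].get("header.d", "")
    from_domain = auth.get("dmarc", ("", {}))[1].get("header.from", "")
    if signer and from_domain and not signer.endswith(from_domain):
        reasons.append("dkim_third_party_signer")
    if not all_pass:
        verdict = "auth_failure"
    elif reasons:
        verdict = "authenticated_but_suspicious"
    else:
        verdict = "authenticated"
    return verdict, reasons


def triage_message(auth_header=AUTH_RESULTS, report_header=FOREFRONT_REPORT,
                   first_contact=True, sender_risk="high"):
    """Run the whole pipeline; the defaults reproduce the message in the write-up."""
    return triage(parse_auth_results(auth_header), parse_forefront_report(report_header),
                  first_contact, sender_risk)


if __name__ == "__main__":
    print(triage_message())
```

With the constructed headers the verdict is `authenticated_but_suspicious` with reasons `scl_9`, `first_contact`, `sender_risk_high` and `dkim_third_party_signer`: exactly the state the write-up describes, where a policy keyed on SPF/DKIM/DMARC alone would have delivered the message.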
For reference, Secure Email Gateways (SEGs) as a category miss an average of 67.5 phishing emails per 100 mailboxes per month, according to IRONSCALES analysis of 1,921 organizations. Cases like this, where authentication passes cleanly and the malicious URL is hidden behind a shortener, are exactly the type that inflate that number. The IRONSCALES M365 augmentation layer operates post-delivery, analyzing behavioral signals that authentication-layer tools cannot see.
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Domain | emissao-br[.]org | Landing page, registered 2026-03-21, privacy-shielded WHOIS |
| URL | hxxps://emissao-br[.]org/nota-eletronica-emitida/?n=00730264.156604 | Final landing page destination |
| URL | hxxps://is[.]gd/PQjyJ3 | URL shortener link embedded in original email HTML |
| Sending Domain | magazinepequim[.]com[.]br | Compromised/abused Brazilian retail domain |
| Sending IP | 191[.]6[.]221[.]38 | Uni5 Brazilian SMTP infrastructure |
| Email Subject | NF-e 0996615 gerada | Portuguese-language invoice lure subject line |
What This Attack Reveals About Trust Inheritance
The most interesting thing here is not the phishing itself. Invoice lures are common. Compromised sender accounts are common. Short-lived domains are common.
What is notable is how these three elements combine to exploit a specific trust model. The attacker built a chain where each hop borrows legitimacy from the previous one. A real authenticated domain loans credibility to the shortener. The shortener forces Safe Links to rewrite it. The Safe Links rewrite loans Microsoft's brand credibility to the final destination. Each link in the chain is unremarkable in isolation. Together, they manufacture trust.
The FBI IC3 2024 Internet Crime Report recorded over $2.9 billion in Business Email Compromise (BEC) losses, with phishing as the primary initial access vector (FBI IC3 2024). Cross-border lures, particularly those exploiting regional document standards like Brazil's NF-e system, add a layer of confusion for security teams not familiar with the format. An analyst who does not recognize NF-e as a Brazilian electronic invoice standard may not immediately flag Portuguese-language invoice content as suspicious.
The Microsoft Digital Defense Report 2024 notes that attackers are increasingly layering infrastructure specifically to defeat individual security controls, treating each layer of defense as a separate obstacle to route around (Microsoft Digital Defense Report 2024). This attack is a textbook example of that approach.
Themis flagged this via content and community intelligence signals, specifically the malicious link verdict and pattern match against similar community-reported incidents. The quarantine caught it. But the detection relied on post-delivery behavioral analysis, not the authentication chain, and not Safe Links' time-of-click scan returning a clean result for the shortener URL.
For organizations processing invoices from international suppliers, phishing simulation exercises that include multilingual lures and cross-border document formats are increasingly necessary. Security awareness training that only covers English-language phishing leaves a real gap when the threat is arriving in Portuguese, Spanish, or any other language your team may not default to scrutinizing.
The defensive takeaway is direct. For credential harvesting protection, the signal layers that matter are behavioral, not authentication-based. A two-day-old domain behind a URL shortener, regardless of what authentication the sending account passes, should trigger additional scrutiny. Automated post-delivery scanning that follows redirect chains to their final destination, rather than stopping at the shortener, closes the specific gap this attack exploits. Safe Links rewriting a shortener URL is not the same as Safe Links checking the destination behind it.
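The two ideas above, that Safe Links evaluated `is.gd/PQjyJ3` rather than the final destination, and that post-delivery scanning has to follow the redirect chain to the end and weigh the age of what it finds there, can be put into working code. The script below is an added example, not Microsoft's or IRONSCALES' code. It unwraps the `url=` parameter that a `*.safelinks.protection.outlook.com` wrapper carries, follows redirects one hop at a time, and flags a shortener in the chain, a final host that never appeared in the email, and a freshly registered final domain. The redirect map, the registration and delivery dates and the wrapped URL are constructed from the indicators in the write-up (refanged so they parse); the shortener list and the 30-day age threshold are assumptions; `lookup_redirect` is an offline stand-in for the HEAD/GET with redirects disabled that a sandboxed scanner would issue.

```python
"""Unwrap a Safe Links URL, follow the redirect chain to its final destination,
and flag the hops that should trigger scrutiny.

Added example, not Microsoft's or IRONSCALES' code. REDIRECTS, REGISTERED_ON,
DELIVERED_ON and WRAPPED_URL are constructed from the write-up; the shortener
list and NEW_DOMAIN_DAYS are assumptions. lookup_redirect replaces a real
HTTP request so the script runs offline.
"""
from datetime import date
from urllib.parse import parse_qs, urlsplit

KNOWN_SHORTENERS = {"is.gd", "bit.ly", "tinyurl.com", "t.co"}  # assumption: local list
NEW_DOMAIN_DAYS = 30                                             # assumption: policy threshold

# Constructed from the indicators in the write-up (refanged so they parse).
REDIRECTS = {
    "https://is.gd/PQjyJ3": "https://emissao-br.org/nota-eletronica-emitida/?n=00730264.156604",
}
REGISTERED_ON = {"emissao-br.org": date(2026, 3, 21)}
DELIVERED_ON = date(2026, 3, 23)
WRAPPED_URL = ("https://nam12.safelinks.protection.outlook.com/"
               "?url=https%3A%2F%2Fis.gd%2FPQjyJ3%230996615&reserved=0")


def unwrap_safelinks(url):
    """Return the original target of a *.safelinks.protection.outlook.com wrapper.

    Safe Links keeps the original URL, percent-encoded, in the 'url' query
    parameter; parse_qs decodes it. Any other URL is returned unchanged.
    """
    parts = urlsplit(url)
    if not parts.netloc.endswith(".safelinks.protection.outlook.com"):
        return url
    target = parse_qs(parts.query).get("url")
    return target[0] if target else url


def lookup_redirect(url):
    """Offline stand-in for an HTTP request: the Location a server would answer, or None."""
    return REDIRECTS.get(url)


def follow_chain(url, resolve=lookup_redirect, max_hops=10):
    """Follow redirects one hop at a time and return every URL visited.

    The fragment is stripped before each lookup because browsers never send it
    to the server; a loop guard and hop limit stop redirect cycles.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        without_fragment = urlsplit(chain[-1])._replace(fragment="").geturl()
        nxt = resolve(without_fragment)
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def assess_chain(chain, registered_on=REGISTERED_ON, seen_on=DELIVERED_ON):
    """Flag shortener hops, multi-hop chains, hidden final hosts and new final domains."""
    hosts = [urlsplit(u).hostname for u in chain]
    final = hosts[-1]
    flags = []
    if any(h in KNOWN_SHORTENERS for h in hosts[:-1]):
        flags.append("shortener_in_chain")
    if len(chain) > 2:
        flags.append("multi_hop")
    if final != hosts[0]:
        flags.append("final_host_absent_from_email")
    created = registered_on.get(final)  # in production: a WHOIS/RDAP lookup
    if created is not None:
        age = (seen_on - created).days
        if age <= NEW_DOMAIN_DAYS:
            flags.append(f"final_domain_age_{age}d")
    return flags


def analyze(url=WRAPPED_URL):
    """Unwrap, follow and assess one link exactly as it was delivered in the email."""
    chain = follow_chain(unwrap_safelinks(url))
    return {"chain": chain, "final": chain[-1], "flags": assess_chain(chain)}


if __name__ == "__main__":
    for key, val in analyze().items():
        print(f"{key}: {val}")
```

Run as-is, the chain resolves from the shortener to the `emissao-br.org` landing page and the flags come back as `shortener_in_chain`, `final_host_absent_from_email` and `final_domain_age_2d`, which is the scrutiny trigger the takeaway calls for; swapping `lookup_redirect` for a real fetch inside a detonation sandbox turns the same logic into a post-delivery scanner.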