Purchase Order, Please Confirm: How Brevo's Clean Authentication Laundered a SharePoint Lookalike Credential Harvest

TL;DR A credential-harvest campaign sent a OneDrive/SharePoint 'Purchase Order' file-share notice from a recently registered domain via Brevo, a legitimate email service provider. Because Brevo signed and delivered the message, SPF, DKIM, and DMARC all passed with composite authentication. Every visible link in the message resolved to a real Brevo tracking endpoint, clean on scan. Following any of those redirects led to a freshly registered domain with a 60-character obfuscated hostname crafted to read like a tenant SharePoint URL. The sender domain was attacker-registered with privacy protection. The authentication result was entirely Brevo's, not the sender's.
Severity: High | Tags: Phishing, Credential Harvesting, ESP Abuse | MITRE: T1566.002, T1583.001, T1598.003

The subject line was direct: a purchase order, a specific reference number, a request to open and confirm receipt. The body rendered the OneDrive/SharePoint file-share interface: the Microsoft-styled header, the sender name, the document title, the blue "Open" button. The footer looked like a real platform notification.

Every link in the message resolved to a Brevo tracking domain. SPF passed. DKIM passed. DMARC passed. Composite authentication was clean.

The destination behind those Brevo redirects was a domain registered weeks earlier, with a 60-character hostname assembled to look like a SharePoint tenant URL without being one.

The sending domain was new and the authentication was borrowed

The sender address used a domain registered recently with privacy-shielded WHOIS and Cloudflare name servers. The registrant details were not populated. The domain had no established sending history and no prior relationship with the recipient organization. It was, by every public-record measure, a freshly built infrastructure piece.

None of that shows up in the authentication result, because the authentication result was Brevo's.

The message relayed through hb.d.sender-sib.com, a Brevo relay host. Brevo signed the message with a DKIM key under the sender domain using a Brevo selector, and Brevo's IPs are included in the sender domain's SPF record. The DMARC check passed because the From domain and the signing domain aligned. Every header that an email scanner checks for authentication quality came back green.

This is ESP abuse: using a legitimate email service provider's infrastructure to launder authentication for a campaign the provider has not knowingly approved. The attacker did not need to build mail infrastructure. They signed up for Brevo, configured the new domain as a sending identity, and inherited Brevo's deliverability and authentication standing.

The authentication checks confirmed that Brevo was authorized to send for that domain. They said nothing about whether the domain was trustworthy, whether the sender was legitimate, or where the links would take a recipient.

What the Brevo tracking URLs were hiding

The message contained multiple actionable purchase-order links. Each one was a Brevo tracking endpoint -- a URL under Brevo's own redirect infrastructure, designed to log click events before forwarding the recipient onward. Individually, those endpoints resolve to a recognized, high-reputation domain. Scanned at the Brevo URL, they return clean.

The forwarding destination was aee40e8ce13zb4dc1b5cateammeetingmiccrzott[.]com.

That domain was registered within weeks of the campaign through a privacy-friendly registrar. The hostname is 60 characters of hex segments and keyword fragments -- "team meeting," "micc," approximate-SharePoint-style strings -- assembled to produce something that, read quickly, reads as a tenant SharePoint URL. Legitimate SharePoint addresses follow the format company-name.sharepoint.com. This domain is not that. The length alone, independent of any threat-intel feed, marks it as generated rather than named.

A scanner evaluating the Brevo tracking URL returns clean. A scanner that follows the redirect to the final domain encounters a freshly registered, privacy-shielded, obfuscated host with no reputation history. The clean verdict on the visible link is structurally disconnected from the risk at the destination.
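Following the tracking link to where it actually lands, and then scoring that landing hostname rather than the tracker's reputation, is the check a scanner that stops at the visible URL never performs. The block below is an added example for this post, not IRONSCALES code and not Brevo's API: the redirect table is constructed to stand in for the HTTP 302 Location answers a live tracking endpoint returns, the tracker hostname is invented, and the final hostname is the post's payload domain kept in defanged form and refanged only for parsing. The hostname heuristics (label length, hex-run density, brand fragments outside the brand's own domain, a SharePoint-style path on a non-SharePoint host) generalize the single case the post describes.

```python
"""Walk an ESP tracking-redirect chain offline and score where it lands."""
import re
from urllib.parse import urlparse

# Constructed redirect table: visible link -> next hop, as a live fetch with
# redirects disabled would read them from each response's Location header.
# The tracker hostname is invented; the last hop is the post's payload domain.
REDIRECTS = {
    "https://tracker.esp-example.test/r/7f3a":
        "https://tracker.esp-example.test/c/7f3a?e=1",
    "https://tracker.esp-example.test/c/7f3a?e=1":
        "https://aee40e8ce13zb4dc1b5cateammeetingmiccrzott[.]com/sites/tenant-lookalike/PO",
}

HEX_RUN = re.compile(r"[0-9a-f]{6,}")
BRAND_FRAGMENTS = ("sharepoint", "onedrive", "teammeeting", "tenant")


def refang(url: str) -> str:
    """Turn an IoC-style defanged URL back into a parseable one."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def follow_chain(url: str, redirects: dict, max_hops: int = 10) -> list:
    """Return every URL visited, starting with the visible link."""
    chain = [url]
    while url in redirects and len(chain) <= max_hops:
        url = redirects[url]
        chain.append(url)
    return chain


def score_destination(url: str):
    """Heuristics on the landing URL that ignore the tracker's reputation."""
    parsed = urlparse(refang(url))
    host = (parsed.hostname or "").lower()
    reasons = []
    if host.endswith(".sharepoint.com"):
        return 0, reasons  # genuine tenant suffix; nothing to flag here
    leftmost = host.split(".")[0]
    if len(leftmost) >= 30:
        reasons.append(f"leftmost label is {len(leftmost)} chars (generated, not named)")
    hex_chars = sum(len(m) for m in HEX_RUN.findall(leftmost))
    if hex_chars >= 10:
        reasons.append(f"{hex_chars} chars of hex-like runs in the label")
    for frag in BRAND_FRAGMENTS:
        if frag in leftmost:
            reasons.append(f"'{frag}' used outside the brand's own domain")
    if "/sites/" in parsed.path.lower():
        reasons.append("SharePoint-style '/sites/' path on a non-SharePoint host")
    return len(reasons), reasons


def evaluate_link(url: str, redirects: dict = REDIRECTS):
    """Resolve the visible link and score the hop a tracker-only scan never reaches."""
    chain = follow_chain(url, redirects)
    score, reasons = score_destination(chain[-1])
    return {"hops": len(chain) - 1, "final": chain[-1], "score": score, "reasons": reasons}


if __name__ == "__main__":
    verdict = evaluate_link("https://tracker.esp-example.test/r/7f3a")
    print(f"{verdict['hops']} hops -> {verdict['final']}")
    for reason in verdict["reasons"]:
        print(" -", reason)
```

In production the dict lookup in follow_chain becomes an HTTP request with automatic redirects disabled, one hop at a time with a hop cap, so that a loop or a very long chain cannot stall the scanner; the scoring stays the same.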

The landing page was built to harvest credentials

The redirect chain terminated at an HTML landing page designed to imitate a SharePoint document portal. The page embedded a fabricated tenant string in its URL structure to suggest organizational context. Recipients arriving at the page would see a familiar SharePoint-style interface and be prompted to enter credentials to view the purchase order document.

This is the fake-login-page technique in a business-document wrapper. The purchase order pretext sets urgency and organizational plausibility: a supplier has shared a document, confirmation is required, the deadline is implicit. The recipient is not asked to do anything unusual. They are asked to do exactly what they would do with a real SharePoint notification.

The credential harvesting payload here is the landing page behind the obfuscated domain. Once the victim authenticates, those credentials are transmitted to attacker infrastructure. The Microsoft visual layer -- both in the email body and on the landing page -- exists to prevent the moment of hesitation before the login form is submitted.

The signals that survived the clean authentication result

Brevo's authentication guarantee made the sender-domain signals more important, not less. A recently registered domain, privacy-shielded registration, first-time sender status, no prior correspondence with the recipient organization, a display name asserting an identity with no verifiable public record against the sending domain -- these are the evaluation surface when authentication passes but provenance is still unknown.

The body itself carried low-quality content signals: duplicated HTML blocks, a misspelled job title in the sender's attribution, awkward punctuation, generic greeting without recipient personalization. A purchase order notification from an established supplier relationship typically carries consistent formatting, a known contact, and prior correspondence history. None of that was present.

The tracking pixel embedded in the HTML -- a single-pixel image request -- was a separate signal: confirmation of recipient engagement, used to validate active mailboxes for downstream targeting.
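The point made in the authentication section (a pass means the relay was authorized to sign for the domain, nothing more) and the signal list above come down to asking two separate questions of the same message. The block below is an added example for this post, not IRONSCALES code: it parses a constructed message whose Authentication-Results header shows SPF, DKIM and DMARC passing and aligned with the From domain, reports that as one answer, and then scores sender-domain provenance (registration age, privacy-shielded WHOIS, prior correspondence) and body artifacts (duplicated HTML blocks, a 1x1 tracking pixel) as a second, independent answer. The registration records, correspondence history, evaluation date, relay hostname and DKIM selector name are all constructed.

```python
"""Score sender provenance and body artifacts separately from authentication."""
import email
import email.utils
import re
from collections import Counter
from datetime import date
from email import policy

# Constructed message: an ESP-relayed lure whose Authentication-Results show
# spf/dkim/dmarc passing, with the DKIM d= aligned to the From domain and an
# invented ESP-managed selector.
RAW_MESSAGE = """\
From: "Accounts Payable" <orders@newsupplier-example.test>
To: ap@victim-example.test
Subject: Purchase Order PO-4471 - please open and confirm receipt
Authentication-Results: mx.victim-example.test;
 spf=pass smtp.mailfrom=newsupplier-example.test;
 dkim=pass header.d=newsupplier-example.test header.s=esp-relay1;
 dmarc=pass header.from=newsupplier-example.test
Content-Type: text/html; charset="utf-8"

<html><body>
<div class="header">Microsoft OneDrive</div>
<p>Accounts Payable shared a file with you</p>
<a href="https://tracker.esp-example.test/r/7f3a">Open</a>
<p>Accounts Payable shared a file with you</p>
<a href="https://tracker.esp-example.test/r/7f3a">Open</a>
<img src="https://tracker.esp-example.test/o/7f3a" width="1" height="1">
</body></html>
"""

# Constructed stand-ins for a WHOIS/RDAP lookup and the organization's mail history.
DOMAIN_RECORDS = {
    "newsupplier-example.test": {"created": date(2026, 2, 3), "privacy": True},
    "knownsupplier-example.test": {"created": date(2012, 5, 1), "privacy": False},
}
PRIOR_CORRESPONDENCE = {"knownsupplier-example.test"}
TODAY = date(2026, 3, 1)  # constructed evaluation date


def parse_auth_results(header: str):
    """Return the spf/dkim/dmarc verdicts plus the DKIM signing domain and selector."""
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))
    d = re.search(r"header\.d=([\w.-]+)", header)
    s = re.search(r"header\.s=([\w.-]+)", header)
    return verdicts, (d.group(1) if d else None), (s.group(1) if s else None)


def provenance_signals(domain, records, prior, today):
    """Signals about the sending domain itself, which authentication never covers."""
    signals = []
    rec = records.get(domain)
    if rec is None:
        signals.append("no registration record available")
    else:
        age_days = (today - rec["created"]).days
        if age_days < 90:
            signals.append(f"domain registered {age_days} days ago")
        if rec["privacy"]:
            signals.append("privacy-shielded registration")
    if domain not in prior:
        signals.append("no prior correspondence with this domain")
    return signals


def body_signals(html: str):
    """Mass-mailing artifacts: repeated HTML blocks and a 1x1 tracking pixel."""
    signals = []
    lines = [ln.strip() for ln in html.splitlines() if len(ln.strip()) > 20]
    duplicated = [ln for ln, n in Counter(lines).items() if n > 1]
    if duplicated:
        signals.append(f"{len(duplicated)} duplicated HTML block(s)")
    if re.search(r'<img[^>]*width="1"[^>]*height="1"', html, re.I):
        signals.append("1x1 tracking pixel")
    return signals


def evaluate(raw, records=DOMAIN_RECORDS, prior=PRIOR_CORRESPONDENCE, today=TODAY):
    """Report authentication and provenance as two separate answers."""
    msg = email.message_from_string(raw, policy=policy.default)
    verdicts, dkim_domain, dkim_selector = parse_auth_results(
        str(msg.get("Authentication-Results", "")))
    sender_domain = email.utils.parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    # True only says the relay was authorized to sign for this domain.
    authenticated = (all(verdicts.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
                     and dkim_domain == sender_domain)
    html = msg.get_body(preferencelist=("html",)).get_content()
    signals = provenance_signals(sender_domain, records, prior, today) + body_signals(html)
    return {
        "authenticated": authenticated,
        "sender_domain": sender_domain,
        "dkim_selector": dkim_selector,
        "signals": signals,
        "score": len(signals),
    }


if __name__ == "__main__":
    verdict = evaluate(RAW_MESSAGE)
    print(f"authenticated={verdict['authenticated']} (DKIM selector {verdict['dkim_selector']})")
    for signal in verdict["signals"]:
        print(" -", signal)
```

The same message yields authenticated=True and five provenance and body signals; a gateway that stops at the first answer sees a clean result, and the second answer is where this campaign becomes visible.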

Indicators of compromise

Type           | Indicator                                       | Context
Domain         | nrwindustries[.]com                             | Attacker sending domain, recently registered, privacy-shielded, Brevo-signed
Domain         | aee40e8ce13zb4dc1b5cateammeetingmiccrzott[.]com | Payload domain, freshly registered, 60-character obfuscated SharePoint-lookalike hostname
Infrastructure | hb.d.sender-sib[.]com (Brevo)                   | ESP relay; SPF/DKIM/DMARC pass through Brevo's infrastructure
Behavior       | Brevo tracking URLs as the visible link layer   | All actionable links appear to belong to Brevo; redirect destination is the attacker domain
Behavior       | 1x1 tracking pixel                              | Recipient mailbox confirmation
Behavior       | Duplicated HTML blocks, misspelled job title    | Template/mass-mailing generation artifacts

What actually caught it

Authentication passed at every layer. Visible links were clean Brevo endpoints. The email rendered a convincing SharePoint notification. What flagged it was the combination of a newly registered sender domain with no organizational footprint, body-content quality consistent with templated mass-mailing, a redirect destination that resolved to a freshly created obfuscated domain, and behavioral signals including a tracking pixel. No single layer caught it alone. The sender-domain evaluation -- independent of what Brevo's authentication record said -- was the starting point.

Verizon's 2026 Data Breach Investigations Report identifies phishing as a persistent initial-access vector. The FBI IC3 2024 report documents credential theft as the foundation for subsequent fraud and account takeover. Microsoft's 2024 Digital Defense Report specifically tracks ESP-abusing campaigns that use legitimate sending infrastructure to achieve authentication-clean delivery of credential-harvest lures. CISA's phishing guidance remains consistent: do not click links in unexpected file-share or document notifications without verifying through a separate channel.

A secure email gateway evaluating authentication headers sees a clean result. It evaluates the Brevo links and sees a clean result. The attacker structured the message so that every surface a gateway inspects passes, and the malicious destination is one redirect hop away from the inspection layer. The defense is not faster scanning -- it is evaluating sender-domain provenance separately from what the ESP's authentication record says.

Brevo did not make this email safe. It made it look safe.

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
