A permit payment notification landed in an employee's inbox at a regional telecommunications company. The subject line was simple: "Permit Ready for Payment." The email identified a specific permit number, a specific street address, and included a single blue hyperlink labeled "Make a Payment." It came from a municipal software vendor's authenticated infrastructure. SPF passed. DKIM passed. DMARC passed with a compauth score of 100.
The payment link pointed to the vendor's own portal, a domain registered in 2003 with over two decades of clean reputation history. No attacker-controlled infrastructure appeared anywhere in the message. Not in the headers, not in the body, not in the link.
This is what payment fraud looks like when every technical signal cooperates with the attacker.
The email arrived from noreply@bsacloud[.]com with a display name referencing a city community development department. The Return-Path was bounces+19088937-8ff1-[recipient]=em4443.bsacloud[.]com, a VERP (Variable Envelope Return-Path) format consistent with SendGrid-based transactional email infrastructure.
The authentication chain was flawless:

- SPF: 149[.]72[.]188[.]197 is authorized for em4443.bsacloud[.]com.
- DKIM: s1._domainkey.bsacloud[.]com (RSA-SHA256, relaxed/relaxed canonicalization).

The sending domain, bsacloud[.]com, was registered in April 2018 through Cloudflare. The payment portal domain, bsaonline[.]com, was registered in November 2003. Both are legitimate domains belonging to a municipal software vendor that serves city and county governments across the United States. WHOIS registrant state for both: Michigan.
This is not a case of a spoofed sender or a lookalike domain. The email was genuinely sent from the vendor's own infrastructure.
The email body was minimal, direct, and transactional:
> Your permit is ready for payment. Please click the link below to pay.
>
> Address: [Street Address]
> Permit Number: [Permit ID]
>
> Make a Payment
A contact email at the municipality's .gov domain was provided for questions. The external email caution banner displayed correctly, confirming the message originated outside the recipient's organization.
This level of personalization, with a real permit number and a real physical address, is what separates targeted payment fraud from generic phishing blasts. The recipient sees details that match a plausible government transaction. The natural response is to click and pay.
The FBI IC3 2024 report documented $2.9 billion in business email compromise losses. Payment diversion, where an attacker redirects a legitimate-looking payment to a fraudulent destination, accounted for a significant share. When the payment request arrives through authenticated vendor infrastructure with personalized details, the social engineering is nearly invisible.
The single embedded link pointed to:
hxxps://bsaonline[.]com/CD_OnlinePayment/PayRecord?PaymentApplicationType=7&recordKey=412&recordKeyType=3&uid=3215
This is the vendor's legitimate municipal payment portal. The link screenshot captured during analysis showed a real payment sign-in page with guest checkout and existing user login options, branded for the referenced municipality. The domain has 22 years of registration history and a clean reputation.
URL scanners returned a clean verdict. They will always return a clean verdict for this domain. The domain is not malicious. The question is whether the payment record referenced by recordKey=412 and uid=3215 represents a legitimate transaction or a fraudulent one. No URL scanner evaluates that distinction.
This maps directly to the structural limitation the Microsoft Digital Defense Report 2024 identifies: authentication and reputation systems verify infrastructure, not intent. When attackers operate through legitimate infrastructure (whether compromised or abused), those systems have nothing to flag.
The IRONSCALES Adaptive AI engine assigned this email a 72% confidence score, flagging it based on language patterns and structural characteristics consistent with phishing. The specific behavioral signals that triggered detection:
- **First-time external sender.** The noreply@bsacloud[.]com address had never previously sent email to this organization. For a vendor payment request, first contact via an unauthenticated channel is a risk signal.
- **Third-party vendor representing a municipality.** The display name referenced a city government, but the From address and authentication domains belonged to a software vendor. This vendor-as-intermediary pattern is normal for municipal payments, which also makes it an ideal structure for attackers to exploit.
- **Contextual mismatch.** A telecommunications company receiving a city building permit payment request represents a sender-recipient relationship that does not align with typical business context. Behavioral detection engines that track organizational communication patterns can identify this mismatch even when every technical indicator is clean.
The incident was initially classified as a false positive (the email may have been a legitimate vendor notification sent to the wrong recipient), but the detection decision itself was correct. Whether this specific email was malicious or misdirected, the behavioral approach that flagged it is the only layer capable of catching authenticated vendor payment fraud at scale.
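As an added illustration (not IRONSCALES code or the engine's actual logic), the Python routine below applies the three behavioral signals described above to a constructed message that passes SPF, DKIM and DMARC; the sender history, the approved-vendor list and every domain and identifier in it are assumed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed sample message (placeholder domains and IDs, not the incident's own).
SAMPLE = """\
From: "Example City - Community Development" <noreply@vendor-cloud.example>
Subject: Permit Ready for Payment
Authentication-Results: spf=pass; dkim=pass; dmarc=pass; compauth=pass reason=100

Your permit is ready for payment. Please click the link below to pay.
Permit Number: PRM-000123
Questions: permits@examplecity.gov
https://vendor-portal.example/CD_OnlinePayment/PayRecord?recordKey=412&uid=3215
"""

# Organisational memory a behavioural engine learns over time (assumed values here).
KNOWN_SENDERS = {"billing@upstream-carrier.example"}
APPROVED_PAYMENT_VENDORS = {"upstream-carrier.example"}
PAYMENT_WORDS = re.compile(r"\b(pay|payment|invoice|remit)\b", re.I)

def authenticated(msg):
    """True when Authentication-Results shows SPF, DKIM and DMARC all passing."""
    ar = msg.get("Authentication-Results", "")
    return all(f"{m}=pass" in ar for m in ("spf", "dkim", "dmarc"))

def behavioral_signals(msg):
    _display, addr = parseaddr(msg["From"])
    sender_domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload()
    is_payment = bool(PAYMENT_WORDS.search(body))
    signals = []
    # 1. First-time external sender making a payment request.
    if is_payment and addr.lower() not in KNOWN_SENDERS:
        signals.append("first_time_sender_payment_request")
    # 2. Vendor as intermediary: the .gov contact in the body is not the domain that authenticated.
    gov_domains = {d.lower() for d in re.findall(r"@([\w-]+\.gov)\b", body, re.I)}
    if gov_domains and sender_domain not in gov_domains:
        signals.append("vendor_represents_" + sorted(gov_domains)[0])
    # 3. Contextual mismatch: payment request via a vendor this org never pays through.
    if is_payment and sender_domain not in APPROVED_PAYMENT_VENDORS:
        signals.append("unapproved_payment_vendor")
    return signals

def triage(raw):
    """A full authentication pass does not clear the message; behaviour decides."""
    msg = message_from_string(raw)
    signals = behavioral_signals(msg)
    verdict = "hold_for_review" if len(signals) >= 2 else "deliver"
    return {"auth_pass": authenticated(msg), "signals": signals, "verdict": verdict}
```

Running `triage(SAMPLE)` reports a full authentication pass alongside three behavioral signals, which is the combination URL reputation and SPF/DKIM/DMARC checks alone cannot surface.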
This case maps to MITRE ATT&CK T1566.002 (Phishing: Spearphishing Link) for the payment link delivery mechanism, T1598.003 (Phishing for Information: Spearphishing Link) for the credential harvesting potential of the payment portal, and T1585.002 (Establish Accounts: Email Accounts) for the vendor infrastructure abuse vector.
According to Gartner's 2024 analysis of email security, organizations increasingly face threats that bypass traditional email authentication controls. The Verizon DBIR 2024 confirms that pretexting (social engineering through fabricated scenarios) now appears in 25% of breaches, and financial pretexting, including payment requests, is the fastest growing category.
| Type | Indicator | Context |
|---|---|---|
| Sender Email | noreply@bsacloud[.]com | Vendor transactional sender (authenticated) |
| Return-Path | bounces+19088937-8ff1-[recipient]=em4443.bsacloud[.]com | VERP bounce address via SendGrid |
| Sending IP | 149[.]72[.]188[.]197 | o1.ptr4479.bsacloud[.]com (SPF authorized) |
| SMTP Host | o1.ptr4479.bsacloud[.]com | SendGrid-managed outbound |
| Payment URL | hxxps://bsaonline[.]com/CD_OnlinePayment/PayRecord?PaymentApplicationType=7&recordKey=412&recordKeyType=3&uid=3215 | Legitimate vendor payment portal |
| DKIM Selector | s1._domainkey.bsacloud[.]com | RSA-SHA256, relaxed/relaxed |
| Display Name | "[Municipality] - Community Development" | City government impersonation via vendor display name |
| Auth Result | compauth=100, SPF=pass, DKIM=pass, DMARC=pass | Full authentication pass |
| Contact Shown | [contact]@[municipality].gov | Municipal .gov contact in body |
| SCL | 1 | Microsoft spam confidence: lowest non-zero |