A senior executive at a cybersecurity company received a Bitcoin extortion demand routed through Mailgun infrastructure, using a recently registered domain that passed composite authentication despite an SPF softfail. The email contained no links, no attachments, and no personalization, yet it landed in a VIP mailbox and required behavioral analysis to catch.
The message arrived from athletes2events[.]com, a domain registered on June 25, 2024, through GoDaddy. The From address used the display name "Nico Rose" with a no-reply sender, a generic persona with no prior relationship to the recipient organization.
Delivery ran through Mailgun relay infrastructure at IP 69[.]72[.]42[.]13, resolving to a Mailgun sending host. The authentication picture was mixed but ultimately permissive. SPF returned softfail because the Mailgun IP was not included in the domain's SPF record. DKIM passed with the signature aligned to athletes2events[.]com, meaning Mailgun signed the message under the sending domain's selector. DMARC returned bestguesspass, and Microsoft's composite authentication resolved to pass with reason code 109 (unauthenticated sender from a domain without a published DMARC record, but aligned DKIM tipped the scale). Microsoft anti-spam scored it SCL 5, categorizing it as spam, but the message still reached the mailbox.
This is a recurring pattern: an attacker configures a domain as a Mailgun sending identity, gets valid DKIM signing, and relies on the DKIM alignment to override an SPF failure in composite scoring. The domain does not need a correctly configured SPF record if the ESP handles DKIM.
The body was a boilerplate sextortion template. It claimed remote device compromise with camera and microphone access, demanded $12,000 in Bitcoin to a specified wallet address, and set a two-day deadline. No victim-specific details. No evidence of actual compromise. The template has circulated in various forms for years, and this instance contained nothing that would distinguish it from thousands of identical campaigns.
A VERP-encoded bounce token in the Return-Path confirmed that the campaign was tracking delivery status per recipient, providing mailbox validation intelligence regardless of whether the target opened the email.
With no URLs to scan and no attachments to detonate, the email presented zero payload surface for traditional secure email gateways to evaluate.
Adaptive AI flagged the message at 90% confidence with Extortion and VIP Recipient labels. The detection was not driven by a malicious URL or a signature match. It was driven by the convergence of a first-time sender from a recently registered domain, extortion language patterns in the body, cryptocurrency wallet references, and delivery to a VIP-flagged mailbox. One mailbox was quarantined before the recipient could interact.
Watch for Mailgun-relayed extortion campaigns using DKIM-aligned recently registered domains that produce a passing composite score despite SPF softfail, because the authentication result alone will not stop them.
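The convergence check described above, written out as an added example (not IRONSCALES code): it parses a constructed Authentication-Results value modelled on this case, recognises the aligned-DKIM-over-SPF-softfail pattern, and combines it with domain age, sender history, extortion wording, a Bitcoin-address match and VIP status into one verdict. The weights, the 90-day domain-age cutoff, the sample body and the fake wallet address are all assumptions.

```python
import re

# Constructed Authentication-Results value modelled on the case above (not the real header).
SAMPLE_AUTH = (
    "spf=softfail (sender IP is 69.72.42.13) smtp.mailfrom=athletes2events.com; "
    "dkim=pass (signature was verified) header.d=athletes2events.com; "
    "dmarc=bestguesspass action=none header.from=athletes2events.com; "
    "compauth=pass reason=109"
)
# Constructed body with a fake, non-functional address; the real template is not reproduced.
SAMPLE_BODY = ("I have had access to your device, camera and microphone for months. "
               "Transfer 12,000 USD in Bitcoin to 1FakeBTCaddressNoPaymentTest within 48 hours.")

EXTORTION_TERMS = ("camera", "microphone", "access to your device", "bitcoin", "hours")
BTC_ADDRESS = re.compile(r"\b(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")

def parse_auth_results(header):
    """Pull method results and the DKIM/From domains out of an Authentication-Results value."""
    res = {m.group(1).lower(): m.group(2).lower()
           for m in re.finditer(r"\b(spf|dkim|dmarc|compauth)=(\w+)", header, re.I)}
    for key, field in (("dkim_domain", "header.d"), ("from_domain", "header.from")):
        m = re.search(re.escape(field) + r"=([\w.-]+)", header, re.I)
        res[key] = m.group(1).lower() if m else None
    return res

def dkim_carried_compauth(auth):
    """True when composite auth passed on aligned DKIM alone while SPF softfailed."""
    return (auth.get("spf") == "softfail" and auth.get("dkim") == "pass"
            and auth.get("compauth") == "pass" and auth.get("dkim_domain") is not None
            and auth.get("dkim_domain") == auth.get("from_domain"))

def score_message(auth_header, body, domain_age_days, first_time_sender, vip_recipient):
    """Combine the weak signals into one verdict; weights are illustrative assumptions."""
    auth, reasons, score = parse_auth_results(auth_header), [], 0
    if dkim_carried_compauth(auth):
        score += 25; reasons.append("compauth pass carried by aligned DKIM despite SPF softfail")
    if domain_age_days < 90:  # assumed cutoff for "recently registered"
        score += 20; reasons.append(f"sending domain registered {domain_age_days} days ago")
    if first_time_sender:
        score += 10; reasons.append("first-time sender for this organisation")
    terms = [t for t in EXTORTION_TERMS if t in body.lower()]
    if len(terms) >= 3:
        score += 25; reasons.append("extortion language: " + ", ".join(terms))
    if BTC_ADDRESS.search(body):
        score += 15; reasons.append("bitcoin address in body")
    if vip_recipient:
        score += 5; reasons.append("VIP recipient")
    verdict = "quarantine" if score >= 70 else "review" if score >= 40 else "allow"
    return {"score": score, "verdict": verdict, "reasons": reasons}
```

No single signal here is decisive on its own; a legitimate Mailgun newsletter from an established domain scores low even to a VIP, which is the point of scoring the convergence rather than the authentication result.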
| Indicator | Type | Context |
|---|---|---|
| athletes2events[.]com | Sending Domain | Registered 2024-06-25 via GoDaddy |
| 69[.]72[.]42[.]13 | Sending IP | Mailgun relay infrastructure |
| 16XP66VRQLf8JC[...]5JUavK | BTC Wallet | Extortion payment destination |
| e3e6c2e7e7dba01e6d6686a4b30e8278 | Report ID | IRONSCALES case identifier |

| Technique | ID | Use in This Attack |
|---|---|---|
| Phishing | T1566 | Email-delivered extortion demand via Mailgun relay |
| Financial Theft | T1657 | Bitcoin payment demand to attacker-controlled wallet |