Four Days Old, Fully Authenticated: CEO Coaching International Impersonation Targets a Sports Technology Company

TL;DR Attackers registered ceo-coachinginc[.]com on March 6, 2026, and sent the campaign on March 10, a four-day infrastructure window. The email claimed to be from "Carol Smith, CPA," on behalf of CEO Coaching International, the legitimate coaching organization whose name the attacker was impersonating. The body carried a fabricated overdue invoice with a collections-pressure line stating this was the last communication before the matter was referred to a collections agency. The message was relayed through SendGrid, and the DKIM-signing domain and envelope-from (Return-Path) belonged to a completely different, unrelated sending domain, a mismatch with the From domain that is detectable by header inspection alone. The Reply-To addresses pointed back to the lookalike domain and to a second attacker-controlled domain. Themis scored the message at 63% confidence.
Severity: High | Tags: Invoice Fraud, BEC, Brand Impersonation | MITRE: T1566.001, T1534

The domain in the From address was registered four days before this email was sent. The email claimed to be from a CPA representing a coaching organization with a legitimate national presence. The actual authentication infrastructure belonged to a completely different domain with no visible relationship to either party.

Four days. Two mismatched domains. One fabricated overdue invoice with a collections-agency threat. This is how modern invoice fraud works when the attacker has access to a reputable email delivery platform.

Building a Lookalike in Four Days

ceo-coachinginc[.]com was registered on March 6, 2026. The campaign email arrived at a sports-technology company on March 10, 2026. The four-day gap between domain registration and attack execution is a defining characteristic of single-use BEC infrastructure: register, configure, attack, discard.

The target of impersonation was CEO Coaching International, a legitimate coaching organization whose brand and business identity the attacker borrowed to create a plausible vendor relationship. The attacker domain inserted a hyphen between "ceo" and "coaching" and abbreviated "international" to "inc," producing a lookalike that reads like the real brand in a quick visual scan.

The email was signed as coming from "Carol Smith, CPA," a fabricated attacker persona. CPA credentials add a layer of professional authority to an invoice claim: a certified accountant sending an overdue notice implies the invoice has already cleared some level of professional review.

The Authentication Picture: Right Infrastructure, Wrong Domain

On the face of the Authentication-Results header, the message authenticated fully: SPF passed, DKIM passed, DMARC passed.

But the authenticated domain was not ceo-coachinginc[.]com. The DKIM signing domain was unrelated-sender[.]example, a SendGrid sending domain with no visible relationship to CEO Coaching International or to the attacker's lookalike. The Return-Path (envelope-from) also reflected the SendGrid domain rather than the claimed sender domain.

This is the pattern of an ESP account whose From-address domain has not been authenticated with the platform: the attacker registered the lookalike domain, created a SendGrid account, and set ceo-coachinginc[.]com as the From header address, while the platform signed and bounced the mail under its own sending identity, unrelated-sender[.]example. The result is a message that authenticates for the wrong domain while the claimed domain is entirely unverified.

DMARC is built on identifier alignment: a pass requires that the domain authenticated by SPF (the Return-Path domain) or by DKIM (the d= tag) match the From domain, exactly under strict alignment or at the organizational-domain level under relaxed alignment. Here neither identifier aligned; both were the ESP's domain. The dmarc=pass recorded on this message therefore reflects that the underlying sending platform authenticated, not that the claimed sender was verified. Any evaluation that actually compares the d= and Return-Path domains against the From domain shows the mismatch.

Collections Pressure, Fabricated Threads, and Inconsistent Dates

The email body contained an "overdue" invoice and a statement that this was the final communication before the matter was referred to a collections agency. This pressure framing targets the accounts payable function directly. A finance team that receives a collections threat attached to an invoice they cannot immediately locate in their system faces a choice: pay quickly to avoid escalation, or stop and verify. The attacker's goal is to produce the first outcome.


The email body included what appeared to be a prior exchange, presenting the message as part of an ongoing billing conversation. The fabricated thread contained two date references: one from February 5, 2025, and one from February 27, 2026. A gap of roughly 13 months between adjacent messages in the same thread is not a normal billing timeline, and the inconsistency is visible to any recipient who reads the quoted thread closely rather than scrolling past it.

The Reply-To addresses in the message included carol@ceo-coachinginc[.]com and admin@azur-email[.]com. The second address, on a separate domain entirely, serves as a backup attacker-controlled inbox. If the target replied via either path, the response reached the attacker.

Why the Claimed Executive Name Was Removed

The lure included a reference to a named executive at the recipient organization. This is a common BEC tactic: including the target recipient's reporting manager or an internal executive by name creates an implied internal authorization, suggesting the payment has been discussed at a higher level and the recipient is expected to process it. The name used in this lure belonged to a real individual connected to the sports-technology company. That name has been removed from this writeup per anonymization standards: including it would surface a real executive's identity in connection with a fraud attempt.

Business email compromise attacks that reference named internal executives tend to be more effective because they combine external vendor pressure with implied internal authorization, compressing the verification window even further.

What a 63% Score Means in Context

Themis scored this message at 63% confidence, which is below the threshold that would trigger automatic remediation in most deployment configurations. The domain-mismatch signal was present but the full authentication pass on the underlying ESP infrastructure created ambiguity.

IRONSCALES Adaptive AI combined the 63% behavioral score with the four-day-old domain registration, the authentication domain mismatch, the financial-theme body, and the collections-pressure language to surface the message for analyst review. No single signal was decisive. The convergence of a newly-registered lookalike, an unrelated authenticated domain, a fabricated invoice, and urgency framing was.

The Domain-Age Rule for Financial Email

The Verizon DBIR 2026 reports that pretexting and BEC represent the highest-value social engineering loss category. The MITRE ATT&CK framework classifies attachment-based invoice delivery as T1566.001. CISA advises that all payment requests received via email, including those with apparent collections pressure, require out-of-band confirmation through a known-good number before any funds move.

For security teams, the mismatch between the claimed From domain and the authenticated DKIM-signing and Return-Path domains is a detectable signal at the header level. A DMARC evaluation that checks identifier alignment, as the standard requires, shows the From domain aligned with neither; a receiver that acts on that result, or an inbound rule that flags financial-themed mail whose From domain authenticates nowhere, would catch this message before it reached a mailbox.
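The header-level checks this post describes, identifier alignment against the From domain and From-domain age for financial mail, together with the Reply-To mismatch noted in the collections-pressure section, as one worked triage script. This is an added example, not IRONSCALES code and not the logic behind Themis; the message headers and the registration-date table are constructed from the indicators in this writeup, and the organizational-domain helper is a deliberate simplification flagged in the comments.

```python
import re
from datetime import date
from email import message_from_string
from email.utils import getaddresses, parseaddr, parsedate_to_datetime

# Constructed sample shaped like the indicators in this post (headers only; the
# DKIM bh=/b= values are placeholders, not a verifiable signature).
SAMPLE = """\
Return-Path: <bounces@unrelated-sender.example>
Authentication-Results: mx.target.example; spf=pass smtp.mailfrom=unrelated-sender.example;
 dkim=pass header.d=unrelated-sender.example; dmarc=pass
DKIM-Signature: v=1; a=rsa-sha256; d=unrelated-sender.example; s=s1;
 h=from:to:subject:date; bh=placeholder; b=placeholder
From: "Carol Smith, CPA" <carol@ceo-coachinginc.com>
Reply-To: carol@ceo-coachinginc.com, admin@azur-email.com
To: ap@target.example
Subject: FINAL NOTICE - Overdue invoice
Date: Tue, 10 Mar 2026 09:12:00 +0000

(body omitted)
"""

# Constructed control message: every identifier aligned, nothing to flag.
CONTROL = """\
Return-Path: <billing@vendor.example>
DKIM-Signature: v=1; a=rsa-sha256; d=vendor.example; s=s1; h=from; bh=x; b=x
From: Billing <billing@vendor.example>
To: ap@target.example
Date: Tue, 10 Mar 2026 09:12:00 +0000

(body omitted)
"""

# Hypothetical registration-date lookup standing in for an RDAP/WHOIS query.
REGISTRATION_DATES = {"ceo-coachinginc.com": date(2026, 3, 6)}


def domain_of(addr: str) -> str:
    """Lower-cased domain part of a single address header value, or ''."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def org_domain(domain: str) -> str:
    # Approximation of the DMARC organizational domain: last two labels. Real
    # code must use the Public Suffix List so that e.g. foo.co.uk is handled.
    return ".".join(domain.split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str = "relaxed") -> bool:
    """DMARC identifier alignment: 'strict' needs an exact match, 'relaxed'
    (the default) accepts the same organizational domain."""
    if not auth_domain or not from_domain:
        return False
    if mode == "strict":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def dkim_domains(msg) -> list:
    """d= tags from every DKIM-Signature header (folded headers are fine)."""
    out = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
        if m:
            out.append(m.group(1).lower())
    return out


def triage(raw: str, registration_dates: dict, max_age_days: int = 30) -> dict:
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From", ""))
    findings = []

    # 1. Alignment: DMARC passes only if the Return-Path (SPF) or a DKIM d=
    #    domain aligns with the From domain. Authentication-Results is ignored
    #    on purpose; alignment is recomputed from the identifiers themselves.
    rp_domain = domain_of(msg.get("Return-Path", ""))
    signers = dkim_domains(msg)
    spf_aligned = aligned(rp_domain, from_domain)
    dkim_aligned = any(aligned(d, from_domain) for d in signers)
    if not (spf_aligned or dkim_aligned):
        findings.append(f"no aligned identifier: From={from_domain} "
                        f"Return-Path={rp_domain or '-'} DKIM d={signers or '-'}")

    # 2. Reply-To domains that differ from the From domain.
    reply_domains = {a.rpartition("@")[2].lower()
                     for _, a in getaddresses(msg.get_all("Reply-To", [])) if "@" in a}
    foreign = sorted(reply_domains - {from_domain})
    if foreign:
        findings.append(f"Reply-To domain(s) differ from From: {foreign}")

    # 3. Age of the From domain at send time (unknown age is not scored here).
    age_days = None
    reg = registration_dates.get(from_domain)
    if reg is not None and msg.get("Date"):
        age_days = (parsedate_to_datetime(msg["Date"]).date() - reg).days
        if age_days <= max_age_days:
            findings.append(f"From domain registered {age_days} days before send")

    return {"from_domain": from_domain, "dmarc_alignment": spf_aligned or dkim_aligned,
            "age_days": age_days, "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE, REGISTRATION_DATES)["findings"]:
        print("FLAG:", line)
```

Run against SAMPLE the script reports three findings (no aligned identifier, a foreign Reply-To domain, and a four-day-old From domain) and reports `dmarc_alignment` as false even though the constructed Authentication-Results header says dmarc=pass; that gap between the recorded verdict and the recomputed alignment is the signal the post is describing. CONTROL produces no findings.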

---

| Type | Indicator | Context |
| --- | --- | --- |
| Domain | ceo-coachinginc[.]com | Attacker lookalike domain; registered Mar 6, 2026, four days before send |
| Email | carol@ceo-coachinginc[.]com | Attacker Reply-To address on lookalike domain |
| Email | admin@azur-email[.]com | Secondary attacker-controlled Reply-To (backup) address |
| Domain | unrelated-sender[.]example | Actual DKIM-signing and Return-Path domain (SendGrid); unrelated to claimed sender |
| Auth Result | dkim=pass (d=unrelated-sender.example); dmarc=pass | Authentication pass for the unrelated domain; not aligned with the From domain |
| Brand Impersonated | CEO Coaching International | Legitimate coaching organization; name used without authorization |

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack. What it looked like, why it worked, and what to do about it.
