The domain in the From address was registered four days before this email was sent. The email claimed to be from a CPA representing a coaching organization with a legitimate national presence. The actual authentication infrastructure belonged to a completely different domain with no visible relationship to either party.
Four days. Two mismatched domains. One fabricated overdue invoice with a collections-agency threat. This is how modern invoice fraud works when the attacker has access to a reputable email delivery platform.
ceo-coachinginc[.]com was registered on March 6, 2026. The campaign email arrived at a sports-technology company on March 10, 2026. The four-day gap between domain registration and attack execution is a defining characteristic of single-use BEC infrastructure: register, configure, attack, discard.
The target of impersonation was CEO Coaching International, a legitimate coaching organization whose brand and business identity the attacker borrowed to create a plausible vendor relationship. The attacker domain substituted a hyphen and abbreviated "international" to "inc," producing a lookalike that reads similarly to the real brand in a quick visual scan.
The email was signed as coming from "Carol Smith, CPA," a fabricated attacker persona. CPA credentials add a layer of professional authority to an invoice claim: a certified accountant sending an overdue notice implies the invoice has already cleared some level of professional review.
The message authenticated fully. SPF passed. DKIM passed. DMARC passed.
But the authenticated domain was not ceo-coachinginc[.]com. The DKIM signing domain was unrelated-sender[.]example, a SendGrid sending domain with no visible relationship to CEO Coaching International or to the attacker's lookalike. The Return-Path (envelope-from) also reflected the SendGrid domain rather than the claimed sender domain.
This is a standard SendGrid account-with-custom-domain configuration: the attacker registered their lookalike domain, created a SendGrid account, and configured ceo-coachinginc[.]com as the display From while the underlying authenticated sending identity remained unrelated-sender[.]example. The result is a message that passes authentication for the wrong domain while the claimed domain is entirely unverified.
DKIM alignment in DMARC policy checks whether the DKIM signing domain matches the From domain. In this case it did not. The DMARC pass result on this message reflects the sending platform's authentication, not domain alignment with the claimed sender. A DMARC-strict enforcement environment that evaluates d= tag alignment against the From domain would have caught the mismatch.
The email body contained an "overdue" invoice and a statement that this was the final communication before the matter was referred to a collections agency. This pressure framing targets the accounts payable function directly. A finance team that receives a collections threat attached to an invoice they cannot immediately locate in their system faces a choice: pay quickly to avoid escalation, or stop and verify. The attacker's goal is to produce the first outcome.
The email body included what appeared to be a prior exchange, presenting the message as part of an ongoing billing conversation. The fabricated thread contained two date references: one from February 5, 2025, and one from February 27, 2026. A 13-month gap between adjacent messages in the same thread is not a normal billing conversation timeline, and the inconsistency is visible to any recipient who reads the prior thread closely rather than scrolling past it.
The Reply-To addresses in the message included carol@ceo-coachinginc[.]com and admin@azur-email[.]com. The second address, on a separate domain entirely, serves as a backup attacker-controlled inbox. If the target replied via either path, the response reached the attacker.
The lure included a reference to a named executive at the recipient organization. This is a common BEC tactic: including the target recipient's reporting manager or an internal executive by name creates an implied internal authorization, suggesting the payment has been discussed at a higher level and the recipient is expected to process it. The name used in this lure belonged to a real individual connected to the sports-technology company. That name has been removed from this writeup per anonymization standards: including it would surface a real executive's identity in connection with a fraud attempt.
Business email compromise attacks that reference named internal executives are statistically more effective because they combine external vendor pressure with implied internal authorization, compressing the verification window even further.
Themis scored this message at 63% confidence, which is below the threshold that would trigger automatic remediation in most deployment configurations. The domain-mismatch signal was present but the full authentication pass on the underlying ESP infrastructure created ambiguity.
IRONSCALES Adaptive AI combined the 63% behavioral score with the four-day-old domain registration, the authentication domain mismatch, the financial-theme body, and the collections-pressure language to surface the message for analyst review. No single signal was decisive. The convergence of a newly registered lookalike, an unrelated authenticated domain, a fabricated invoice, and urgency framing was.
The Verizon DBIR 2026 reports that pretexting and BEC represent the highest-value social engineering loss category. The MITRE ATT&CK framework classifies attachment-based invoice delivery as T1566.001. CISA advises that all payment requests received via email, including those with apparent collections pressure, require out-of-band confirmation through a known-good number before any funds move.
For security teams, the domain-mismatch between a claimed sender and the authenticated DKIM signing domain is a detectable signal at the header level. Environments that evaluate DMARC with strict alignment checking, verifying that d= matches the From domain, would flag this message before it reached a mailbox.
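A header-level check for the mismatch described above (DKIM d= and Return-Path on a domain unrelated to the From domain, plus a Reply-To on a third domain), written here as an added Python example rather than IRONSCALES code. The header values are constructed to mirror the case, with the writeup's defanged domains un-bracketed; the org-domain helper is a two-label approximation of the public-suffix lookup that DMARC relaxed alignment actually requires.

```python
import email
from email import policy
from email.utils import getaddresses

# Constructed sample mirroring the case (defanged domains from the writeup, un-bracketed).
SAMPLE = """\
Return-Path: <bounces+12345@unrelated-sender.example>
From: "Carol Smith, CPA" <carol@ceo-coachinginc.com>
Reply-To: carol@ceo-coachinginc.com, admin@azur-email.com
Subject: FINAL NOTICE - Overdue Invoice
DKIM-Signature: v=1; a=rsa-sha256; d=unrelated-sender.example; s=s1;
 h=from:subject; bh=AAAA; b=BBBB

(body omitted)
"""

def org_domain(domain):
    """Approximation of the organizational domain: last two labels."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def aligned(a, b, strict=True):
    """DMARC identifier alignment: strict is an exact match, relaxed is the same org domain."""
    return a.lower() == b.lower() if strict else org_domain(a) == org_domain(b)

def addr_domains(header_value):
    """Domain part of every address in a From/Reply-To/Return-Path header."""
    return [addr.rsplit("@", 1)[1].lower()
            for _, addr in getaddresses([header_value or ""]) if "@" in addr]

def check_alignment(raw, strict=True):
    """Compare the From domain with the DKIM d= tag, the envelope sender and every Reply-To."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = addr_domains(msg["From"])[0]
    # DKIM-Signature is a tag=value list; the signing domain is the d= tag.
    tags = dict(t.strip().split("=", 1) for t in (msg["DKIM-Signature"] or "").split(";") if "=" in t)
    envelope = addr_domains(msg["Return-Path"])
    report = {
        "from_domain": from_domain,
        "dkim_domain": tags.get("d", "").lower(),
        "dkim_aligned": aligned(tags.get("d", ""), from_domain, strict),
        "spf_aligned": bool(envelope) and aligned(envelope[0], from_domain, strict),
        "foreign_reply_to": sorted({d for d in addr_domains(msg["Reply-To"]) if not aligned(d, from_domain)}),
    }
    # DMARC can only pass for the From domain if at least one identifier aligns with it.
    report["dmarc_aligned"] = report["dkim_aligned"] or report["spf_aligned"]
    return report
```

Run `check_alignment(SAMPLE)` to get the report for the constructed message; on this sample neither identifier aligns and `azur-email.com` is reported as a foreign Reply-To domain.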
---
| Type | Indicator | Context |
|---|---|---|
| Domain | ceo-coachinginc[.]com | Attacker lookalike domain; registered Mar 6, 2026; four days before send |
| Email | carol@ceo-coachinginc[.]com | Attacker Reply-To address on lookalike domain |
| Email | admin@azur-email[.]com | Secondary attacker-controlled Reply-To backup address |
| Domain | unrelated-sender[.]example | Actual DKIM-signing and Return-Path domain (SendGrid); unrelated to claimed sender |
| Auth Result | dkim=pass (d=unrelated-sender.example); dmarc=pass | Authentication pass for unrelated domain; not aligned with From domain |
| Brand Impersonated | CEO Coaching International | Legitimate coaching organization; name used without authorization |
---
| Attack | What happened |
|---|---|
| The Reply-To Was One Letter Off: How a Typosquat Domain Turned a Gmail BEC Into a Payment Diversion | A Gmail-authenticated BEC used a typosquat Reply-To domain and a hidden HTML mailto mismatch to impersonate a steel distributor's credit manager. |
| Past Due Invoice, Future Wire Fraud: How a BEC Campaign Passed Every Authentication Check | A BEC invoice diversion attack impersonated a known vendor contact through SendGrid, passed SPF/DKIM/DMARC. |
| One Missing Letter, One Stolen Payment: A Reply-To Typosquat That Beat the Spam Score | A typosquatted Reply-To domain misspelled 'Missouri' as 'Missuori' to intercept invoice payments. |
| The Graduation Sash Invoice That Every Security Check Approved | A $3,645 invoice for 55 custom graduation sashes arrived at a school district, sent through Shopify's legitimate email infrastructure. |
| When the SharePoint Notification Is Real But the Share Is the Attack | A file-sharing notification arrived from what looked like a vendor contact. |