The email arrived at 7:51 PM on a Wednesday evening. To the HR team at a mid-size cybersecurity company, it looked like a routine request from the CEO. A short, polite message. No attachment. No link. Just a name they recognized and a question about updating bank details before the next payroll run.
The display name read "Eyal Benishti." The real Eyal Benishti is the CEO of IRONSCALES, one of the most recognized names in email security. The attacker knew exactly who to impersonate and exactly who to target.
Here is what the recipient saw: a three-sentence message asking when they could submit new bank information. A thank-you line. A signature block with just a name. No corporate title, no phone number, no internal employee ID, no link to an HR portal.
That absence was the entire strategy.
Traditional email security tools scan for malicious URLs, suspicious attachments, and known-bad sender reputations. This email contained none of those things. There was literally nothing for a content scanner to flag. According to the FBI's 2024 Internet Crime Report, BEC attacks accounted for $2.9 billion in reported losses that year, and the most effective BEC campaigns are the ones that carry zero technical indicators.
The subject line read: "Request to Update Bank Details for Salary Payment." Professional. Specific. Urgent enough to warrant a quick response, but not so urgent that it would trigger suspicion.
The attacker sent this email through Mailjet, a well-known email service provider used by thousands of legitimate businesses. The sending domain was mycomparateur[.]fr, a French commercial domain registered through OVH in 2015. Here is where it gets interesting: WHOIS records show that domain's registration expired on March 10, 2026. The email was sent on April 1, 2026, three weeks after expiration. Whether the attacker acquired a lapsed domain or exploited a grace-period window, the result was the same.
Because Mailjet was configured as an authorized sender for mycomparateur[.]fr, every authentication check passed. SPF: pass. DKIM: pass (signature verified against d=mycomparateur[.]fr). DMARC: bestguesspass. Microsoft's own Composite Authentication returned compauth=pass.
The Verizon 2024 Data Breach Investigations Report found that pretexting (the social engineering technique behind BEC) was involved in 25% of all breaches. What makes ESP laundering (sending through a legitimate email service provider so the message inherits that provider's authorized-sender status) so effective is that it exploits the trust model authentication was designed to create. SPF and DKIM answer one question: "Did this email come from infrastructure authorized by this domain?" They do not answer: "Is the person behind this domain who they claim to be?"
That distinction is the gap attackers walk through.
The attacker set the From address to contact@mycomparateur[.]fr but the Reply-To header pointed somewhere else entirely: mail@exceeo[.]com. If the HR team had replied, their response (potentially containing actual bank routing procedures or follow-up instructions) would have landed in a mailbox the attacker controlled on a completely different domain.
WHOIS records for exceeo[.]com tell a clear story. The domain was registered on February 17, 2026, just 43 days before the attack. The registrar was Dynadot. No organization name. No registrant details. A domain created for this purpose and this purpose alone.
This is MITRE ATT&CK T1656 (Impersonation) combined with T1586 (Compromise Accounts), the attacker using legitimate infrastructure to lend credibility to a fabricated identity. The display name matched the real CEO. The authentication passed. The only thing connecting this email to its true origin was a Reply-To header that most email clients don't prominently display.
Themis, the IRONSCALES Adaptive AI engine, flagged this email at 90% confidence within seconds of delivery. Three signals converged.
First, the display name "Eyal Benishti" matched a VIP in the organization's executive directory, but the sending address (contact@mycomparateur[.]fr) had never been associated with that identity. This is exact display name impersonation, and Themis maintains a behavioral fingerprint for every known sender in an organization.
Second, community intelligence from over 35,000 security professionals across the IRONSCALES network had already flagged similar patterns. ESP-laundered BEC attempts using Mailjet infrastructure had been reported and resolved as phishing by other organizations in the weeks prior. That shared intelligence raised the confidence score before any single-tenant analysis was complete.
Third, the Reply-To mismatch. The From domain and Reply-To domain had no relationship to each other or to the impersonated executive's actual email address. Behavioral analysis doesn't just check whether authentication passes. It checks whether the sender's claimed identity is consistent with every signal in the message.
The email was distributed to four mailboxes. All four copies were quarantined within five seconds. The incident was automatically classified as phishing. No human had to intervene.
According to Microsoft's 2024 Digital Defense Report, BEC attacks have become the most financially damaging category of cybercrime, with attackers increasingly exploiting legitimate cloud services to bypass traditional defenses. This case is a textbook example.
This attack carried no malicious URL, no weaponized attachment, no credential harvesting form. Every conventional scanning technology would have given it a clean bill of health. And every authentication protocol did exactly that.
The CISA phishing guidance emphasizes verifying unexpected requests through a separate communication channel. That's good advice. But it assumes the recipient recognizes the request as unexpected in the first place. When the CEO's name is in the From field and every authentication badge shows green, "unexpected" doesn't register.
Three things made this attack possible, and three things should change in response.
ESP-laundered identity is the new spoofing. DMARC alignment alone cannot distinguish a CEO's real email from an attacker's ESP account using the CEO's display name. Organizations need detection that compares behavioral identity (who does this person normally email, from which infrastructure, at what cadence) against the claimed identity in real time.
Reply-To diversion is invisible by default. Most email clients suppress or de-emphasize the Reply-To header. Security teams should configure detection rules that flag messages where the Reply-To domain differs from the From domain, especially on messages referencing financial actions.
Zero-payload BEC is the hardest attack to catch and the most expensive to miss. There is nothing to detonate in a sandbox, nothing to scan with a URL reputation engine, nothing to match against a threat signature. The only reliable detection surface is behavioral: does this message match the real communication patterns of the person it claims to be from?
| Type | Indicator | Context |
|---|---|---|
| Sender Email | contact@mycomparateur[.]fr | From address, Mailjet ESP |
| Reply-To Email | mail@exceeo[.]com | Attacker-controlled reply diversion |
| Sending Domain | mycomparateur[.]fr | OVH-registered, expired Mar 10 2026 |
| Reply-To Domain | exceeo[.]com | Registered Feb 17 2026 (43 days pre-attack), Dynadot |
| Sending IP | 185[.]250[.]237[.]20 | Mailjet infrastructure, GeoIP: United Kingdom |
| ESP Relay | o20[.]p38[.]mailjet[.]com | Mailjet outbound relay |
| Return-Path | a1499685[.]bnc3[.]mailjet[.]com | Mailjet bounce address |
| Tracking Domain | xrv3t[.]mjt[.]lu | Mailjet click/open tracking subdomain |