The email never showed the attacker's landing page. A zpr.io shortener sat between the CEO and wherever the campaign intended to send credentials. That gap (between what the gateway could inspect and what the victim would encounter) was the entire mechanism of this attack.
A company chief executive received an email with the subject line "Cloud Services Disabled." The visible sender was "Cloud-Notify" at a domain that returned no WHOIS data and carried no DKIM record. SPF failed for both the originating IP and the Microsoft-relayed hop in the chain. DMARC was absent. The sending IP, 165.217.135.215, had no usable reverse DNS: the PTR lookup returned InfoDomainNonexistent, so there was no hosting organization and no infrastructure identity to check. The sole personalization in the message was the recipient's own email address displayed as "Account Email," a token that phishing kits insert automatically from a target list and that most gateway filters treat as benign because it matches the intended recipient.
The body presented a professional-looking cloud-storage warning: storage quota exhausted, cloud services suspended, reactivation required. A prominent call-to-action invited the recipient to "click anywhere in this message to restore full access." The entire message body was wrapped in a single hyperlink pointing to hxxps://zpr[.]io/r3HbarffVVfu. No button. No visible URL. No second link. One destination, concealed.
zpr.io as a Scanning Blind Spot
Whaling campaigns increasingly route through URL shorteners for a straightforward reason: the shortener absorbs the scanner's inspection and returns an intermediate page rather than the final payload. A gateway that follows hxxps://zpr[.]io/r3HbarffVVfu encounters the shortener's redirect logic, not a credential-harvest form. Shortener services can apply geographic restrictions, user-agent filtering, or rate limits that cause sandboxed expansion to return a benign page or a redirect loop while a live victim browser proceeds to the landing destination.
zpr.io is a known shortener domain observed in phishing redirect chains. Its presence as the sole CTA in a message targeting a named executive, with no surrounding content that would give a sandbox additional context, represents a deliberate evasion design: reduce the visible attack surface to a single opaque hop.
MITRE ATT&CK T1566.001 (spearphishing via email attachment) describes the delivery class; the redirect pattern maps to T1598.003 (phishing for information via spearphishing link). T1656 (impersonation) applies to the "Cloud-Notify" sender identity and the cloud-services-disruption pretext designed to impersonate internal IT infrastructure alerts.
Authentication Failure at Every Layer
The message produced three independent authentication failures. SPF failed for 165.217.135.215, the originating IP, and also for 2a01:111:f403:e40f::3, a Microsoft outbound protection host that appears later in the relay chain. DKIM was absent entirely: no cryptographic signature was applied to the message. DMARC had no policy configured for the sending domain, meaning even the SPF failures would not trigger a rejection at a DMARC-enforcing receiver.
The relay path did include legitimate Microsoft Exchange infrastructure. SEYPR02CU001.outbound.protection.outlook.com appears as a hop, and ARC headers signed by Microsoft are present. These entries sometimes create false confidence: if the mail transited Microsoft's servers, the thinking goes, it must have passed something. ARC does not work that way. ARC preserves and passes along the authentication chain; it does not vouch for sender legitimacy or validate the identity claim in the From header. The originating IP having no PTR is not explained away by a subsequent Microsoft gateway hop.
The sending hostname thehippiegenie.com, a GoDaddy-registered domain created in 2017 and unrelated to cloud services, appeared in the relay as the HELO identity for 165.217.135.215. The mismatch between the From domain (cnnto1gv.com, no WHOIS, no DKIM), the HELO domain (thehippiegenie.com), and the actual content (cloud services notification) describes a sending configuration assembled from unrelated infrastructure with no coherent identity.
Minimal Personalization as a Gateway Bypass Technique
Spear phishing implies targeted personalization. In this campaign, the only personalization was the recipient's email address displayed in the body. That is enough to bypass filters that score messages on whether they contain recipient-specific content (a common heuristic for separating bulk from targeted mail) while requiring no additional research by the attacker.
The executive-role targeting was not derived from the personalization itself but from the selection of this address as a campaign target. The attacker did not need to know the CEO's name, title, or reporting structure. The account email, combined with the cloud-services-disruption pretext and a click-anywhere wrapper, produced a message calibrated to generate an anxious click from someone who depends on cloud access for their role.
Credential harvesting campaigns targeting C-suite accounts represent a specific escalation over general phishing: executive credentials typically grant access to financial systems, board communications, and identity provider consoles that are not available to standard employee accounts. A successful credential theft from this mailbox would position an attacker at a significantly higher privilege level than most phishing campaigns reach.
IRONSCALES detected the combination of authentication failures, a known-shortener sole CTA, VIP recipient targeting, and a cloud-services-disruption pretext from a first-time external sender with no organizational relationship. No single signal was dispositive; the cluster was.
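As an added illustration of scoring that cluster (not IRONSCALES' own detection logic), the function below parses a constructed copy of the message and fires one signal per property the article calls out: the SPF/DKIM/DMARC combination, a shortener as the only link, a VIP recipient, a first-time sender domain, and the service-disruption pretext. The sample headers, the VIP list, the pretext terms and the shortener list beyond zpr.io and is.gd are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the message described above: headers are simplified,
# the relay chain is omitted, and the URL and domains are the article's own indicators.
SAMPLE = """From: Cloud-Notify <alerts@cnnto1gv.com>
To: ceo@example.com
Subject: Cloud Services Disabled
Authentication-Results: spf=fail (sender IP is 165.217.135.215) smtp.mailfrom=cnnto1gv.com;
 dkim=none (message not signed) header.d=none; dmarc=none action=none header.from=cnnto1gv.com;
 compauth=fail reason=001
Content-Type: text/html

<html><body><a href="https://zpr.io/r3HbarffVVfu">Cloud services suspended: your storage quota
is exhausted. Click anywhere in this message to restore full access.</a></body></html>
"""

# zpr.io and is.gd appear on this page; the remaining entries and lists are assumed example values.
KNOWN_SHORTENERS = {"zpr.io", "is.gd", "bit.ly", "tinyurl.com"}
VIP_RECIPIENTS = {"ceo@example.com"}
PRETEXT_TERMS = ("services disabled", "quota", "suspended", "restore full access")

def parse_auth_results(header):
    """Pull the spf/dkim/dmarc/compauth verdicts out of an Authentication-Results header."""
    return {k: m.group(1) for k in ("spf", "dkim", "dmarc", "compauth")
            if (m := re.search(rf"\b{k}=(\w+)", header))}

def score_message(raw, known_sender_domains):
    """Return each signal plus how many fired; the verdict rests on the cluster, not one signal."""
    msg = message_from_string(raw)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    body = msg.get_payload()
    links = re.findall(r'href="([^"]+)"', body, flags=re.I)
    link_hosts = {urlparse(u).hostname or "" for u in links}
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    text = (msg.get("Subject", "") + " " + body).lower()
    signals = {
        # SPF fail with no DKIM signature and no DMARC policy: nothing vouches for the From identity
        "auth_failed": auth.get("spf") == "fail" and auth.get("dkim", "none") == "none"
                       and auth.get("dmarc", "none") == "none",
        # exactly one link and it is a shortener: the scanner never sees the real destination
        "sole_cta_shortener": len(links) == 1 and link_hosts <= KNOWN_SHORTENERS,
        "vip_recipient": parseaddr(msg.get("To", ""))[1].lower() in VIP_RECIPIENTS,
        "first_time_sender": from_domain not in known_sender_domains,
        "disruption_pretext": any(t in text for t in PRETEXT_TERMS),
    }
    signals["score"] = sum(signals.values())
    return signals

if __name__ == "__main__":
    print(score_message(SAMPLE, known_sender_domains=set()))
```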
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| URL | hxxps://zpr[.]io/r3HbarffVVfu | Sole CTA; URL shortener masking final credential-harvest destination |
| Sender display name | Cloud-Notify | Impersonates internal IT infrastructure alert |
| Sender domain | cnnto1gv[.]com | No WHOIS data; no DKIM; no DMARC; SPF fail |
| HELO domain | thehippiegenie[.]com | GoDaddy-registered 2017; used as HELO identity for sending IP |
| Sending IP | 165.217.135[.]215 | PTR: InfoDomainNonexistent; SPF fail; no reverse DNS |
| Auth result | SPF=fail, DKIM=none, DMARC=none | compauth=fail reason=001 |