Threat Intelligence

Clio Platform Abuse: HMAC-Tokened Invoice Links and a Fabricated Internal Thread

Written by Audian Paxson | Jul 7, 2025 11:00:00 AM
TL;DR An invoice receipt email sent from an authenticated first-time external sender used app.clio.com download links carrying per-recipient HMAC tokens -- time-limited, access-controlled URLs hosted on a legitimate legal-software platform. The billed entity was listed as Law Alliance LLC, a vendor name with no authoritative public verification. Grammar errors and inconsistent formatting appeared throughout the receipt template. The message appended a long forwarded thread from a real industrial organization to add legitimacy. SPF, DKIM, and DMARC all passed. Scanner verdicts on the Clio links were clean or still scanning at analysis time. No attacker-owned infrastructure appeared in the message; the entire attack surface was a legitimate SaaS platform, a fabricated vendor identity, and social-engineering content.
Severity: High | Tags: Invoice-Fraud, ESP-Abuse, Impersonation | MITRE ATT&CK: T1566.002, T1656, T1583.006

The invoice download links pointed to app[.]clio[.]com. Every scanner that reached a verdict returned clean. SPF, DKIM, and DMARC all passed. The sending domain has been registered since 1998. There was no attacker-controlled infrastructure anywhere in the message.

The attacker did not need any. The entire attack surface was a legitimate legal practice-management SaaS, a fabricated vendor name, and a long forwarded corporate thread appended to simulate a business relationship that did not exist.

Clio as a Delivery Platform

Clio is a practice-management platform used by law firms for billing, case management, and client communication. Its app[.]clio[.]com domain is recognized infrastructure with established reputation in every URL-reputation feed. When a phishing actor creates or compromises a Clio account and generates a payment receipt, the download links that email produces are indistinguishable at the domain level from any legitimate Clio invoice delivery.

MITRE ATT&CK T1583.006 covers the acquisition of web services -- including legitimate SaaS platforms -- as attack infrastructure. The technique is operationally effective because the hosting domain carries real reputation, TLS certificates from the platform provider, and HTTP 200 responses that sandbox analyses treat as clean.

The download buttons in this invoice linked to three app[.]clio[.]com URLs. Each carried HMAC tokens in the query string -- per-recipient, time-limited access controls that are standard in legitimate Clio billing workflows. Two links returned clean verdicts with captured screenshots. Two others were still processing at analysis time. None returned a malicious verdict.

The Fabricated Vendor and the Grammar Tells

The invoice receipt named the billing party as "Law Alliance LLC." No authoritative public record verified this entity as an existing legal services firm. The name is generic enough to pass a casual lookup and specific enough to suggest a professional services relationship.

The impersonation mechanism here is not brand spoofing -- no recognizable law firm name was used. Instead, the attack creates a fictional vendor identity that a recipient cannot easily disprove. "Law Alliance LLC" is not a name that triggers an obvious red flag the way "Amazon Legal Department" might. It occupies a middle ground: plausible, unnamed, unverifiable.

The receipt template contained grammar and formatting errors including "an payment balance" and "Total amount P aid" -- a split word with a mid-phrase space. Professional billing platforms do not produce these artifacts. Legitimate Clio invoices generated by a configured law firm account would not contain these errors. The errors are consistent with an attacker who manually assembled or modified a receipt template without native-language review.

MITRE ATT&CK T1566.002 (spearphishing link) covers the download-link delivery. T1656 (impersonation) applies to both the vendor identity fabrication and the use of a legitimate platform to impersonate an entity with an established billing relationship.


The Appended Thread and the Credibility Signal

Below the invoice receipt, the message carried a long forwarded email thread from a real industrial organization. The thread contained references to meeting coordination, facility logistics, and Webex meeting links -- all consistent with legitimate corporate correspondence. The forwarded content included references to the organization's address and internal contacts.

This appended thread is a deliberate social-engineering element. A recipient who scrolls past the invoice CTA encounters what looks like a prior business exchange between the two parties. The implicit message is that this invoice is part of an ongoing engagement, not an unsolicited demand. For accounts-payable staff who process payments from vendors they did not personally onboard, the presence of prior correspondence -- even forwarded and abbreviated -- reduces the likelihood of a verification call.

The industrial organization whose content appeared in the appended thread is not implicated in the attack. Its correspondence was incorporated without its knowledge or consent. Its references have been fully anonymized here.

Authentication and Sender Profile

The sender domain has been registered since 1998 through a European registrar. Its authentication posture is complete: SPF passes on the sending IP via Microsoft Exchange Online Protection, DKIM passes on the sending domain's selector, and DMARC passes at p=none. The relay path moved through Microsoft's outbound protection gateway into Google's inbound MX infrastructure. All authentication mechanics are consistent with a legitimate M365 tenant sending to a Google Workspace environment.

The sender was a first-time external contact to the recipient. Incident metadata rated sender risk as high based on that first-contact profile combined with the invoice-and-download content pattern and the unverifiable vendor name. No authentication failure contributed to the phishing verdict.

ESP abuse in this context refers not to a traditional email service provider but to a SaaS billing platform used as a sending vehicle. The structural problem is identical: a legitimate platform's reputation launders attacker-generated content through domains and infrastructure that reputation feeds trust.

The Detection Surface

IRONSCALES flagged the combination of signals: first-time external sender with high risk rating, invoice-and-download content pattern, unverifiable billing entity, grammar indicators inconsistent with the claimed platform, and an appended thread from an unrelated organization used to manufacture prior-relationship legitimacy.

No attacker domain appeared in this message. Every external link resolved to a recognized SaaS platform or to real corporate infrastructure. The attack is designed to produce exactly that outcome -- a message that, at the domain and authentication layer, looks indistinguishable from a legitimate legal billing notification.
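As an added illustration (not IRONSCALES code or any product's detection logic), the Python below runs over a constructed message modeled on the one described above and collects the signals the post lists, reporting the SPF/DKIM/DMARC result alongside without letting it offset them; the domains and the token value are placeholders.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample modeled on the post's message; domains and token are placeholders.
SAMPLE = {
    "from_domain": "vendor-example.invalid",
    "first_contact": True,
    "auth_results": "spf=pass; dkim=pass header.d=vendor-example.invalid; dmarc=pass (p=NONE)",
    "body": (
        "Invoice receipt from Law Alliance LLC\n"
        "You have an payment balance outstanding. Total amount P aid: $4,850.00\n"
        "Download receipt: https://app.clio.com/documents/x1?token=PLACEHOLDER&expires=1751900000\n"
        "---------- Forwarded message ----------\n"
        "From: ops@industrial-example.invalid\n"
        "Subject: Facility logistics - Webex link inside\n"
    ),
}

TRUSTED_SAAS = {"app.clio.com"}                     # hosts reputation feeds treat as clean
GRAMMAR_TELLS = [r"\ban payment\b", r"\bP aid\b"]   # template-assembly artifacts from the post
URL_RE = re.compile(r'https?://[^\s<>"]+')

def auth_summary(results):
    """All three passing proves only that the sender controls the claimed domain;
    DMARC p=none additionally means the domain owner asked for no enforcement."""
    all_pass = all(re.search(rf"\b{m}=pass\b", results, re.I) for m in ("spf", "dkim", "dmarc"))
    policy = re.search(r"\bp=(\w+)", results, re.I)
    return all_pass, (policy.group(1).lower() if policy else None)

def score_message(msg):
    """Collect the sender and content signals; authentication is reported, not counted."""
    body, signals = msg["body"], []
    if msg["first_contact"]:
        signals.append("first-time external sender")
    if re.search(r"\b(invoice|receipt)\b", body, re.I) and re.search(r"\bdownload\b", body, re.I):
        signals.append("invoice-and-download content pattern")
    for url in URL_RE.findall(body):
        u = urlparse(url)
        if u.hostname in TRUSTED_SAAS and "token" in parse_qs(u.query):
            signals.append(f"tokenized download link on trusted SaaS host {u.hostname}")
    for pat in GRAMMAR_TELLS:
        if re.search(pat, body):
            signals.append(f"template grammar anomaly: {pat}")
    # From: lines in the appended thread belonging to another organization are a
    # manufactured prior-relationship signal, not evidence of one.
    thread_domains = set(re.findall(r"^From: .*@([\w.-]+)$", body, re.M))
    if thread_domains - {msg["from_domain"]}:
        signals.append("appended thread from an unrelated organization")
    all_pass, policy = auth_summary(msg["auth_results"])
    verdict = "phishing" if len(signals) >= 3 else "review"
    return {"auth_all_pass": all_pass, "dmarc_policy": policy, "signals": signals, "verdict": verdict}
```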

Indicators of Compromise

Type | Indicator | Context
Download links | hxxps://app[.]clio[.]com/[HMAC-tokenized paths] | Three per-recipient time-limited download links; scanner verdicts clean or scanning; legitimate SaaS platform abused for delivery
Billing entity | Law Alliance LLC | Unverifiable vendor name; no authoritative public registration found; used in invoice header
Sender domain | Established European domain (1998 registration, GANDI SAS), name withheld | SPF pass; DKIM pass; DMARC p=none; first-time sender; possible account compromise
Body anomalies | "an payment balance"; "Total amount P aid" | Grammar errors inconsistent with legitimate Clio billing output; template assembly artifact
Appended thread | Forwarded multi-message corporate correspondence (real industrial organization, anonymized) | Fabricated prior-relationship signal; no involvement by the referenced organization

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
