The message arrived from a real law firm. The domain was registered in 2012, had been in active use for years, and transited Microsoft's Exchange Online Protection infrastructure with authentication that passed. The sender was not a lookalike. It was not a fresh domain. The mailbox had been compromised, and the attacker was sending from the firm's own address.
The message opened a fabricated litigation scenario: a settlement release requiring review, a deposition scheduled for Friday. Embedded in the thread was a spoofed reply attributed to a State-Farm-impersonating lookalike host, an address designed to look like it came from the insurer. Then came the CTA: verify your identity before accessing the secured files. PIN: 1459. Click the attached PDF below.
There was no PDF attached. There was no external URL anywhere in the message. The "verification UI" was rendered entirely from CID-referenced images and inline visual markup, presenting the appearance of a Microsoft OneDrive access flow from within the message itself.
When a threat actor registers a new domain and begins sending from it, a range of signals is available: registration age, first-time-sender status for the specific organization, absence of any reputation history, DMARC set to p=none with fresh records. Those signals exist because the infrastructure is new.
None of them apply here. The law firm's domain had more than a decade of history. It used a common commercial registrar with ordinary name servers. Its mail was routing through Microsoft's infrastructure, which meant SPF passed through the EOP relay chain. DMARC data was present in the authentication headers. The message looked, at the envelope and relay level, like any other legitimate communication arriving from a professional services firm the recipient had no prior history with.
Thread hijacking attacks rely on precisely this kind of borrowed credibility. By building out a fabricated conversation with multiple named parties, timestamps, case details, and a recognizable brand impersonated in a spoofed reply, the attacker creates context that a recipient processes as real prior activity. The legal pretext adds institutional weight: courts, depositions, and settlement documents carry urgency that a generic invoice or package-delivery lure does not. When the message is also arriving from a real professional domain, the credibility budget is already spent before the recipient reaches the CTA.
The lure asked the recipient to verify their identity using a PIN before accessing a secured file. The verification interface mimicked Microsoft OneDrive's access-gating UI. The PIN, 1459, was provided in the message body, framed as a personalized security credential.
In a working credential-harvest flow of this type, entering the PIN on the fake verification screen submits the victim's actual Microsoft credentials to attacker-controlled infrastructure. Attackers use fake login pages as the harvest point, and this PIN-verified OneDrive UI is a variant of exactly that pattern.
What makes this variant technically notable is that no external URL appeared anywhere in the message that a scanning tool could extract and evaluate. The OneDrive-style verification interface was presented through CID-embedded images (image files referenced by content ID rather than fetched from a remote server) and inline visual markup. A secure email gateway inspecting the message for malicious links found no links. The mechanism for the credential theft was entirely self-contained in the rendered visual layer of the email.
This approach defeats the most common detection path for credential-harvest phishing: URL reputation lookup. If the harvest page is not reachable by URL because it is not hosted at a URL the message body exposes, the lookup never happens. The attacker trades the convenience of a hosted phishing kit for the evasion benefit of having nothing for the scanner to fetch.
SPF passed for this message because it transited Microsoft's Exchange Online Protection infrastructure and the SPF check reflected Microsoft's authorized relay IPs. That result is normal for any mail flowing through EOP. It reflects the relay chain, not the trustworthiness of the originating mailbox.
The DMARC data present in the authentication headers similarly describes what happened in the relay path, not whether the underlying account was legitimate. Authentication passing through EOP is an expected artifact of Microsoft's mail flow. It does not distinguish between a genuine firm correspondent and an attacker who has compromised that firm's Microsoft 365 account and is sending from it.
The sender was marked high-risk not because authentication failed, but because of the combination of first-time-sender status for this recipient, the anomalous message structure, and the behavioral profile of the content: a legal urgency pretext, a fabricated multi-party thread, a verification PIN, and a call to action referencing a State-Farm-impersonating lookalike host embedded in the spoofed reply attribution.
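As an added example (not IRONSCALES' code or anything from the original post), the following Python check pulls the structural signals described above out of a MIME message: image references that are `cid:` only with no http(s) URL anywhere in the HTML, a verification PIN in the body, and an `Authentication-Results` `spf=pass` that is recorded but not allowed to clear those findings. The message, addresses and domains are constructed for illustration.

```python
import re
from email import policy
from email.parser import BytesParser
# Constructed sample (not a real capture): HTML body that references only
# cid: images and carries a verification PIN, with no http(s) link anywhere.
SAMPLE_EML = b"""\
From: partner@lawfirm.example
To: victim@target.example
Subject: RE: Settlement Release - deposition Friday
Authentication-Results: spf=pass smtp.mailfrom=lawfirm.example;
 dkim=pass header.d=lawfirm.example; dmarc=pass header.from=lawfirm.example
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Verify your identity before accessing the secured files.</p>
<p>PIN: 1459</p>
<img src="cid:onedrive-ui@x"><img src="cid:open-pdf-button@x"></body></html>
--b1
Content-Type: image/png
Content-ID: <onedrive-ui@x>

iVBORw0KGgo=
--b1--
"""

URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.I)          # anything a link scanner could fetch
CID_RE = re.compile(r'src=["\']cid:([^"\']+)', re.I)        # inline images by Content-ID
PIN_RE = re.compile(r'\bPIN\b\s*[:#]?\s*(\d{4,8})\b', re.I)  # "PIN: 1459"-style credential

def analyze(raw: bytes) -> dict:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    html = "".join(p.get_content() for p in msg.walk() if p.get_content_type() == "text/html")
    auth = re.sub(r"\s+", " ", str(msg.get("Authentication-Results", "")))
    urls = URL_RE.findall(html)
    cids = CID_RE.findall(html)
    pin = PIN_RE.search(html)
    findings = []
    if cids and not urls:
        findings.append("CTA rendered from cid: images only; nothing for URL reputation lookup")
    if pin:
        findings.append(f"verification PIN {pin.group(1)} supplied in the message body")
    # A pass here describes the relay chain (e.g. EOP), not the originating mailbox.
    if "spf=pass" in auth and findings:
        findings.append("spf=pass is a relay artifact; it does not clear the findings above")
    return {"urls": len(urls), "cid_refs": len(cids), "pin": pin.group(1) if pin else None,
            "spf_pass": "spf=pass" in auth, "high_risk": len(findings) >= 2,
            "findings": findings}
```

Run against a message with a normal hosted link, `urls` is non-zero and the cid-only finding is not raised, so the check separates this inline-rendered variant from ordinary link-bearing mail.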
| Type | Indicator | Context |
|---|---|---|
| Domain | The law firm's own domain (compromised) | Aged domain (2012), legitimate registrar; victim infrastructure, not attacker-registered |
| Behavior | State-Farm-impersonating lookalike host in quoted thread | Spoofed reply attribution in the fabricated litigation thread; not printed to avoid indexing |
| Content | PIN 1459 | Verification PIN presented as personalized security credential in OneDrive-style UI |
| Lure | "Settlement Release" PDF (referenced in body) | Named credential-harvest document; no file hash available (not a real attachment) |
| Behavior | OneDrive-style verification UI delivered via CID-embedded images | No external URL; credential-harvest surface rendered entirely inline |
| Auth | SPF pass via Microsoft EOP relay chain | Normal relay artifact; does not validate originating mailbox legitimacy |
| Behavior | First-time sender, high-risk profile, fabricated multi-party legal thread | Behavioral anomaly flags despite clean infrastructure reputation |
A secure email gateway processing this message had a clean sending domain, passing authentication, and no malicious URL to evaluate. The credential harvesting mechanism was invisible to link-scanning because there was no link. The attachment reference in the body pointed to something that did not exist as a real file with a hash. The lure itself (the verification PIN, the OneDrive UI, the spoofed insurer reply) was rendered as visual content rather than structured payload.
IRONSCALES' Adaptive AI (Themis) approaches this class of attack through behavioral and relationship signals rather than artifact reputation. A first-time sender arriving with legal urgency, a multi-party fabricated thread, and a verification-PIN CTA is anomalous on its own. The visual similarity between the embedded inline content and known OneDrive phishing templates adds signal weight.
The FBI IC3 2024 report ranks business email compromise as the highest-loss category by reported dollar amount. Verizon's 2026 Data Breach Investigations Report documents the human element in 62 percent of breaches. An attacker who has already compromised a professional firm's mailbox enters the target's inbox with a trust advantage that URL blocklists were never designed to address.
The defense is not a better URL scanner. It is recognizing that a legal pretext plus a verification PIN plus a spoofed insurer reply from a first-time sender is a behavioral fingerprint, independent of whether any individual artifact has a known-bad reputation. The aged domain and the passed authentication were cover. The tell was everything else about the message.