
When the Password Reset Comes From a Fortune 500 Logistics Giant

Written by Audian Paxson | Feb 1, 2026 11:00:00 AM
TL;DR: Attackers compromised the notification infrastructure of a major global port operator and sent credential reset phishing through its legitimate Amazon SES pipeline. SPF, DKIM, and DMARC all passed. The embedded link pointed to the operator's own logistics platform and scanned clean. A hidden 1x1 AWS tracking pixel validated recipient engagement. IRONSCALES detected the attack through behavioral signals, flagging the first-time external sender and anomalous reset pattern despite perfect technical authentication. The case demonstrates why authentication alone cannot stop compromised-sender phishing.

Severity: High | Tags: Credential Harvesting, Account Takeover, Compromised Sender | MITRE ATT&CK: T1586.002, T1566.002, T1078

The email looked like any other platform notification. Clean branding. Professional layout. A polished logo from a recognized logistics provider sat in the upper-right corner, and the subject line read exactly like the kind of automated alert any warehouse manager or procurement lead would expect from their supply chain tools: your account has been locked due to multiple invalid login attempts.

For the operations manager at a mid-size metals distributor, the message carried weight. The sending domain belonged to one of the world's largest port and logistics operators, a company managing container terminals across six continents. The password reset link pointed to the operator's own logistics platform. And every authentication check (SPF, DKIM, and DMARC) came back clean.

That is exactly what makes this attack dangerous. It was not a spoofed domain or a lookalike. It was the real infrastructure, weaponized.

A Lock Notice Nobody Questioned

The email arrived from accounts@crp[.]dpworld[.]com, sent through Amazon Simple Email Service with valid DKIM signatures for both the corporate domain and amazonses[.]com. The message body was minimal and direct: your account is locked, click here to reset your password.

The reset URL, hxxps://accounts[.]cargoes[.]com/forgot-password/WMS, pointed to a legitimate platform associated with the port operator's warehouse management system. Automated link scanners evaluated the destination and returned a clean verdict. The visual branding matched. The HTML pulled a logo image directly from accounts[.]cargoes[.]com, reinforcing the appearance of authenticity.

From the recipient's perspective, there was nothing visibly wrong. No misspelled domains. No grammatical red flags. No suspicious attachment. Just a professional notification from a vendor they recognized, telling them to take immediate action on a locked account.

According to the Verizon 2024 Data Breach Investigations Report, compromised credentials remain the single most common initial access vector, involved in over 40% of breaches. Attacks like this one show exactly why. The credential harvesting page does not need to look suspicious when the entire delivery chain is already trusted.

The Infrastructure Behind the Deception

What separated this from a standard credential phish was the attacker's position inside legitimate infrastructure. The sending IP (54.240.3[.]9) resolved to Amazon SES in eu-west-1, a standard transactional email relay. The Return-Path confirmed SES routing. The DKIM selector (z5ye345velpsdis7tw4icnulpsesjk27) was registered under crp[.]dpworld[.]com, meaning the attacker either compromised the domain's SES configuration or gained access to the notification system that manages it.

This maps to MITRE ATT&CK T1586.002 (Compromise Accounts: Email Accounts) and T1566.002 (Phishing: Spearphishing Link). The attacker did not build new infrastructure. They borrowed existing, trusted infrastructure and turned it against third-party targets.

Buried in the HTML was a detail most recipients would never see: a hidden 1x1 tracking pixel loading from prx3j3k5[.]r[.]eu-west-1[.]awstrack[.]me. This AWS-based tracking beacon fired when the recipient opened the email, confirming to the attacker that the address was active and the message was read. It is a reconnaissance layer, validating targets before escalating the attack.

The HTML also contained a CSS property (pointer-events: none) applied to the visible reset link. This is a subtle manipulation: it can prevent the displayed URL from being directly clickable, forcing users to copy and paste it into a browser. That copy-paste action bypasses certain browser-based link inspection tools that only evaluate hyperlinks on click events.
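The two body-level indicators described above (a 1x1 image served from a hosted tracking domain and an anchor styled with `pointer-events: none`) are both mechanical enough to extract automatically. The following parser is an added example written for this post, not IRONSCALES code; the sample HTML is constructed to mirror the indicators quoted here, and the list of tracking-host suffixes is an assumption seeded only with the `awstrack.me` domain named in the analysis.

```python
"""Extract hidden tracking pixels and click-disabled links from an HTML email body.

Added example (not IRONSCALES code). SAMPLE_HTML is constructed to resemble the
indicators described in the post; it is not the original message.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a visible logo, a reset link with pointer-events disabled,
# and a 1x1 beacon on the AWS tracking host named in the post.
SAMPLE_HTML = """
<html><body>
<img src="https://accounts.cargoes.com/static/logo.png" width="180" alt="logo">
<p>Your account has been locked due to multiple invalid login attempts.</p>
<a href="https://accounts.cargoes.com/forgot-password/WMS"
   style="color:#0a58ca; pointer-events: none;">https://accounts.cargoes.com/forgot-password/WMS</a>
<img src="https://prx3j3k5.r.eu-west-1.awstrack.me/I0/open" width="1" height="1"
     style="display:none" alt="">
</body></html>
"""

# Assumed list of hosted open-tracking domains; extend from your own telemetry.
TRACKING_SUFFIXES = ("awstrack.me",)


def _is_tiny(attrs: dict) -> bool:
    """True when width/height attributes or inline CSS make the image 1x1 or smaller."""
    def px(value):
        m = re.match(r"\s*(\d+)", value or "")
        return int(m.group(1)) if m else None
    w, h = px(attrs.get("width")), px(attrs.get("height"))
    if w is not None and h is not None and w <= 1 and h <= 1:
        return True
    style = (attrs.get("style") or "").lower()
    return bool(re.search(r"width\s*:\s*[01]px", style)
                and re.search(r"height\s*:\s*[01]px", style))


def _is_tracking_host(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in TRACKING_SUFFIXES)


class IndicatorParser(HTMLParser):
    """Collects (host, reasons) for beacon-like images and hrefs of click-disabled anchors."""

    def __init__(self):
        super().__init__()
        self.pixels = []        # [(src host, [reasons])]
        self.dead_links = []    # hrefs whose inline style sets pointer-events: none

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            host = urlparse(a.get("src", "")).hostname or ""
            reasons = []
            if _is_tiny(a):
                reasons.append("tiny")
            if _is_tracking_host(host):
                reasons.append("tracking-host")
            if reasons:
                self.pixels.append((host, reasons))
        elif tag == "a":
            style = (a.get("style") or "").lower().replace(" ", "")
            if "pointer-events:none" in style:
                self.dead_links.append(a.get("href", ""))


def analyze_html(html: str) -> dict:
    """Return the tracking pixels and click-disabled links found in an HTML body."""
    p = IndicatorParser()
    p.feed(html)
    return {"tracking_pixels": p.pixels, "unclickable_links": p.dead_links}


if __name__ == "__main__":
    print(analyze_html(SAMPLE_HTML))
```

Neither indicator is proof of phishing on its own (marketing mail uses open pixels, and some templates disable pointer events for layout reasons), so the output is best treated as features fed into a broader scoring decision rather than a verdict.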

The FBI IC3 2024 Annual Report documented over $2.9 billion in losses from business email compromise in 2024. Supply chain compromise (where the attack originates from a genuine vendor system) is an accelerating subset of that figure.

What the Machines Missed and the Behavioral Model Caught

Every technical gate gave this email a passing grade. SPF confirmed the sending IP was authorized for eu-west-1.amazonses[.]com. DKIM signatures verified for both crp[.]dpworld[.]com and amazonses[.]com. DMARC returned pass with action=none. Microsoft's own anti-spam scoring assigned an SCL of 1 (low confidence spam) and a BCL of 0. The Forefront report tagged it as CAT:NONE.

Static analysis declared this email clean. And for any organization relying solely on gateway authentication, it would have landed in the inbox without a second look.


IRONSCALES Adaptive AI flagged the message as high-risk through behavioral signals that authentication cannot evaluate. The sender, accounts@crp[.]dpworld[.]com, had never communicated with this recipient before. A first-time external sender issuing an urgent credential reset for a platform the recipient's organization may not actively use is a behavioral anomaly, regardless of whether SPF passes.
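To make the "authenticated but still anomalous" logic concrete, here is an added example (not IRONSCALES code or its Adaptive AI) that parses the kind of Authentication-Results header described above, confirms that SPF, DKIM and DMARC all passed, and then scores the message on behavioral signals that authentication cannot express: a sender domain the organization has never received mail from, credential-reset language, and links hosted outside the sender's domain. The raw message is constructed from the header values quoted in the post, and the set of known sender domains stands in for whatever relationship history a real deployment keeps.

```python
"""Score a fully authenticated message on behavioral signals.

Added example (not IRONSCALES code). RAW_MESSAGE is constructed from the header
values quoted in the post; the known-sender set is a stand-in for real history.
"""
import email
import re
from email.utils import parseaddr

# Constructed message: SES relay, two passing DKIM signatures, DMARC pass.
RAW_MESSAGE = """\
Return-Path: <bounces@eu-west-1.amazonses.com>
Authentication-Results: spf=pass (sender IP is 54.240.3.9) smtp.mailfrom=eu-west-1.amazonses.com;
 dkim=pass (signature was verified) header.d=crp.dpworld.com header.s=z5ye345velpsdis7tw4icnulpsesjk27;
 dkim=pass (signature was verified) header.d=amazonses.com;
 dmarc=pass action=none header.from=crp.dpworld.com
X-MS-Exchange-Organization-SCL: 1
From: accounts@crp.dpworld.com
To: ops.manager@example-metals.test
Subject: Your account has been locked due to multiple invalid login attempts
Content-Type: text/plain

Your account is locked. Reset your password here:
https://accounts.cargoes.com/forgot-password/WMS
"""

RESET_PATTERN = re.compile(r"locked|reset your password|invalid login|verify your account", re.I)


def parse_auth_results(header: str) -> dict:
    """Map spf/dkim/dmarc to their result. Repeated methods collapse to the worst
    result seen, so one failing DKIM signature is not hidden by a passing one."""
    results = {}
    for clause in header.split(";"):
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause)
        if m:
            method, result = m.group(1), m.group(2).lower()
            prev = results.get(method)
            results[method] = result if prev in (None, "pass") else prev
    return results


def assess(raw: str, known_sender_domains: set) -> dict:
    """Return authentication state, behavioral signals and a verdict for one message."""
    msg = email.message_from_string(raw)
    auth_header = msg.get("Authentication-Results", "")
    auth = parse_auth_results(auth_header)
    authenticated = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    dkim_domains = re.findall(r"header\.d=([\w.-]+)", auth_header)

    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    link_hosts = [h.lower() for h in re.findall(r"https?://([\w.-]+)", body)]

    signals = {
        "first_time_sender": sender_domain not in known_sender_domains,
        "credential_reset": bool(RESET_PATTERN.search(text)),
        # Links whose host is neither the sender domain nor a subdomain of it.
        "offdomain_links": [h for h in link_hosts
                            if h != sender_domain and not h.endswith("." + sender_domain)],
    }

    # Authentication never lowers the score: a compromised sender passes it too.
    if signals["first_time_sender"] and signals["credential_reset"]:
        verdict = "high"
    elif signals["credential_reset"]:
        verdict = "medium"
    else:
        verdict = "low"

    return {"authenticated": authenticated, "auth": auth, "dkim_domains": dkim_domains,
            "sender_domain": sender_domain, "signals": signals, "verdict": verdict}


if __name__ == "__main__":
    print(assess(RAW_MESSAGE, {"supplier.test"}))
```

The design point is in the final branch: `authenticated` is reported but never subtracts from the risk, because a message sent through a compromised vendor's real SES pipeline authenticates exactly as well as a legitimate one. Only the relationship history and content signals separate the two.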

Community intelligence reinforced the classification. Similar messages from this sender had been reported as phishing across other organizations, building a confidence signal that no single tenant's gateway could generate alone. The email was quarantined within seconds of delivery.

The Microsoft Digital Defense Report 2024 noted that identity-based attacks now outnumber traditional malware delivery. When the attacker already controls a legitimate identity and authenticated infrastructure, the only remaining detection surface is behavioral.

What This Case Teaches

This was not a sloppy phishing attempt. It was a calculated operation using compromised enterprise infrastructure to send authenticated, branded, link-clean credential harvesting emails. Every traditional defense said it was safe.

Three practical takeaways from this case:

Treat authentication as necessary, not sufficient. SPF/DKIM/DMARC verify that a message came from an authorized sender. They do not verify that the authorized sender has not been compromised. Organizations that equate "DMARC pass" with "safe" are operating on an outdated assumption.

First-time sender context matters. An urgent credential reset from a domain that has never emailed your organization is suspicious by definition, even if that domain belongs to a Fortune 500 company. Behavioral AI that tracks sender-recipient relationship history catches what static rules cannot.

Watch for embedded reconnaissance. Hidden tracking pixels, especially from cloud-based tracking services, indicate an attacker who is validating their target list before the next phase. If you spot one in a suspicious email, assume the attacker is building a profile of your organization's responsiveness.

The shift from spoofed infrastructure to compromised infrastructure is not theoretical. It is happening in real incidents, against real companies, every day. The question is whether your email security stack evaluates behavior, or just checks authentication boxes.

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 30,000+ security professionals. Each post breaks down one attack — what it looked like, why it worked, and what you can do about it.