The message looked like routine paperwork. A Microsoft-style notification announced that a firm had "shared a spreadsheet," carried that firm's branding, and offered a single button: "Open Document." The body asked the recipient to review and sign a 2026 contract and finalize it through a payment provider. Nothing about the layout was alarming.
The problem only appears when you line up the three identities the message depends on. The email was authenticated as one company. The branding belonged to a second. The link went to a third. None of them were related, and that, not any single technical indicator, was the entire attack.
The message was sent from the mailbox of a legitimate industrial supplier and passed SPF and DKIM for that supplier's domain, with DMARC resolving to a best-guess pass. It originated from that company's own Exchange server, not a spoofed relay. By every authentication check, the mail genuinely came from the company it claimed in the envelope.
That is the signature of email account compromise. When an attacker operates a real, compromised mailbox, their messages authenticate perfectly because they are, in fact, being sent by that domain. SPF and DKIM confirm where a message came from. They say nothing about whether the account owner wrote it or authorized it, and an attacker sitting inside a legitimate account satisfies both checks without effort.
The body did not present the supplier. It presented a construction consultancy, complete with that firm's name in a "shared a spreadsheet" document-share template. So the message was authenticated as Company A while visually claiming to be Company B.
That split is the core of the impersonation. A recipient reading the branding sees a familiar-looking document request from a named consultancy. The authentication banner, if they check it, confirms a real domain. Neither view reveals that the domain in the headers and the brand in the body are two different organizations.
The "Open Document" button did not point to the consultancy, to a signing platform, or to the supplier. It pointed to the website of a third, unrelated company. And here is the part that matters most for defenders: the destination scanned clean. There was no malicious-link verdict to quarantine on.
This is the limit of reputation-based filtering. A scanner evaluates a destination at the moment it looks. A page that is benign at scan time, or that only presents its credential form or payment step after a user interacts with it, returns a clean result. The honest read of the evidence is that the link's destination was unverified rather than confirmed malicious. But a contract-signing request that routes to a company with no relationship to the document, the sender, or the recipient is anomalous regardless of what the scanner returned. The mismatch is the signal; the clean verdict is the reason content-based controls let it through.
Legitimate business correspondence is internally consistent. A signing request from a company comes from that company's domain and links to that company's signing service. This message broke that consistency in three places at once, and it did so using real, authenticated, clean-scanning components. There was no malware, no failed authentication, and no flagged URL for a business email compromise filter to catch on content alone.
IRONSCALES Themis flagged it on relationships instead: a first-time external sender, a sending domain that did not match the brand it displayed, and a call-to-action pointing to an unaffiliated third domain. Those signals are invisible to any control waiting for a malicious payload, and together they were enough to quarantine the message.
- Check that the sender, the brand, and the link are the same organization. A document request is only coherent if all three align. When the authenticated domain, the displayed brand, and the link destination name different companies, the message cannot be legitimate no matter how clean each piece looks.
- Do not treat a clean link verdict as a clearance. Reputation reflects a destination at scan time. A link to a domain that has no business reason to appear in the message deserves scrutiny even when it scores clean.
- Weight first-contact senders that carry someone else's brand. An authenticated but unfamiliar sender presenting a third party's branding is a strong account-compromise-and-impersonation indicator.
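To make the three-way alignment check concrete, here is an added Python example (not IRONSCALES' or Themis' code) that lines up the authenticated domain from `Authentication-Results`, the brand named in the document-share subject, and the registrable domain of every link in the body, then reports the mismatches. The sample message is constructed, every domain in it is a placeholder, and the brand-to-domain comparison is a deliberately simple heuristic.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse
# Constructed sample mirroring the case (authenticated as A, branded as B, linking to C); every domain is a placeholder.
SAMPLE_EML = """\
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=ap@supplier-a.example; dkim=pass header.d=supplier-a.example; dmarc=bestguesspass header.from=supplier-a.example
Subject: Consultancy B shared a spreadsheet with you
Content-Type: text/html; charset=utf-8

<p><b>Consultancy B</b> shared a spreadsheet with you. Please review and sign the 2026 contract.</p>
<a href="https://portal.unrelated-c.example/open?id=123">Open Document</a>
"""

def registrable(host):
    """Crude eTLD+1 (last two labels); production code would consult a public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def authenticated_domain(msg):
    """Domain the receiver actually verified: DKIM header.d=, else SPF smtp.mailfrom."""
    ar = str(msg.get("Authentication-Results", ""))
    m = (re.search(r"dkim=pass[^;]*?header\.d=([\w.-]+)", ar)
         or re.search(r"spf=pass[^;]*?smtp\.mailfrom=(?:[^\s;@]+@)?([\w.-]+)", ar))
    return registrable(m.group(1)) if m else None

def displayed_brand(msg):
    """Brand the document-share template presents, taken from the subject line."""
    m = re.match(r"\s*(.+?)\s+shared a (?:spreadsheet|document|file)", str(msg.get("Subject", "")), re.I)
    return m.group(1) if m else None

def link_domains(msg):
    """Registrable domains of every href in a single-part HTML body."""
    body = "" if msg.is_multipart() else msg.get_content()
    hosts = (urlparse(u).hostname for u in re.findall(r'href="([^"]+)"', body, re.I))
    return sorted({registrable(h) for h in hosts if h})

def brand_reflected_in(brand, domain):
    """Heuristic: a significant word of the brand appears in the domain's first label."""
    tokens = [t for t in re.findall(r"[a-z0-9]+", brand.lower()) if len(t) >= 4]
    return any(t in domain.split(".")[0] for t in tokens)

def identity_findings(raw_eml):
    """Line up sender, brand and link; return the mismatches a relationship check would flag."""
    msg = message_from_string(raw_eml, policy=default)
    auth, brand, links = authenticated_domain(msg), displayed_brand(msg), link_domains(msg)
    findings = [f"link domain {d} differs from authenticated domain {auth}" for d in links if d != auth]
    for d in ([auth] if auth else []) + links:
        if brand and not brand_reflected_in(brand, d):
            findings.append(f"displayed brand '{brand}' not reflected in {d}")
    return {"authenticated": auth, "brand": brand, "links": links, "findings": findings}
```

On the sample, all three identities disagree and `identity_findings` returns three findings even though nothing in the message fails authentication or carries a payload; a consistent message (brand, DKIM domain and link domain all one company) returns none.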
The MITRE ATT&CK framework classifies this as Spearphishing Link (T1566.002), with the use of an unrelated firm's brand mapping to Impersonation (T1656). The Verizon DBIR 2025 continues to rank business email compromise among the costliest attack categories, and CISA guidance advises verifying unexpected document and payment requests through a separately confirmed channel.
A real sender, a real brand, a real destination, and not one of them belonging to the same company. The pieces were all authentic. The assembly was the attack.
---
| Type | Indicator | Context |
|---|---|---|
| Authenticated sender | Compromised mailbox at a legitimate industrial supplier | SPF and DKIM pass for the supplier's own domain; sent from its Exchange server |
| Displayed brand | An unrelated construction consultancy | "Shared a spreadsheet" document-share template in the body |
| CTA destination | "Open Document" linked to an unrelated third company's website | Scanned clean; no relationship to the sender, brand, or recipient |
| Lure | Review and sign a 2026 contract, complete via a payment provider | Document-signing and payment-onboarding pretext |
| Detection surface | Sender domain, displayed brand, and link domain name three different companies | Identity mismatch, not a malicious-payload verdict |