Hover over the "Review Document" button, and the tooltip reads supplier[.]coupahost[.]com/invoices. That is a legitimate Coupa procurement portal URL, the kind of link that finance teams click dozens of times per month. Click the button, and the browser goes to access[.]genesiscleaningusa[.]com/workspace/ instead.
The tooltip was a lie. The href was the truth. And both URLs were scanned and declared clean.
A Law Firm With Full Authentication
The email arrived from t.manzoor@hhslawyer[.]ae, a UAE law firm domain. SPF passed. DKIM passed. DMARC passed. The sending infrastructure routed through Google, with delivery to a Microsoft environment. By every authentication measure, the email was legitimate mail from infrastructure authorized to send for that domain. That is all those checks establish: they bind the message to the domain's sanctioned sending path, not to the intentions of whoever controlled the mailbox or the safety of the link inside it.
The subject line read "HHS Lawyers Shared a Document... Review and Sign" with a date stamp. The impersonation was straightforward: a law firm sharing documents for review and signature is a routine business workflow. The recipient had no prior communication history with this sender, making it a first-time contact flagged as high-risk, but the authentication results would satisfy most gateway policies.
No attachments accompanied the email. The entire payload was the link.
Two Links, Same Destination, Both Clean
The email contained exactly two clickable elements, and both resolved to access[.]genesiscleaningusa[.]com. The domain was registered through Wild West Domains and resolved to 67[.]225[.]161[.]150. Neither link triggered a scanner alert.
The tooltip-href mismatch is the critical evasion technique here. When a recipient hovers over a button to verify the destination (a security practice that most awareness training emphasizes), they see the Coupa supplier portal URL. That visual check passes. The actual navigation target is entirely different, but the tooltip creates a false sense of verification.
This technique exploits the gap between what a link's title attribute displays and where its href attribute navigates. A browser renders the title as a hover tooltip while the real href appears in the status bar; mail clients that render the title as the link's tooltip show the recipient only the attacker-controlled text. Most secure email gateway products evaluate the href destination for reputation and content analysis. Fewer compare the tooltip text against the href, or check whether the tooltip is itself a URL pointing at a different host. The tooltip is treated as display content, not a security signal, even though it directly influences whether the recipient decides to click.
The Coupa branding was chosen deliberately. Coupa is a major enterprise procurement platform, and supplier.coupahost.com is the real subdomain where suppliers manage invoices and purchase orders. Anyone working in accounts payable or procurement would recognize it immediately. The attacker bet that the familiarity of the tooltip URL would override any hesitation about the sender being an unfamiliar law firm.
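The check described above, the one most gateways skip, is simple to express: parse every anchor in the HTML body and flag any whose title attribute (or visible link text) names a host different from the host in its href. The following is an added example written for this page, not code from the original write-up or from any vendor's product. The HTML fragment is constructed to mirror the lure described here, the function and class names are illustrative, and the host comparison is deliberately an exact hostname match with no public-suffix handling.

```python
"""
Flag anchors whose hover text (title attribute or visible link text)
claims a different host than the href actually navigates to.
Added example; not code from the original write-up.
"""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mirroring the lure: two CTAs whose title (tooltip)
# names the Coupa supplier portal while the href goes elsewhere, plus a
# control link where tooltip and href agree.
SAMPLE_HTML = """
<html><body>
<p>HHS Lawyers shared a document with you.</p>
<a href="https://access.genesiscleaningusa.com/workspace/"
   title="https://supplier.coupahost.com/invoices">Review Document</a>
<a href="https://access.genesiscleaningusa.com/workspace/"
   title="https://supplier.coupahost.com/invoices">Review and Sign</a>
<a href="https://www.example.com/privacy"
   title="https://www.example.com/privacy">Privacy policy</a>
</body></html>
"""


def registrable_host(value: str) -> str | None:
    """Return the lowercase hostname if `value` looks like a URL, else None.

    Tooltips frequently omit the scheme, so one is prepended before parsing.
    Plain words such as "Review Document" contain no dot and yield None.
    Naive by design: exact hostname, no public-suffix list.
    """
    candidate = value.strip()
    if "://" not in candidate:
        candidate = "https://" + candidate
    try:
        hostname = urlparse(candidate).hostname
    except ValueError:
        return None
    if not hostname or "." not in hostname:
        return None
    return hostname.lower()


class AnchorCollector(HTMLParser):
    """Collect href, title and visible text for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: list[dict] = []
        self._current: dict | None = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._current = {
                "href": a.get("href") or "",
                "title": a.get("title") or "",
                "text": "",
            }

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self._current["text"] = self._current["text"].strip()
            self.anchors.append(self._current)
            self._current = None


def find_tooltip_mismatches(html: str) -> list[dict]:
    """Return one finding per anchor field (title or text) that names a
    host differing from the href host. Non-URL tooltips are not flagged."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for a in parser.anchors:
        href_host = registrable_host(a["href"])
        if href_host is None:
            continue
        for field in ("title", "text"):
            claimed = registrable_host(a[field])
            if claimed is not None and claimed != href_host:
                findings.append({
                    "text": a["text"],
                    "field": field,
                    "claimed_host": claimed,
                    "href_host": href_host,
                })
    return findings


if __name__ == "__main__":
    for f in find_tooltip_mismatches(SAMPLE_HTML):
        print(f"{f['text']!r}: {f['field']} claims {f['claimed_host']} "
              f"but href navigates to {f['href_host']}")
```

Run against the constructed sample, both CTAs are flagged because their tooltip names supplier.coupahost.com while the href host is access.genesiscleaningusa.com; the control link is silent. In a production rule you would compare registrable domains rather than raw hostnames, treat any tooltip that parses as a URL for a brand you do business with as a signal in its own right, and score the result alongside the first-contact and authentication context rather than in isolation.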
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Sender Email | t.manzoor@hhslawyer[.]ae | UAE law firm, first-time sender, full auth pass |
| CTA href | hxxps://access[.]genesiscleaningusa[.]com/workspace/ | Actual link destination (both CTAs) |
| CTA Tooltip | hxxps://supplier[.]coupahost[.]com/invoices | Displayed tooltip (legitimate Coupa URL, not the real destination) |
| Domain IP | 67[.]225[.]161[.]150 | genesiscleaningusa[.]com resolution |
| Registrar | Wild West Domains | Domain registrar for attacker infrastructure |
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | Review and sign lure with tooltip-href mismatch |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Coupa supplier portal tooltip masking attacker domain |
| User Execution: Malicious Link | T1204.001 | Recipient clicks CTA expecting Coupa procurement portal |
Related attacks
| Attack | What happened |
|---|---|
| Three Domains, Two Brands, One Frankenphish: The DocuSign Lure That Led to Mailchimp | A DocuSign-themed email stitched together Lloyds Banking Group Qualtrics survey blocks and resolved its CTA to Mailchimp. |
| The DocuSign That Lived on an S3 Bucket (and Couldn't Decide Who Sent It) | A DocuSign phishing email passed SPF, DKIM, and DMARC for a real K-12 school district domain. |
| The Subdomain That Fused Two Trusted Brands Into One Convincing Lie | Attackers fused two real brand names into a single subdomain and routed the message through Zix infrastructure to inherit enterprise authentication. |
| SafeLinks Wrapped the Phishing URL With the Recipient's Name on It | Microsoft SafeLinks rewrote a phishing URL and embedded the recipient's email address into the redirect chain. |
| Fake Google 'Open to Edit' Alert Hides a Kajabi Redirect and Targeted Credential Harvest | An attacker impersonated Google Docs through a compromised healthcare domain. |