A Medicare Attestation Request Sent Through Salesforce, Authenticated by the Victim's Own Domain

TL;DR: Attackers leveraged a compromised or malicious Salesforce CRM organization to deliver a credential harvesting email disguised as a Medicare Transaction Facilitator attestation request. The message passed SPF, DKIM, and DMARC with compauth=pass (reason=100) because Salesforce was an authorized sender for the domain. The From and To addresses were both aryan@a-private-company[.]example, suggesting the attacker had organizational access and was targeting internal users. The CTA linked to nexaroco[.]com, which served an Office 365 credential harvesting page. Themis flagged the incident at 50% confidence, and the IRONSCALES community provided additional phishing signal.

Severity: High
Tags: Credential Harvesting, Vendor Email Compromise
MITRE ATT&CK: T1566.002 (Phishing: Spearphishing Link), T1078.004 (Valid Accounts: Cloud Accounts), T1656 (Impersonation)

The subject line referenced a "Medicare Transaction Facilitator (MTF) Independent Provider Attestation." The email came from a Salesforce CRM organization, passed every authentication check, and linked to what appeared to be a document signing page. The landing page was an Office 365 credential harvesting form hosted on an unrelated domain.

In June 2026, IRONSCALES flagged this attack targeting an employee at a healthcare outcomes management company. The phishing email exploited two things simultaneously: the authority of healthcare regulatory compliance language and the trust that Salesforce infrastructure carries through email authentication.

Salesforce as the Delivery Vehicle

The message was sent through Salesforce Email-as-a-Service infrastructure (smtp-053a43a2c9ecc9b54.core1.sfdc-8tgtt5.mta.salesforce.com, IP 18[.]117[.]31[.]220). X-SFDC headers confirmed an active Salesforce organization with EmailCategory=quickActionEmail, meaning the attacker triggered the send from within the CRM interface itself. SPF passed. DKIM passed (d=a-private-company[.]example). DMARC passed. Composite authentication returned compauth=pass with reason code 100.

The From and To addresses were identical: aryan@a-private-company[.]example. This self-send pattern indicates the attacker had access to the Salesforce org associated with the target's domain and was routing messages internally. It also sidesteps any external sender banners that Microsoft 365 might display.

The Fabricated Thread and the Real Landing Page

The In-Reply-To header referenced a Message-ID from DS0PR11MB7382, a different mailbox server than the actual sender. This is a fabricated thread reference, designed to make the email appear as a continuation of an existing conversation. Recipients who see "RE:" in a subject line are less likely to scrutinize the sender.

The call-to-action button read "Medicare Transaction Facilitator (MTF) Independent Provider Attestation" and linked to nexaroco[.]com/providerrelations/. A screenshot of the landing page revealed a standard Office 365 credential harvesting form, not the Adobe or DocuSign signing page that the Medicare attestation pretext implied. That mismatch between the stated document platform and the actual landing page is a signal that automated URL scanners may miss when the harvesting domain is new and has no reputation data.

Detection

Themis, the IRONSCALES Adaptive AI, flagged the message at 50% confidence. The IRONSCALES community added additional signal, confirming phishing classification. One mailbox was quarantined.

The confidence score is notable. At 50%, this was not a high-conviction detection. The full authentication pass, the legitimate Salesforce infrastructure, and the healthcare compliance pretext all worked to suppress automated risk scoring. What tipped the balance was behavioral context: the self-send anomaly, the first-time CRM message pattern, and the mismatch between the attestation pretext and the landing page destination.

Healthcare organizations processing Medicare compliance documents should treat CRM-originated attestation requests with the same scrutiny as external wire transfer instructions. When the signing page does not match the stated platform, the compliance request is the attack.
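The header and link checks described in the sections above (self-send through Salesforce, X-SFDC headers, a "RE:" thread reference pointing at different infrastructure, and a signing-page pretext whose link goes elsewhere) can be expressed as a small triage script. This is an added example, not IRONSCALES code; the sample message is constructed from the values on this page, the X-SFDC header name and the Outlook Message-ID host are assumptions, and the signing-platform allowlist is illustrative.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the attack above. Header names after the
# X-SFDC- prefix and the In-Reply-To host are assumptions; the link is defanged.
SAMPLE = """\
From: aryan@a-private-company.example
To: aryan@a-private-company.example
Subject: RE: Medicare Transaction Facilitator (MTF) Independent Provider Attestation
Message-ID: <m1@smtp-053a43a2c9ecc9b54.core1.sfdc-8tgtt5.mta.salesforce.com>
In-Reply-To: <m0@DS0PR11MB7382.namprd11.prod.outlook.com>
X-SFDC-EmailCategory: quickActionEmail
Authentication-Results: spf=pass; dkim=pass header.d=a-private-company.example; dmarc=pass; compauth=pass reason=100
Content-Type: text/plain

Please complete the attestation: hxxps://nexaroco[.]com/providerrelations/
"""

# Hosts a genuine e-signature request would be expected to link to (illustrative).
SIGNING_HOSTS = {"adobesign.com", "echosign.com", "docusign.com", "docusign.net"}
URL_RE = re.compile(r"(?:https?|hxxps?)://([^/\s]+)")


def msgid_host(value):
    """Host part of a Message-ID-style token <id@host>, lower-cased; '' if absent."""
    m = re.search(r"@([^>\s]+)", value or "")
    return m.group(1).lower() if m else ""


def analyze(raw, seen_crm_senders=frozenset()):
    """Return the set of behavioural signals for one message given as raw text."""
    msg = message_from_string(raw)
    signals = set()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender and sender == parseaddr(msg.get("To", ""))[1].lower():
        signals.add("self_send")                      # From == To
    if any(k.lower().startswith("x-sfdc-") for k in msg.keys()):
        signals.add("crm_origin")                     # sent from a Salesforce org
        if sender not in seen_crm_senders:
            signals.add("first_crm_message_from_sender")
    subject = msg.get("Subject", "")
    if subject.upper().startswith("RE:") and msg.get("In-Reply-To"):
        if msgid_host(msg["In-Reply-To"]) != msgid_host(msg.get("Message-ID")):
            signals.add("thread_ref_from_other_infra")  # heuristic, not proof
    body = "" if msg.is_multipart() else msg.get_payload()
    hosts = {h.lower() for h in URL_RE.findall(body)}
    if "attestation" in (subject + body).lower() and hosts and not hosts & SIGNING_HOSTS:
        signals.add("pretext_link_mismatch")          # "sign this" but link is elsewhere
    if "compauth=pass" in msg.get("Authentication-Results", "") and "self_send" in signals:
        signals.add("authenticated_self_send")        # auth pass does not clear the anomaly
    return signals
```

Feeding the same message with the sender already in `seen_crm_senders` drops only the first-time signal; the remaining anomalies still fire regardless of the authentication verdict.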


Indicators of Compromise

Type | Indicator | Context
Sender/Target Email | aryan@a-private-company[.]example | From and To identical (self-send via Salesforce)
Sending IP | 18[.]117[.]31[.]220 | Salesforce EaaS infrastructure
Sending Hostname | smtp-053a43a2c9ecc9b54.core1.sfdc-8tgtt5.mta.salesforce.com | Salesforce SMTP relay
Credential Harvesting Domain | nexaroco[.]com | Hosted Office 365 login phishing page
Credential Harvesting URL | nexaroco[.]com/providerrelations/ | Landing page path
DKIM Signing Domain | d=a-private-company[.]example | DKIM signing domain (Salesforce-authorized)
X-SFDC OrgType | ACTIVE | Confirmed active Salesforce organization
X-SFDC EntityId | 500Vm00000wfFMf | Salesforce case/entity reference
Fabricated Thread Reference | DS0PR11MB7382 | In-Reply-To references unrelated mailbox server

MITRE ATT&CK Mapping

Technique | ID | Relevance
Phishing: Spearphishing Link | T1566.002 | CRM-delivered email with credential harvesting link
Valid Accounts: Cloud Accounts | T1078.004 | Attacker access to Salesforce org for the target domain
Impersonation | T1656 | Medicare compliance pretext impersonating internal sender

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
