The email looked like a routine Datadog monitor alert. The subject referenced an OES Outbound MTA low delivery rate. The body contained a company ID, event ID, monitor ID, and on-call mentions for Teams and PagerDuty. Every link resolved to app.datadoghq[.]com. There were no attachments, no credential forms, no payment requests.
The sender address was alert@dtdg[.]co. Not datadoghq[.]com.
The sending domain dtdg[.]co passed every authentication check. SPF passed via em6080.dtdg[.]co. DKIM passed with selector s1 on d=dtdg[.]co. DMARC passed. The mail was routed through SendGrid infrastructure at o3.ptr4288.o3.sendgrid.dtdg[.]co from IP 149.72.169[.]25.
A WHOIS lookup on dtdg[.]co returned no public registration data. No registrant name, no organization, no creation date visible in public records. There is no verifiable way to confirm whether this domain belongs to Datadog or to someone impersonating them. The abbreviation is plausible enough that most recipients would not question it.
This is the core problem with authenticated lookalike domains. A DMARC pass confirms only that the message was sent by infrastructure authorized for the domain in its From header. It says nothing about whether that domain belongs to the brand it appears to represent.
Every action link in the email resolved to app.datadoghq[.]com, the legitimate Datadog application. Login pages, monitor views, event detail pages, and profile paths all scanned clean. URL reputation engines returned safe verdicts across the board.
An email with fully authenticated headers and exclusively legitimate links produces zero signals for any security gateway that relies on URL scanning, domain reputation, or authentication results. The message is technically indistinguishable from a real vendor notification.
The message contained an open-tracking pixel, a standard component in marketing emails but also a confirmation mechanism. When the recipient opens the email, the pixel fires and validates three things: the mailbox is active, the recipient reads vendor notifications, and the email address bypasses spam filters.
That intelligence has value. The attacker now knows this recipient will open and engage with messages from dtdg[.]co. The next email from the same domain could contain 14 legitimate links and one that redirects through an attacker-controlled intermediate to a credential harvesting page. The recipient has already been trained to trust the sender.
Themis, the Adaptive AI engine from IRONSCALES, evaluated the sender-recipient relationship, the domain's lack of verifiable ownership, and the behavioral pattern of the message. The combination of a first-time sender using a domain that closely mirrors a known vendor, with no prior communication history in the organization, triggered quarantine before the tracking pixel could confirm engagement.
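The detection gap described above can be illustrated with a small triage routine. This is an added example, not Themis or any IRONSCALES code: it parses a constructed copy of the message, confirms SPF/DKIM/DMARC all pass, checks the From domain against a constructed per-brand list of domains the vendor is known to send from, confirms every link points at the brand's own domain, and flags an open-tracking pixel. The allowlist, the sample headers and the signal names are all assumptions.

```python
"""Added example (not IRONSCALES/Themis code): flag an authenticated message whose
From: domain is not one the claimed brand is known to use. Sample message and
vendor allowlist are constructed for illustration."""
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed allowlist: brand keyword in display name -> domains it is known to send from.
KNOWN_VENDOR_DOMAINS = {"datadog": {"datadoghq.com"}}

# Constructed sample modelled on the headers discussed in the text.
SAMPLE_MSG = b"""From: Datadog Alerting <alert@dtdg.co>
To: oncall@example.com
Subject: [Triggered] OES Outbound MTA low delivery rate
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=em6080.dtdg.co;
 dkim=pass header.d=dtdg.co header.s=s1; dmarc=pass header.from=dtdg.co
Content-Type: text/html

<a href="https://app.datadoghq.com/monitors/1">View monitor</a>
<img src="https://o3.sendgrid.dtdg.co/wf/open?upn=abc" width="1" height="1">
"""

def _in_brand(host: str, brand_domains: set) -> bool:
    # Exact match or proper subdomain only; "evil-datadoghq.com" must not match.
    return any(host == d or host.endswith("." + d) for d in brand_domains)

def analyze(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    display, from_domain = sender.display_name.lower(), sender.domain.lower()
    auth = msg.get("Authentication-Results", "")
    all_pass = all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc"))
    html = msg.get_body(preferencelist=("html",)).get_content()
    link_hosts = {urlparse(u).hostname for u in re.findall(r'href="([^"]+)"', html)}
    pixel = bool(re.search(r'<img[^>]+width="1"[^>]+height="1"', html))
    brand = next((b for b in KNOWN_VENDOR_DOMAINS if b in display), None)
    brand_domains = KNOWN_VENDOR_DOMAINS.get(brand, set())
    sender_unknown = brand is not None and not _in_brand(from_domain, brand_domains)
    links_legit = bool(link_hosts) and all(_in_brand(h, brand_domains) for h in link_hosts)
    signals = []
    if sender_unknown:
        signals.append("from_domain_not_known_for_brand")
    if sender_unknown and all_pass:
        signals.append("authenticated_lookalike")  # passes SPF/DKIM/DMARC, still not the brand
    if sender_unknown and links_legit:
        signals.append("links_legit_but_sender_unverified")  # URL scanning alone sees nothing
    if pixel:
        signals.append("open_tracking_pixel")
    return {"from_domain": from_domain, "auth_pass": all_pass,
            "link_hosts": sorted(link_hosts), "signals": signals}
```

Running `analyze(SAMPLE_MSG)` reports a fully passing authentication result and only legitimate link hosts, yet still raises the lookalike signals; the same message rewritten to come from the brand's own domain keeps only the tracking-pixel signal.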
| Type | Indicator | Context |
|---|---|---|
| Sending Domain | dtdg[.]co | Lookalike domain, fully authenticated, no public WHOIS data |
| Sender Address | alert@dtdg[.]co | Display name "Datadog Alerting" |
| Sending IP | 149.72.169[.]25 | SendGrid infrastructure |
| SendGrid Subdomain | o3.ptr4288.o3.sendgrid.dtdg[.]co | Authenticated sending relay |
| SPF Domain | em6080.dtdg[.]co | SPF pass |
| DKIM Selector | s1 (d=dtdg[.]co) | DKIM pass |
| All Links | app.datadoghq[.]com | Legitimate Datadog application, all scanned clean |
| Tracking | Open-tracking pixel | Mailbox validation and engagement confirmation |

| Technique | ID | Relevance |
|---|---|---|
| Acquire Infrastructure: Domains | T1583.001 | Lookalike domain registered with full authentication infrastructure |
| Phishing: Spearphishing Link | T1566.002 | Email contains links designed to build trust for future payload delivery |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Domain and display name match Datadog branding and notification structure |