Disney+ Billing Lure Rides Legitimate Tax-Service Infrastructure to a phpList Subscribe Page

TL;DR Attackers spoofed the Disney+ brand inside a message sent entirely through a legitimate tax-document delivery service whose own DMARC policy enforces rejection. Every authentication header passed cleanly. The single CTA, labeled 'Continue,' routed first through the service's own redirect infrastructure, then deposited recipients on a phpList-hosted subscription page at an unrelated hosting domain with no connection to Disney or the delivery service. The mismatch between the brand shown and the domain where the CTA lands is the concrete artifact, and it was the signal that allowed IRONSCALES Adaptive AI to flag the campaign.
Severity: High
Tags: Phishing, Credential Harvesting, Brand Impersonation
MITRE ATT&CK: T1566.002 (Phishing: Spearphishing Link), T1598.003 (Phishing for Information: Spearphishing Link)

The subject line reads: "Payment failed! Please update your billing information." The body renders a Disney+ logo and the tagline "Your Adventure Continues." The single call to action says "Continue." Nothing in the message looks wrong to a casual reader.

The sending infrastructure belongs to a legitimate tax-document delivery service that has operated since 2015. SPF passes. DKIM passes. DMARC passes under a p=reject policy. The "Continue" CTA resolves, after a redirect through that service's own click-tracking endpoint, to a phpList-hosted subscription page on a domain with no affiliation to Disney, to the delivery service, or to any payment processor.

That destination is the attack.

Why Disney+ Billing Urgency Still Works at Scale

Consumer billing lures are durable for the same reason that makes them easy to dismiss: everyone subscribes to something. Disney+ has over 120 million subscribers globally. A "payment failed" notice for a service someone uses, arriving in an otherwise unremarkable inbox, triggers a reflexive response before any skepticism can engage.

The lure contains no recipient-specific account details, no last-four card digits, no username. The urgency is generic: act now or lose access. Generic lures scale to thousands of targets without per-recipient customization. The attacker does not need to know whether the recipient subscribes to Disney+ because enough recipients at any target organization will.

Sending the campaign into a public-sector organization's mailboxes amplifies the contextual mismatch. Consumer streaming accounts are personal, not organizational, but personal email at work addresses is routine, so the incongruity rarely registers.

How Authenticated Infrastructure Becomes the Delivery Vehicle

The sending domain belongs to a legitimate tax-document delivery service registered in 2015 and operating under a p=reject DMARC policy. That policy is normally a strong trust signal: the domain owner has configured email authentication to reject anything that fails alignment. For this message, everything aligned correctly.

The From header showed noreply@[the delivery service]. The Return-Path carried a VERP-encoded bounce address at the service's em1285 subdomain. The DKIM signature used selector s1 against the same domain. Every check an inbound gateway runs on sender legitimacy came back clean.

This is the defining characteristic of legitimate-infrastructure phishing: the attack does not attempt to forge the sending domain. It operates through it. Blocking the domain would block tax documents that recipient organizations legitimately receive. The attacker's calculation is that no gateway operator will create a blanket block on a reputable, established sender.

The From display name was set to "D+", shorthand recognizable as Disney+, while the actual sending domain had no Disney affiliation. Display names appear prominently in mobile clients and notification previews; the domain stays out of frame.
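To make the header picture above concrete, here is an added Python example (not code from the write-up or from IRONSCALES) that runs the same checks over a constructed message: an Authentication-Results header showing spf, dkim and dmarc all passing, a VERP-style Return-Path on an em1285 subdomain, DKIM signing domain and selector s1, and a From display name of "D+" on a domain that does not belong to Disney+. The brand allowlist, the alias list and the urgency terms are assumptions for the example; only the hostnames and selector come from the write-up. The point the code makes is that every authentication result can be genuine and the message still be a lure, because authentication proves who sent it, not who the reader will think sent it.

```python
"""Sender-authentication and display-name checks over a constructed copy of the lure.

Added example, standard library only. The message below is constructed to carry the
header shapes the write-up describes (passing SPF/DKIM/DMARC, VERP Return-Path on an
em1285 subdomain, DKIM selector s1, display name "D+"); it is not the captured email.
"""
import email
import re
from email.utils import parseaddr

# Assumed allowlist: registrable domains that may legitimately send as the brand.
BRAND_DOMAINS = {"disney+": {"disney.com", "disneyplus.com"}}
# Assumed display-name shorthand a reader would take to mean the brand.
BRAND_ALIASES = {"disney+": ["disney+", "disney plus", "disneyplus", "d+"]}
URGENCY_TERMS = ("payment failed", "update your billing", "suspended", "verify your account")

# Constructed sample, not the real capture.
SAMPLE = """\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=em1285.safesendreturns.com; dkim=pass header.d=safesendreturns.com header.s=s1; dmarc=pass header.from=safesendreturns.com
Return-Path: <bounces+1234567-abcd-victim=example.org@em1285.safesendreturns.com>
From: "D+" <noreply@safesendreturns.com>
To: victim@example.org
Subject: Payment failed! Please update your billing information
Content-Type: text/plain; charset=utf-8

Your Adventure Continues.
Continue
"""
# Control: the same message with a From that actually belongs to the brand.
BENIGN = SAMPLE.replace('"D+" <noreply@safesendreturns.com>', '"Disney+" <noreply@disneyplus.com>')


def registrable_domain(host):
    """Naive eTLD+1 (last two labels); use a public-suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts and the DKIM signing domain from Authentication-Results."""
    text = " ".join(msg.get_all("Authentication-Results") or [])
    verdicts = {m.group(1).lower(): m.group(2).lower()
                for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", text, re.I)}
    d = re.search(r"header\.d=([\w.-]+)", text)
    return verdicts, (registrable_domain(d.group(1)) if d else None)


def brand_in_display_name(display):
    """Return the brand a reader would infer from the display name, or None."""
    name = display.lower()
    for brand, aliases in BRAND_ALIASES.items():
        for alias in aliases:
            # Whole-token match so "d+" does not fire inside unrelated words.
            if re.search(r"(?<![a-z0-9])" + re.escape(alias) + r"(?![a-z0-9])", name):
                return brand
    return None


def analyze(raw):
    msg = email.message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = registrable_domain(addr.rsplit("@", 1)[-1])
    _, bounce = parseaddr(msg.get("Return-Path", ""))
    bounce_domain = registrable_domain(bounce.rsplit("@", 1)[-1]) if bounce else None
    verdicts, dkim_domain = auth_results(msg)
    brand = brand_in_display_name(display)
    report = {
        "from_domain": from_domain,
        "authenticated": all(verdicts.get(k) == "pass" for k in ("spf", "dkim", "dmarc")),
        # Relaxed alignment: bounce and DKIM domains share the From's registrable domain.
        "bounce_aligned": bounce_domain == from_domain,
        "dkim_aligned": dkim_domain == from_domain,
        "brand": brand,
        "brand_mismatch": brand is not None and from_domain not in BRAND_DOMAINS[brand],
        "urgency": any(t in msg.get("Subject", "").lower() for t in URGENCY_TERMS),
    }
    # Authentication says who sent it, not who the reader thinks sent it: the verdict
    # keys off the display-name-to-domain gap, with urgency as supporting context.
    report["verdict"] = "suspicious" if report["brand_mismatch"] else "clean"
    return report


if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE), ("control", BENIGN)):
        print(label, analyze(raw))
```

Run on the constructed lure, every authentication field reports pass and both alignment checks succeed, yet the verdict is suspicious because the only name the reader sees ("D+") maps to a brand whose domains do not include the sender's. The control message, identical apart from a From address on a Disney+ domain, comes back clean.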

The CTA Chain: From Trusted Redirect to Off-Brand Landing Page


The "Continue" button linked to a click-tracking URL on the delivery service's own redirect subdomain. Automated link scanners assessed this link as clean: it belongs to a known, reputable service. The redirect, however, resolves onward.

After the redirect, the recipient lands at phpdjibril.hosted.phplist[.]com/lists/?id=41&p=subscribe, a subscription page hosted on the phpList platform under a third-party hosting account. phpList is a legitimate open-source email list management tool. The hosting account referenced in the subdomain has no documented connection to Disney, to the delivery service, or to any subscription management flow a streaming company would operate.

A legitimate Disney+ billing recovery flow routes to Disney-owned or authorized payment processor infrastructure. No part of that expected path includes a phpList subscription endpoint at a third-party hosted account. The brand the recipient sees in the body and the domain the recipient lands on are entirely disconnected. That disconnection is the attacker's footprint, and it is the kind of signal that perimeter defenses oriented around sender reputation are not built to detect.

IRONSCALES Adaptive AI flagged the campaign at 59% confidence, driven by the brand-to-destination mismatch and the behavioral profile of the send: a first-time sender to the recipient organization, generic non-personalized content paired with billing urgency, and a CTA chain that does not terminate on any domain associated with the impersonated brand.

Why Perimeter Defenses Missed the Signal

Gateway filters evaluate messages against known-bad domains, authentication failures, and reputation databases. This message produced none of those signals. The sending domain is established. The first CTA hop belongs to that same reputable domain. Neither would appear in any threat-intelligence blocklist built from attacker infrastructure.

The credential harvesting risk lies in the downstream handling. A phpList subscription endpoint can be configured to collect anything a form requests, including credentials under the guise of "verify your Disney+ account." Whether this specific endpoint was a collection form, an intermediate redirect, or a staging artifact, the pattern is what matters: a trusted send, a trusted first hop, and then an unmonitored off-brand destination.

The MITRE ATT&CK framework classifies this as Spearphishing Link (T1566.002). The Verizon DBIR 2026 lists phishing as the leading initial access vector, with stolen credentials driving the majority of confirmed breaches. CISA warns against acting on payment-alert emails without independently verifying through the official service portal. The Microsoft Digital Defense Report 2024 notes attackers consistently prefer established-reputation infrastructure to reduce preemptive blocking risk.

Closing the Brand-to-Destination Gap

Sender authentication and the first hop in a redirect chain can both be clean while the final destination is adversarial. Defenses that stop at single-hop link scanning have no visibility into chains that begin with reputable domains.

Closing that gap requires evaluating the full CTA chain to its terminal destination and asking whether that destination is plausible for the brand in the body. IRONSCALES Adaptive AI applies this cross-layer logic: sender signals, link-chain resolution, and brand-body coherence evaluated together, not as isolated pass/fail checks.
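The chain described in the CTA section, resolved hop by hop, as an added Python example (not the page's or IRONSCALES' code). It follows Location headers one at a time, records the registrable domain of every hop, and then shows what a single-hop scanner sees (the first URL, on the delivery service's own subdomain) next to what a full-chain check sees (the terminal phpList domain, outside the brand's allowlist). The redirect table is constructed to stand in for the HTTP 3xx responses; the click-tracking path on ssr.safesendreturns.com and the brand allowlist are assumptions, while the hostnames and the http-to-https pair come from the write-up's indicator table. Nothing touches the network unless you pass in the live fetcher.

```python
"""Resolve a CTA link to its terminal destination and compare it with the brand in the body.

Added example. HOPS stands in for HTTP 3xx responses; only the hostnames and the
http/https URL pair are from the write-up, the click path and allowlist are assumptions.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Assumed allowlist of registrable domains a Disney+ billing flow could legitimately land on.
BRAND_DOMAINS = {"disney+": {"disney.com", "disneyplus.com"}}

# Constructed redirect table: request URL -> Location header (absent = final page).
HOPS = {
    "https://ssr.safesendreturns.com/click?c=constructed":
        "http://phpdjibril.hosted.phplist.com/lists/?id=41&p=subscribe",
    # http -> https upgrade, matching the two URL variants in the indicator table.
    "http://phpdjibril.hosted.phplist.com/lists/?id=41&p=subscribe":
        "https://phpdjibril.hosted.phplist.com/lists/?id=41&p=subscribe",
}


def registrable_domain(host):
    """Naive eTLD+1 (last two labels); use a public-suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def table_fetch(url):
    """Offline fetcher: look the hop up in HOPS."""
    return HOPS.get(url)


def http_fetch(url, timeout=5):
    """Live fetcher: one HEAD request, redirect NOT followed; returns Location or None.
    Only run this from an isolated analysis host: a click-tracking hop records the visit."""
    class NoFollow(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # make urllib raise on 3xx instead of following it
    opener = urllib.request.build_opener(NoFollow)
    try:
        opener.open(urllib.request.Request(url, method="HEAD"), timeout=timeout)
        return None  # 2xx: this is the final page
    except urllib.error.HTTPError as err:
        return err.headers.get("Location") if 300 <= err.code < 400 else None


def resolve_chain(url, fetch=table_fetch, max_hops=10):
    """Follow Location headers hop by hop. Returns (chain, complete)."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        location = fetch(chain[-1])
        if location is None:
            return chain, True
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in seen:
            return chain, False  # redirect loop
        chain.append(nxt)
        seen.add(nxt)
    return chain, False  # hop budget exhausted; treat as unresolved


def hop_domains(chain):
    return [registrable_domain(urlsplit(u).hostname or "") for u in chain]


def assess(url, brand, sender_domain, fetch=table_fetch):
    chain, complete = resolve_chain(url, fetch)
    domains = hop_domains(chain)
    allowed = BRAND_DOMAINS[brand]
    return {
        "chain": chain,
        "hop_domains": domains,
        "complete": complete,
        # What a single-hop scanner sees: the first URL, on the sender's own domain.
        "first_hop_trusted": domains[0] == sender_domain or domains[0] in allowed,
        "terminal_domain": domains[-1],
        # The brand-to-destination gap: where the chain actually ends.
        "brand_mismatch": domains[-1] not in allowed,
    }


if __name__ == "__main__":
    result = assess("https://ssr.safesendreturns.com/click?c=constructed", "disney+", "safesendreturns.com")
    for hop, dom in zip(result["chain"], result["hop_domains"]):
        print(f"{dom:22} {hop}")
    print("single-hop scanner:", "clean" if result["first_hop_trusted"] else "suspicious")
    print("full chain:", "suspicious" if result["brand_mismatch"] else "clean")
```

The split verdict is the whole argument: `first_hop_trusted` is True because the first URL sits on the delivery service's own subdomain, and `brand_mismatch` is True because the chain ends on phplist.com. An unresolved chain (loop or hop budget exhausted) is returned with `complete` set to False so the caller can treat it as unknown rather than clean.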

For end users: any "payment failed" notice is worth a direct verification step. Navigate to the service's official site independently rather than following the CTA, regardless of how familiar the branding looks.

---

Type      | Indicator                                                        | Context
Domain    | phpdjibril.hosted.phplist[.]com                                  | phpList-hosted CTA destination; no Disney affiliation
URL       | hxxp://phpdjibril.hosted.phplist[.]com/lists/?id=41&p=subscribe  | Off-brand subscription endpoint reached after redirect
URL       | hxxps://phpdjibril.hosted.phplist[.]com/lists/?id=41&p=subscribe | HTTPS variant of the same endpoint
Subdomain | ssr.safesendreturns[.]com                                        | Legitimate click-tracking/redirect subdomain used as the redirect hop
Sender    | noreply@safesendreturns[.]com                                    | Legitimate tax-document delivery service; sending infrastructure abused
Header    | From: "D+"                                                       | Display name impersonates Disney+; domain is the unrelated delivery service

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.

Related attacks

Attack | What happened
The Button Text Was the Weapon: Unicode RTL Obfuscation Inside a DocuSign Lure | Attackers embedded Unicode right-to-left marks directly inside a CTA button label to scatter the string for NLP scanners.
The DocuSign Lure That Used Google as a Trust Shield (And Encoded Your Email in the Link) | A DocuSign phishing email hid its harvest domain behind a google.com redirect and encoded the recipient's exact email address into the link as base64.
Amazon SES Abuse Delivers Fake DocuPortal+ Notification to a Credential-Harvest Page With a Fake reCAPTCHA | Attackers routed a fake DocuPortal+ document-share notification through Amazon SES, giving it legitimate SPF and DKIM signatures.
MSC Brand Impersonation Abuses a Legitimate Open Redirector and Base64-Encodes the Victim's Address for Targeted Tracking | Attackers cloned Mediterranean Shipping Company branding, then funneled victims through a redirect endpoint on a legitimate third-party retail site to...
Sign Here, Get Phished: Inside an Adobe Sign Lure With a Multi-Hop Redirect to Credential Theft | An Adobe Sign e-signature lure routed recipients through a multi-hop redirect chain ending at fameklinik[.]com.
