The email looked like a routine internal notification: a shared document in Microsoft Teams from someone in Accounts Payable. The file was named June_Payment_Plan.pdf. The button said "Open in Teams." The display name on the From field matched an Accounts Payable identity that would be familiar to anyone on the finance team.
None of it was real.
The actual sender was s.akpoyibo@astevenltd[.]com, a domain with WHOIS privacy enabled and no affiliation with the impersonated organization. The "Open in Teams" button resolved to account.astevenltd[.]com, not to microsoft.com or teams.microsoft.com. The recipient was the Chief Financial Officer at the targeted organization. And the URL's client_id parameter contained a base64-encoded string that decoded directly to the CFO's username, confirming the attacker had personalized this lure at the per-recipient level.
The detection system flagged it as phishing. The email was mitigated before it was clicked.
Display name spoofing works because most email clients prominently display the sender's friendly name and de-emphasize or hide the actual email address. A recipient who sees "Accounts Payable" in the From field has already processed the most visible trust signal before they read the subject or body. The actual address (s.akpoyibo@astevenltd[.]com) only becomes visible if the recipient expands the From field or views message headers, which most users do not do for routine-appearing notifications.
The authentication situation made this harder to catch at the infrastructure layer. SPF passed (sending IP 149.72.120.130 authorized for astevenltd[.]com), DKIM passed (header.d=astevenltd[.]com, signed through SendGrid's outbound mail infrastructure), and DMARC passed (header.from=astevenltd[.]com, policy p=quarantine). The composite authentication result was compauth=pass with reason=100. From a relay-analysis standpoint, this was a properly authenticated email sent by a legitimate domain through a legitimate ESP.
What authentication cannot tell you is that the display name is a lie. DMARC aligns the From: domain with the signing and SPF domains, and astevenltd[.]com aligned perfectly with itself. It did not align with, or make any claim about, the impersonated Accounts Payable identity.
MITRE ATT&CK T1656 (impersonation) covers the display-name false identity. T1566.001 (spearphishing link) covers the delivery mechanism with the targeted CTA.
See Your Risk: Calculate how many threats your SEG is missing
The email body replicated Microsoft Teams' document-share notification format precisely: a header announcing that the impersonated Accounts Payable identity had shared a file "in Teams with you + 3 others," a file-icon representation of June_Payment_Plan.pdf, and a single "Open in Teams" CTA. The design leveraged familiarity: recipients who use Teams daily have seen hundreds of legitimate versions of this notification. The visual pattern triggers a habitual action (click to open the document) without prompting the scrutiny that an unusual or unexpected message format would generate.
The filename itself was chosen for the specific recipient. A document named June_Payment_Plan.pdf sent to a CFO in the context of an Accounts Payable notification has built-in urgency. It is the kind of file a CFO would be expected to review without delay. This pattern, a finance-themed document delivered through a plausible internal workflow, is the hallmark of invoice fraud attacks that target approval-authority personnel rather than front-line employees.
This is business email compromise at the targeting layer: no wire-transfer request, no urgency text, no obvious social engineering in the body copy. Just a plausible file in a familiar format sent to the person with the authority to act on it.
The "Open in Teams" button pointed to hxxps://account.astevenltd[.]com/management?client_id=Z3RydWxvY2s&nonce=... The domain account.astevenltd[.]com is attacker-owned. It is not Microsoft Teams, Microsoft 365, or any Microsoft property. The client_id value Z3RydWxvY2s is standard base64 encoding: it decodes to "gtrulock," which is the username portion of the CFO's corporate email address.
A tracking redirect at hxxp://click.astevenltd[.]com used the SendGrid /ls/click tracking pattern: astevenltd[.]com configured SendGrid with a custom-domain CNAME for click tracking, a standard practice for bulk senders. The unsubscribe link also routed through click.astevenltd[.]com/wf/unsubscribe. These infrastructure choices gave the email the operational appearance of a legitimate marketing or transactional send while routing all recipient interaction through attacker-controlled endpoints.
The WHOIS record for astevenltd[.]com showed a same-day update at the time of the incident, consistent with a domain prepared specifically for this campaign. The sender domain did not appear in prior organizational correspondence history.
MITRE ATT&CK T1598 (phishing for information) covers the credential-harvest intent behind the landing page. IRONSCALES detected the behavioral cluster: display-name mismatch between the claimed sender identity and the actual domain, CTA links resolving to non-Microsoft infrastructure, per-recipient username encoding in the landing URL, and WHOIS indicators on the sending domain.
| Type | Indicator | Context |
|---|---|---|
| Sender address | s.akpoyibo[@]astevenltd[.]com | Display name "Accounts Payable" impersonation; SendGrid delivery |
| Landing domain | account.astevenltd[.]com | "Open in Teams" CTA destination; not a Microsoft domain |
| Tracking domain | click.astevenltd[.]com | SendGrid-backed click tracker; unsubscribe and CTA tracking |
| Encoded victim ID | client_id=Z3RydWxvY2s | Base64 decodes to victim username; per-recipient personalization |
| Return-Path | bounces+59342934-16e9-gtrulock=ironscales[.]com[@]relay.astevenltd[.]com | VERP-encoded victim address in bounce path |
| Sending IP | 149[.]72[.]120[.]130 | SendGrid outbound; s.wrqvtvvn.outbound-mail.sendgrid.net |
| Lure filename | June_Payment_Plan.pdf | Finance-themed document bait; no actual attachment |
| Attack | What happened |
|---|---|
| SPF PermError Turned a Malformed Domain into an Invoice Fraud Launchpad | An attacker exploited a malformed SPF record that returned PermError instead of pass or fail, paired with a same-day-registered Reply-To domain. |
| The Security Tool That Delivered the $48,500 Invoice Fraud | A $48,500 invoice fraud routed through a Votiro email sanitization relay, which paradoxically introduced an SPF softfail. |
| Lookalike Domain With Full Authentication Sends a Zero-Payload Trust-Building Email | An attacker registered a lookalike domain one word apart from a known vendor's real domain, configured full DKIM and DMARC authentication. |
| Three Domains, One Invoice: The Payment Diversion That Authenticated Itself Through the Wrong Organization | A past due invoice email passed SPF, DKIM, and DMARC while impersonating a contact at a clinical research firm. |
| The Reply-To Was One Letter Off: How a Typosquat Domain Turned a Gmail BEC Into a Payment Diversion | A Gmail-authenticated BEC used a typosquat Reply-To domain and a hidden HTML mailto mismatch to impersonate a steel distributor's credit manager. |