The Name You Trust, the Domain You've Never Seen: A Photo Lure That Passed Every Auth Check

TL;DR An attacker sent a curiosity-driven phishing email that displayed the name of a trusted colleague while actually originating from an unrelated external domain, noreply@unrelated-domain[.]es. The message authenticated cleanly through SPF, DKIM, and DMARC, yet it carried one unfamiliar link pointing to a domain registered that same morning behind WHOIS privacy. The lure was simple: a short personal note offering two photos. Authentication passed, but the display-name mismatch and the brand-new throwaway domain gave it away, and the platform quarantined the message automatically before anyone clicked the link.
Severity: Medium Impersonation Phishing Credential Theft MITRE: T1566.002 MITRE: T1656

It arrived mid-morning on a Wednesday, and there was nothing alarming about it.

A category buyer at a manufacturing company glanced at his inbox and saw a name he recognized. The subject line read like the continuation of a conversation he half-remembered: a reply about 2026 plans, a reunion, a gathering. The friendly name on the message belonged to someone he knew. The tone was warm and unhurried. Nothing in that first glance asked him to send money, reset a password, or open an invoice.

That is exactly what made it dangerous.

A familiar name, a friendly note

The body was short and personal, the kind of thing a real colleague might dash off between meetings. It downplayed any urgency on purpose. There was no demand, no deadline, no flashing red banner of its own. Just a casual line about not meaning to stir up any memories, followed by an offer to share a couple of photos, and a single link.

Two photos. That was the entire hook.

Curiosity is a quieter lever than fear, and attackers have learned it works just as well. A message that says "your account is suspended" puts a reader on guard. A message that says "just wanted to show you these" invites a reflex click before the analytical part of the brain ever engages.

Underneath that note sat a single unfamiliar link. No filename, no preview, no context about what the photos actually were. Just a raw web address pointing somewhere the recipient had never been.

The mismatch hiding in plain sight

Here is the part most inboxes never surface clearly.

The friendly name said one thing. The actual sending address said another. The display name matched a trusted internal contact, but the message had been sent from noreply@unrelated-domain[.]es, an unrelated external domain with no connection to the colleague it claimed to be.

This is display-name impersonation, mapped in the MITRE ATT&CK framework as spearphishing via service and impersonation. It exploits a design choice baked into nearly every mail client: the friendly name gets the spotlight, and the real address gets tucked away behind a tap or a hover. On a phone, many people never see the address at all. The attacker does not need to forge the trusted person's mailbox. He only needs to borrow their name.

And the technical checks that are supposed to catch spoofing? They all passed.

SPF, the record that lists which servers may send for a domain, returned a pass. DKIM, the cryptographic signature that proves a message was not altered in transit, verified cleanly. DMARC, the policy layer that ties the two together, came back as a pass as well. The composite authentication verdict was pass. By every protocol designed to confirm a sender is who they claim, this email checked out.

That is the trap worth sitting with. Authentication confirms that a message genuinely came from the domain it names. It says nothing about whether that domain belongs to the person whose name is on the envelope, and nothing about whether the content is safe. The sending domain here was a legitimately authenticated third party. The deception lived one layer up, in the human-readable name, exactly where the protocols do not look.

Behind the curtain: a domain born that morning

The link was the second tell, and arguably the louder one.

A WHOIS lookup on the destination domain, eszdgwbtsr[.]com, returned a creation date of June 17, 2026. The email landed in the inbox on June 17, 2026. The domain was hours old. It was registered through a budget registrar, shielded behind a privacy service so the registrant's identity was withheld, and its specific subdomain, sxzqw[.]eszdgwbtsr[.]com, did not even resolve when probed.

Random-looking hostname. Same-day registration. Privacy-protected ownership. No DNS history. No reputation. This is the textbook signature of disposable infrastructure: a domain spun up for one campaign and abandoned before reputation systems can catalog it. A brand-new domain has nothing for a traditional filter to score against.

Defanged indicators from the case:

TypeIndicatorContext
Sending addressnoreply@unrelated-domain[.]esExternal domain whose display name was set to a trusted internal contact
Sending domainunrelated-domain[.]esAuthenticated third-party domain (SPF, DKIM, DMARC pass)
Malicious linkhxxps://sxzqw[.]eszdgwbtsr[.]com/Single "photo" curiosity lure; subdomain returned NXDOMAIN
Throwaway domaineszdgwbtsr[.]comCreated June 17, 2026, same day as delivery; WHOIS privacy enabled

The economics favor the attacker. Verizon's 2026 Data Breach Investigations Report attributes 62% of breaches to the human element, with phishing involved in 16% of initial access. A message built to read as a friendly note from a known name lands squarely on that human element, and a fresh domain keeps the click destination invisible to reputation-based defenses. The FBI's 2024 Internet Crime Report ranks phishing and impersonation among the most reported fraud categories, and Microsoft's 2024 Digital Defense Report documents identity-based deception outpacing malware-based attacks.

The moment it was caught

Authentication passed, so a control that stops at SPF and DKIM would have waved this through. What flagged it was the contradiction those protocols cannot see.

The platform scored the message at a spam confidence level of 5 and routed it to junk. The Adaptive AI engine compared the displayed name against the organization's known contacts and surfaced the conflict directly: the name belonged to a real internal person, but the message originated from an unrelated external domain. Themis, the agentic AI SOC analyst, reached an 82% confidence verdict of phishing, drawing on the language patterns in the body, community reputation signals from similar reported incidents, and the sender mismatch itself. The case was resolved as phishing automatically, before the recipient acted on it. A second employee at the same company received a variant of the lure shortly after, and it was mitigated the same way.

The detection did not hinge on a blocklist or a known-bad signature. There was no signature to find. It hinged on behavior and context: a name that did not match its address, a domain with no past, a vague offer with a single link. That is the layer where this class of phishing actually lives, and it is the layer business email compromise protection is built to watch.

See Your Risk: Calculate how many threats your SEG is missing

What this attack teaches

Read the address, not the name. The friendly name is the most forgeable element of any email, and it is the one your client shows you first. When a familiar name sends something even slightly out of character, expand the header and look at the real address before you do anything else.

Treat curiosity lures with the same caution as urgent ones. "Here are some photos" and "your account is locked" are the same play wearing different costumes. Both want a click before you think.

Weigh domain age as a signal. A link to a domain registered the same day it reached you is not a coincidence worth giving the benefit of the doubt.

And recognize that authentication is a floor, not a ceiling. SPF, DKIM, and DMARC tell you a message is technically legitimate. They do not tell you it is honest. Closing that gap takes detection that reasons about identity and context, reinforced by people trained to pause on the small mismatches, which is why ongoing security awareness training remains one of the highest-leverage controls a team can run.

The name you trust is the easiest thing in the world to borrow. The domain you have never seen is the thing worth checking.

See you next time.

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack. What it looked like, why it worked, and what to do about it.

Related attacks

Attack What happened
The GitLab Alert That Passed Every Filter (Except One Detail Nobody Checked)A GitLab sign-in alert cleared Proofpoint URL Defense and passed SPF/DMARC — then listed a private RFC1918 IP as the sign-in source.
The Phishing Simulation Platform That Powered a Real AttackA salary adjustment lure routed through SendGrid and a Carrd landing page used phishing kit images hosted on a commercial phishing simulation vendor's own...
Microsoft Bookings as a Weapon: When DMARC Says Trust Me and ARC Quietly DisagreesA phishing email sent from bookings.microsoft.com passed every authentication check.
The Timestamp That Gave It Away: Oracle Identity Cloud Phishing Targets K-12 with a Stale TimezoneA phishing email impersonating Oracle Identity Cloud targeted a Florida school district employee.
Fake Bounce Notice With Obfuscated 'Keep My Password' Link Routes Victims to a Webmail Credential-Harvesting PageAttackers spoofed a mailer-daemon bounce notification with zero email authentication, hiding a credential-harvesting link behind obfuscated display text.

Explore More Articles

Say goodbye to Phishing, BEC, and QR code attacks. Our Adaptive AI automatically learns and evolves to keep your employees safe from email attacks.