The display name read "Vantage via D0cuSign." The zero replacing the letter O in DocuSign was the quietest part of this attack, and in some ways the least important. Behind that single homoglyph sat four unrelated domains, a Mailchimp redirect, an ICS calendar file, and a CDR relay that overrode every authentication failure to deliver the message clean.
The from address belonged to a food supply company: account@yshfoodsupply[.]com. The return-path pointed to an Estonian business domain: postmaster@hansabusad[.]com. The reply-to went to the real bank being impersonated: support@vantage[.]bank. A fourth domain, candybreak[.]net, appeared in the X-Relaying-Domain header.
SPF returned none. DKIM returned none. DMARC returned none. CompAuth returned none with reason=405. By every authentication standard, this message should have been rejected or quarantined. Instead, it was delivered with SCL=-1.
The reason: the message transited a Votiro CDR relay at 44[.]206[.]213[.]130. That relay was on the recipient organization's allow-list. When a message passes through an allow-listed relay, the gateway trusts the relay's judgment and suppresses its own authentication verdict. The allow-list converted total authentication failure into unconditional delivery.
The email carried two attachments. The first was invite.ics, a 580-byte calendar file designed to plant a persistent event on the recipient's calendar. Even if the recipient deletes the email, the calendar entry can survive with attacker-controlled content, links, and reminder notifications.
The second was document.png, a 339KB file served with a JPEG content type despite the PNG extension. This MIME type mismatch is a minor evasion technique: some attachment scanners make filtering decisions based on the declared content type rather than the actual file signature.
The primary CTA, labeled "Review Document," routed through us[.]list-manage[.]com, a Mailchimp redirect domain. The email also contained blocks referencing multiple financial brands and a survey platform, creating multi-brand confusion that makes it harder for recipients to determine which organization actually sent the message.
See Your Risk: Calculate how many threats your SEG is missing
Themis scored the message at 66% confidence and flagged the recipient as a VIP. One mailbox was quarantined. The X-Mailer header claimed iPhone Mail (18E212), suggesting a casual mobile send, but the relay chain and multi-domain infrastructure contradicted that claim entirely.
The detection surface here was not authentication (which returned nothing useful) but structural. Detecting phishing like this requires looking at four mismatched domains, a homoglyph in the display name, a CTA routing through a marketing platform, and a calendar file bundled with an image attachment. Each element in isolation might be explainable. Together, they form a pattern that behavioral analysis can act on even when authentication cannot.
Audit CDR relay allow-lists and evaluate whether messages transiting those relays should inherit blanket trust or still undergo authentication checks. Three or more unrelated domains in From, Return-Path, and Reply-To fields is a high-confidence indicator regardless of the SCL score. Inspect display names character by character. A zero in "D0cuSign" is invisible at reading speed.
| Type | Indicator | Context |
|---|---|---|
| From Address | account@yshfoodsupply[.]com | Food supply company domain (sender) |
| Return-Path | postmaster@hansabusad[.]com | Estonian business domain (bounce handling) |
| Reply-To | support@vantage[.]bank | Real bank being impersonated |
| Relaying Domain | candybreak[.]net | X-Relaying-Domain header |
| CDR Relay IP | 44[.]206[.]213[.]130 | Votiro CDR relay (allow-listed) |
| Gmail Relay IP | 209[.]85[.]218[.]98 | Gmail infrastructure in relay chain |
| CTA Domain | us[.]list-manage[.]com | Mailchimp redirect for "Review Document" |
| Attachment | invite.ics (580 bytes) | Calendar invite file |
| Attachment | document.png (339KB, image/jpeg) | MIME type mismatch (JPEG served as PNG) |
| Display Name | Vantage via D0cuSign | Zero-for-O homoglyph in DocuSign |
| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Attachment | T1566.001 | ICS calendar invite and image attachment as payload components |
| Phishing: Spearphishing Link | T1566.002 | Mailchimp redirect CTA to credential harvesting |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Homoglyph substitution in DocuSign display name |
| User Execution: Malicious Link | T1204.001 | "Review Document" CTA requiring recipient click-through |
| Attack | What happened |
|---|---|
| The Subdomain That Fused Two Trusted Brands Into One Convincing Lie | Attackers fused two real brand names into a single subdomain, routed the message through Zix infrastructure to inherit enterprise authentication. |
| When 'Release from Quarantine' Is the Attack | A fake quarantine digest weaponized email security workflows, embedding JWT tokens in 'Allow' and 'Manage' buttons while masking one link's true... |
| The Law Firm Document That Linked to a Cleaning Company | A fully authenticated email from a UAE law firm domain delivered a document-signing lure where the CTA button linked to a US cleaning company's subdomain. |
| The Email That Passed Every Security Check (Because Adobe Sent It) | A phishing campaign targeting school district staff used Adobe's own sending infrastructure, real DKIM signatures. |
| When the Sender Domain Is Also the Phishing Kit Host: Dual-Purpose Domain Compromise | An attacker compromised a legitimate manufacturing company domain and used it two ways at once: as the authenticated sending address and as the host for... |