The email said "LEGAL Department (vantagebank[.]com)" shared an "AgingReport" on Dropbox. The From address was legal@smleather[.]com. The link went to neither domain. And the inline security tool that was supposed to protect the recipient destroyed the authentication results that every downstream filter depends on to make a trust decision.
This credential harvesting campaign exploited a gap that most security stacks never account for: what happens when your own Content Disarm and Reconstruction (CDR) tool breaks email authentication in transit.
At the Amazon SES sending hop (IP 54[.]240[.]48[.]119), the message had clean authentication. SPF passed for smleather[.]com. DKIM passed with a valid signature whose d= domain was the same domain. DMARC passed, because it had an aligned pass from both identifiers.
Then the message hit the Votiro CDR relay at votiro-relay1[.]prod[.]votiro[.]com (IP 44[.]206[.]213[.]130). Votiro sanitized the content, modifying the message body in transit. The DKIM body hash no longer matched, so the signature failed verification at the next hop. SPF failed at that hop too, because the relay connected from its own IP, which is not authorized in smleather[.]com's SPF record. DMARC needs at least one aligned pass from SPF or DKIM; with neither left, it failed and returned an action=oreject disposition (Microsoft 365's notation for a DMARC reject verdict that tenant settings overrode rather than enforced).
The CDR tool did its job on the content. In the process, it stripped the authentication markers that downstream filters use to make trust decisions. A relay that rewrites message bodies has to preserve the trust it destroys, either by DKIM-signing the modified message itself or by sealing the original results with ARC (RFC 8617); without that, every hop after it sees nothing but failures.
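To make the mechanism concrete, here is an added example (not code from the original analysis) that re-enacts the two hops above with constructed data. It recomputes the DKIM body hash (the bh= tag) over the body as sent and over a body a sanitizing relay might forward, and then runs the DMARC alignment rule at each hop. Domains, IPs and the message text are placeholders standing in for the sender, the ESP hop and the CDR relay, and the two-label "organizational domain" helper is a simplification of what the Public Suffix List would give.

```python
"""Added example, not part of the original analysis: why a body rewrite by an
in-line relay breaks DKIM, and why DMARC then fails even though the same
message authenticated cleanly one hop earlier.

All data below is constructed. Domains and IPs are placeholders standing in
for the sending domain, the ESP hop and the CDR relay; the DKIM signature is
reduced to its body-hash (bh=) component, which is the part a body rewrite
invalidates.
"""
import base64
import hashlib
import hmac

# Constructed sample body as delivered from the first hop.
ORIGINAL_BODY = (
    'LEGAL Department shared "AgingReport" with you.\r\n'
    "\r\n"
    '<a href="https://tracking.example/L0/https%3A%2F%2Fdropbox.attacker.example%2F">'
    "View on Dropbox</a>\r\n"
)

# What a content-sanitizing relay might forward: same text, link rewritten.
SANITIZED_BODY = ORIGINAL_BODY.replace(
    "https://tracking.example/L0/https%3A%2F%2Fdropbox.attacker.example%2F",
    "https://cdr-relay.example/safe?u=12345",
)


def canonicalize_body_simple(body: str) -> bytes:
    """RFC 6376 'simple' body canonicalization: CRLF line endings, trailing
    empty lines removed, exactly one terminating CRLF (an empty body becomes
    a lone CRLF)."""
    crlf = body.replace("\r\n", "\n").replace("\n", "\r\n")
    return (crlf.rstrip("\r\n") + "\r\n").encode()


def dkim_body_hash(body: str) -> str:
    """Value of the bh= tag: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body_simple(body)).digest()
    return base64.b64encode(digest).decode()


def dkim_body_hash_verifies(received_body: str, bh_tag: str) -> bool:
    """A verifier recomputes bh= over the body it actually received. Because
    the b= signature covers the bh= tag, a mismatch fails the whole signature;
    no key material is needed to see the failure."""
    return hmac.compare_digest(dkim_body_hash(received_body), bh_tag)


def organizational_domain(domain: str) -> str:
    """Relaxed-alignment comparison domain. Assumption for this example: the
    registrable domain is the last two labels. Real code must consult the
    Public Suffix List (co.uk, com.au, ...)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dmarc_result(from_domain, spf, spf_domain, dkim, dkim_domain, policy="reject"):
    """RFC 7489: DMARC passes when SPF or DKIM passes AND that identifier
    aligns with the RFC5322.From domain. Otherwise the published policy
    (none / quarantine / reject) is the disposition."""
    from_org = organizational_domain(from_domain)
    spf_aligned = spf == "pass" and organizational_domain(spf_domain) == from_org
    dkim_aligned = dkim == "pass" and organizational_domain(dkim_domain) == from_org
    return "pass" if (spf_aligned or dkim_aligned) else policy


def authenticate_at_hop(body, bh_tag, from_domain, connecting_ip, spf_authorized_ips):
    """One receiving hop's view. MAIL FROM and the DKIM d= are the From domain
    here, i.e. the message was properly aligned when it left the sender."""
    spf = "pass" if connecting_ip in spf_authorized_ips else "fail"
    dkim = "pass" if dkim_body_hash_verifies(body, bh_tag) else "fail"
    return {"spf": spf, "dkim": dkim,
            "dmarc": dmarc_result(from_domain, spf, from_domain, dkim, from_domain)}


def trace_relay_chain():
    """Re-enacts the two hops from the write-up with the constructed data."""
    sender_domain = "sender.example"
    esp_ip, relay_ip = "192.0.2.10", "198.51.100.20"   # constructed addresses
    spf_authorized = {esp_ip}                           # only the ESP is in the SPF record
    bh_tag = dkim_body_hash(ORIGINAL_BODY)              # computed by the signer at send time

    at_esp = authenticate_at_hop(ORIGINAL_BODY, bh_tag, sender_domain, esp_ip, spf_authorized)
    # The relay forwards from its own IP with a rewritten body and no new signature.
    after_relay = authenticate_at_hop(SANITIZED_BODY, bh_tag, sender_domain, relay_ip, spf_authorized)
    return {"at_esp_hop": at_esp, "after_cdr_relay": after_relay}


if __name__ == "__main__":
    for hop, result in trace_relay_chain().items():
        print(f"{hop:16s} spf={result['spf']} dkim={result['dkim']} dmarc={result['dmarc']}")
```

The first hop returns pass/pass/pass and the post-relay hop returns fail/fail/reject, purely because the body bytes changed and the connecting IP moved. An intermediary that wants to avoid this has to add its own DKIM signature over the rewritten body or ARC-seal the results it observed before rewriting; neither is modelled here.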
The "View on Dropbox" CTA did not link to Dropbox. It routed through awstrack[.]me, Amazon's legitimate SES click-tracking service, before landing on dropbox[.]traunitz[.]com. That is a classic brand subdomain impersonation pattern: placing "dropbox" as a subdomain on an attacker-controlled domain, fronted by Cloudflare.
At scan time, the landing page returned a 404. This is consistent with time-gated credential harvesting pages that activate only for targeted recipients, then disappear.
With authentication destroyed by the CDR relay, the only remaining detection surface was behavioral. The sender domain (smleather[.]com) had no relationship to the claimed brand (Dropbox) or the referenced organization (vantagebank[.]com). The sender was contacting the recipient for the first time.
Adaptive AI identified the sender-content mismatch and first-time sender signal, flagging the message despite the ambiguous authentication results.
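The redirect chain and the behavioral mismatches above can be checked offline. The following is an added example, not code from the original analysis or from any vendor product: it peels a click-tracking wrapper to find the real landing host, flags a brand keyword used as a subdomain of an unrelated registrable domain, and compares the sender domain against the brand and the organization named in the display name. Assumed, not verified here: the tracker layout (destination URL percent-encoded inside a path segment or query value, the shape SES-style trackers use), a two-label registrable domain in place of the Public Suffix List, and a brand-to-domain map. All names and URLs are constructed.

```python
"""Added example, not part of the original analysis: offline triage of the
behavioural signals the write-up falls back on once authentication is
useless: a brand name used as a subdomain of an unrelated registrable domain
behind a click-tracking redirect, and a sender domain that matches neither
the brand nor the organisation named in the display name.

Assumptions: the tracking-redirect layout (destination URL percent-encoded
inside a path segment or query value) and a two-label registrable domain.
Every name and URL below is constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlparse

# Assumption: brand keyword -> registrable domains that legitimately carry it.
BRAND_DOMAINS = {"dropbox": {"dropbox.com"}}
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b")


def registrable_domain(host: str) -> str:
    """Last two labels; real code must use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def unwrap_redirect(url: str) -> str:
    """Return the destination carried inside one layer of tracking redirect,
    or the URL unchanged if no embedded http(s) URL is found."""
    parsed = urlparse(url)
    candidates = [unquote(seg) for seg in parsed.path.split("/")]
    for values in parse_qs(parsed.query).values():
        candidates.extend(values)
    for candidate in candidates:
        if re.match(r"https?://", candidate, re.I):
            return candidate
    return url


def resolve_chain(url: str, max_hops: int = 5) -> list:
    """Peel nested wrappers without touching the network (server-side 302s
    that carry no destination in the URL are out of scope)."""
    chain = [url]
    for _ in range(max_hops):
        nxt = unwrap_redirect(chain[-1])
        if nxt == chain[-1]:
            break
        chain.append(nxt)
    return chain


def brand_impersonation(host: str) -> list:
    """Flag a brand keyword in the subdomain labels of a domain the brand does
    not own (dropbox.attacker.example), but not on the brand's own hosts
    (www.dropbox.com)."""
    host = host.lower()
    reg = registrable_domain(host)
    sub_labels = host.split(".")[:-2]
    return [
        f"brand '{brand}' used as a subdomain label of unrelated domain {reg}"
        for brand, legit in BRAND_DOMAINS.items()
        if reg not in legit and any(brand in label for label in sub_labels)
    ]


def triage(from_addr, display_name, cta_text, link_url, known_sender_domains=frozenset()):
    """Combine the link-chain and sender-content checks into one finding list."""
    chain = resolve_chain(link_url)
    final_host = urlparse(chain[-1]).hostname or ""
    findings = brand_impersonation(final_host)

    sender_dom = registrable_domain(from_addr.rsplit("@", 1)[-1])
    claimed = " ".join([display_name, cta_text]).lower()
    # Brand named in the display name or button text but not in the sender domain.
    for brand, legit in BRAND_DOMAINS.items():
        if brand in claimed and sender_dom not in legit:
            findings.append(f"'{brand}' claimed in text but sender domain is {sender_dom}")
    # Organisation named in the display name that is not the sender domain.
    for org in DOMAIN_RE.findall(display_name.lower()):
        if registrable_domain(org) != sender_dom:
            findings.append(f"display name references {org} but sender domain is {sender_dom}")
    # First-contact signal: needs the recipient's sender history as input.
    if sender_dom not in known_sender_domains:
        findings.append(f"first contact from {sender_dom}")
    return {"chain": chain, "final_host": final_host, "findings": findings}


def triage_constructed_sample():
    """Constructed stand-in for the message shape described in the write-up."""
    return triage(
        from_addr="legal@sender.example",
        display_name="LEGAL Department (claimedbank.example)",
        cta_text="View on Dropbox",
        link_url="https://r.us-east-1.tracking.example/CL0/"
                 "https:%2F%2Fdropbox.attacker.example%2Fshare%2Fabc/1/010001/Ab=1",
        known_sender_domains=frozenset({"partner.example"}),
    )


if __name__ == "__main__":
    for finding in triage_constructed_sample()["findings"]:
        print("-", finding)
```

On the constructed sample this yields four findings: the brand-as-subdomain landing host, the Dropbox claim from a non-Dropbox sender, the display-name organization that does not match the sender domain, and first contact. Each one is independent of SPF, DKIM or DMARC state, which is the point: they survive an intermediary that the authentication results do not.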
| Type | Indicator | Context |
|---|---|---|
| Sender Email | legal@smleather[.]com | Sender address, Amazon SES origin |
| Sending IP | 54[.]240[.]48[.]119 | Amazon SES infrastructure |
| CDR Relay | votiro-relay1[.]prod[.]votiro[.]com | Votiro CDR that broke authentication |
| CDR Relay IP | 44[.]206[.]213[.]130 | Votiro relay IP |
| Redirect | awstrack[.]me | Amazon SES click-tracking redirect |
| Credential Harvest | dropbox[.]traunitz[.]com | Brand subdomain, Cloudflare-fronted |

| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | Delivery via embedded redirect chain |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Dropbox brand impersonation via subdomain |
| Acquire Infrastructure: Domains | T1583.001 | Registration of the attacker-controlled parent domain |