It is a specific kind of bold to impersonate a company and send the phishing email to one of that company's own employees. Bolder still to route the payload through Microsoft infrastructure so the link looks clean on every reputation check. That is what happened on May 29, 2026, when an IRONSCALES employee received a voicemail-notification email that displayed the sender name "Ironscales Voicemail" and contained a single button labeled "Listen to Voicemail."
The actual sending address: baraa@loul-fze[.]com.
The Anatomy of a Name-Brand Impersonation
The display name trick is as old as phishing itself, but the execution here showed operational care. The attacker set the From field to baraa@loul-fze[.]com while labeling the sender "Ironscales Voicemail" in the display name. The Reply-To was pointed directly at support@ironscales.com, the genuine IRONSCALES support address. At a glance, the email reads as internal. The voicemail subject line creates mild urgency. The Reply-To lends the contact information apparent authenticity. For a recipient scanning a crowded inbox, the composite reads: a missed voicemail from your company's communication system.
The sending domain loul-fze[.]com was registered via GoDaddy on April 7, 2023, has its MX configured through Outlook, and carries an SPF record, but it has no DKIM and no DMARC policy. On the first hop, when the email originated from 192[.]177[.]111[.]33, a QuadraNet-hosted IP, it produced SPF=FAIL against loul-fze[.]com's own record. Later Microsoft relay hops resolved that to a bestguesspass based on the re-transmission path, which is exactly the kind of authentication ambiguity that SEGs resolve in the sender's favor when every other signal looks clean.
This is phishing operating at the logic layer of email authentication: not faking a trusted sender's domain, but wearing a trusted display name over an unvetted domain, then letting Microsoft's relay infrastructure launder the authentication verdict upstream.
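The header pattern described above can be checked mechanically. The following is an added example, not code from the article and not IRONSCALES's detection logic; the brand token, the brand-domain allow list, the signal names and the sample message (including its relay hostnames) are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

BRAND = "ironscales"                # protected brand token (assumption)
BRAND_DOMAINS = {"ironscales.com"}  # domains entitled to use it (assumption)

# Constructed message modelled on the article: relay hostnames and layout are
# invented, verdict strings follow the article's description of the hops.
SAMPLE = """\
Authentication-Results: relay2.example.net; spf=bestguesspass
Authentication-Results: relay1.example.net; spf=fail smtp.mailfrom=loul-fze[.]com
From: "Ironscales Voicemail" <baraa@loul-fze[.]com>
Reply-To: support@ironscales[.]com
Subject: New voicemail

Listen to Voicemail
"""

def domain_of(header_value):
    """Lower-cased domain of the address in a From/Reply-To style header."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def is_brand_domain(domain):
    return any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS)

def header_signals(raw):
    msg = message_from_string(raw.replace("[.]", "."))  # refang before parsing
    display = parseaddr(msg.get("From", ""))[0].lower()
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    # Relays prepend their headers, so reversing lists the oldest hop first.
    hops = reversed(msg.get_all("Authentication-Results") or [])
    spf = [m.group(1).lower() for m in (re.search(r"\bspf=(\w+)", h) for h in hops) if m]
    signals = set()
    if BRAND in display and not is_brand_domain(from_dom):
        signals.add("brand_display_name_on_foreign_domain")
    if is_brand_domain(reply_dom) and not is_brand_domain(from_dom):
        signals.add("reply_to_points_at_brand")
    if "fail" in spf and spf[-1] != "fail":
        signals.add("spf_fail_masked_by_later_hop")
    if msg.get("DKIM-Signature") is None:
        signals.add("no_dkim_signature")
    return signals

if __name__ == "__main__":
    print(sorted(header_signals(SAMPLE)))
```

None of these signals is conclusive alone; the value is in scoring them together, since each one also occurs in legitimate mail.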
The Payload That Lived in Azure
The CTA button, "Listen to Voicemail," pointed to hxxps://public-eur[.]mkt[.]dynamics[.]com/api/orgs/92b90b2c-3d59-f111-b7ac-000d3ab5d46f/r/aGfTGL5a2EuWOpgKKpMCAAMAAAA.
That URL belongs to Microsoft Dynamics 365 Marketing, an Azure-backed marketing platform that uses public-eur.mkt.dynamics.com as its link-tracking and redirect infrastructure. The URL returned HTTP 200 and presented a CAPTCHA verification gate. Reputation engines that evaluate destination URLs see a Microsoft domain with a valid certificate. They have no basis to flag it. The CAPTCHA gate adds a further layer: automated sandboxes cannot click through it, so even tools that fetch the destination URL fail to observe the actual phishing page behind it.
The Microsoft Digital Defense Report 2024 documents the pattern explicitly: attackers routing attacks through legitimate Microsoft services to inherit their reputation. public-eur.mkt.dynamics.com has appeared in multiple 2026 phishing campaigns as a redirect and link-tracking endpoint for this exact reason. The attackers did not compromise Dynamics. They used it as designed, to host and track link clicks, then redirected the click to a credential-capture page behind a human-verification gate.
MITRE ATT&CK T1102 (web service abuse) covers this precisely. T1566.002 maps the spear phishing link delivery. T1656 covers the IRONSCALES brand impersonation.
The Calendar Invite: A Second Nudge
Attached to the email was an invite.ics calendar file. The organizer was set to voicemessage@ironscales.com, a spoofed address. The summary read "Urgent Meeting: Ironscales." The location: Microsoft Teams. The method: REQUEST, which means it would pop into the calendar as an invitation requiring a response.
The calendar file contained no payload. Its function was social: a follow-up lure designed to create a second touch point if the recipient dismissed the voicemail email. Decline the voicemail notification, and your calendar still shows an urgent Teams meeting from "Ironscales." The attacker built in redundancy.
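An attachment like the invite.ics described above can be triaged by comparing its organizer with the address that actually sent the mail. This is an added example, not code from the article or from IRONSCALES; the sample file is constructed from the values the article reports, and the UID, the quoted CN parameter, the line folding and the signal names are assumptions chosen to exercise the parser.

```python
import re

WANTED = {"METHOD", "ORGANIZER", "SUMMARY", "LOCATION"}
# name, optional ;param=value pairs (values may be quoted and contain ':'), then the value
PROP = re.compile(r'^([A-Za-z0-9-]+)((?:;[^=;:]+=(?:"[^"]*"|[^;:]*))*):(.*)$')

# Constructed invite.ics; the SUMMARY is folded across two lines as RFC 5545 allows.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "METHOD:REQUEST\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:constructed-0001@example.invalid\r\n"
    'ORGANIZER;CN="Ironscales: Voicemail":mailto:voicemessage@ironscales[.]com\r\n'
    "SUMMARY:Urgent Meeting: Iron\r\n"
    " scales\r\n"
    "LOCATION:Microsoft Teams\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

def parse_invite(text):
    """Return the first METHOD/ORGANIZER/SUMMARY/LOCATION values of an iCalendar file."""
    # Refang, then unfold: a line break followed by space or tab continues the line.
    unfolded = re.sub(r"\r?\n[ \t]", "", text.replace("[.]", "."))
    props = {}
    for line in unfolded.splitlines():
        m = PROP.match(line)
        if m and m.group(1).upper() in WANTED:
            props.setdefault(m.group(1).upper(), m.group(3).strip())
    return props

def invite_signals(ics_text, mail_from_domain):
    """Compare the invite's organizer with the domain of the mail's From address."""
    p = parse_invite(ics_text)
    organizer = re.sub(r"(?i)^mailto:", "", p.get("ORGANIZER", ""))
    org_domain = organizer.rpartition("@")[2].lower() if "@" in organizer else ""
    sender = mail_from_domain.replace("[.]", ".").lower()
    signals = set()
    if org_domain and org_domain != sender:
        signals.add("organizer_domain_differs_from_sender")
        if p.get("METHOD", "").upper() == "REQUEST":
            signals.add("mismatched_invite_prompts_for_response")
    if re.search(r"\burgent\b", p.get("SUMMARY", ""), re.I):
        signals.add("urgency_in_summary")
    return signals

if __name__ == "__main__":
    print(parse_invite(SAMPLE_ICS))
    print(sorted(invite_signals(SAMPLE_ICS, "loul-fze[.]com")))
```

Forwarded invites and third-party scheduling services also produce an organizer that differs from the sender, so the mismatch is a weighting signal rather than a verdict.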
The body of the email itself showed signs of template stitching: a law-firm confidentiality paragraph at the bottom, and what appeared to be a forwarded thread in French and German, both unrelated to a voicemail notification. This kind of structural incoherence is a hallmark of reused phishing infrastructure assembled from multiple templates.
The Verizon DBIR 2026 and the Platform-Abuse Problem
The Verizon DBIR 2026 reports that 62% of breaches involve the human element and that phishing accounts for 16% of initial access events. But those aggregates do not capture how the attack surface has changed. When an attacker can route a phishing payload through Microsoft Dynamics and present a Microsoft-hosted URL as the destination, the traditional model of "check the link's reputation" breaks down structurally.
The FBI IC3 2024 Annual Report ties this to real financial harm: credential theft from corporate environments is the primary enabler of business email compromise, which drove $2.77 billion in reported losses in 2024 alone. Impersonation attacks targeting VIP recipients, as Themis flagged here based on the recipient's role as VP of Finance, consistently show up in the highest-severity incident clusters.
How Detection Landed
The email was quarantined within three minutes. Not because the URL was known-bad. Not because authentication failed on the final hop. Because the IRONSCALES adaptive AI evaluated the combination of signals that no individual check would have caught: a brand impersonation display name over a mismatched sending domain, an absent DKIM signature, a Reply-To redirect to the real support address, a first-contact sender, and a Dynamics-hosted payload with a CAPTCHA gate that suggested deliberate sandbox evasion.
Themis classified the recipient as a VIP, noted the phishing content signals from email structure analysis, and flagged the case for review. The IRONSCALES AI platform applies behavioral modeling that treats the composite of sender novelty, authentication gaps, and brand-context mismatch as a meaningful risk signal, independent of whether any single element would fail a reputation check.
The CISA guidance at https://www.cisa.gov/secure-our-world/recognize-and-report-phishing advises verifying unexpected communications through known-good contact channels. For a voicemail notification from "your own company," that verification step is the only layer that stands between a convincing lure and a compromised credential.
Defanged IOC Table
| Type | Indicator | Context |
|---|---|---|
| Sender domain | loul-fze[.]com | Actual sending domain; no DKIM, no DMARC; registered GoDaddy 2023-04-07 |
| Sender email | baraa@loul-fze[.]com | From address behind "Ironscales Voicemail" display name |
| Sending IP | 192[.]177[.]111[.]33 | QuadraNet-hosted IP; SPF=FAIL on first hop |
| Phishing URL | hxxps://public-eur[.]mkt[.]dynamics[.]com/api/orgs/92b90b2c-3d59-f111-b7ac-000d3ab5d46f/r/aGfTGL5a2EuWOpgKKpMCAAMAAAA | "Listen to Voicemail" CTA; Azure-backed; returned HTTP 200 with CAPTCHA gate |
| Spoofed Reply-To | support@ironscales[.]com | Legitimate IRONSCALES support address used to add apparent authenticity |
| Calendar organizer | voicemessage@ironscales[.]com | Spoofed organizer in attached invite.ics |
---
There is something clarifying about receiving a phishing attack that wears your own company's name. Every defender runs tabletop exercises imagining how an attacker might target their organization. This one skipped the imagination step. The lure was IRONSCALES. The target was an IRONSCALES employee. The payload traveled through Microsoft. The IBM Cost of a Data Breach 2024 puts mean time to identify a breach at 194 days. Detection in three minutes is what the gap between those numbers looks like in practice.
Related attacks
| Attack | What happened |
|---|---|
| The Partner Invite That Used the Wrong Sending Domain | A calendar invite appeared to be from an IRONSCALES employee arranging an ANZ distribution call. |
| Salesforce Pardot Infrastructure Weaponized in Fabricated-Thread CRM Consulting Phish | A phishing campaign abused Salesforce Pardot and ExactTarget infrastructure to deliver a fabricated-thread CRM consulting lure with full SPF, DKIM. |
| The Benefits Handbook That Came With a Marketing Footer: Homoglyph Domain Meets ESP Abuse | An attacker registered a homoglyph domain (zero replacing the letter O), routed an HR benefits announcement through MailerLite. |
| Asana Platform Abuse: Authenticated Amazon SES Delivery for a Fake Meta Workspace Invite | An attacker created an Asana workspace and sent an invitation claiming to be from Meta. |
| The SharePoint Notification That Came From a Tenant Nobody Owns | A SharePoint share notification passed SPF, DKIM, and DMARC. |