Gateway-Rewritten Links Flagged Malicious Inside a Law Firm Email With No DKIM

TL;DR: A message appearing to come from a law firm attorney carried professional body text and a corporate signature with an award badge. The sender domain (a long-established professional-services domain, name withheld) lacked DKIM and ran DMARC at p=none, meaning no cryptographic proof of authorship and no enforcement if spoofed. Two links in the message were rewritten by a gateway through url.emailprotection.link proxies. Both proxied links were scored malicious. Multiple mailboxes were quarantined across a multi-day window.
Severity: High
Tags: Business-Email-Compromise, Invoice-Fraud, Phishing
MITRE ATT&CK: T1566.001, T1071.003, T1656

The message body read like a professional legal communication. It included contract language excerpts, a request to "call me later today to discuss," a corporate footer with award badges, and links to the sender's bio at what appeared to be a law firm website. There was nothing in the text that said "send money" or "change bank details." What it carried instead was a weak authentication posture and two gateway-rewritten links that independently resolved as malicious.

The sender domain, a long-established professional-services domain (name withheld), was registered more than two decades ago. WHOIS shows no red flags in its registration history. SPF passed through a Mimecast relay authorized for the domain. But DKIM was absent from the delivered headers, and the domain's DMARC policy was set to p=none. That combination provides SPF relay authorization without any cryptographic proof that the message originated from an authorized employee's mailbox, and zero enforcement action if alignment fails.

Two of the links in the message were wrapped by a link-rewriting gateway through url[.]emailprotection[.]link. Both were scored malicious.

What url.emailprotection.link Wrapping Reveals

The url[.]emailprotection[.]link proxy is a link-safety service that rewrites URLs at delivery time and inspects destinations on click. When a gateway scores a proxied link as malicious, it means the resolved destination (the URL hidden behind the proxy wrapper) matched threat-intelligence indicators.

This case produced two independent malicious verdicts on proxied links that were displayed as a website URL and an attorney bio link in the message. The underlying destinations that generated those verdicts were not recovered for this analysis. What the verdicts confirm is that at least two links in this professionally styled message pointed toward attacker-controlled infrastructure.

URL rewriting as a defense mechanism is specifically designed to surface this class of threat: destinations that appear legitimate in display text but resolve to malicious hosts. The display text here showed www.katzteller.com for one link and Bio for the other, familiar-looking references that would not raise alarm on a visual scan of the message body. The proxy inspection layer saw through the display text to the actual resolved destination.

MITRE ATT&CK T1566.001 covers spearphishing via link. T1071.003 (application-layer protocol: mail protocols) applies to BEC delivery vectors. T1656 applies to the impersonation of a professional identity throughout the message.

Authentication Gaps Enable the Delivery

DMARC p=none means the domain has acknowledged email authentication exists but has not enabled enforcement. For a domain that has operated for more than two decades, remaining at p=none is an operational oversight that leaves every inbound recipient of messages from that domain exposed to abuse with no enforcement backstop.

The absence of DKIM amplifies this exposure. SPF confirms that the Mimecast relay server was authorized to send for the domain. It does not confirm that any specific employee account originated the message, and it provides no tamper evidence for the message body or headers. Invoice fraud and business email compromise campaigns specifically target authentication-weak domains because lookalike or compromised-account delivery is easier to sustain when the spoofed domain's owners have not hardened their posture.


The High-Risk Sender Signal

The incident records the sender as carrying a risk_level: high flag at the time of delivery. That flag surfaces from IRONSCALES behavioral signals: the combination of external sender, absent DKIM, DMARC non-enforcement, and link verdicts that diverged from their display text.

The message's professional veneer (contract language, legal sign-off tone, award imagery in the footer) is consistent with business email compromise staging. BEC campaigns frequently establish credibility through one or more professional-looking messages before making a payment or wire-transfer request. This message fits that pattern: a thread-entry posture that builds familiarity before a potential follow-on demand.

Multiple recipient mailboxes were quarantined across a several-day mitigation window, indicating the campaign delivered to more than one address in the organization. The multi-recipient pattern is consistent with an attacker who surveyed an organization's contact list and targeted several individuals likely to interact with the impersonated firm.

For organizations assessing their exposure to this attack class, the key surface areas are authentication enforcement (moving DMARC from p=none to p=quarantine or p=reject) and inbound link-inspection coverage that evaluates resolved destinations rather than relying on display text alone.
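The two signal classes this post walks through, the display-text-versus-destination gap behind the rewritten links and the SPF-pass/DKIM-none/p=none posture, can be turned into a small triage check. The following is an added example, not code from the original post or from any vendor's product; it assumes a constructed message whose Authentication-Results header records the evaluated DMARC policy in a comment (as some receivers do) and uses placeholder TOKEN values in the rewritten URLs.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample modelled on the case, not the real message: SPF pass via a relay,
# no DKIM, DMARC under p=none, rewritten anchors whose text differs from the href host.
SAMPLE_EML = """From: attorney@lawfirm.example
To: ap@victim.example
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=lawfirm.example; dkim=none; dmarc=pass (p=none) header.from=lawfirm.example
Content-Type: text/html

<html><body><p>Please <a href="https://url.emailprotection.link/?TOKEN1">call me later today</a></p>
<p><a href="https://url.emailprotection.link/?TOKEN2">www.katzteller.com</a> |
<a href="https://url.emailprotection.link/?TOKEN3">Bio</a></p></body></html>
"""
# Minimal anchor matcher for simple HTML bodies (not a full HTML parser).
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.S | re.I)

def parse_auth_results(msg):
    """Pull spf/dkim/dmarc verdicts and the evaluated DMARC policy out of Authentication-Results."""
    ar = str(msg.get("Authentication-Results", ""))
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar))
    pol = re.search(r"\(p=(\w+)\)", ar)
    results["dmarc_policy"] = pol.group(1) if pol else "unknown"
    return results

def display_host_mismatches(html):
    """Anchors whose display text looks like a hostname but differs from the href host.
    Plain text such as "Bio" cannot be judged this way; only destination inspection can."""
    out = []
    for href, text in ANCHOR_RE.findall(html):
        text, host = text.strip().lower(), (urlparse(href).hostname or "").lower()
        if "." in text and " " not in text and text != host:
            out.append((text, host))
    return out

def assess(raw):
    """Combine the authentication posture and link signals into a risk verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = parse_auth_results(msg)
    body = msg.get_body(preferencelist=("html",)).get_content()
    flags = []
    if str(msg["From"]).rsplit("@", 1)[-1] != str(msg["To"]).rsplit("@", 1)[-1]: flags.append("external_sender")
    if auth.get("dkim") != "pass": flags.append("dkim_absent")
    if auth.get("dmarc_policy") == "none": flags.append("dmarc_no_enforcement")
    mismatches = display_host_mismatches(body)
    if mismatches: flags.append("link_display_mismatch")
    return {"auth": auth, "mismatches": mismatches, "flags": flags,
            "risk": "high" if len(flags) >= 3 else "low"}
```

On the sample, the firm-website anchor is flagged because its visible text names one host while the href points at the rewriting proxy; the "Bio" anchor is only caught by the gateway's click-time destination verdict, which this offline check cannot reproduce.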

Indicators of Compromise

| Type | Indicator | Context |
| --- | --- | --- |
| Sender domain | Long-established professional-services domain, name withheld | DKIM absent; DMARC p=none; SPF pass via Mimecast relay |
| Malicious link (proxied) | hxxps://url[.]emailprotection[.]link/?bXVY5ha1EzUIGC4x-... | Display text showed attorney bio link; resolved destination scored malicious |
| Malicious link (proxied) | hxxps://url[.]emailprotection[.]link/?bFtQv3yGqxU177s3N... | Display text showed firm website URL; resolved destination scored malicious |
| Authentication result | SPF=pass; DKIM=none; DMARC=pass (p=none, no enforcement) | No cryptographic body integrity; enforcement disabled |
| Attachment | image002.png (29,812 bytes, MD5: 4c10f954756fc102a20552f371d4f2e2) | Award badge; scanned clean; no payload |

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
