The message body read like a professional legal communication. It included contract language excerpts, a request to "call me later today to discuss," a corporate footer with award badges, and links to the sender's bio at what appeared to be a law firm website. There was nothing in the text that said "send money" or "change bank details." What it carried instead was a weak authentication posture and two gateway-rewritten links that independently resolved as malicious.
The sender domain, a long-established professional-services domain (name withheld), was registered more than two decades ago, and its WHOIS history shows no red flags. SPF passed through a Mimecast relay authorized for the domain. But no DKIM signature was present in the delivered headers, and the domain's DMARC policy was p=none. That combination lets a receiver confirm only that the Mimecast relay is permitted to send for the domain: without DKIM there is no cryptographic binding of the headers and body to the domain (let alone to a specific employee's mailbox), and a p=none policy asks receivers to take no action when alignment fails. DMARC still reported pass here because the SPF domain aligned with the From domain, which is exactly the situation in which a relay-authorized but unsigned message sails through.
Two of the links in the message were wrapped by a link-rewriting gateway through url[.]emailprotection[.]link. Both were scored malicious.
The url[.]emailprotection[.]link proxy is a link-safety service that rewrites URLs at delivery time and inspects destinations on click. When a gateway scores a proxied link as malicious, it means the resolved destination (the URL hidden behind the proxy wrapper) matched threat-intelligence indicators.
This case produced two independent malicious verdicts on proxied links that were displayed as a website URL and an attorney bio link in the message. The underlying destinations that generated those verdicts were not recovered for this analysis. What the verdicts confirm is that at least two links in this professionally styled message pointed toward attacker-controlled infrastructure.
URL rewriting as a defense mechanism is specifically designed to surface this class of threat: destinations that appear legitimate in display text but resolve to malicious hosts. The display text here showed www.katzteller.com for one link and Bio for the other, familiar-looking references that would not raise alarm on a visual scan of the message body. The proxy inspection layer saw through the display text to the actual resolved destination.
MITRE ATT&CK T1566.002 (Phishing: Spearphishing Link) covers the link-based lure; the sibling T1566.001 is the attachment variant and does not fit, since the only attachment here was a clean image. T1656 (Impersonation) covers the professional identity maintained throughout the message. T1071.003 (Application Layer Protocol: Mail Protocols) is often cited for BEC delivery, but ATT&CK defines it as a command-and-control technique, so it describes the email delivery vector only loosely.
DMARC p=none means the domain has acknowledged email authentication exists but has not enabled enforcement. For a domain that has operated for more than two decades, remaining at p=none is an operational oversight that leaves every inbound recipient of messages from that domain exposed to abuse with no enforcement backstop.
The absence of DKIM amplifies this exposure. SPF confirms only that the Mimecast relay was authorized to send for the envelope-sender domain. It does not confirm that any specific employee account originated the message, and it provides no tamper evidence for the message body or headers. Invoice fraud and business email compromise campaigns specifically target authentication-weak domains because lookalike or compromised-account delivery is easier to sustain when the impersonated domain's owners have not hardened their posture.
The incident records the sender as carrying a risk_level: high flag at the time of delivery. That flag surfaces from IRONSCALES behavioral signals: the combination of external sender, absent DKIM, DMARC non-enforcement, and link verdicts that diverged from their display text.
The message's professional veneer (contract language, legal sign-off tone, award imagery in the footer) is consistent with business email compromise staging. BEC campaigns frequently establish credibility through one or more professional-looking messages before making a payment or wire-transfer request. This message fits that pattern: a thread-entry posture that builds familiarity before a potential follow-on demand.
Copies of the message were quarantined from multiple recipient mailboxes across a several-day mitigation window, so the campaign reached more than one address in the organization. That multi-recipient pattern is consistent with an attacker who surveyed the organization's contact list and targeted several individuals likely to interact with the impersonated firm.
For organizations assessing their exposure to this attack class, the key surface areas are authentication enforcement (moving DMARC from p=none to p=quarantine or p=reject) and inbound link-inspection coverage that evaluates resolved destinations rather than relying on display text alone.
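The triage the preceding sections describe, as an added example that is not IRONSCALES code or the gateway's: read the spf/dkim/dmarc verdicts out of Authentication-Results, check whether the domain's DMARC record actually enforces (p=none beside a hardened p=reject record), and compare each link's display text with its destination rather than trusting the text. The sample message, the DNS TXT records, the proxy hostname `url.emailprotection.example`, the `TOKEN-*` query strings and the gateway-"resolved" destination are all constructed placeholders, and the risk thresholds in `assess` are an assumption.

```python
"""Triage a delivered message's authentication posture and its links. Added example, not
IRONSCALES code; the message, DMARC records, proxy host and "resolved" destination are
constructed placeholders mirroring the case above."""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_REWRITE_PROXIES = {"url.emailprotection.link", "url.emailprotection.example"}  # assumed list

# Constructed DNS TXT answers for _dmarc.<domain> (fetch real ones with `dig +short TXT _dmarc.<domain>`):
# the first is the weak posture in the case, the second the hardened form recommended above.
DMARC_RECORDS = {
    "example-lawfirm.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-lawfirm.test",
    "hardened.test": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@hardened.test",
}

# Constructed message: SPF pass via a relay, no DKIM, DMARC pass only through SPF alignment.
SAMPLE_EMAIL = """\
From: "J. Counsel" <jcounsel@example-lawfirm.test>
Authentication-Results: mx.victim.test; spf=pass smtp.mailfrom=example-lawfirm.test;
 dkim=none; dmarc=pass (p=none) header.from=example-lawfirm.test
Content-Type: text/html; charset="utf-8"

<p>Please review section 4.2 and call me later today to discuss.</p>
<p>Website: <a href="https://url.emailprotection.example/?TOKEN-1">www.example-lawfirm.test</a></p>
<p><a href="https://url.emailprotection.example/?TOKEN-2">Bio</a></p>
"""

URL_LIKE = re.compile(r"^(https?://)?[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}(/\S*)?$", re.I)

class _LinkParser(HTMLParser):
    """Collect (href, display text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def parse_auth_results(msg) -> dict:
    """spf/dkim/dmarc verdicts from Authentication-Results; 'absent' if a method is not reported."""
    header = " ".join(msg.get_all("Authentication-Results", []))
    hits = {m: re.search(rf"\b{m}=(\w+)", header, re.I) for m in ("spf", "dkim", "dmarc")}
    return {m: (hit.group(1).lower() if hit else "absent") for m, hit in hits.items()}

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def dmarc_enforces(record: str) -> bool:
    """True only when the policy asks receivers to act on an alignment failure."""
    tags = parse_dmarc(record)
    return tags.get("v", "").upper() == "DMARC1" and tags.get("p", "none").lower() in {"quarantine", "reject"}

def classify_link(href: str, text: str, resolved: str = None) -> dict:
    """Compare what the recipient saw with where the link goes. `resolved` is the destination the
    gateway reported for a rewritten href; without it a rewritten link cannot be judged yet."""
    href_host = (urlparse(href).hostname or "").lower()
    rewritten = href_host in KNOWN_REWRITE_PROXIES
    dest_host = (urlparse(resolved).hostname or "").lower() if resolved else href_host
    mismatch = False
    if URL_LIKE.match(text):  # display text looks like a URL or hostname, so compare hosts
        shown = text if "://" in text else "http://" + text
        mismatch = (urlparse(shown).hostname or "").lower() != dest_host
    return {"href": href, "text": text, "rewritten": rewritten, "dest_host": dest_host,
            "unwrapped": (not rewritten) or resolved is not None, "text_host_mismatch": mismatch}

def assess(raw: str, dmarc_record: str, resolved: dict = None) -> dict:
    """Combine authentication posture and link findings into a risk level (thresholds assumed)."""
    msg = message_from_string(raw)
    auth = parse_auth_results(msg)
    parser = _LinkParser()
    parser.feed(msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8"))
    reasons = [f"{m}={v}" for m, v in auth.items() if m != "dmarc" and v != "pass"]
    if not dmarc_enforces(dmarc_record):
        reasons.append("dmarc policy p=none or missing: nothing is enforced on alignment failure")
    links = [classify_link(h, t, (resolved or {}).get(h)) for h, t in parser.links]
    for link in links:
        if not link["unwrapped"]:
            reasons.append(f"rewritten link '{link['text']}' not unwrapped; ask the gateway for its verdict")
        elif link["text_host_mismatch"]:
            reasons.append(f"display text '{link['text']}' does not match destination {link['dest_host']}")
    level = "high" if len(reasons) >= 3 else ("medium" if reasons else "low")
    return {"auth": auth, "links": links, "reasons": reasons, "risk_level": level}

if __name__ == "__main__":
    print(assess(SAMPLE_EMAIL, DMARC_RECORDS["example-lawfirm.test"])["reasons"])
```

Run as written it reports the same four signals the case turned on: no DKIM, a non-enforcing DMARC policy, and two rewritten links that have not been unwrapped. Passing `resolved={href: destination}` with what the gateway reports for a rewritten link switches that link from "not unwrapped" to a display-text-versus-destination comparison, which is the check the proxy inspection layer performs on click. Swapping in the hardened record removes the DMARC finding but leaves the rest, which is the point of the section above: DMARC enforcement is necessary but does not substitute for DKIM or for resolved-destination inspection.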
| Type | Indicator | Context |
|---|---|---|
| Sender domain | Long-established professional-services domain, name withheld | DKIM absent; DMARC p=none; SPF pass via Mimecast relay |
| Malicious link (proxied) | hxxps://url[.]emailprotection[.]link/?bXVY5ha1EzUIGC4x-... | Display text showed attorney bio link; resolved destination scored malicious |
| Malicious link (proxied) | hxxps://url[.]emailprotection[.]link/?bFtQv3yGqxU177s3N... | Display text showed firm website URL; resolved destination scored malicious |
| Authentication result | SPF=pass; DKIM=none; DMARC=pass (p=none, no enforcement) | No cryptographic body integrity; enforcement disabled |
| Attachment | image002.png (29,812 bytes, MD5: 4c10f954756fc102a20552f371d4f2e2) | Award badge; scanned clean; no payload |