# Fake IT Verification Notice Spoofs Internal M365 Routing to Deliver Cloudflare-Proxied Credential Harvest
An employee at an industrial-automation and distribution firm received what looked like an internal IT notification: "Your email account will be blocked in 48 hours unless you verify it now." The Sender field pointed to a SystemMailbox in their own organization's Microsoft 365 tenant. The visible From address was an external domain most recipients would never think to inspect. The link behind the "VERIFY EMAIL" button included their email address pre-loaded in the URL query string.
The message was crafted to mimic the appearance of an automated IT governance alert from within the organization. The Sender header and Reply-To both referenced a SystemMailbox{...} address in the target organization's onmicrosoft.com tenant, which is the kind of automated mailbox designation that M365 uses for internal workflow notifications. The visible From header, however, read an external sender domain (anonymized), an external domain registered under privacy protection with no publicly verifiable business identity.
The body contained a 48-hour account-block threat, grammatical irregularities, and a single prominent "VERIFY EMAIL" button. The CTA resolved to hxxps://online[.]characteristics[.]today/introduction[.]html?plain=[recipient-email-redacted]. The recipient's email address was embedded in the plain= parameter, a technique that personalizes the landing page at the moment of click to pre-populate a fake login form and increase the appearance of legitimacy.
The technical detail that makes this attack notable is the SystemMailbox routing. Most users, and many filters, look at the Sender field and the display context of a notification rather than parsing the From header. A SystemMailbox designation in the onmicrosoft.com tenant reads as authoritative to anyone familiar with Microsoft 365's internal messaging. It creates the visual impression that the organization's own IT systems generated the alert.
The underlying From address, an external sender domain (anonymized), was the actual origin. The message traversed Microsoft 365's own infrastructure (internal Exchange transport hops) before reaching the recipient mailbox, which is consistent with cross-tenant routing patterns abused by attackers who submit messages through hosted approval or relay workflows in the target tenant.
Impersonation attacks that borrow legitimate internal routing signals are harder to catch with rules-based filtering because the message touches real organizational infrastructure. The malicious content is the destination URL, not the sending path.
See Your Risk: Calculate how many threats your SEG is missing
The link online[.]characteristics[.]today was flagged malicious in the incident record. The domain resolves through Cloudflare proxying (172[.]67[.]217[.]195, 104[.]21[.]17[.]3), which obscures the real hosting origin. At analysis time, the landing page returned HTTP 404, indicating either a takedown, a time-limited campaign, or a gated page that only activates for known targets. The embedded recipient parameter in the URL (plain=[recipient-email]) is a standard indicator of targeted credential harvesting regardless of whether the form was reachable.
Themis (our Adaptive AI) surfaced the header identity mismatch (external From vs. internal SystemMailbox Sender) as a structural anomaly, combined it with the malicious link verdict, the 48-hour urgency language, and the high sender-risk score for [external-sender-domain] as a first-time external sender. No individual signal was sufficient alone; the behavioral cluster produced the phishing classification.
This attack exploited the gap between what a user sees (internal Sender routing) and what the message headers record (external From address). Defenders should:
?plain= or ?email= parameter containing the recipient's address is a targeting signal.See the MITRE ATT&CK technique references at https://attack.mitre.org/techniques/T1566/ and https://attack.mitre.org/techniques/T1598/.
| Type | Value | Notes |
|---|---|---|
| Actual From | an external sender domain (anonymized) | External attacker-controlled domain |
| Sender/Reply-To | SystemMailbox in [org][.]onmicrosoft[.]com | Victim tenant routing; anonymized |
| Malicious URL | hxxps://online[.]characteristics[.]today/introduction[.]html?plain=[recipient-redacted] | Credential-harvest lure; recipient pre-embedded |
| Malicious domain | online[.]characteristics[.]today | Flagged malicious; Cloudflare-proxied |
| IP | 172[.]67[.]217[.]195 | Cloudflare proxy for characteristics.today |
| IP | 104[.]21[.]17[.]3 | Cloudflare proxy for characteristics.today |
| Landing page status | HTTP 404 at analysis time | Gated or time-limited campaign |
| Pretext | 48-hour email-block threat | Urgency template; grammatical errors present |
| Attack | What happened |
|---|---|
| The Phishing Link Lived on a Domain That Didn't Exist Nine Hours Earlier | A compromised university student account sent a phishing email that passed SPF, DKIM, and DMARC. |
| The Health Spending Account Alert That Rode a Benefits Administrator's Own Infrastructure | An Anthem-branded spending account notification routed through a legitimate benefits administrator's redirect infrastructure. |
| How ARC Re-Signing and an IP Allow-List Turned Three Authentication Failures Into SCL -1 | A phishing email claiming to be a OneDrive share from an outlook.com address originated from a county government mail server. |
| SafeLinks Wrapped the Phishing URL With the Recipient's Name on It | Microsoft SafeLinks rewrote a phishing URL and embedded the recipient's email address into the redirect chain. |
| The Zoho Sign Request That Passed Every Check Except the Reply-To: Government Impersonation via E-Sign Infrastructure | A Zoho Sign document request passed SPF, DKIM, DMARC, and ARC. |