A freight invoice rebill request arrived at a logistics and distribution company, addressed to three employees. The subject referenced a specific case number and FedEx Freight invoice. The sender was "Coordinator23" at coordinator23@fedexfreight[.]com. DKIM passed with a signature aligned to fedexfreight[.]com. DMARC passed. Microsoft composite authentication (CompAuth) passed with reason=100. The email was sent through FedEx Freight's own Salesforce CRM instance.
The message contained no malicious links. No attachments. The payload was the text itself: a request to change the bill-to entity on invoice #0584162950.
The email originated from Salesforce Email-as-a-Service infrastructure (smtp-0e846264ca9e07764[.]core1[.]sfdc-yfeipo[.]mta[.]salesforce[.]com, IP 23[.]23[.]72[.]98). The DKIM signature was signed with selector sfafxfpr03112026 under d=fedexfreight[.]com. The X-SFDC-EmailCategory header was set to quickActionEmail, confirming the message was dispatched via a Salesforce Quick Action, a CRM feature that lets agents send emails directly from case records.
This is not an attacker spoofing FedEx Freight. This is an email that passed through FedEx Freight's actual CRM sending infrastructure, carrying a valid cryptographic signature for their domain. The Salesforce entity ID (500QU00001PKr4X) and the extremely long Salesforce VERP bounce address in the Return-Path both confirm the message was generated inside a real Salesforce org.
The email was then relayed through a Securence gateway (maild8110391[.]static[.]msp[.]securence[.]com, IP 216[.]17[.]3[.]145). SPF is evaluated against the envelope sender domain at whichever IP connects to the evaluating server: the Securence hop saw the Salesforce IP and recorded a pass for the Salesforce bounce domain, but the final receiving server saw the Securence relay IP, which is not in that domain's SPF record, and recorded a softfail. This is a known artifact of gateway relaying, not a detection signal the attacker introduced, and DMARC still passed on the aligned DKIM signature.
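The header chain described above can be checked mechanically. The following is an added example, not code from the original write-up or from any of the vendors it names. It parses a constructed message whose hostnames, IPs, DKIM selector and X-SFDC-EmailCategory value are taken from the analysis; the Authentication-Results wording, Received timestamps, Return-Path bounce domain and recipient addresses are assumptions. It confirms that the DKIM d= domain aligns with the From domain, flags the Quick Action category, and shows that the SPF softfail was evaluated at the Securence relay IP rather than at the Salesforce origin.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample. Hostnames, IPs, DKIM selector and the X-SFDC header value
# come from the analysis; the Authentication-Results wording, timestamps,
# Return-Path bounce domain and recipient addresses are assumptions.
SAMPLE = """\
Return-Path: <bounce-constructed@bounce.example.invalid>
Received: from maild8110391.static.msp.securence.com (maild8110391.static.msp.securence.com [216.17.3.145])
 by mx.recipient.example with ESMTPS; Wed, 12 Mar 2025 10:00:05 +0000
Received: from smtp-0e846264ca9e07764.core1.sfdc-yfeipo.mta.salesforce.com ([23.23.72.98])
 by maild8110391.static.msp.securence.com with ESMTPS; Wed, 12 Mar 2025 10:00:03 +0000
Authentication-Results: mx.recipient.example; spf=softfail (sender IP is 216.17.3.145) smtp.mailfrom=bounce.example.invalid; dkim=pass header.d=fedexfreight.com header.s=sfafxfpr03112026; dmarc=pass action=none header.from=fedexfreight.com; compauth=pass reason=100
X-SFDC-EmailCategory: quickActionEmail
From: Coordinator23 <coordinator23@fedexfreight.com>
To: ap@recipient.example, billing@recipient.example, ops@recipient.example
Subject: Case 03276500 - FedEx Freight invoice 0584162950 rebill request

Please rebill invoice #0584162950 to the bill-to entity below.
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_auth_results(value: str) -> dict:
    """Flatten an Authentication-Results header into {method: result, 'method.prop': value}.

    The first ';'-separated clause is the authserv-id and is skipped. A
    parenthetical comment such as '(sender IP is 1.2.3.4)' is searched for an
    IPv4 literal, which is stored under 'method.ip'.
    """
    out = {}
    for clause in [c.strip() for c in value.split(";")][1:]:
        if not clause:
            continue
        comment = re.search(r"\(([^)]*)\)", clause)
        tokens = re.sub(r"\([^)]*\)", " ", clause).split()
        method, _, result = tokens[0].partition("=")
        out[method] = result.lower()
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            out[f"{method}.{key}"] = val
        if comment:
            ip = IPV4.search(comment.group(1))
            if ip:
                out[f"{method}.ip"] = ip.group(0)
    return out


def received_hops(msg) -> list:
    """Return (host, ip) for each Received header, origin first, final relay last."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = re.search(r"from\s+(\S+).*?\[(" + IPV4.pattern + r")\]", hdr, re.S)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops[::-1]  # Received headers are prepended, so the topmost is the last hop


def analyze(raw: str) -> dict:
    """Summarize the authentication picture for a relayed CRM-originated message."""
    msg = message_from_string(raw)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hops = received_hops(msg)
    spf_ip = auth.get("spf.ip")
    origin_ip = hops[0][1] if hops else None
    relay_ip = hops[-1][1] if hops else None
    return {
        "from_domain": from_domain,
        "dkim_aligned": auth.get("dkim") == "pass"
        and auth.get("dkim.header.d", "").lower() == from_domain,
        "dkim_selector": auth.get("dkim.header.s"),
        "dmarc_pass": auth.get("dmarc") == "pass",
        "compauth_reason": auth.get("compauth.reason"),
        "quick_action": msg.get("X-SFDC-EmailCategory") == "quickActionEmail",
        "origin_ip": origin_ip,
        "spf_result": auth.get("spf"),
        "spf_evaluated_ip": spf_ip,
        # SPF is checked against the IP that connected to the evaluating server.
        # When that is the gateway's IP rather than the origin MTA's, a softfail
        # is a relay artifact: the origin is what the bounce domain's record lists.
        "spf_softfail_from_relay": auth.get("spf") == "softfail"
        and spf_ip == relay_ip
        and spf_ip != origin_ip,
        "recipient_count": len(getaddresses(msg.get_all("To", []))),
    }


if __name__ == "__main__":
    for key, val in analyze(SAMPLE).items():
        print(f"{key:>24}: {val}")
```

The useful output is the combination: DKIM aligned, DMARC pass, Quick Action category set, and an SPF softfail that traces to the last hop rather than the origin. None of those fields, alone or together, says anything about whether the rebill request is genuine; they only establish which system sent it.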
The email asked the recipient to rebill a freight invoice to a different entity. There was nothing to scan. No URL reputation to check. No attachment to detonate. The business email compromise was the message content: a routine-sounding operational request that, if fulfilled, would redirect billing obligations to a third party.
This class of attack is effective precisely because it mirrors legitimate business communication. Freight invoice adjustments, rebills, and bill-to changes are normal operational traffic in logistics. The attacker relied on the context of the request, not a technical exploit, to achieve the objective.
Themis scored the message at 83% confidence with an "Invoice Phishing" label. Four mailboxes were quarantined. The Securence gateway's own Bayesian classifier had scored the message at 5.2, an elevated risk signal that did not trigger a block.
The detection was driven by behavioral analysis: a first-time sender addressing multiple recipients with a financial action request, combined with an invoice modification pattern targeting a logistics company. Authentication was clean. Infrastructure was legitimate. The only anomaly was the relationship, or rather the absence of one, between this specific sender and the recipient organization.
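The behavioral logic the detection rests on, as an added example that is not the Themis or Securence classifier (the page does not describe either one's internals): a sender-history lookup combined with content rules for an invoice-modification request. The sample message, the history store, and the weights and thresholds are all constructed. The same message is evaluated once from a first-time sender and once from a sender with prior traffic to show that the relationship, not the content, is what changes the verdict.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str
    auth_passed: bool  # SPF/DKIM/DMARC alignment result from the gateway


@dataclass
class SenderHistory:
    """Prior message counts from each sender address to this organization (constructed)."""
    seen: dict = field(default_factory=dict)

    def count(self, address: str) -> int:
        return self.seen.get(address.lower(), 0)


# Content patterns for an invoice-modification request. Weights and thresholds
# below are illustrative assumptions, not the vendor's scoring.
INVOICE_REF = re.compile(r"\binvoice\s*#?\s*(\d{6,})\b", re.I)
BILLING_TERM = re.compile(
    r"\b(re-?bill(?:ing)?|bill-?to|remit(?:tance)?|wire|bank(?:ing)?\s+(?:details|account)"
    r"|payment\s+(?:details|instructions))\b",
    re.I,
)
CHANGE_VERB = re.compile(r"\b(change|update|redirect|switch|correct|modify|rebill)\b", re.I)
LINK_OR_ATTACHMENT = re.compile(r"https?://|\battach(?:ed|ment)\b", re.I)


def evaluate(msg: Message, history: SenderHistory) -> dict:
    """Score a message on sender relationship plus content; return verdict and reasons."""
    text = f"{msg.subject}\n{msg.body}"
    score, reasons = 0, []

    if history.count(msg.sender) == 0:
        score += 4
        reasons.append("first-time sender to this organization")

    if len(msg.recipients) >= 2:
        score += 1
        reasons.append(f"one financial request addressed to {len(msg.recipients)} mailboxes")

    inv = INVOICE_REF.search(text)
    if inv:
        score += 1
        reasons.append(f"references invoice {inv.group(1)}")

    if BILLING_TERM.search(text) and CHANGE_VERB.search(text):
        score += 3
        reasons.append("asks to change billing or payment details")

    if not LINK_OR_ATTACHMENT.search(text):
        reasons.append("no link or attachment: the request text is the payload")

    # Clean authentication proves the sending infrastructure, not the request.
    # It is recorded for the analyst but never lowers the score.
    if msg.auth_passed:
        reasons.append("SPF/DKIM/DMARC passed (not exculpatory)")

    verdict = "quarantine" if score >= 8 else "review" if score >= 6 else "deliver"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed message mirroring the case in the analysis; body wording and
# recipient addresses are assumptions.
SAMPLE = Message(
    sender="coordinator23@fedexfreight.com",
    recipients=["ap@recipient.example", "billing@recipient.example", "ops@recipient.example"],
    subject="Case 03276500 - Rebill request, FedEx Freight invoice 0584162950",
    body="Please change the bill-to entity on invoice #0584162950 to the account below.",
    auth_passed=True,
)

if __name__ == "__main__":
    print(evaluate(SAMPLE, SenderHistory()))  # first contact: quarantine
    print(evaluate(SAMPLE, SenderHistory({SAMPLE.sender: 12})))  # established sender: deliver
```

The history store is the piece that carries the weight here. A real deployment would key it on more than the bare address (domain age of the relationship, prior recipients, prior thread participation), but the shape is the same: the content rules fire for routine logistics traffic too, and only the missing relationship pushes the score over the line.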
When a freight invoice rebill or bill-to change arrives from a first-time sender, verify the request through a known contact at the carrier, not by replying to the email. Legitimate CRM infrastructure does not make the request legitimate: authentication proves which system sent the message, not who is behind the request.
| Type | Indicator | Context |
|---|---|---|
| Sender Email | coordinator23@fedexfreight[.]com | Salesforce CRM-generated sender |
| Salesforce MTA | smtp-0e846264ca9e07764[.]core1[.]sfdc-yfeipo[.]mta[.]salesforce[.]com | Salesforce EaaS relay |
| Salesforce IP | 23[.]23[.]72[.]98 | Salesforce sending IP |
| DKIM Selector | sfafxfpr03112026 (d=fedexfreight[.]com) | Valid DKIM signature for FedEx Freight domain |
| Salesforce Entity | 500QU00001PKr4X | Salesforce Case entity ID |
| Securence Gateway | maild8110391[.]static[.]msp[.]securence[.]com | Security gateway relay |
| Securence IP | 216[.]17[.]3[.]145 | Securence relay IP (caused SPF softfail) |
| Invoice Number | 0584162950 | Referenced FedEx Freight invoice |
| Case Number | 03276500 | Referenced case number in subject |

| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing via Service | T1566.003 | Targeted email delivered through a third-party CRM (Salesforce Quick Action); no link or attachment was involved |
| Compromise Accounts: Email Accounts | T1586.002 | Access to FedEx Freight Salesforce org to send authenticated email |
| Impersonation | T1656 | Operational role impersonation as freight coordinator |