The Newsletter That Passed Authentication Twice and Failed Once

TL;DR: A French-language health newsletter delivered through ActiveCampaign's mailing infrastructure passed SPF, DKIM, and DMARC at origin. A Votiro Content Disarm and Reconstruction relay then modified the message body, invalidating the DKIM body hash and triggering an SPF softfail. Despite those failures, the relay was allowlisted in the recipient environment. Among dozens of clean marketing and unsubscribe links, a single CTA directed to a live payment fraud page collecting credit card, SEPA, and PayPal data. The case demonstrates how CDR relays can simultaneously break authentication and launder delivery, and why single-link detection in high-link-density messages remains a critical gap.
Severity: High | Payment-Fraud Phishing | MITRE: T1566.002, T1036.005, T1204.001, T1583.001

SPF passed. DKIM passed. DMARC passed. Then a trusted security relay re-processed the message, broke the DKIM body hash, introduced an SPF softfail, and delivered it anyway because the relay was allowlisted. The email was a French-language health newsletter promoting joint supplements. The call-to-action button labeled "confirme" pointed to a live payment fraud page collecting credit card numbers, SEPA bank details, and PayPal credentials.

This is a case where authentication told three different stories depending on where in the relay chain you checked. And the one link that mattered hid among dozens of clean marketing URLs.

Three Authentication Verdicts for the Same Message

The email originated from sante[.]optimale@bienetre-holistique[.]com with a display name impersonating an individual sender. It was sent through ActiveCampaign, a legitimate bulk email platform, from IP 52[.]128[.]42[.]65. At the point of original submission, authentication was clean across the board:

  • SPF: Pass (the sending IP is an authorized ActiveCampaign server)
  • DKIM: Pass (valid signatures for both bienetre-holistique[.]com and acems3[.]com)
  • DMARC: Pass (composite authentication aligned on the From domain)

Then the message hit a Votiro Content Disarm and Reconstruction (CDR) relay at votiro-relay1[.]prod[.]votiro[.]com (44[.]206[.]213[.]130). CDR systems are designed to neutralize embedded threats by reconstructing message content. In doing so, Votiro altered the message body. That alteration invalidated the DKIM body hash (the bh= value in the DKIM-Signature header no longer matched the modified content). SPF also softfailed because the relay forwarded the message from its own infrastructure, an IP not listed in bienetre-holistique[.]com's SPF record.
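The bh= failure described above follows directly from how a DKIM verifier works: it recomputes the body hash over the body it received and compares it with the signed value, so any change the relay makes outside the canonicalization's tolerance breaks the signature. The following added example (written for this write-up, not code from Votiro, ActiveCampaign or IRONSCALES) implements RFC 6376 "simple" and "relaxed" body canonicalization and shows which kinds of edits survive. The newsletter bodies are constructed stand-ins, not the real message.

```python
import base64
import hashlib
import re


def canonicalize_body(body: str, algorithm: str = "relaxed") -> str:
    """Apply DKIM body canonicalization (RFC 6376 section 3.4.3 'simple', 3.4.4 'relaxed').

    Bare LF line endings are treated as CRLF so that sample text written in Python
    behaves like the wire form an MTA would hash.
    """
    wire = body.replace("\r\n", "\n").replace("\n", "\r\n")
    lines = wire.split("\r\n")
    if algorithm == "relaxed":
        # Collapse runs of SP/HTAB inside a line to one SP and drop trailing whitespace.
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    elif algorithm != "simple":
        raise ValueError(f"unknown canonicalization: {algorithm}")
    # Both algorithms ignore empty lines at the end of the body.
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        # Simple: an empty body hashes as a single CRLF. Relaxed: as the empty string.
        return "\r\n" if algorithm == "simple" else ""
    return "\r\n".join(lines) + "\r\n"


def body_hash(body: str, algorithm: str = "relaxed") -> str:
    """Return the bh= tag value: base64(SHA-256(canonical body)), as used by rsa-sha256 signatures."""
    canonical = canonicalize_body(body, algorithm).encode("utf-8")
    return base64.b64encode(hashlib.sha256(canonical).digest()).decode("ascii")


def verify_body_hash(body: str, signed_bh: str, algorithm: str = "relaxed") -> bool:
    """A verifier recomputes bh= over the body it received and compares it with the signed value."""
    return body_hash(body, algorithm) == signed_bh


# Constructed sample: a minimal newsletter body as the ESP signed it (not the real message).
ORIGINAL_BODY = (
    "<html><body>\n"
    "<p>Et si vos articulations avaient juste besoin de ces 3 choses ?</p>\n"
    '<a href="https://paiement.example.test/checkout">confirme</a>\n'
    "</body></html>\n"
)

# Constructed: the same body with trailing whitespace and extra blank lines at the end,
# the kind of change a forwarding MTA commonly introduces.
WHITESPACE_VARIANT = ORIGINAL_BODY.replace("</p>\n", "</p>  \t\n") + "\n\n"

# Constructed: what a content-reconstruction relay might emit (sanitizer comment added,
# attribute quoting changed). These edits are outside what relaxed canonicalization tolerates.
RECONSTRUCTED_BODY = (
    "<!-- sanitized by cdr-relay -->\n"
    "<html><body>\n"
    "<p>Et si vos articulations avaient juste besoin de ces 3 choses ?</p>\n"
    "<a href='https://paiement.example.test/checkout'>confirme</a>\n"
    "</body></html>\n"
)


def relay_impact() -> dict:
    """Sign once (compute bh= at origin), then verify each downstream variant."""
    signed = {alg: body_hash(ORIGINAL_BODY, alg) for alg in ("simple", "relaxed")}
    return {
        "whitespace_survives_relaxed": verify_body_hash(WHITESPACE_VARIANT, signed["relaxed"], "relaxed"),
        "whitespace_survives_simple": verify_body_hash(WHITESPACE_VARIANT, signed["simple"], "simple"),
        "cdr_rewrite_survives_relaxed": verify_body_hash(RECONSTRUCTED_BODY, signed["relaxed"], "relaxed"),
    }


if __name__ == "__main__":
    for name, ok in relay_impact().items():
        print(f"{name}: {ok}")
```

Relaxed canonicalization forgives whitespace, which is why most mailing-list and forwarding hops leave DKIM intact; a relay that rewrites markup does not get that forgiveness, and the bh= mismatch is exactly the signal the page says was later overridden by the allowlist.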

Under normal circumstances, a DKIM failure paired with an SPF softfail would raise flags. But Votiro is a recognized security vendor. Its relay IPs are routinely allowlisted in recipient environments. The authentication failures were overridden by the trust relationship, and the message reached the inbox.

This maps directly to MITRE ATT&CK T1036.005: Masquerading, Match Legitimate Name or Location. The attacker did not need to defeat authentication. They needed to send from infrastructure that would authenticate at origin and survive the relay chain, even if authentication broke along the way.

A Newsletter That Was (Mostly) Real

The email subject translated to "What if your joints just needed these 3 things?" The body was written entirely in French, using direct-response health marketing language. It promoted a joint health supplement with the emotional urgency typical of wellness advertising. A List-Unsubscribe header was present. Tracking links routed through ActiveCampaign's emlnk9 and activehosted domains. The formatting, tone, and structure were consistent with a legitimate commercial newsletter.

The attacker's bet was camouflage through volume. Dozens of links in the message were clean: unsubscribe URLs, marketing tracking redirects, newsletter management links. One was not. The primary CTA, styled as a "confirme" button, pointed to:

hxxps://paiement-securise[.]optima-editions[.]com/OPTVTV1-202621895153135

That URL hosted a live checkout page. It rendered a payment form accepting Carte Bancaire credit cards, SEPA/IBAN direct debit, and PayPal. Third-party threat intelligence classified the domain as a scam with a risk score of 0.85 (HIGH). The domain optima-editions[.]com was registered in September 2019 via a privacy proxy with no DNSSEC. Its CloudFront CDN hosting showed a PTR record mismatch, a hallmark of infrastructure designed for disposability rather than accountability.

A secondary domain, la-source-verte[.]com, was also referenced in the email body. Registered in January 2025, it was significantly newer than the other infrastructure, consistent with a staged funnel where one domain handles the pitch and another handles the extraction.


The Detection Gap: One Malicious Link in a Sea of Clean Ones

This is the core problem the attack exploits. A Secure Email Gateway (SEG) evaluating this message sees a fully authenticated newsletter from a known ESP, a message body with no attachment, no executable, no macro, and a link profile dominated by legitimate ActiveCampaign tracking URLs. The single malicious link is a minority signal buried in a majority of clean data.

According to the 2026 Verizon Data Breach Investigations Report, phishing remains the initial access vector in 16% of confirmed breaches, with 80% of gateway-intercepted phishing being plain link-based lures. But that 80% figure assumes the gateway actually inspects and scores the link. In a high-link-density message like this newsletter, static reputation checks on the ESP's tracking domains return clean verdicts for nearly every URL. The payment domain only surfaces as malicious if the scanner follows every link to its final destination and evaluates the landing page behavior.

IRONSCALES Adaptive AI flagged this message through a combination of signals that no single check would have caught alone: the payment URL's domain reputation, the mismatch between a health newsletter and a financial checkout endpoint, privacy-shielded registration with CDN hosting, and no prior sender relationship with the recipient organization. Community intelligence from 35,000+ security professionals across the IRONSCALES network had already correlated the payment domain with prior fraud campaigns, accelerating classification.

The CDR relay complication actually created an additional detection surface. Because the Votiro relay broke DKIM, the message arrived with a mixed authentication fingerprint (original pass, relay fail) that behavioral models can use as a risk signal, provided the system is not configured to suppress alerts from allowlisted relay IPs.

MITRE ATT&CK Mapping

Technique ID | Name                                            | Relevance
T1566.002    | Phishing: Spearphishing Link                    | Primary delivery via embedded payment fraud URL
T1036.005    | Masquerading: Match Legitimate Name or Location | ActiveCampaign ESP abuse for authenticated delivery
T1204.001    | User Execution: Malicious Link                  | Requires victim to click the "confirme" CTA
T1583.001    | Acquire Infrastructure: Domains                 | Privacy-shielded payment domain with CloudFront hosting

Indicators of Compromise

Type   | Indicator                                                                   | Context
Domain | bienetre-holistique[.]com                                                   | Sender domain, ActiveCampaign-hosted
Domain | paiement-securise[.]optima-editions[.]com                                   | Payment fraud checkout page
Domain | la-source-verte[.]com                                                       | Secondary funnel domain (registered Jan 2025)
Domain | acems3[.]com                                                                | ActiveCampaign DKIM signing domain
Domain | votiro-relay1[.]prod[.]votiro[.]com                                         | CDR relay that broke DKIM body hash
Email  | sante[.]optimale@bienetre-holistique[.]com                                  | Sender address
URL    | hxxps://paiement-securise[.]optima-editions[.]com/OPTVTV1-202621895153135   | Direct payment fraud checkout URL
IP     | 52[.]128[.]42[.]65                                                          | ActiveCampaign sending IP (SPF pass at origin)
IP     | 44[.]206[.]213[.]130                                                        | Votiro CDR relay IP (SPF softfail)

Hardening Your Relay Chain

Audit your allowlists. CDR and sanitization relays serve a legitimate purpose, but blanket allowlisting suppresses authentication failure signals. If your relay breaks DKIM, your downstream detection should still evaluate the message, not auto-trust it. Configure your environment to log and score authentication state changes across relay hops, even for trusted vendors.
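The "mixed authentication fingerprint" described in the detection section and the hop-by-hop scoring recommended here can be implemented from the Authentication-Results headers each verifying host prepends (RFC 8601). The following added example, not code from IRONSCALES or any vendor named on the page, parses those headers in chronological order, reports every method that moved from pass to a non-pass result, and records whether the connecting host at that hop is allowlisted without letting the allowlist suppress the finding. The hop records, host names and weights are constructed for illustration; in a real pipeline the connecting host comes from the matching Received: header.

```python
import re

METHODS = ("spf", "dkim", "dmarc")


def parse_auth_results(header_value: str) -> dict:
    """Parse one Authentication-Results header body (RFC 8601).

    Returns {'authserv': <id>, 'spf': [...], 'dkim': [...], 'dmarc': [...]}. A method may
    appear more than once (one dkim= result per signature), so results are kept as lists.
    Splitting on ';' is adequate for the sample; a full parser must respect CFWS comments.
    """
    clauses = [c.strip() for c in header_value.split(";") if c.strip()]
    parsed = {"authserv": clauses[0].split()[0], **{m: [] for m in METHODS}}
    for clause in clauses[1:]:
        match = re.match(r"(spf|dkim|dmarc)\s*=\s*([a-z]+)", clause, re.IGNORECASE)
        if match:
            parsed[match.group(1).lower()].append(match.group(2).lower())
    return parsed


def overall(results: list) -> str:
    """DMARC-style summary: one passing signature is enough; otherwise report the first result."""
    if not results:
        return "none"
    return "pass" if "pass" in results else results[0]


def authentication_drift(hops: list, relay_allowlist: frozenset = frozenset()) -> list:
    """Compare verdicts between consecutive hops (chronological order, origin first).

    Each hop is {'client_host': <connecting host>, 'auth_results': <header body>}. A finding is
    emitted whenever a method that passed earlier no longer passes; allowlisting of the
    connecting host is annotated, never used as a reason to drop the finding.
    """
    findings = []
    parsed = [parse_auth_results(h["auth_results"]) for h in hops]
    for i in range(1, len(hops)):
        before, after = parsed[i - 1], parsed[i]
        for method in METHODS:
            b, a = overall(before[method]), overall(after[method])
            if b == "pass" and a not in ("pass", "none"):
                findings.append({
                    "method": method,
                    "before": (before["authserv"], b),
                    "after": (after["authserv"], a),
                    "via_host": hops[i]["client_host"],
                    "via_host_allowlisted": hops[i]["client_host"] in relay_allowlist,
                })
    return findings


# Constructed weights: a broken body hash or DMARC failure weighs more than an SPF softfail.
WEIGHTS = {"spf": 1, "dkim": 2, "dmarc": 2}


def drift_score(findings: list) -> int:
    return sum(WEIGHTS[f["method"]] for f in findings)


# Constructed sample hops modelled on the page's narrative (hypothetical hosts, not the real ones).
SAMPLE_HOPS = [
    {   # Origin verdict: the edge MX verified the message exactly as the ESP sent it.
        "client_host": "mail-esp.example.test",
        "auth_results": (
            "edge-mx.recipient.example.test; spf=pass smtp.mailfrom=news@sender.example.test; "
            "dkim=pass header.d=sender.example.test; dkim=pass header.d=esp-sign.example.test; "
            "dmarc=pass header.from=sender.example.test"
        ),
    },
    {   # After the sanitization relay: body rewritten, forwarded from the relay's own IP.
        "client_host": "cdr-relay.example.test",
        "auth_results": (
            "mailbox-mx.recipient.example.test; spf=softfail smtp.mailfrom=news@sender.example.test; "
            "dkim=fail (body hash did not verify) header.d=sender.example.test; "
            "dkim=fail (body hash did not verify) header.d=esp-sign.example.test; "
            "dmarc=fail header.from=sender.example.test"
        ),
    },
]
SAMPLE_ALLOWLIST = frozenset({"cdr-relay.example.test"})


def analyze_sample() -> dict:
    findings = authentication_drift(SAMPLE_HOPS, SAMPLE_ALLOWLIST)
    return {"findings": findings, "score": drift_score(findings)}


if __name__ == "__main__":
    result = analyze_sample()
    for f in result["findings"]:
        print(f"{f['method']}: {f['before']} -> {f['after']} via {f['via_host']} "
              f"(allowlisted={f['via_host_allowlisted']})")
    print("drift score:", result["score"])
```

The design point is that the allowlist decides whether the relay may connect, not whether its effect on authentication is scored; a pass-then-fail transition through an allowlisted host is still a finding that downstream detection gets to see.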

Scan every link, not just the suspicious ones. High-link-density messages are a deliberate evasion pattern. If your gateway samples links or prioritizes known-bad domains, a single novel payment URL surrounded by dozens of clean ESP tracking links will pass unscored. Follow every URL to its final landing page.
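The detection-gap section and this recommendation describe the same problem from two sides: a single unexpected domain hiding in a majority of ESP tracking links. The following added example (written for this page, not IRONSCALES' own logic) extracts every href from an HTML body, groups them by registrable domain, and returns each domain that is neither the sender's nor a known ESP domain together with its share of all links, so the caller can follow those URLs to their landing pages rather than sample. The newsletter HTML, sender domain and ESP domains are constructed and hypothetical.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse


class _HrefCollector(HTMLParser):
    """Collect every href on <a> tags, including the ones a link sampler would skip."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value.strip())


def extract_links(html: str) -> list:
    """Return all http(s) hrefs in document order; mailto: and tel: links are dropped."""
    collector = _HrefCollector()
    collector.feed(html)
    collector.close()
    return [h for h in collector.hrefs if urlparse(h).scheme in ("http", "https")]


def registrable_domain(url: str) -> str:
    """Crude eTLD+1 (last two labels). Enough for the sample; production code should use the
    Public Suffix List so that suffixes such as co.uk are handled correctly."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def link_profile(html: str, sender_domain: str, esp_domains: set) -> dict:
    """Group links by registrable domain and single out every domain that is neither the
    sender's nor a known ESP domain. Those URLs are the ones that must be fetched and scored."""
    links = extract_links(html)
    by_domain = Counter(registrable_domain(u) for u in links)
    total = sum(by_domain.values())
    expected = {sender_domain.lower()} | {d.lower() for d in esp_domains}
    expected_count = sum(c for d, c in by_domain.items() if d in expected)
    unexpected = []
    for domain, count in by_domain.most_common():
        if domain in expected:
            continue
        unexpected.append({
            "domain": domain,
            "count": count,
            "share": round(count / total, 3),
            "urls": [u for u in links if registrable_domain(u) == domain],
        })
    return {
        "total_links": total,
        "expected_share": round(expected_count / total, 3) if total else 0.0,
        "unexpected": unexpected,
    }


# Constructed sample newsletter: ten ESP tracking links, two ESP management links, one
# contact mailto, and one CTA to an unrelated checkout host. All domains are hypothetical.
TRACKING = "https://lnk.esp-track.example/ls/click?upn="
SAMPLE_HTML = (
    "<html><body>"
    '<p><a href="https://esp-hosted.example/view?uid=1">Voir dans le navigateur</a></p>'
    "<p>Et si vos articulations avaient juste besoin de ces 3 choses ?</p>"
    + "".join(f'<p><a href="{TRACKING}{i:04d}">En savoir plus</a></p>' for i in range(10))
    + '<p><a href="https://paiement-securise.checkout-fraud.example/ORDER-0001" class="btn">confirme</a></p>'
    '<p><a href="mailto:contact@news.sender.example">Nous contacter</a> | '
    '<a href="https://esp-hosted.example/unsubscribe?uid=1">Se désabonner</a></p>'
    "</body></html>"
)
SAMPLE_SENDER = "sender.example"
SAMPLE_ESP_DOMAINS = {"esp-track.example", "esp-hosted.example"}


def analyze_sample() -> dict:
    return link_profile(SAMPLE_HTML, SAMPLE_SENDER, SAMPLE_ESP_DOMAINS)


if __name__ == "__main__":
    profile = analyze_sample()
    print(f"{profile['total_links']} links, {profile['expected_share']:.1%} on expected domains")
    for entry in profile["unexpected"]:
        print(f"follow and score: {entry['domain']} ({entry['count']} link, share {entry['share']})")
```

Reputation lookups on the ESP domains come back clean by design; the value of the profile is the short list of domains that do not belong to the sender or the ESP, which is where a detonation or landing-page fetch should always be spent regardless of how small that share is.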

Treat payment pages as high-risk endpoints. A checkout form collecting card numbers and bank details is not a credential harvesting page, but the financial exposure is more immediate. DMARC monitoring catches spoofed senders. It does not catch a legitimate ESP delivering a newsletter with one poisoned link to a payment fraud page. That distinction matters when layering controls.

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 30,000+ security professionals. Each post breaks down a real attack. What it looked like, why it worked, and what to do about it.
