It was a Wednesday morning when the CFO of a mid-size U.S. financial institution received a polished, professionally formatted email in French. The subject line read: "This 'healthy' food is sabotaging your joints." A branded header image. A personal greeting. A signature with a photo and handwritten-style name. Everything about it looked like an upscale European wellness newsletter. Everything except where the "learn more" button actually led.
Behind the health supplement pitch was a live payment fraud page, a fully functional checkout collecting credit card numbers, SEPA bank transfers, and PayPal credentials. The email wasn't spam that slipped through. It was a weaponized marketing campaign, sent through ActiveCampaign's authenticated infrastructure, targeting a financial executive who had never opted in.
A Wellness Newsletter With a Malicious Checkout
The email came from sante.optimale@bienetre-holistique[.]com, using the display name "Jean-Pierre Dubois." It was written entirely in French, using fear-based health marketing language. It warned the reader about a common food that was supposedly destroying their joint cartilage. The copy was professional, emotionally manipulative, and structured exactly like a legitimate direct-response health newsletter.
The call-to-action wasn't subtle. A large blue button reading "Discover what's suffocating your joints" dominated the layout, and the same link appeared three more times throughout the body text and postscript. Every instance pointed to a landing page on la-source-verte[.]com that funneled directly into the real payload at paiement-securise[.]optima-editions[.]com.
That checkout page was live. It displayed product pricing, a checkout form, and payment fields for credit cards, SEPA direct debit, and PayPal. A full-service fraud operation. According to third-party threat intelligence from Gridinsoft, the domain had been flagged as a scam just five days before this email was delivered, with a risk score of 0.78 (HIGH).
This is the kind of attack that challenges assumptions about what "phishing" looks like. There was no credential login page. No spoofed Microsoft portal. No urgency about a locked account. Instead, the FBI IC3's 2024 Internet Crime Report would categorize this under the $2.7 billion in phishing and BEC (Business Email Compromise) losses where social engineering drives the victim directly to a financial transaction, not a credential form.
The Attacker's Playbook: Legitimate Infrastructure, Fraudulent Intent
The campaign's infrastructure was deliberately designed to pass every authentication check on its first relay hop.
The attacker used ActiveCampaign, a well-known email marketing platform, to send the message. The original submission headers show clean authentication across the board:
- SPF: Pass (the sender IP 52[.]128[.]42[.]66 is an authorized ActiveCampaign server)
- DKIM: Pass (signatures verified for both bienetre-holistique[.]com and acems3[.]com)
- DMARC: Pass (composite authentication passed on original submission)
This is MITRE ATT&CK T1566.002: Phishing: Spearphishing Link combined with T1036.005 (Masquerading: Match Legitimate Name or Location). The attacker didn't spoof the mailing infrastructure. They used it. According to Verizon's 2025 Data Breach Investigations Report, phishing remains the initial access vector in 36% of breaches, and the abuse of legitimate services is a growing technique precisely because it eliminates the authentication red flags that gateways rely on.
The recipient's organization routes inbound email through a content sanitization gateway (Votiro), which rewrites the message body before forwarding it. That rewrite meant the DKIM body hash (bh=) computed at delivery no longer matched the value ActiveCampaign signed, and because the gateway re-injected the message from its own IP, SPF was evaluated against that IP rather than ActiveCampaign's. So the later Authentication-Results show DKIM fail and SPF softfail, which is an artifact of the relay, not evidence of spoofing; the first-hop result is the one that reflects the sender, and it passed. But the damage model here isn't about authentication at all. The attacker's bet was that the email would render in the inbox, looking exactly like premium marketing content, and that the recipient would click.
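As an added illustration (not code from the article, IRONSCALES, ActiveCampaign or Votiro), the following Python reproduces the mechanics just described: it computes the DKIM body hash over a constructed copy of the message before and after a sanitizing gateway strips a tracking pixel, evaluates a constructed SPF record against the first-hop sender IP and a stand-in gateway IP, and shows which Authentication-Results header a downstream filter should actually trust. The message bodies, the SPF record, the gateway IP and the authserv-ids are assumptions for the example; only the sender IP and the domains come from the article.

```python
"""Added example: why a content-sanitizing relay turns first-hop SPF/DKIM passes into
downstream failures. Bodies, SPF record and authserv-ids are constructed."""
import base64
import hashlib
import ipaddress
import re


def relaxed_body_canon(body):
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization: collapse runs of
    whitespace to one space, strip trailing whitespace, drop trailing empty lines,
    terminate every remaining line with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t")
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""


def dkim_body_hash(body):
    """The bh= value a signer computes, and a verifier recomputes, over the body."""
    return base64.b64encode(hashlib.sha256(relaxed_body_canon(body)).digest()).decode()


# Constructed body of the marketing email as the platform signed it.
ORIGINAL_BODY = """<html><body>
<p>Bonjour,</p>
<a href="https://www.la-source-verte.com/pages/vtv-arthrose">Discover what is suffocating your joints</a>
<img src="https://demainoujamais.activehosted.com/lt.php?pixel" width="1" height="1">
</body></html>
"""

# Constructed output of a sanitizing gateway: tracking pixel removed.
# Any change beyond whitespace invalidates the signed hash.
SANITIZED_BODY = """<html><body>
<p>Bonjour,</p>
<a href="https://www.la-source-verte.com/pages/vtv-arthrose">Discover what is suffocating your joints</a>
</body></html>
"""

# Constructed SPF record standing in for the sender domain's real policy.
SPF_RECORD = "v=spf1 ip4:52.128.42.0/24 ~all"


def spf_check(client_ip, record=SPF_RECORD):
    """Minimal SPF evaluation: ip4: mechanisms plus the trailing 'all' qualifier.
    Real SPF also handles include:, a, mx, redirect= and DNS lookup limits."""
    ip = ipaddress.ip_address(client_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        q, mech = (term[0], term[1:]) if term[0] in qualifiers else ("+", term)
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return qualifiers[q]
        if mech == "all":
            return qualifiers[q]
    return "neutral"


def boundary_auth_results(headers, boundary_authserv_id):
    """Each hop prepends its own Authentication-Results, so headers[0] is the LAST
    relay's verdict. Return the verdict stamped by the trusted boundary MX instead."""
    for value in headers:
        if value.split(";", 1)[0].strip() == boundary_authserv_id:
            return value
    return None


# Constructed header stack, topmost first, as the mailbox would see it.
AUTH_RESULTS = [
    "sanitizer.example.com; spf=softfail smtp.mailfrom=bienetre-holistique.com; dkim=fail (body hash did not verify)",
    "mx.example.com; spf=pass smtp.mailfrom=bienetre-holistique.com; dkim=pass; dmarc=pass",
]


def summary():
    return {
        "bh_original": dkim_body_hash(ORIGINAL_BODY),
        "bh_sanitized": dkim_body_hash(SANITIZED_BODY),
        "spf_first_hop": spf_check("52.128.42.66"),
        "spf_after_relay": spf_check("192.0.2.10"),  # assumed gateway IP, RFC 5737 range
        "trusted_verdict": boundary_auth_results(AUTH_RESULTS, "mx.example.com"),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

The two body hashes differ, the SPF verdict flips from pass to softfail once the connecting IP is the gateway's, and the trustworthy verdict is the one carrying the boundary MX's authserv-id rather than the topmost header. A filter that keys on the topmost Authentication-Results behind a CDR or security relay will see failures on every message, legitimate or not, which is exactly why this campaign's authentication status carried no signal either way.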
The targeting was precise. The recipient, the CFO sitting in Executive Management, had received previous emails from this sender. The sender relation data showed a one-directional history: the sender had emailed the recipient before, but the recipient had never replied, and the sender had never contacted anyone else in the organization. That pattern (persistent, one-way, no organizational footprint) is a hallmark of list-based marketing abuse.
The Signal That Stopped the Card Harvest
The email landed and was quarantined within seconds. IRONSCALES Adaptive AI identified the primary CTA URL as malicious. The paiement-securise[.]optima-editions[.]com checkout endpoint was already flagged across the platform's community threat intelligence network. The email was classified as phishing with 90% confidence, tagged as a VIP recipient alert, and the affected mailbox was mitigated before the CFO opened the message.
What makes this case instructive isn't just that the phishing was caught. It's what would have happened if it wasn't.
A CFO clicking through to a live payment page that accepts credit cards, SEPA transfers, and PayPal credentials is a direct financial exposure event. There's no credential reset that fixes a stolen card number. There's no password change that reverses a bank transfer. According to IBM's 2024 Cost of a Data Breach Report, the average cost of a phishing-initiated breach reached $4.88 million. That figure doesn't account for the direct card fraud losses that payment harvesting attacks produce.
The FTC reported that consumers lost over $10 billion to fraud in 2023, with imposter scams and online shopping fraud (categories this attack straddles) among the top reported loss categories. When phishing simulation training doesn't include non-English-language lures or payment-page scenarios, organizations leave a gap that campaigns like this exploit.
What This Campaign Teaches Defenders
This wasn't a crude phishing blast. It was a professionally built, multi-language marketing funnel with legitimate email infrastructure, authentic-looking content, and a live payment endpoint, targeting an executive with financial authority. Three things to take from it:
Foreign-language phishing is under-tested. Most security awareness programs simulate English-language attacks. Campaigns in French, German, Spanish, and other languages routinely bypass filters tuned for English-language phishing patterns. If your workforce includes multilingual employees, or if attackers don't care whether the language matches, you need detection that evaluates behavior, not just vocabulary.
Marketing platforms are attack infrastructure. ActiveCampaign, Mailchimp, SendGrid. Any platform that sends authenticated email on behalf of customers is a potential phishing vector. DMARC management won't catch these because the authentication is real. Detection has to move beyond authentication and into content, URL reputation, and behavioral analysis.
Payment fraud phishing doesn't look like credential phishing. The absence of a fake login page doesn't mean the absence of a threat. Payment harvesting pages are often more polished, more believable, and more immediately damaging than credential forms.
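The three points above, together with the one-way sender history noted earlier, come down to evaluating what the mail contains and how the sender behaves regardless of authentication results. Here is an added Python example (not the article's or IRONSCALES' detection logic) that applies that idea to a constructed copy of this campaign's HTML body: it extracts every link, unwraps the checkout URL embedded in the landing page's urlBdc parameter, flags cross-domain redirects and blocklisted destinations, counts how many links funnel to one endpoint, and applies the one-way sender-history heuristic. The HTML body, the blocklist and the sender-relation records are constructed for the example; the domains and URLs are the article's published indicators, and nothing is fetched from the network.

```python
"""Added example: content- and behaviour-based triage of an authenticated marketing email.
The HTML body, blocklist and sender-relation records are constructed; domains are the
article's published IOCs and are only parsed, never contacted."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def unwrap_redirect(url, params=("urlBdc", "url", "redirect", "u")):
    """Follow URLs embedded in query parameters without touching the network.
    Returns the chain [landing, ..., final]. 'urlBdc' is the parameter this
    campaign used; the other names are common assumptions, not from the article."""
    chain = [url]
    while True:
        qs = parse_qs(urlparse(chain[-1]).query)
        nxt = next((qs[p][0] for p in params if p in qs and qs[p][0].startswith("http")), None)
        if nxt is None or nxt in chain:
            return chain
        chain.append(nxt)


def registrable(host):
    """Naive registrable domain: last two labels. Adequate for .com; a real
    implementation would consult the Public Suffix List."""
    return ".".join((host or "").lower().split(".")[-2:])


def triage(html_body, sender, blocklist, history):
    """Return a de-duplicated list of findings; an empty list means nothing suspicious."""
    extractor = LinkExtractor()
    extractor.feed(html_body)
    findings, per_destination = [], {}
    for href, _text in extractor.links:
        chain = unwrap_redirect(href)
        landing_host = urlparse(chain[0]).hostname or ""
        final_host = urlparse(chain[-1]).hostname or ""
        per_destination[final_host] = per_destination.get(final_host, 0) + 1
        if len(chain) > 1 and registrable(landing_host) != registrable(final_host):
            findings.append(f"embedded cross-domain redirect: {landing_host} -> {final_host}")
        if registrable(final_host) in blocklist:
            findings.append(f"destination on blocklist: {final_host}")
    for host, count in per_destination.items():
        if count >= 3:
            findings.append(f"{count} links funnel to {host}")
    rel = history.get(sender, {})
    if rel.get("sent", 0) > 0 and rel.get("replies", 0) == 0 and rel.get("recipients", 0) == 1:
        findings.append("one-way sender history: prior mail, no reply, single recipient")
    return list(dict.fromkeys(findings))


CTA = ("https://www.la-source-verte.com/pages/vtv-arthrose?salescode=O_202602_PT_OPTVTV1JUL_W3_SOP_2430"
       "&amp;urlBdc=https://paiement-securise.optima-editions.com/OPTVTV1-202621895153135")

# Constructed body: the CTA repeated four times, plus the platform's unsubscribe link.
SAMPLE_BODY = f"""<html><body>
<p>Bonjour, this 'healthy' food is sabotaging your joints.</p>
<p><a href="{CTA}">Discover what is suffocating your joints</a></p>
<p>Read more: <a href="{CTA}">here</a></p>
<p><a href="{CTA}">Click here</a></p>
<p>P.S. <a href="{CTA}">Don't wait</a></p>
<p><a href="https://demainoujamais.activehosted.com/proc.php?nl=1&amp;c=1">Unsubscribe</a></p>
</body></html>"""

BLOCKLIST = {"optima-editions.com"}                   # constructed reputation feed
HISTORY = {"sante.optimale@bienetre-holistique.com":  # constructed relation data
           {"sent": 5, "replies": 0, "recipients": 1}}


def triage_sample():
    return triage(SAMPLE_BODY, "sante.optimale@bienetre-holistique.com", BLOCKLIST, HISTORY)


if __name__ == "__main__":
    for finding in triage_sample():
        print("-", finding)
```

On the sample body this yields four findings: the landing page's embedded redirect to a different registrable domain, a blocklisted destination, four links funnelling to the same checkout host, and the one-way sender relationship. None of those signals depends on SPF, DKIM or DMARC, which is the point: a platform-sent message can pass all three and still be triaged on what it links to and who sent it.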
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Domain | bienetre-holistique[.]com | Sender domain, ActiveCampaign-hosted |
| Domain | paiement-securise[.]optima-editions[.]com | Payment fraud checkout page |
| Domain | la-source-verte[.]com | Landing page redirecting to checkout |
| Domain | demainoujamais[.]activehosted[.]com | ActiveCampaign hosting domain |
| Email | sante[.]optimale@bienetre-holistique[.]com | Sender address |
| URL | hxxps://paiement-securise[.]optima-editions[.]com/OPTVTV1-202621895153135 | Direct checkout URL with campaign tracking token |
| URL | hxxps://www[.]la-source-verte[.]com/pages/vtv-arthrose?salescode=O_202602_PT_OPTVTV1JUL_W3_SOP_2430&urlBdc=hxxps://paiement-securise[.]optima-editions[.]com/OPTVTV1-202621895153135 | Landing page with embedded checkout redirect |
| IP | 52[.]128[.]42[.]66 | ActiveCampaign sending IP |
| Mailer | ActiveCampaign (X-Mailer header) | Marketing platform used for delivery |