The email subject read "client engagement strategies." SPF passed. DKIM passed. DMARC passed. Composite authentication returned compauth=pass with reason=100, the code Microsoft assigns to a message that passed explicit authentication. The spam confidence level (SCL) was 1, the non-spam verdict. The single embedded link pointed to a real Google Docs document that scanned clean.
Every automated check said this message was legitimate. None of them were right.
The sender, "Oliver Henriksen" at oliver.henriksen8@nordicaigrowth[.]pro, was operating from a purpose-registered M365 tenant. The domain nordicaigrowth[.]pro was configured with a valid selector1 DKIM key, an SPF record authorizing Microsoft's sending infrastructure, and a DMARC record under which both SPF and DKIM aligned with the From: domain. ARC seals at i=1 and i=2 both passed. This was not a compromised account piggybacking on someone else's reputation. This was infrastructure built specifically to look trustworthy to email filters.
The .pro TLD is the quiet middle ground attackers favor: more credible than .xyz or .top, cheaper and less scrutinized than .com. Combined with a business-sounding domain name and a full Microsoft 365 stack, the result is an email that authentication was designed to approve.
Two header details told a different story than the authentication results.
First, the X-ClientProxiedBy header showed the sending client's session proxied through CH2PR20CA0014.namprd20.prod.outlook.com, a US-based Microsoft frontend (the namprd20 token marks the North America region), into the mailbox server MA0P287MB2895.INDP287.PROD.OUTLOOK.COM, an India-region M365 instance (the INDP287 token). A sender claiming to represent a "Nordic AI growth" consultancy, connecting through a US proxy, with a mailbox hosted in India. That geographic mismatch is invisible to SPF, DKIM, and DMARC, which evaluate the sending domain and its signatures, not where the mailbox lives.
Second, the message carried an In-Reply-To header referencing a message ID that the recipient had never sent. This fabricated thread reference was designed to make the email appear as a reply to an ongoing conversation, a social engineering technique that increases open rates and suppresses suspicion by implying prior context.
The body itself was minimal: a short, vague message with a single Google Docs link. The link scanned clean because the URL itself was a legitimate Google Docs document. Whatever credential harvesting or secondary payload lived inside that document sat one click past the scanner's evaluation boundary.
Themis, the IRONSCALES Adaptive AI engine, flagged the message at 84% confidence and automatically resolved it as phishing. Three mailboxes were quarantined before any employee interacted with the message.
The signals were entirely behavioral: a first-time sender from a .pro domain with no prior relationship to the organization, a vague subject line with no specific business context, geographic routing inconsistencies between the proxy and mailbox regions, and a fabricated conversation thread. No single signal was definitive. Together, they formed a pattern that authentication alone could never evaluate.
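The header checks described above (authentication results, the X-ClientProxiedBy proxy/mailbox region comparison, the In-Reply-To lookup against messages the organization actually sent, and the hosted-document link) can be expressed as simple detection logic. The following is an added example, not code from IRONSCALES or from the original post. The sample headers are constructed to mirror the incident; the IP addresses, the Message-ID values and the recipient address are invented, and the risky-TLD list, the hosted-document host list and the three-signal threshold are illustrative assumptions rather than anything the post specifies.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted above. The IPs, the
# Message-ID values and the recipient address are invented for illustration.
SAMPLE = """\
Authentication-Results: spf=pass (sender IP is 40.107.0.1)
 smtp.mailfrom=nordicaigrowth.pro; dkim=pass (signature was verified)
 header.d=nordicaigrowth.pro; dmarc=pass action=none
 header.from=nordicaigrowth.pro; compauth=pass reason=100
X-ClientProxiedBy: CH2PR20CA0014.namprd20.prod.outlook.com (2603:10b6:610:58::24)
 To MA0P287MB2895.INDP287.PROD.OUTLOOK.COM (2603:1096:a01:1::1)
From: Oliver Henriksen <oliver.henriksen8@nordicaigrowth.pro>
To: recipient@example.com
Subject: client engagement strategies
Message-ID: <example-0001@nordicaigrowth.pro>
In-Reply-To: <never-sent-0001@example.com>

Hi, please review: https://docs.google.com/document/d/REDACTED/edit
"""

# Assumed policy inputs: TLDs treated as elevated risk, and hosted-document
# services whose page content sits past a URL scanner's evaluation boundary.
RISKY_TLDS = {"pro", "xyz", "top"}
HOSTED_DOC_HOSTS = {"docs.google.com", "drive.google.com"}
# M365 hostnames carry a region token such as namprd20 or INDP287.
REGION_RE = re.compile(r"\.([a-z]{3})(?:prd|p)\d+\.", re.IGNORECASE)


def unfold(value):
    """Collapse a folded header value onto one line."""
    return " ".join((value or "").split())


def auth_results(msg):
    """Return {'spf': 'pass', 'dkim': ..., 'dmarc': ..., 'compauth': ...}."""
    value = unfold(msg.get("Authentication-Results"))
    return dict(re.findall(r"\b(spf|dkim|dmarc|compauth)=(\w+)", value))


def proxy_and_mailbox(msg):
    """Split X-ClientProxiedBy into (proxy host, mailbox host)."""
    value = unfold(msg.get("X-ClientProxiedBy"))
    m = re.match(r"(\S+)\s+\([^)]*\)\s+To\s+(\S+)", value)
    return (m.group(1), m.group(2)) if m else (None, None)


def m365_region(hostname):
    """Pull the region token (nam, eur, apc, ind, ...) out of an M365 host."""
    m = REGION_RE.search(hostname or "")
    return m.group(1).lower() if m else None


def score_message(raw, known_domains, sent_message_ids):
    """Apply the behavioural checks; return (signals, verdict, auth_passed).

    known_domains: sender domains with a prior relationship to the org.
    sent_message_ids: Message-IDs the org has actually sent.
    """
    msg = message_from_string(raw)
    signals = []

    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    tld = sender_domain.rpartition(".")[2]
    if sender_domain not in known_domains:
        signals.append(f"first-time sender domain {sender_domain}")
    if tld in RISKY_TLDS:
        signals.append(f"elevated-risk TLD .{tld}")

    proxy, mailbox = proxy_and_mailbox(msg)
    if proxy and mailbox and m365_region(proxy) != m365_region(mailbox):
        signals.append(f"region mismatch: proxy {m365_region(proxy)} "
                       f"vs mailbox {m365_region(mailbox)}")

    in_reply_to = unfold(msg.get("In-Reply-To"))
    if in_reply_to and in_reply_to not in sent_message_ids:
        signals.append("In-Reply-To references a message the org never sent")

    for url in re.findall(r"https?://[^\s<>\"]+", msg.get_payload()):
        host = url.split("/")[2].lower()
        if host in HOSTED_DOC_HOSTS:
            signals.append(f"link to hosted document on {host}")

    # Passing authentication is expected from a purpose-built tenant and adds
    # nothing on its own; the verdict rests on the behavioural signals.
    auth = auth_results(msg)
    auth_passed = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    verdict = "phishing" if len(signals) >= 3 else "clean"  # illustrative threshold
    return signals, verdict, auth_passed


if __name__ == "__main__":
    found, verdict, authed = score_message(SAMPLE, set(), {"<real-0001@example.com>"})
    print(f"authentication passed: {authed}; verdict: {verdict}")
    for s in found:
        print(" -", s)
```

Run on the constructed sample with no known sender domains, every authentication check passes while five behavioural signals fire. Any one of them can occur legitimately (a travelling user's proxy and mailbox regions differ, real consultancies use .pro), which is why the verdict is built on the count rather than on any single check.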
| Type | Indicator | Context |
|---|---|---|
| Sending Domain | nordicaigrowth[.]pro | Purpose-registered domain with full M365 tenant |
| Sender Address | oliver.henriksen8@nordicaigrowth[.]pro | First-time sender, no prior relationship |
| DKIM Selector | selector1 (d=nordicaigrowth[.]pro) | Valid M365-issued DKIM signing key |
| Mailbox Server | MA0P287MB2895.INDP287.PROD.OUTLOOK.COM | India-region M365 instance |
| Client Proxy | CH2PR20CA0014.namprd20.prod.outlook.com | US-based proxy (geographic mismatch with India mailbox) |
| Payload URL | hxxps://docs.google[.]com/document/d/[redacted]/edit | Real Google Docs link, scanned clean, likely secondary payload host |
| Subject | "client engagement strategies" | Vague, low-context business pretext |
| In-Reply-To | Fabricated message reference | Thread injection to simulate prior conversation |

| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | Google Docs link as primary delivery vector |
| Acquire Infrastructure: Domains | T1583.001 | Purpose-registered .pro domain for campaign infrastructure |
| Acquire Infrastructure: Web Services | T1583.006 | Dedicated M365 tenant provisioned for authenticated email delivery |