The From line said the message came from Bapco Energies. It did not. The message came from a free Gmail account registered with no brand authority, sent from a server in Nigeria, with a Reply-To header quietly pointing at a domain registered just months earlier by an attacker who controls it entirely. Any reply from a procurement staff member would have gone straight to that attacker inbox, never touching Bapco.
This is business email compromise built around a single deception: make the sender line look authoritative while ensuring all conversation flows through attacker infrastructure.
Anatomy of a Vendor-Invitation Lure With No Links
The email subject was "Vendor Invitation." The body addressed recipients as "Dear Vendor" and claimed to originate from the Chief Procurement Officer of Bapco Energies, a real Bahraini national energy company. The CPO name used in the message appears to be fabricated. No web links appeared anywhere in the body. No attachments were included.
The absence of links is deliberate. Most SEG and email security filters spend the majority of their analytical budget on URLs: detonating them, checking reputation, tracing redirects. An email with no links at all often receives less scrutiny. The attacker's only ask was that the recipient hit Reply to discuss "vendor qualification," at which point the reply-to header silently routes the conversation to the attacker's domain.
The FBI IC3 2024 report recorded over $2.9 billion in BEC losses, with vendor-impersonation schemes among the fastest-growing subcategories. Many of those losses start exactly like this: a low-friction first contact that asks for nothing except a reply.
Two Lookalike Domains Built to Absorb Replies
The attacker registered two domains to backstop this campaign:
bapco-energies[.]net was the Reply-To address. Registered through Tucows with a November 2025 registration date, it mimics the legitimate bapcoenergyservices.com corporate domain. Any recipient who replied to this email would have been corresponding with whoever controls that inbox.
bapcoenergies-procurement[.]com was registered through Hostinger in February 2026. It was in clientHold status at the time of analysis, meaning it had been registered but not yet actively deployed, likely held in reserve for a follow-up stage of the campaign (a fake vendor portal, a document-signing link, or a payment-instruction page).
Domain registration intelligence is a reliable early-warning signal for this attack class. A freshly registered domain with no web presence, a hyphenated variant of a recognizable brand name, and a TLD that does not match the brand's home country (.net or .com rather than .bh for Bahrain) together point to attacker staging infrastructure. MITRE ATT&CK T1566 (Phishing) documents lookalike domain registration as a consistent pre-attack preparation step.
What the Sending Infrastructure Reveals
The originating IP was 105[.]116[.]13[.]203, geolocating to Rivers State, Nigeria, with no PTR record. Bapco Energies is a Bahraini state enterprise. A vendor outreach from a Bahraini procurement officer would not originate from a residential or commercial IP in Nigeria with no reverse DNS.
That geographic and infrastructure mismatch is a concrete attacker artifact even before examining the lookalike domains. The Verizon 2026 Data Breach Investigations Report identifies 39% of breaches involving credentials across the kill chain, and BEC attacks like this one often precede credential theft once the attacker has established conversational rapport and can send a fake document portal link.
The free Gmail sender (bapcoenergies605@gmail[.]com) passed SPF and DKIM checks for gmail.com, not for bapco. That distinction matters: a filter that checks only whether authentication passed would see a pass. A filter that checks whether the authenticated domain matches the display-name brand would flag the mismatch immediately.
Why This Landed and What Stopped It
IRONSCALES threat intelligence flagged this email with a 53% Themis confidence score and escalated it to manual review. The manual reviewer initially approved it as benign, which is worth noting: the absence of links and the polished vendor-inquiry framing are convincing enough to fool human reviewers under time pressure. The incident was later re-evaluated.
This is exactly the failure mode BEC is designed for. The Microsoft Digital Defense Report 2024 notes that BEC attacks are increasingly built to pass human review precisely by avoiding the technical artifacts that humans have been trained to look for (links, attachments, urgency language).
IRONSCALES business email compromise protection combines header-layer reply-to mismatch detection with behavioral modeling of sender-recipient history. A first-contact Gmail sender impersonating a Bahraini energy company and targeting Wisconsin school-district procurement staff has zero prior relationship baseline, a flag that behavioral models can surface even when the email contains no malicious payload. Vendor email compromise schemes that rely on reply-to diversion rather than a lookalike sending domain are especially challenging for human reviewers, which is why automated behavioral detection matters more here than in link-based attacks.
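As an added illustration (not IRONSCALES code), the following Python runs a minimal header-layer check over two constructed messages modelled on the headers described above: it flags a Reply-To domain that differs from the From domain, a From domain that SPF/DKIM did not actually authenticate, and a display-name brand that no authenticated domain vouches for. The mailbox names and the `mx.example.org` receiver are assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the headers described above; not the real message.
LURE = """\
From: Bapco Energies Procurement <bapcoenergies605@gmail.com>
Reply-To: procurement@bapco-energies.net
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass header.d=gmail.com
"""

# Constructed benign counterpart: brand, From domain and authenticated domain all agree.
LEGIT = """\
From: Bapco Energy Services <procurement@bapcoenergyservices.com>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=bapcoenergyservices.com;
 dkim=pass header.d=bapcoenergyservices.com
"""

def _domain(header_value):
    """Lowercase domain of the first address in a header value ('' if absent)."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def _authenticated_domains(auth_results):
    """Domains that SPF (smtp.mailfrom) and DKIM (header.d) actually vouched for."""
    tokens = str(auth_results or "").replace(";", " ").split()
    return {t.split("=", 1)[1].lower() for t in tokens
            if t.startswith(("smtp.mailfrom=", "header.d="))}

def analyze(raw):
    """Return the header-layer flags a reply-to/brand mismatch check would raise."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, from_addr = parseaddr(str(msg["From"]))
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = _domain(msg["Reply-To"])
    auth = _authenticated_domains(msg["Authentication-Results"])
    flags = []
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-mismatch")        # replies leave the sending domain
    if auth and from_dom not in auth:
        flags.append("auth-domain-mismatch")     # SPF/DKIM passed for someone else
    brand = {w.lower() for w in display.split() if len(w) > 3}
    if brand and not any(w in d for w in brand for d in auth):
        flags.append("brand-not-authenticated")  # display-name brand absent from auth'd domain
    return flags
```

For the lure, SPF and DKIM genuinely pass for gmail.com, so only the reply-to and brand checks fire; a filter that stops at "authentication passed" sees nothing.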
The Lookalike Domains Driving the Diversion
| Type | Indicator | Context |
|---|---|---|
| Email | bapcoenergies605@gmail[.]com | Attacker sender address |
| Domain | bapco-energies[.]net | Attacker reply-to domain (registered Nov 2025, Tucows) |
| Domain | bapcoenergies-procurement[.]com | Attacker staging domain (registered Feb 2026, Hostinger, clientHold) |
| IP | 105[.]116[.]13[.]203 | Originating send IP (Nigeria, no PTR) |
---
Sources: FBI IC3 2024 Report | Verizon DBIR 2026 | Microsoft Digital Defense Report 2024 | MITRE ATT&CK T1566 | CISA Phishing Guidance