The Reply-To Was One Letter Off: How a Typosquat Domain Turned a Gmail BEC Into a Payment Diversion

TL;DR A phishing email impersonating a credit manager at a major steel distributor arrived from a Gmail account with full SPF, DKIM, and DMARC authentication. The attacker set the Reply-To to a typosquat domain that added a single letter to the legitimate company domain. Every link in the signature pointed to the real company website. A hidden HTML anchor mismatch in the signature revealed a second identity embedded in the mailto href, a different name than the one displayed. The message requested confirmation of updated banking information and the date of the next scheduled payment, a classic payment diversion play. Themis flagged the attack on behavioral signals. The mailbox was quarantined before any response was sent.
Severity: High | Tags: BEC, Invoice Fraud | MITRE ATT&CK: T1566.001 Phishing: Spearphishing Attachment; T1534 Internal Spearphishing; T1036.005 Masquerading: Match Legitimate Name or Location

The email came from a Gmail account. SPF passed. DKIM passed. DMARC passed. The signature block included a corporate title, a direct phone number, a company logo, and three links to the real company website. Every URL scanned clean. The spam confidence level was low.

The only thing wrong was a single extra letter in a domain name that most people would never look at.

The Typosquat That Changed Everything

The sender claimed to be a credit manager at a large steel distribution company. The From address was a Gmail account (dellacunnin27@gmail[.]com), but the Reply-To was set to tyler.harris@mill-steels[.]com. The real company domain is millsteel[.]com. One extra letter, one extra "s," and every reply would route to the attacker instead of the real vendor.

This is the core of the attack. SPF, DKIM, and DMARC validated the Gmail sending path, which was technically legitimate. None of those protocols evaluate the Reply-To field. The authentication system confirmed the email came from Gmail. It said nothing about whether the person behind it was authorized to request a payment change on behalf of a steel distributor.
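The header-level check described above, as an added example that is not IRONSCALES or Themis code: it parses a constructed message, confirms that SPF/DKIM/DMARC results say nothing about Reply-To, and flags a Reply-To domain that differs from the From domain, comes from consumer webmail, or sits within a small edit distance of a known vendor domain. The allowlist, the freemail list, the `.example` addresses and the distance threshold are all assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample headers modelled on the case above. All addresses and
# domains are placeholders under .example, not the indicators from the report.
RAW_MESSAGE = """\
From: "Tyler Harris" <dellacunnin27@gmail.example>
Reply-To: tyler.harris@mill-steels.example
To: accounts.payable@customer.example
Subject: Updated banking information
Authentication-Results: mx.customer.example; spf=pass; dkim=pass; dmarc=pass

Please confirm that you've received our updated banking information.
"""

# Assumed allowlist: vendor domains this finance team actually pays.
KNOWN_VENDOR_DOMAINS = {"millsteel.example"}
# Assumed list of consumer webmail domains; a corporate vendor rarely uses one.
FREEMAIL_DOMAINS = {"gmail.example", "gmail.com", "outlook.com", "yahoo.com"}


def domain_of(addr):
    """Lower-cased domain of an RFC 5322 address header value, or '' if absent."""
    if addr is None:
        return ""
    _, bare = parseaddr(str(addr))
    return bare.rsplit("@", 1)[1].lower() if "@" in bare else ""


def levenshtein(a, b):
    """Plain edit distance; domains are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, known_domains, max_distance=2):
    """Return the known vendor domain that `domain` imitates, or None.

    Hyphens are dropped before comparing the first label, so a typosquat such
    as mill-steels vs millsteel counts as a single inserted letter.
    """
    if not domain or domain in known_domains:
        return None
    label = domain.split(".")[0].replace("-", "")
    best = None
    for known in known_domains:
        d = levenshtein(label, known.split(".")[0].replace("-", ""))
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, known)
    return best[1] if best else None


def analyze_headers(raw):
    """Evaluate the From / Reply-To relationship independently of SPF, DKIM and DMARC."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain = domain_of(msg["From"])
    reply_to_domain = domain_of(msg["Reply-To"])
    auth = str(msg["Authentication-Results"] or "").lower()
    # Authentication only vouches for the sending path (here, the webmail provider).
    authenticated = all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc"))

    signals = []
    if reply_to_domain and reply_to_domain != from_domain:
        signals.append("reply_to_domain_differs_from_from")
    if from_domain in FREEMAIL_DOMAINS:
        signals.append("freemail_sender")
    imitated = lookalike_of(reply_to_domain, KNOWN_VENDOR_DOMAINS)
    if imitated:
        signals.append("reply_to_lookalike_of_known_vendor")

    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_to_domain,
        "authenticated": authenticated,
        "lookalike_of": imitated,
        "signals": signals,
    }


if __name__ == "__main__":
    print(analyze_headers(RAW_MESSAGE))
```

The point of `authenticated` sitting beside `signals` is that both are true at once for this message: the sending path is genuine and the reply path is not, and a control that stops at the authentication verdict never looks at the second half.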

The Signature That Almost Held Up

The corporate signature was detailed: "Tyler Harris | Credit Manager" with a St. Louis area code phone number, a professional email address at millsteel[.]com, and links to the company's building products pages. Surface-level verification would find a real company at those URLs.

But the HTML told a different story. The displayed email in the signature showed one name, while the underlying mailto: href pointed to a different person entirely at the same domain. That mismatch, invisible to anyone reading the email normally, revealed the signature was copied from a real employee's email and incompletely modified. The attacker changed the visible name but forgot to update the anchor target underneath.

The Ask

The body was direct: "Please confirm that you've received our updated banking information and let us know the date of the next scheduled payment." No attachment. No link to click. No credential form. Just a social engineering request designed to get a finance team to redirect real money to a new account.

Themis, the IRONSCALES Adaptive AI engine, flagged the message on behavioral signals: a first-time Gmail sender claiming corporate vendor authority, a Reply-To on a domain that did not match the signature links, and payment-change language in the body. The mailbox was quarantined automatically.
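The signature anchor mismatch from "The Signature That Almost Held Up" and the behavioral signals listed above, worked through as one added example; this is illustrative code, not Themis or any IRONSCALES implementation. It parses a constructed HTML body, reports any mailto anchor whose displayed address differs from its href target, collects the domains behind the signature links, and combines those with a Reply-To domain, payment-change language and a first-time-sender flag into a list of signals. The `.example` domains, the second name in the mailto href and the phone number are placeholders, and the keyword patterns are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body imitating the message described above. Names, domains
# and the phone number are placeholders; the second name in the mailto href is
# invented to reproduce the displayed-vs-href mismatch.
SAMPLE_HTML = """\
<p>Please confirm that you've received our updated banking information and
let us know the date of the next scheduled payment.</p>
<p>Tyler Harris | Credit Manager | (314) 555-0100<br>
<a href="mailto:dana.whitfield@millsteel.example">tyler.harris@millsteel.example</a><br>
<a href="https://millsteel.example/building-products">Building Products</a> |
<a href="https://millsteel.example/about">About Us</a></p>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def collect_anchors(html):
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    return parser.anchors


def mailto_mismatches(html):
    """Return (displayed_address, href_address) pairs where the two disagree."""
    out = []
    for href, text in collect_anchors(html):
        if not href.lower().startswith("mailto:"):
            continue
        target = href[len("mailto:"):].split("?", 1)[0].strip().lower()
        shown = text.lower()
        if "@" in shown and shown != target:
            out.append((shown, target))
    return out


def signature_link_domains(html):
    """Domains of all http(s) links in the body; for a vendor signature these should match Reply-To."""
    domains = set()
    for href, _ in collect_anchors(html):
        parsed = urlparse(href)
        if parsed.scheme in ("http", "https") and parsed.hostname:
            domains.add(parsed.hostname.lower())
    return domains


# Assumed patterns for the two halves of a payment diversion ask:
# a change to banking details, and a probe for when the next payment goes out.
PAYMENT_CHANGE = re.compile(
    r"\b(updated|new|changed?)\b[^.]{0,60}\b(bank(ing)?|account|remittance|wire)\b", re.I)
PAYMENT_TIMING = re.compile(r"\b(next|upcoming)\b[^.]{0,40}\bpayment\b", re.I)


def behavioral_signals(html, reply_to_domain, first_time_sender):
    """Combine signature, Reply-To and body evidence into named signals."""
    text = re.sub(r"<[^>]+>", " ", html)
    signals = []
    if mailto_mismatches(html):
        signals.append("mailto_anchor_mismatch")
    links = signature_link_domains(html)
    if links and reply_to_domain not in links:
        signals.append("reply_to_domain_not_in_signature_links")
    if PAYMENT_CHANGE.search(text):
        signals.append("payment_change_language")
    if PAYMENT_TIMING.search(text):
        signals.append("payment_timing_probe")
    if first_time_sender:
        signals.append("first_time_sender")
    return signals


if __name__ == "__main__":
    print(mailto_mismatches(SAMPLE_HTML))
    print(behavioral_signals(SAMPLE_HTML, "mill-steels.example", first_time_sender=True))
```

Each signal is weak on its own; a genuine vendor can have a stale mailto in a copied signature template. The combination is what matters, and the Reply-To check is deliberately made against the signature's own links rather than the From domain, since a webmail From address tells you little either way.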


Indicators of Compromise

Type | Indicator | Context
Sender Address | dellacunnin27@gmail[.]com | Gmail account impersonating steel distributor credit manager
Reply-To Domain | mill-steels[.]com | Typosquat of legitimate millsteel[.]com (extra "s")
Reply-To Address | tyler.harris@mill-steels[.]com | Attacker-controlled Reply-To for payment diversion
Legitimate Links | millsteel[.]com/building-products | Real company URLs used as trust anchors
Phone Number | 314 area code | St. Louis region, not independently verified to company
HTML Anchor | Mailto href mismatch | Displayed email differs from underlying anchor target

MITRE ATT&CK Mapping

Technique | ID | Relevance
Phishing: Spearphishing Attachment | T1566.001 | Email-based social engineering for payment diversion
Masquerading: Match Legitimate Name or Location | T1036.005 | Typosquat domain and copied corporate signature

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 30,000+ security professionals. Each post breaks down one attack — what it looked like, why it worked, and what you can do about it.
