The email came from a Gmail account. SPF passed. DKIM passed. DMARC passed. The signature block included a corporate title, a direct phone number, a company logo, and three links to the real company website. Every URL scanned clean. The spam confidence level was low.
The only thing wrong was a single extra letter in a domain name that most people would never look at.
The sender claimed to be a credit manager at a large steel distribution company. The From address was a Gmail account (dellacunnin27@gmail[.]com), but the Reply-To was set to tyler.harris@mill-steels[.]com. The real company domain is millsteel[.]com. One extra letter, one extra "s," and every reply would route to the attacker instead of the real vendor.
This is the core of the attack. SPF, DKIM, and DMARC validated the Gmail sending path, which was technically legitimate. None of those protocols evaluate the Reply-To field. The authentication system confirmed the email came from Gmail. It said nothing about whether the person behind it was authorized to request a payment change on behalf of a steel distributor.
The corporate signature was detailed: "Tyler Harris | Credit Manager" with a St. Louis area code phone number, a professional email address at millsteel[.]com, and links to the company's building products pages. Surface-level verification would find a real company at those URLs.
But the HTML told a different story. The displayed email in the signature showed one name, while the underlying mailto: href pointed to a different person entirely at the same domain. That mismatch, invisible to anyone reading the email normally, revealed the signature was copied from a real employee's email and incompletely modified. The attacker changed the visible name but forgot to update the anchor target underneath.
The body was direct: "Please confirm that you've received our updated banking information and let us know the date of the next scheduled payment." No attachment. No link to click. No credential form. Just a social engineering request designed to get a finance team to redirect real money to a new account.
Themis, the IRONSCALES Adaptive AI engine, flagged the message on behavioral signals: a first-time Gmail sender claiming corporate vendor authority, a Reply-To on a domain that did not match the signature links, and payment-change language in the body. The mailbox was quarantined automatically.
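The three signals this post leans on (a Reply-To domain that SPF, DKIM and DMARC never inspect, a mailto: anchor whose visible address differs from its href, and payment-change language from a free-mail sender) can all be pulled from a raw message with the standard library. The following is an added example written for this page, not IRONSCALES or Themis code; the two messages are constructed, the hidden mailto target (someone.else@millsteel.com), the free-mail list, the payment phrases and the quarantine threshold of three signals are assumptions, and the domains are the ones named above in undefanged form so they parse.

```python
"""Added example, not IRONSCALES or Themis code: extract the signals the post
describes from a raw message and score them. Standard library only."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample modelled on the indicators in the post. Domains are the
# ones the post names; the signature's hidden mailto target is a placeholder.
SAMPLE_EML = """\
From: Tyler Harris <dellacunnin27@gmail.com>
Reply-To: tyler.harris@mill-steels.com
To: ap@example-customer.com
Subject: Updated banking information
Content-Type: text/html; charset=utf-8

<p>Please confirm that you've received our updated banking information and
let us know the date of the next scheduled payment.</p>
<p>Tyler Harris | Credit Manager<br>
<a href="mailto:someone.else@millsteel.com">tyler.harris@millsteel.com</a><br>
<a href="https://millsteel.com/building-products">millsteel.com/building-products</a></p>
"""

# Constructed benign counterpart: genuine sender, no Reply-To, honest anchor.
BENIGN_EML = """\
From: Tyler Harris <tyler.harris@millsteel.com>
To: ap@example-customer.com
Subject: Order confirmation
Content-Type: text/html; charset=utf-8

<p>Thanks for the order. The invoice follows under the usual terms.</p>
<p><a href="mailto:tyler.harris@millsteel.com">tyler.harris@millsteel.com</a></p>
"""

FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
PAYMENT_TERMS = ("banking information", "bank details", "new account",
                 "wire transfer", "remittance")
QUARANTINE_AT = 3  # assumed threshold for this example


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(header_value: str) -> str:
    """Domain part of the first address in a From/Reply-To header."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value between domains suggests a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = domain_of(str(msg["From"] or ""))
    reply_dom = domain_of(str(msg["Reply-To"] or ""))
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""

    collector = AnchorCollector()
    collector.feed(html)
    link_domains, mailto_mismatch = set(), []
    for href, text in collector.anchors:
        if href.lower().startswith("mailto:"):
            target = href[len("mailto:"):].split("?")[0].lower()
            # Displayed address vs. the address a click would actually open.
            if "@" in text and text.lower() != target:
                mailto_mismatch.append((text.lower(), target))
            link_domains.add(target.rpartition("@")[2])
        else:
            m = re.match(r"https?://([^/:]+)", href, re.I)
            if m:
                link_domains.add(m.group(1).lower())

    text = re.sub(r"<[^>]+>", " ", html).lower()
    signals = {
        "freemail_sender": from_dom in FREEMAIL,
        # SPF/DKIM/DMARC never look at Reply-To, so it must be checked explicitly.
        "replyto_differs_from_sender": bool(reply_dom) and reply_dom != from_dom,
        "replyto_not_in_signature_links": bool(reply_dom) and reply_dom not in link_domains,
        "replyto_lookalike_of": sorted(d for d in link_domains
                                       if reply_dom and 0 < edit_distance(reply_dom, d) <= 2),
        "mailto_mismatch": mailto_mismatch,
        "payment_change_language": [t for t in PAYMENT_TERMS if t in text],
    }
    score = sum(1 for v in signals.values() if v)
    return {"signals": signals, "score": score, "quarantine": score >= QUARANTINE_AT}


if __name__ == "__main__":
    for label, eml in (("sample", SAMPLE_EML), ("benign", BENIGN_EML)):
        print(label, score_message(eml))
```

On the constructed sample every one of the six signals fires, including the two-edit distance between mill-steels.com and the millsteel.com links in the signature; on the benign counterpart none do. The point of scoring rather than blocking on any single signal is that a Reply-To on a different domain is common in legitimate mail (ticketing systems, shared mailboxes), so it is the combination with a free-mail sender, a lookalike domain and payment wording that justifies quarantine.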
| Type | Indicator | Context |
|---|---|---|
| Sender Address | dellacunnin27@gmail[.]com | Gmail account impersonating steel distributor credit manager |
| Reply-To Domain | mill-steels[.]com | Typosquat of legitimate millsteel[.]com (extra "s") |
| Reply-To Address | tyler.harris@mill-steels[.]com | Attacker-controlled Reply-To for payment diversion |
| Legitimate Links | millsteel[.]com/building-products | Real company URLs used as trust anchors |
| Phone Number | 314 area code | St. Louis region, not independently verified to company |
| HTML Anchor | Mailto href mismatch | Displayed email differs from underlying anchor target |

| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Attachment | T1566.001 | Email-based social engineering for payment diversion |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Typosquat domain and copied corporate signature |