The email came from drive-shares-noreply@google[.]com. SPF passed for google.com. DKIM passed for google.com. DMARC passed for google.com. Every authentication check confirmed what was technically true: Google sent this email.
The display name read "Kirklаnd & Еllis Dеbt." At a glance, it looked like a notification from one of the world's largest law firms regarding a debt collection matter. The subject line reinforced the urgency: "Collection Correspondence Arrived. Pay Today!"
Several characters in that display name, and more in the subject line, were not what they appeared to be.
The display name substituted Cyrillic characters for Latin ones. The "а" in "Kirklаnd" was Cyrillic (U+0430), not Latin (U+0061). The "Е" and "е" in "Еllis" and "Dеbt" were Cyrillic (U+0415 and U+0435). The "о" characters in the subject line were Cyrillic (U+043E). In Outlook, Gmail, Apple Mail, and mobile clients, every substituted glyph rendered identically to its Latin counterpart.
This is not a cosmetic trick. It is a functional evasion technique. Blocklists, display name spoofing detection rules, and string-matching filters compare code points, not rendered glyphs. A rule blocking "Kirkland" will never match "Kirklаnd" because the sixth character is a different Unicode code point. Unicode normalization does not close the gap: NFC and NFKC both leave Cyrillic "а" (U+0430) as a distinct code point from Latin "a" (U+0061). Catching the substitution requires either flagging display names that mix scripts or folding confusable characters onto a common skeleton (the approach Unicode specifies in UTS #39) before the comparison. Without one of those steps, the name passes every text-based check while looking exactly right to every human reader.
The attacker created a Google account, set the display name to the homoglyph-laden law firm name, and shared a Google Drive file with the target. Google generated the sharing notification automatically. The email was composed, signed, and delivered by Google infrastructure. The attacker never touched a mail server.
The shared file linked to Google Drive file ID 1Pivb7Vi7SovDqOfj9DMk7Ft3ciGvK5NX. The reply-to address pointed to testsecafti1997@allclear[.]safeportalcheck[.]com, a domain registered on December 1, 2025, the same day as the attack. Same-day domain registration with privacy-protected WHOIS is a strong indicator of throwaway infrastructure. The reply-to was the only element in the entire email that the attacker controlled directly. Everything else was Google.
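The two detection points above, the confusable display name and the attacker-controlled Reply-To, can be checked together at the gateway. The Python below is an added example written for this page, not code from the original write-up or from any vendor product. It rebuilds the headers described above as a constructed sample message (the stdlib RFC 2047-encodes the non-ASCII display name and subject, which is how they actually travel), then scores the message on mixed-script letters, a confusable-folded "skeleton" of the display name compared against a protected brand list, whether the Reply-To registrable domain differs from the sender's, and the age of that domain. Assumptions: the confusables table is a hand-picked subset of the UTS #39 data; `REGISTRATION_DATES` is a constructed stand-in for an RDAP/WHOIS lookup; `registrable_domain` takes the last two labels instead of consulting the Public Suffix List; the 30-day age threshold and the `mx.example.net` authserv-id are arbitrary choices for the demonstration.

```python
import unicodedata
from datetime import date
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

# Constructed reproduction of the headers described above (not the captured message).
# Cyrillic code points used: а U+0430, Е U+0415, е U+0435, о U+043E.
DISPLAY_NAME = "Kirkl\u0430nd & \u0415llis D\u0435bt"
SUBJECT = "C\u043ellecti\u043en C\u043errespondence Arrived. Pay T\u043eday!"
REPLY_TO = "testsecafti1997@allclear.safeportalcheck.com"

# Constructed stand-in for an RDAP/WHOIS lookup: registration date per registrable domain.
REGISTRATION_DATES = {"safeportalcheck.com": date(2025, 12, 1)}
RECEIVED_ON = date(2025, 12, 1)

# Hand-picked subset of the UTS #39 confusables data: Cyrillic letters whose glyphs match
# Latin letters in common fonts. A production filter should load the full table.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0443": "y",
    "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s", "\u0410": "A", "\u0412": "B",
    "\u0415": "E", "\u041a": "K", "\u041c": "M", "\u041d": "H", "\u041e": "O", "\u0420": "P",
    "\u0421": "C", "\u0422": "T", "\u0425": "X", "\u0406": "I", "\u0408": "J", "\u0405": "S",
})
PROTECTED_NAMES = ("kirkland & ellis",)


def build_sample_message(display=DISPLAY_NAME, subject=SUBJECT, reply_to=REPLY_TO):
    """Serialize the sample as RFC 5322 text; the stdlib RFC 2047-encodes non-ASCII headers."""
    msg = EmailMessage(policy=default)
    msg["From"] = f"{display} <drive-shares-noreply@google.com>"
    if reply_to:
        msg["Reply-To"] = reply_to
    msg["Subject"] = subject
    msg["Authentication-Results"] = ("mx.example.net; spf=pass smtp.mailfrom=google.com; "
                                     "dkim=pass header.d=google.com; dmarc=pass header.from=google.com")
    msg.set_content("A file has been shared with you.")
    return msg.as_string()


def skeleton(text):
    """Fold confusable code points onto their Latin look-alikes. NFKC alone does not do this
    (Cyrillic U+0430 stays Cyrillic); the mapping table is what makes 'Kirklаnd' match."""
    return unicodedata.normalize("NFKC", text).translate(CONFUSABLES)


def scripts_in(text):
    """Unicode script families of the letters in text, read from each character's name."""
    return {unicodedata.name(c, "").split(" ")[0] for c in text if c.isalpha()}


def registrable_domain(hostname):
    """Last two labels only; a real filter should use the Public Suffix List instead."""
    return ".".join(hostname.lower().split(".")[-2:])


def analyze(raw_message, registration_dates=REGISTRATION_DATES, received_on=RECEIVED_ON):
    """Score a message on the signals described above: homoglyph display name and subject,
    Reply-To pointing outside the sender's domain, and the age of the Reply-To domain."""
    msg = message_from_string(raw_message, policy=default)
    sender = msg["From"].addresses[0]
    display = sender.display_name
    subject = str(msg["Subject"])
    auth = str(msg["Authentication-Results"] or "")
    folded = skeleton(display).lower()
    report = {
        "display_name": display,
        "display_scripts": scripts_in(display),
        "subject_scripts": scripts_in(subject),
        # what a plain string rule sees vs. what the confusable-folded skeleton sees
        "brand_literal_match": any(b in display.lower() for b in PROTECTED_NAMES),
        "brand_skeleton_match": any(b in folded for b in PROTECTED_NAMES),
        "all_auth_pass": all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc")),
        "reply_to_external": False,
        "reply_to_domain_age_days": None,
    }
    if msg["Reply-To"]:
        reply_domain = registrable_domain(msg["Reply-To"].addresses[0].domain)
        report["reply_to_external"] = reply_domain != registrable_domain(sender.domain)
        if reply_domain in registration_dates:
            report["reply_to_domain_age_days"] = (received_on - registration_dates[reply_domain]).days
    age = report["reply_to_domain_age_days"]
    homoglyph_brand = len(report["display_scripts"]) > 1 and report["brand_skeleton_match"]
    young_reply_to = report["reply_to_external"] and age is not None and age < 30
    # SPF/DKIM/DMARC passing says only that Google sent it; it does not clear these signals.
    report["verdict"] = "suspicious" if (homoglyph_brand or young_reply_to) else "clean"
    return report


if __name__ == "__main__":
    for key, value in analyze(build_sample_message()).items():
        print(f"{key}: {value}")
```

On the sample, `brand_literal_match` is false and `brand_skeleton_match` is true, which is the evasion in one line: the literal rule fires on a plain Latin "Kirkland & Ellis" display name (try `build_sample_message("Kirkland & Ellis", "Shared with you", None)`) and goes silent on the homoglyph version, while the folded skeleton catches both. The authentication results are carried through only to make the point that they come back all-pass and are not part of the verdict.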
The pretext was impersonation of a well-known law firm threatening debt collection action. This pretext is deliberately chosen for its psychological impact. Recipients who believe a major law firm is contacting them about an outstanding debt are likely to act quickly and without verification. The urgency language ("Pay Today!") compressed the decision window further.
The attack required no phishing page, no malicious attachment, and no compromised infrastructure beyond a free Google account. The file shared through Google Drive could contain anything: a credential harvesting form, a redirect link, or further social engineering instructions. The delivery mechanism made it indistinguishable from a legitimate Google Drive share at every technical layer.
| Type | Indicator | Context |
|---|---|---|
| Sending Address | drive-shares-noreply@google[.]com | Legitimate Google Drive sharing address |
| Display Name / Subject | Cyrillic homoglyphs: а (U+0430), Е (U+0415), е (U+0435), о (U+043E) | а, Е, е substituted into the law firm display name; о substituted into the subject line |
| Reply-To | testsecafti1997@allclear[.]safeportalcheck[.]com | Domain registered 2025-12-01 (same day as attack) |
| Reply-To Domain | safeportalcheck[.]com | Same-day registration, privacy-protected WHOIS |
| Drive File | File ID 1Pivb7Vi7SovDqOfj9DMk7Ft3ciGvK5NX | Shared file (potential credential harvesting) |
| Auth Results | SPF: pass, DKIM: pass, DMARC: pass | Full authentication for google.com |

| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | Google Drive sharing link as phishing delivery |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Cyrillic homoglyphs impersonating law firm display name |

| Attack | What happened |
|---|---|
| How ARC Re-Signing and an IP Allow-List Turned Three Authentication Failures Into SCL -1 | A phishing email claiming to be a OneDrive share from an outlook.com address originated from a county government mail server. |
| SafeLinks Wrapped the Phishing URL With the Recipient's Name on It | Microsoft SafeLinks rewrote a phishing URL and embedded the recipient's email address into the redirect chain. |
| The Phishing Link Lived on a Domain That Didn't Exist Nine Hours Earlier | A compromised university student account sent a phishing email that passed SPF, DKIM, and DMARC. |
| The Zoho Sign Request That Passed Every Check Except the Reply-To: Government Impersonation via E-Sign Infrastructure | A Zoho Sign document request passed SPF, DKIM, DMARC, and ARC. |
| DMARC Said Reject, the Gateway Said Deliver: Anthem Notification With Broken Authentication and a Casino Helpdesk | An Anthem health spending account notification failed SPF, DKIM, and DMARC with p=reject. |