The "Revise Now" button sat inside what looked like a forwarded thread from a UK financial services firm. The signature links pointed to real company pages. The formatting matched a professional email chain. But the button itself routed through three Google-owned domains before landing on a Turkish website that had no connection to payment processing, invoicing, or the claimed sender.
The CTA link followed a path designed to exploit how link scanners evaluate reputation. The first hop hit meet.google[.]com/linkredirect, a legitimate Google Meet redirect endpoint. From there, the chain moved to google[.]com/url, Google's general-purpose URL redirect service. The third hop landed on adservice.google.com[.]ph, Google's Philippines ad-serving subdomain.
Each of those three domains belongs to Google and carries a clean reputation. A secure email gateway that scores the link on the domains it inspects sees Google infrastructure at every hop it follows and returns a clean verdict. The fourth and final hop, mgokurumsal.com[.]tr, is an unrelated Turkish domain with no DMARC policy and no connection to Google, to payment processing, or to the financial services firm whose thread was hijacked.
Link scanners that evaluate only the first domain in a redirect chain, or that stop following hops once they reach a trusted provider, will never see this destination. The attacker is not hiding the malicious endpoint behind one trusted redirect. They are stacking three of them.
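The two scanner behaviors described above can be reproduced offline. The Python below is an added example, not code from the original write-up or from any vendor. Its hop table is constructed to mirror the four-domain chain in the text, with placeholder paths and query strings rather than the real URLs; the trusted-domain list and the small two-label suffix table are assumptions (a production checker would use the Public Suffix List). It contrasts a scanner that judges the first hop and stops at a trusted domain with one that follows every redirect and judges the terminal domain.

```python
"""Follow a multi-hop redirect chain and compare a first-hop reputation
verdict with a verdict on the terminal destination.

Added example; the hop table and domain lists are constructed/assumed.
"""
from urllib.parse import urlsplit

# Assumption: domains a gateway treats as reputationally clean.
TRUSTED_DOMAINS = {"google.com", "google.com.ph"}

# Simplified public-suffix handling, enough for the TLDs in this write-up.
# A production implementation should consult the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.tr", "com.ph"}

# Constructed stand-in for live HTTP responses: key = requested URL,
# value = the Location header it returns (None = final page, no redirect).
# Paths and query strings are placeholders, not the real URLs.
CONSTRUCTED_HOPS = {
    "https://meet.google.com/linkredirect?dest=HOP2": "https://www.google.com/url?q=HOP3",
    "https://www.google.com/url?q=HOP3": "https://adservice.google.com.ph/r?u=FINAL",
    "https://adservice.google.com.ph/r?u=FINAL": "https://mgokurumsal.com.tr/invoice",
    "https://mgokurumsal.com.tr/invoice": None,
}


def registrable_domain(url: str) -> str:
    """Reduce a URL's host to its registrable domain (e.g. adservice.google.com.ph
    -> google.com.ph, www.wellfinancial.co.uk -> wellfinancial.co.uk)."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_trusted(url: str) -> bool:
    return registrable_domain(url) in TRUSTED_DOMAINS


def follow_chain(start: str, fetch, max_hops: int = 10) -> list[str]:
    """Return every URL visited from `start` until a hop returns no Location,
    a loop is detected, or max_hops redirects have been taken.
    `fetch(url)` returns the next URL or None; here it is a dict lookup."""
    chain = [start]
    seen = {start}
    while len(chain) - 1 < max_hops:
        nxt = fetch(chain[-1])
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def first_hop_verdict(chain: list[str]) -> str:
    """What a scanner returns when it judges the first domain and stops
    as soon as it sees a trusted provider."""
    return "clean" if is_trusted(chain[0]) else "suspicious"


def terminal_verdict(chain: list[str]) -> dict:
    """Judge where the user actually lands, and count how many trusted
    domains were stacked in front of that destination."""
    final = chain[-1]
    trusted_hops = sum(1 for u in chain[:-1] if is_trusted(u))
    return {
        "verdict": "clean" if is_trusted(final) else "suspicious",
        "final": registrable_domain(final),
        "trusted_hops": trusted_hops,
        "hops": len(chain) - 1,
    }


if __name__ == "__main__":
    start = "https://meet.google.com/linkredirect?dest=HOP2"
    chain = follow_chain(start, CONSTRUCTED_HOPS.get)
    for i, url in enumerate(chain):
        print(f"hop {i}: {registrable_domain(url):<22} {url}")
    print("first-hop scanner :", first_hop_verdict(chain))
    print("terminal scanner  :", terminal_verdict(chain))
```

The first scanner answers "clean" after one lookup; the second reports a suspicious terminal domain reached through three trusted hops, which is the signal worth alerting on: a chain whose intermediate domains are all reputable but whose landing domain is not.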
The email body contained two visually distinct sections. The lower portion was a forwarded thread attributed to a UK financial services domain (wellfinancial.co[.]uk). Signature links in that section resolved to real pages on the legitimate company website, reinforcing the appearance of a genuine business conversation.
The upper portion, containing the "Revise Now" CTA and references to "Payment Instructions, Acceptance Letter & Invoice #27652," was injected separately. The seam between the two sections was visible in the source: broken placeholder image tags, inconsistent formatting, and a visual break that did not match the forwarded thread's styling. This is template injection, a technique where attackers graft a malicious content block onto a legitimate-looking email thread to borrow its credibility.
The message was sent from a parameterized address at issot.awsapps[.]com through Amazon SES. SPF passed for amazonses[.]com, the envelope sender domain, and DKIM passed for both issot.awsapps[.]com and amazonses[.]com, so composite authentication passed as well. The sender was a first-time contact with a high risk classification, and the recipient's gateway stamped the message with an external phishing warning banner. Despite those signals, the message reached the inbox.
Authentication confirmed the email was authorized to use the sending domain. It said nothing about the intent of the redirect chain inside. Themis, the Adaptive AI engine, followed the behavioral signals that static analysis could not: a first-time SES sender injecting a high-urgency payment CTA into a fabricated forwarded thread, with a redirect chain that deliberately bounced through trusted Google domains before reaching its final destination.
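The gap between "authenticated" and "safe" can be made concrete by parsing the authentication results and the message body together. The Python below is an added example, not the vendor's engine or code from the original write-up. The message is constructed to mirror the headers and layout described above (placeholder local part, documentation IP, placeholder body text); the "known senders" set, the urgency keyword list and the broken-image check are assumptions about what a behavioral layer might look at, not a description of how any product scores mail.

```python
"""Show that SPF/DKIM/compauth can all pass while the behavioral signals
(first-contact sender, sender absent from the quoted thread, urgent payment
language, broken placeholder images) still point at fraud.

Added example; the message and heuristics are constructed/assumed.
"""
import re
from email import message_from_string
from email.message import Message

# Constructed message modelled on the case above. Addresses, the IP and the
# body text are placeholders, not the real message.
CONSTRUCTED_RAW = """\
From: "Accounts Payable" <notify+a1b2c3@issot.awsapps.com>
To: ap@victim.example
Subject: FW: Payment Instructions, Acceptance Letter & Invoice #27652
Authentication-Results: spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=amazonses.com; dkim=pass (signature was verified) header.d=issot.awsapps.com; dkim=pass (signature was verified) header.d=amazonses.com; compauth=pass reason=100
Content-Type: text/html; charset=utf-8

<div><p>Please review the revised payment instructions before funds are released today.</p>
<a href="https://meet.google.com/linkredirect?dest=HOP2">Revise Now</a><img src="cid:">
</div>
<div>---------- Forwarded message ----------<br>
From: Jane Smith &lt;jane.smith@wellfinancial.co.uk&gt;<br>
Subject: Re: Acceptance letter<br>
Thanks for confirming the acceptance letter, we will proceed.</div>
"""

AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=(\w+)")
DKIM_DOMAIN_RE = re.compile(r"header\.d=([\w.-]+)")
MAILFROM_RE = re.compile(r"smtp\.mailfrom=([\w.-]+)")
ADDR_DOMAIN_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
# Assumption: a small urgency/payment vocabulary; real models use far more.
URGENCY_RE = re.compile(r"\b(revise now|payment instructions|invoice #?\d+|today|urgent)\b", re.I)


def parse_auth_results(header: str) -> dict:
    """Pull mechanism verdicts and domains out of an Authentication-Results header.
    The first verdict per mechanism wins (a second dkim= line is still recorded
    in dkim_domains)."""
    results = {}
    for mech, verdict in AUTH_RESULT_RE.findall(header):
        results.setdefault(mech, verdict)
    mailfrom = MAILFROM_RE.search(header)
    return {
        "spf": results.get("spf", "none"),
        "dkim": results.get("dkim", "none"),
        "compauth": results.get("compauth", "none"),
        "dkim_domains": DKIM_DOMAIN_RE.findall(header),
        "mailfrom": mailfrom.group(1) if mailfrom else None,
    }


def header_from_domain(msg: Message) -> str:
    m = ADDR_DOMAIN_RE.search(msg.get("From", ""))
    return m.group(1).lower() if m else ""


def body_text(msg: Message) -> str:
    payload = msg.get_payload(decode=True)
    return payload.decode(msg.get_content_charset() or "utf-8", "replace")


def quoted_thread_domains(body: str) -> set[str]:
    """Domains of every address that appears in the body, i.e. the participants
    of the forwarded thread the message is trying to borrow credibility from."""
    return {d.lower() for d in ADDR_DOMAIN_RE.findall(body)}


def assess(raw: str, known_senders: set[str]) -> dict:
    msg = message_from_string(raw)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    sender = header_from_domain(msg)
    body = body_text(msg)
    thread = quoted_thread_domains(body)
    findings = []
    if sender not in known_senders:
        findings.append("first_contact_sender")
    if thread and sender not in thread:
        findings.append("sender_not_in_quoted_thread")
    if URGENCY_RE.search(msg.get("Subject", "") + " " + body):
        findings.append("urgent_payment_language")
    if 'src="cid:"' in body or 'src=""' in body:
        findings.append("broken_image_placeholder")
    return {
        "sender": sender,
        "authenticated": auth["spf"] == "pass" and auth["dkim"] == "pass",
        "auth": auth,
        "thread_domains": sorted(thread),
        "findings": findings,
    }


if __name__ == "__main__":
    print(assess(CONSTRUCTED_RAW, known_senders={"wellfinancial.co.uk"}))
```

Every authentication field comes back `pass`, and the From domain is aligned with the first DKIM signature, so nothing in the authentication layer is wrong. The findings list is where the case is made: the authenticated domain has never written to this mailbox before and is not one of the parties in the thread it claims to be forwarding.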
| Type | Indicator | Context |
|---|---|---|
| Sender Domain | issot.awsapps[.]com | Amazon SES/WorkMail sending domain |
| Sender Auth | SPF=pass (amazonses[.]com), DKIM=pass | Full SES authentication |
| Redirect Hop 1 | meet.google[.]com/linkredirect | Google Meet redirect |
| Redirect Hop 2 | google[.]com/url | Google URL redirect service |
| Redirect Hop 3 | adservice.google.com[.]ph | Google Philippines ad service |
| Final Destination | mgokurumsal.com[.]tr | Turkish domain, no DMARC, unrelated to sender |
| Spoofed Thread | wellfinancial.co[.]uk | Legitimate UK financial services domain used in forwarded thread |
| Invoice Reference | Invoice #27652 | Fabricated invoice number in CTA panel |

| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | Multi-hop redirect CTA delivered via email |
| User Execution: Malicious Link | T1204.001 | "Revise Now" button requires victim click to initiate redirect chain |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Injected CTA grafted onto legitimate financial services thread |