An employee at a healthcare services company received what looked like a legitimate debt collection notice from a well-known billing agency. The subject line referenced a specific healthcare provider and included an account number. The email passed SPF, DKIM, and DMARC. Microsoft's composite authentication scored it at 100. The sending infrastructure was a real third-party mailing platform. And the billing statement itself was rendered as a single image, making every line of account detail, every dollar amount, and every payment instruction completely invisible to text-based security scanners.
The only reason this email got flagged: IRONSCALES had never seen this sender contact the organization before, and community intelligence across 1,921 organizations recognized the pattern.
The attack used a three-domain delivery chain that made source attribution deliberately difficult.
The email arrived from noreply@frostarnett[.]net, a domain impersonating a real debt collection agency. The message was injected through SendGrid infrastructure (geopod-ismtpd-8) and relayed via o12[.]enotice[.]revspringinc[.]com (IP 167[.]89[.]100[.]33), a subdomain associated with a legitimate healthcare communications platform. From there, Microsoft Exchange Online Protection accepted delivery.
Each domain in the chain serves a different function:
| Domain | Role | Registration |
|---|---|---|
| frostarnett[.]net | Sender identity (impersonated brand) | 2017, Network Solutions |
| revspringinc[.]com | Mailing relay infrastructure | 2012, GoDaddy |
| facpayments[.]com | Payment portal destination | 2007, Network Solutions |
All three domains have legitimate registrations dating back years. None would trigger age-based or reputation-based blocking. The attacker either compromised these domains' sending infrastructure or registered lookalikes that pass casual inspection. The long registration histories make both scenarios plausible and neither is easily distinguishable at the gateway level.
The Microsoft Digital Defense Report 2024 highlighted the growing use of legitimate mailing infrastructure to bypass reputation-based defenses, noting that attackers increasingly route phishing through established ESPs and third-party relay services.
The email's authentication headers tell a story that every legacy gateway would interpret as trustworthy:
Every check passed. The email reached the inbox with no warnings, no quarantine, no banner beyond the standard external-sender notice.
But one detail undermines the entire authentication posture: the DMARC policy for frostarnett[.]net is p=none. That means even if authentication had failed, the receiving server was instructed to deliver the message anyway and simply report the failure. A DMARC policy of p=none provides monitoring data to the domain owner but zero protection to the recipient. According to the FBI IC3 2024 Internet Crime Report, BEC and phishing campaigns caused $2.77 billion in losses, with brand impersonation through weakly configured authentication domains remaining a primary vector.
The anti-spam headers tell a more nuanced story than the authentication summary suggests. Microsoft's Forefront filter tagged the message with SFTY:9.25, a safety classification flag associated with financial impersonation. Despite this signal, the message was delivered to the inbox with SCL 1.
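The header triage the preceding paragraphs describe can be automated. The following Python is an added example (not IRONSCALES code and not part of the original post): it parses an `Authentication-Results` header, a DMARC TXT record, and the `X-Forefront-Antispam-Report` field, then reports when a full SPF/DKIM/DMARC pass is backed only by `p=none`, and when the filter sets an SFTY safety-tip value yet assigns SCL 1. The sample headers, the DMARC record, and the recipient address are constructed for the example; the IP, domains, reason code and SFTY/SCL values are the ones the article reports.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample headers modelled on the message described in the article.
# The IP, domains, compauth reason and SFTY/SCL values come from the article;
# the recipient and the exact header layout are assumptions for this example.
SAMPLE_HEADERS = (
    'From: "Frost-Arnett" <noreply@frostarnett.net>\n'
    "To: jdoe@victim.example\n"
    "Return-Path: <bounces+23308835-8cd9-jdoe=victim.example@em5664.frostarnett.net>\n"
    "Authentication-Results: spf=pass (sender IP is 167.89.100.33)"
    " smtp.mailfrom=em5664.frostarnett.net; dkim=pass (signature was verified)"
    " header.d=frostarnett.net; dmarc=pass action=none header.from=frostarnett.net;"
    " compauth=pass reason=100\n"
    "X-Forefront-Antispam-Report: CIP:167.89.100.33;CTRY:US;SCL:1;SRV:;IPV:NLI;"
    "SFV:NSPM;SFTY:9.25;DIR:INB\n"
    "Subject: Account statement\n"
    "\n"
    "Body omitted.\n"
)

# Constructed DMARC TXT record for the From: domain; the article reports p=none.
DMARC_TXT = "v=DMARC1; p=none; rua=mailto:dmarc-reports@frostarnett.net"


def parse_auth_results(value: str) -> dict:
    """Return {method: result} for spf/dkim/dmarc/compauth in an Authentication-Results header."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc|compauth)=(\w+)", value)}


def parse_dmarc_policy(txt: str) -> str:
    """Extract the requested policy (p= tag) from a DMARC TXT record; 'none' if the tag is absent."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags.get("p", "none").lower()


def parse_forefront(value: str) -> dict:
    """Split X-Forefront-Antispam-Report into its KEY:VALUE fields."""
    out = {}
    for field in value.split(";"):
        if ":" in field:
            key, val = field.split(":", 1)
            out[key.strip().upper()] = val.strip()
    return out


def triage(raw_message: str, dmarc_txt: str) -> list:
    """Return human-readable findings about the message's authentication posture."""
    msg: Message = message_from_string(raw_message)
    findings = []

    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    policy = parse_dmarc_policy(dmarc_txt)
    all_pass = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    if all_pass and policy == "none":
        findings.append(
            "SPF/DKIM/DMARC all pass, but the From: domain publishes p=none: "
            "a failing message would have been delivered too, so the pass carries little weight")
    elif policy == "none":
        findings.append("DMARC policy is p=none (monitoring only, no enforcement)")

    # The filter's own verdict fields: SFTY is a safety-tip marker, SCL the spam score.
    ff = parse_forefront(msg.get("X-Forefront-Antispam-Report", ""))
    try:
        scl = int(ff.get("SCL", "-1"))
    except ValueError:
        scl = -1
    if "SFTY" in ff and 0 <= scl <= 1:
        findings.append(f"Forefront set SFTY:{ff['SFTY']} (safety-tip/impersonation signal) "
                        f"yet delivered with SCL {scl}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_HEADERS, DMARC_TXT):
        print("-", line)
```

The point of `triage` is that a DMARC pass is only as strong as the policy behind it: the same function run with a `p=reject` record drops the first finding and keeps only the SFTY/SCL contradiction, which is the signal a human reviewer would want surfaced.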
The email body contained minimal HTML: a debt-collector disclosure notice, a line about internet connection speed, and an embedded statement image. The statement itself was the attack surface.
Rendered as a single image, the billing statement displayed:
None of this content existed as parseable text in the email body or HTML source. Every detail lived in the pixel grid of the rendered image. DLP rules scanning for account numbers, dollar amounts, or healthcare provider names found nothing. Content filters checking for social engineering language found nothing. The Verizon 2024 Data Breach Investigations Report documented that 68% of breaches involved a human element. This attack was engineered so that only a human could process its payload.
The statement image also contained a QR code in the upper-left quadrant. QR codes embedded in images represent a compounding evasion layer: not only must the scanner perform OCR on the image, but it must then decode the QR payload to discover the encoded URL. Most gateway scanners perform neither operation on inline images.
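A gateway cannot apply DLP or social-engineering rules to pixels, but it can recognise when a message's content lives almost entirely in an inline image and route it to OCR and QR decoding. The Python below is an added example (not IRONSCALES code and not from the original post): it builds two constructed messages, one mirroring the structure described above (a disclosure line, a connection-speed line, one inline statement image) and one text-rich notice with a small logo, and measures visible HTML text against embedded image payload. The image bytes are a placeholder PNG signature plus padding, the `MIN_VISIBLE_CHARS` threshold is an assumption, and the OCR/QR step itself is not shown.

```python
from email.message import EmailMessage
from html.parser import HTMLParser

# Constructed HTML bodies. The first mirrors the structure the article describes:
# a disclosure line, a connection-speed line, and one inline statement image.
IMAGE_ONLY_HTML = """<html><body>
<p>This communication is from a debt collector.</p>
<p>If the statement does not load, your internet connection may be slow.</p>
<img src="cid:statement" width="600" height="800">
</body></html>"""

# A text-rich notice with a small logo image, for contrast.
TEXT_RICH_HTML = """<html><body>
<img src="cid:statement" width="120" height="40">
<p>Dear customer, this is your monthly statement for account ending 1234.</p>
<p>Your balance is $0.00. No payment is due. Thank you for choosing us.</p>
<p>Questions? Call the number on the back of your card during business hours.</p>
<p>This message was sent to the address on file. Do not reply to this email.</p>
</body></html>"""

# Constructed placeholder image bytes (PNG signature plus padding, not a real image).
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 4096

# Assumed threshold: fewer visible characters than this next to an inline image
# means the message's real content is inside the image.
MIN_VISIBLE_CHARS = 200


class _HtmlInspector(HTMLParser):
    """Collect visible text and <img> sources, ignoring script/style contents."""

    def __init__(self):
        super().__init__()
        self.chunks, self.img_srcs, self._skip = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip = True
        elif tag == "img":
            self.img_srcs.append(dict(attrs).get("src", ""))

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = False

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def build_message(html: str, image: bytes) -> EmailMessage:
    """Build a multipart/alternative message whose HTML part carries one related inline image."""
    msg = EmailMessage()
    msg["From"] = "noreply@frostarnett.net"   # sender address reported in the article
    msg["To"] = "jdoe@victim.example"         # constructed recipient
    msg["Subject"] = "Account statement"
    msg.set_content("Please view this message in an HTML-capable client.")
    msg.add_alternative(html, subtype="html")
    html_part = msg.get_payload()[1]
    html_part.add_related(image, maintype="image", subtype="png", cid="<statement>")
    return msg


def analyze(msg: EmailMessage) -> dict:
    """Measure visible HTML text against inline image payload and flag image-only bodies."""
    visible_chars, img_refs, image_bytes = 0, [], 0
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            insp = _HtmlInspector()
            insp.feed(part.get_content())
            visible_chars += len(" ".join("".join(insp.chunks).split()))
            img_refs.extend(insp.img_srcs)
        elif part.get_content_maintype() == "image":
            image_bytes += len(part.get_payload(decode=True))
    image_only = image_bytes > 0 and visible_chars < MIN_VISIBLE_CHARS
    return {
        "visible_text_chars": visible_chars,
        "inline_image_refs": len(img_refs),
        "image_bytes": image_bytes,
        "image_only": image_only,
        # Routing hint: image-only bodies need OCR and QR decoding before content rules apply.
        "needs_ocr": image_only,
    }


if __name__ == "__main__":
    print(analyze(build_message(IMAGE_ONLY_HTML, FAKE_PNG)))
    print(analyze(build_message(TEXT_RICH_HTML, FAKE_PNG)))
```

The ratio is deliberately crude: the goal is not to classify the message but to decide cheaply which messages deserve the expensive OCR and QR pass that text scanners skip.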
Every clickable element in the email routed through SendGrid tracking infrastructure at u23308835[.]ct[.]sendgrid[.]net. The primary call-to-action resolved through a SendGrid click tracker to facpayments[.]com, the Frost-Arnett payment portal.
URL scanners evaluating the email at delivery time saw sendgrid[.]net domains. SendGrid is a widely trusted ESP used by millions of legitimate senders. The CISA phishing guidance warns that attackers exploit trusted platforms and services to bypass URL reputation checks. In this case, the true destination was hidden behind the redirect until a recipient actually clicked.
The Return-Path header exposed an additional detail: it contained a VERP-encoded string (bounces+23308835-8cd9-[recipient]=[recipient-domain][.]com@em5664[.]frostarnett[.]net) that embedded the recipient's full email address in the bounce path. This is standard for SendGrid delivery tracking, but it also confirms the message was individually targeted rather than blindly sprayed.
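Two of the details above, the tracker-wrapped links and the VERP bounce address, can be checked without any network access. The Python below is an added example (not IRONSCALES code and not from the original post): it classifies each link by whether its host is an ESP click tracker (so the real destination is unknown at scan time), parses the VERP `Return-Path` to recover the embedded recipient and confirm individual targeting, and cross-checks the numeric account ID that appears in both the tracker hostname and the bounce address. The tracker path and token are constructed, the `TRACKER_SUFFIXES` list is an assumption, and treating the shared `23308835` value as the same sender account is an inference from the article's indicators, not something the article states.

```python
import re
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlsplit

# Assumed list of ESP click-tracking host suffixes; only the SendGrid one is in the article.
TRACKER_SUFFIXES = ("ct.sendgrid.net",)

# Constructed HTML: one tracker-wrapped call-to-action and one direct link.
# The tracker host and the portal domain are from the article; path and token are made up.
SAMPLE_HTML = """<html><body>
<p>This communication is from a debt collector.</p>
<a href="https://u23308835.ct.sendgrid.net/ls/click?upn=CONSTRUCTED-TOKEN">View your statement</a>
<a href="https://www.facpayments.com/">Pay online</a>
</body></html>"""

# Constructed Return-Path in the VERP shape the article quotes, with a made-up recipient.
SAMPLE_RETURN_PATH = "bounces+23308835-8cd9-jdoe=victim.example@em5664.frostarnett.net"

VERP_RE = re.compile(
    r"^bounces\+(?P<stream>\d+)-(?P<tag>[^-]+)-(?P<local>[^=]+)=(?P<domain>[^@]+)@(?P<bounce_domain>.+)$")


class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def classify_links(html: str) -> list:
    """Mark each link whose host is a click tracker; its true destination is hidden until clicked."""
    collector = _LinkCollector()
    collector.feed(html)
    out = []
    for href, text in collector.links:
        host = (urlsplit(href).hostname or "").lower()
        tracked = any(host == s or host.endswith("." + s) for s in TRACKER_SUFFIXES)
        out.append({"text": text, "host": host, "tracked": tracked,
                    "destination_known_at_scan_time": not tracked})
    return out


def parse_verp(return_path: str) -> Optional[dict]:
    """Recover the recipient and sender account ID embedded in a VERP bounce address."""
    m = VERP_RE.match(return_path.strip().strip("<>"))
    if not m:
        return None
    return {"stream_id": m["stream"],
            "recipient": f"{m['local']}@{m['domain']}",
            "bounce_domain": m["bounce_domain"]}


def is_individually_addressed(return_path: str, to_address: str) -> bool:
    """True when the bounce path carries exactly this recipient: one message, one target."""
    verp = parse_verp(return_path)
    return verp is not None and verp["recipient"].lower() == to_address.strip().lower()


def shared_account(links: list, return_path: str) -> Optional[str]:
    """Return the account ID if a tracker host (u<ID>.ct.sendgrid.net) and the VERP stream agree."""
    verp = parse_verp(return_path)
    if verp is None:
        return None
    for link in links:
        m = re.match(r"u(\d+)\.", link["host"])
        if m and m.group(1) == verp["stream_id"]:
            return verp["stream_id"]
    return None


if __name__ == "__main__":
    links = classify_links(SAMPLE_HTML)
    for link in links:
        print(link)
    print(parse_verp(SAMPLE_RETURN_PATH))
    print("shared account:", shared_account(links, SAMPLE_RETURN_PATH))
```

A link flagged `tracked` should be treated as unresolved rather than trusted: reputation on `sendgrid.net` says nothing about where the redirect lands, and that is exactly the blind spot the delivery-time scanners hit here.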
| Technique | ID | Application |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | SendGrid-wrapped links to payment portal |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Impersonation of debt collection brand and healthcare provider |
| Phishing for Information: Spearphishing Link | T1598.003 | Payment portal designed to collect financial information |
| Indicator | Type | Context |
|---|---|---|
| noreply@frostarnett[.]net | Email address | Sender address (impersonated brand) |
| em5664[.]frostarnett[.]net | Domain | SPF envelope domain |
| 167[.]89[.]100[.]33 | IP | Sending IP (SendGrid infrastructure) |
| o12[.]enotice[.]revspringinc[.]com | Hostname | Mailing relay |
| u23308835[.]ct[.]sendgrid[.]net | Domain | Click tracking redirector |
| hxxps://www[.]facpayments[.]com/ | URL | Payment portal destination |
| geopod-ismtpd-8 | Hostname | SendGrid injection point |
This email defeated every content-based and authentication-based defense in the delivery path. SPF, DKIM, and DMARC passed. The sending IP had legitimate ESP reputation. The domains were years old. The statement content was invisible to text scanners. The links pointed to trusted redirect infrastructure.
IRONSCALES Adaptive AI flagged the message at 50% confidence through two signals that no content scanner evaluates:
The IBM Cost of a Data Breach Report 2024 found that healthcare remains the most expensive industry for data breaches at $9.77 million per incident. Healthcare billing impersonation attacks like this one exploit the industry's high volume of legitimate financial communications. When every employee processes dozens of real billing notices per week, the attacker's job is to make one more look exactly like the rest.
Organizations that depend on authentication signals and URL reputation to stop healthcare email threats are structurally blind to attacks that pass every technical check and deliver their payload as an image. The defense must be behavioral: who is this sender, have they contacted us before, and does the community recognize this pattern?