The email announced a 2026 Employee Benefits Handbook and asked the team to review it immediately. The display name read "Human Resources." The mailbox appeared to match the recipient organization's own HR alias. Everything about the message looked internal, right up until the footer: "Sent by MailerLite."
That one line is the entire case in miniature. An attacker registered a homoglyph domain, routed an HR benefits announcement through a marketing email platform, and targeted a finance team employee at a mid-size banking institution. The technical sophistication was modest. The social engineering was precise.
The sender address was tjones@cr0wnpack[.]com. The legitimate domain uses the letter O. The attacker registered a variant with a zero. At normal reading speed, cr0wnpack and crownpack are indistinguishable, especially when the display name says "Human Resources" and the mailbox alias mimics an internal HR contact.
This is a homoglyph registration, one of the oldest tricks in the domain abuse playbook. It works because human eyes process familiar letter patterns as shapes, not individual characters. Security tools that rely on exact domain matching catch known-bad domains but miss near-identical variants unless they are specifically configured for fuzzy matching or visual similarity detection.
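As an added example (not IRONSCALES code, not from the case write-up), the following Python shows the kind of visual-similarity check the paragraph says exact-match tooling lacks: it collapses confusable characters into a "skeleton" so cr0wnpack.com and crownpack.com compare equal, and adds a small edit-distance check for typosquats. The confusable table is a deliberately short ASCII subset (a production check would use the Unicode confusables list); only cr0wnpack.com and crownpack.com come from the case, every other domain is constructed.

```python
"""Lookalike sender-domain check (added example; not IRONSCALES or MailerLite code).

Two defensive checks on a sender address: a confusable-character skeleton
comparison that catches homoglyph swaps such as cr0wnpack.com vs crownpack.com,
and a Levenshtein check for typosquats. Only cr0wnpack.com / crownpack.com come
from the case; every other domain here is constructed.
"""

# Assumption: a small ASCII confusable table is enough for this illustration.
# Real tooling would use the Unicode confusables list and decode IDNA labels.
CONFUSABLES = {
    "rn": "m", "vv": "w",                     # two-character shapes
    "0": "o", "1": "l", "3": "e", "4": "a",
    "5": "s", "7": "t", "8": "b", "|": "l",
}


def normalize_domain(address: str) -> str:
    """Lower-case, undo defanged IoC notation, and drop any local part."""
    return address.strip().lower().replace("[.]", ".").rsplit("@", 1)[-1]


def skeleton(domain: str) -> str:
    """Replace confusable characters so visual lookalikes collapse to one form."""
    # Longest substitutions first so 'rn' becomes 'm' before single characters run.
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        domain = domain.replace(src, dst)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, protected: list, max_edits: int = 1) -> dict:
    """Classify a sender address against the domains we want to protect.

    Returns the normalized domain, a verdict ("legitimate", "homoglyph",
    "typosquat" or "unrelated") and, for a lookalike, the domain it imitates.
    """
    domain = normalize_domain(address)
    protected = [normalize_domain(p) for p in protected]
    if domain in protected:
        return {"domain": domain, "verdict": "legitimate", "imitates": None}
    for p in protected:
        if skeleton(domain) == skeleton(p):
            return {"domain": domain, "verdict": "homoglyph", "imitates": p}
    for p in protected:
        if edit_distance(domain, p) <= max_edits:
            return {"domain": domain, "verdict": "typosquat", "imitates": p}
    return {"domain": domain, "verdict": "unrelated", "imitates": None}


if __name__ == "__main__":
    for sample in ("tjones@cr0wnpack[.]com", "hr@crownpack.com",
                   "crownpak.com", "news@example.org"):
        print(sample, "->", classify_sender(sample, ["crownpack.com"]))
```

The skeleton comparison is what makes the zero-for-O swap visible to a machine the way it is invisible to a reader; the edit-distance pass is a separate signal for one-character typos that no confusable table covers. Both are cheap enough to run on every inbound From domain against a short list of protected brands.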
The display name layering doubled the deception. Even if the recipient noticed the sender domain, the display name "Human Resources" and the spoofed mailbox alias referencing the institution's own domain created a strong visual signal of internal origin. According to the 2026 Verizon Data Breach Investigations Report, 62% of breaches involve the human element. This attack was designed to exploit exactly that: a quick glance from a busy professional who trusts messages from HR.
Every link in the email routed through bodvarp[.]clicks[.]mlsend[.]com, a MailerLite click-tracking subdomain. The email body included assets hosted on MailerLite CDN infrastructure. A hidden 1x1 tracking pixel provided the attacker with open-rate telemetry, confirming which recipients viewed the message and when.
This is ESP abuse, a growing pattern where attackers leverage legitimate marketing platforms to deliver phishing. The attacker gets authenticated delivery infrastructure, campaign-level tracking, and clean domain reputation, all for the cost of a MailerLite account. Messages sent through the platform pass SPF and DKIM validation because the ESP's infrastructure is authorized to send on behalf of configured domains.
For secure email gateways (SEGs), this creates a classification problem. The sending infrastructure is legitimate. The tracking links resolve to known marketing domains. The reputation signals all indicate bulk marketing mail, not phishing. The gap between "this is a real marketing platform" and "this is a phishing email sent through a real marketing platform" is one that static reputation checks cannot close.
Microsoft SafeLinks was active on the recipient's environment. It rewrote the MailerLite tracking URLs, meaning every click would pass through Microsoft's URL reputation check at click time. The problem: MailerLite's mlsend[.]com tracking domain carries clean reputation. SafeLinks wrapped the URLs and let them through.
This is not a SafeLinks failure. URL rewriting checks reputation at the time of the click, and the intermediary domain (MailerLite) is a legitimate service. SafeLinks cannot determine that the destination behind the MailerLite redirect is attacker-controlled without following the full redirect chain and evaluating the final landing page. When the intermediary is a trusted ESP, that final evaluation often does not flag anything because the redirect itself resolves to a known marketing platform.
The greeting was generic: "Hi Team." The content described an employee benefits handbook. The target was a finance team employee.
That combination should raise questions. Benefits announcements typically come from HR to all employees, not targeted to individual finance team members. A finance team employee has no operational reason to receive a dedicated benefits review notification. But the attacker bet (correctly) that the authority of "Human Resources" would override the contextual oddity. People comply with HR messages. They do not typically stop to ask whether an HR benefits email should be landing in their inbox specifically.
Themis, the IRONSCALES Adaptive AI, flagged the behavioral mismatch. The detection was not driven by the homoglyph domain alone but by the combination of signals: external marketing-platform infrastructure delivering what claimed to be an internal HR announcement, a first-time sender domain with no prior communication history, and a tracking pixel consistent with campaign-level surveillance rather than routine HR correspondence. The message was quarantined before the recipient could click through to the attacker's benefits review page.
Scroll past the benefits announcement. Past the CTA button. Past the branding. At the bottom of every MailerLite-delivered message sits a compliance footer: "Sent by MailerLite." Legitimate HR communications from a banking institution do not route through third-party marketing ESPs. That footer is the clearest signal in the entire email, and it sits where almost nobody reads.
Training users to check email footers is a practical, low-cost recommendation that this case reinforces. The CISA phishing guidance emphasizes verifying sender identity before acting on requests, but the footer check is the specific, actionable version of that advice for ESP-routed impersonation attacks.
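The signals described across the ESP-abuse, SafeLinks and footer sections above can be combined into one triage pass. The Python below is an added example (not IRONSCALES, Microsoft or MailerLite code): it parses a raw message, unwraps the SafeLinks rewrite to recover the URL underneath, and scores the same signals the write-up lists: an internal role claimed from an external domain, links routed through ESP click tracking, a hidden 1x1 pixel, the "Sent by MailerLite" footer, and a first-time sender domain. Both sample messages are constructed. The SafeLinks wrapper shape (a `safelinks.protection.outlook.com` host with the original URL in a `url=` query parameter) and the list of role names in `INTERNAL_ROLES` are assumptions of the example, not facts from the case.

```python
"""Multi-signal triage of an ESP-routed impersonation email (added example;
not IRONSCALES, Microsoft or MailerLite code).

Sample messages are constructed. The SafeLinks wrapper format used here
(host ...safelinks.protection.outlook.com, original URL in `url=`) is an
assumption about the rewritten-URL shape, not taken from the write-up.
"""
import email
import html
import re
from email import policy
from email.utils import parseaddr
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# ESP tracking / asset domains named in the case; extend for other ESPs.
ESP_DOMAINS = {"mlsend.com": "MailerLite", "mlcdn.com": "MailerLite"}
# Display names that assert an internal role (assumption: a short list).
INTERNAL_ROLES = ("human resources", "payroll", "it helpdesk")

# Constructed sample: HR-themed lure from a lookalike domain via an ESP.
SAMPLE_EMAIL = """\
From: "Human Resources" <tjones@cr0wnpack.com>
To: finance-staff@crownpack.com
Subject: 2026 Employee Benefits Handbook - please review
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hi Team,</p>
<p>Please review the 2026 Employee Benefits Handbook.</p>
<p><a href="https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbodvarp.clicks.mlsend.com%2Ftx%2Fcl%2Fexample&amp;data=example&amp;reserved=0">Review Handbook</a></p>
<img src="https://bodvarp.clicks.mlsend.com/tx/op/example" width="1" height="1" style="display:none">
<p style="font-size:10px">Sent by MailerLite</p>
</body></html>
"""

# Constructed control: a plain internal HR note that should pass.
LEGIT_EMAIL = """\
From: "Human Resources" <hr@crownpack.com>
To: finance-staff@crownpack.com
Subject: Benefits enrollment reminder
Content-Type: text/plain; charset=utf-8

Hi Team, enrollment closes Friday. Reply to this mailbox with questions.
"""


def unwrap_safelinks(url: str) -> str:
    """Return the original URL behind a SafeLinks rewrite, else the URL itself."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host.endswith("safelinks.protection.outlook.com"):
        inner = parse_qs(parts.query).get("url")
        if inner:
            return inner[0]
    return url


def esp_for(host: Optional[str]) -> Optional[str]:
    """Name the ESP that owns `host`, matching the domain or any subdomain."""
    host = (host or "").lower()
    for domain, name in ESP_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return name
    return None


def has_tracking_pixel(body: str) -> bool:
    """True if any <img> is 1x1 or hidden, the usual open-tracking beacon."""
    for tag in re.findall(r"<img\b[^>]*>", body, re.I):
        one_by_one = (re.search(r'\bwidth=["\']?1["\']?(?!\d)', tag, re.I)
                      and re.search(r'\bheight=["\']?1["\']?(?!\d)', tag, re.I))
        if one_by_one or re.search(r"display\s*:\s*none", tag, re.I):
            return True
    return False


def triage(raw: str, org_domain: str, known_sender_domains: set) -> dict:
    """Score the message and return sender facts, final URLs, signals, verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_content()
    signals = []

    claims_internal = any(role in display.lower() for role in INTERNAL_ROLES)
    if claims_internal and sender_domain != org_domain.lower():
        signals.append("internal role claimed by external sender domain")

    # Unwrap SafeLinks first: the reputation of the wrapper tells us nothing.
    final_urls = [unwrap_safelinks(html.unescape(h))
                  for h in re.findall(r'href="([^"]+)"', body, re.I)]
    esps = sorted({esp_for(urlsplit(u).hostname) for u in final_urls} - {None})
    if esps:
        signals.append("links routed through ESP click tracking: " + ", ".join(esps))
    if has_tracking_pixel(body):
        signals.append("hidden 1x1 tracking pixel")
    if "sent by mailerlite" in body.lower():
        signals.append("ESP compliance footer present")
    if sender_domain not in known_sender_domains:
        signals.append("first-time sender domain")

    verdict = "quarantine" if len(signals) >= 3 else "review" if signals else "deliver"
    return {"sender_domain": sender_domain, "display_name": display,
            "final_urls": final_urls, "signals": signals, "verdict": verdict}


if __name__ == "__main__":
    known = {"crownpack.com"}
    for name, raw in (("lure", SAMPLE_EMAIL), ("control", LEGIT_EMAIL)):
        print(name, triage(raw, "crownpack.com", known))
```

The point of the example is the combination: the ESP domain, the pixel and the footer are each ordinary in marketing mail, and a SafeLinks wrapper around an mlsend.com link is clean by reputation. It is only when those appear together with an internal-role display name on a never-before-seen external domain that the message stops looking like marketing and starts looking like the case above, which is why the scorer quarantines on the convergence of signals rather than on any one of them.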
| Step | Action | MITRE Technique |
|---|---|---|
| Domain registration | Attacker registers cr0wnpack[.]com (homoglyph of legitimate brand) | T1583.001: Acquire Infrastructure: Domains |
| ESP setup | Attacker creates MailerLite account for authenticated delivery | T1583.006: Acquire Infrastructure: Web Services |
| Identity spoofing | Display name set to "Human Resources," mailbox mimics internal HR alias | T1036.005: Masquerading: Match Legitimate Name or Location |
| Delivery and lure | Benefits handbook CTA routes through MailerLite click tracking | T1566.002: Phishing: Spearphishing Link |

| Type | Indicator | Context |
|---|---|---|
| Sender Email | tjones@cr0wnpack[.]com | Homoglyph domain (zero replacing letter O) |
| Click-Tracking Domain | bodvarp[.]clicks[.]mlsend[.]com | MailerLite click-tracking subdomain |
| Asset Hosting | mlcdn[.]com | MailerLite CDN (image and asset hosting) |
| Tracking Pixel | 1x1 hidden pixel via MailerLite | Open-rate surveillance |
| Display Name | "Human Resources" | Spoofed internal HR identity |
| Spoofed Mailbox | HR alias mimicking recipient organization domain | Internal identity impersonation |
| ESP Footer | "Sent by MailerLite" | Marketing platform compliance footer |