The display name read "Alston & Bird LLP." The email came from Google. SPF passed. DKIM passed. DMARC passed. Every automated check said this was legitimate. But buried inside that display name were Unicode characters that no human would notice at normal zoom, and the Reply-To header pointed to a domain that had existed for less than two hours.
This attack didn't try to defeat email authentication. It made authentication irrelevant by riding on Google's own infrastructure, then planted the real trap in the one header most security tools ignore.
A Trusted Name, One Character at a Time
The attacker impersonated Alston & Bird LLP, an Am Law 50 firm with more than 800 attorneys. For any recipient in a corporate legal, finance, or compliance role, a notification from this firm wouldn't raise eyebrows. It would get opened.
But the display name wasn't actually "Alston & Bird LLP." It was constructed with homoglyph characters, Unicode code points that render identically (or nearly so) to standard Latin letters. The Cyrillic "о" replaced the Latin "o." The small capital "ʟ" and "ᴘ" replaced standard "L" and "P." A decorative Unicode symbol (֍) was appended after "LLP." At a glance, in any standard email client, the name looked exactly right. It wasn't.
This technique defeats any security filter that relies on exact string matching against a blocklist of impersonated brands. The character sequences are technically different, so the display name passes right through. According to the Microsoft Digital Defense Report 2024, impersonation remains one of the most effective social engineering vectors precisely because attackers keep finding new ways to make names look right while being technically wrong.
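One way to do the character-level inspection the paragraph calls for, as an added example that is not from the post or the IRONSCALES product: the confusables table is a constructed subset of the Unicode confusables data, and the spoofed display name is reconstructed from the description above (Cyrillic o, small-capital L and P, trailing U+058D).

```python
import unicodedata

# Constructed subset of Unicode confusables (not the full confusables.txt):
# lookalike code point -> ASCII character it imitates.
CONFUSABLES = {
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u029f": "L",  # LATIN LETTER SMALL CAPITAL L
    "\u1d18": "P",  # LATIN LETTER SMALL CAPITAL P
}

# Brand strings an exact-match blocklist would hold (lower-cased).
PROTECTED_BRANDS = {"alston & bird llp"}

# Constructed display name built the way the post describes: Cyrillic o,
# small-capital L and P, and a trailing decorative symbol (U+058D).
SPOOFED_NAME = "Alst\u043en & Bird \u029f\u029f\u1d18 \u058d"
GENUINE_NAME = "Alston & Bird LLP"

def script_of(ch):
    """Coarse script label: first word of the Unicode character name."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def skeleton(text):
    """Fold confusables to ASCII and drop anything still outside ASCII."""
    folded = "".join(CONFUSABLES.get(c, c) for c in unicodedata.normalize("NFKC", text))
    ascii_only = "".join(c for c in folded if ord(c) < 128)
    return " ".join(ascii_only.split())

def analyze_display_name(name):
    """Character-level findings for a display name, including whether the
    folded skeleton collides with a protected brand (a homoglyph spoof)."""
    non_ascii = [(c, unicodedata.name(c, "UNKNOWN")) for c in name if ord(c) > 127]
    scripts = {script_of(c) for c in name if c.isalpha()}
    skel = skeleton(name).lower()
    return {
        "exact_match": name.lower() in PROTECTED_BRANDS,   # what a blocklist sees
        "skeleton_match": skel in PROTECTED_BRANDS,        # what a human sees
        "non_ascii": non_ascii,
        "mixed_script": len(scripts) > 1,
        "suspicious": skel in PROTECTED_BRANDS and bool(non_ascii),
    }
```

The spoofed name fails the exact match but collides with the brand after folding, which is the gap an exact-match filter never closes.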
Why Every Authentication Check Said "Pass"
The email was a genuine Google Drive sharing notification. The attacker created a Google account, uploaded a file to Drive, and shared it with 24 recipients across multiple organizations. Google's infrastructure did the rest.
The sending domain was google.com. The Return-Path was doclist.bounces.google.com. The DKIM signature verified against Google's published keys. SPF, DKIM, and DMARC all returned pass. Microsoft's composite authentication check (compauth) also returned pass with a score of 100.
This is the fundamental limitation of email authentication. These protocols verify that the sending infrastructure is authorized to send on behalf of the envelope domain. They say nothing about whether the display name is honest, whether the Reply-To header is trustworthy, or whether the content is malicious. When an attacker uses a legitimate cloud service as the delivery mechanism, authentication becomes a stamp of approval for the transport layer only.
The Verizon 2024 Data Breach Investigations Report found that 36% of all breaches involved phishing, and the attacks that succeed most consistently are the ones that co-opt trusted infrastructure rather than trying to forge it.
The Same-Day Domain That Gave It Away
The subject line read: "Item shared with you: Our Counsel Notifies -> Arrears Identified." Legal urgency. Financial pressure. A single blue "Open" button pointing to a Google Drive file. Classic social engineering wrapped in a pixel-perfect Google notification template.
But the real payload wasn't the Drive link. It was the Reply-To header:
nannestplicag2001@login[.]cloudsecurityaccess[.]com
WHOIS records show cloudsecurityaccess[.]com was registered on March 26, 2026, the same day these emails were sent. The registrar was Hosting Concepts B.V. (Registrar.eu), with WHOIS privacy enabled through Dynadot. The domain used Cloudflare nameservers (clyde.ns.cloudflare[.]com, lina.ns.cloudflare[.]com). DNS lookups for login[.]cloudsecurityaccess[.]com returned no A record, no MX record, and no published DMARC or DKIM selectors. DNSSEC was unsigned.
A domain with no email authentication records, registered hours before the campaign launched, hiding behind privacy services and Cloudflare proxying. This is textbook attacker infrastructure (T1584.001).
Any recipient who replied to the email would send their response directly to the attacker. From there, the conversation could be steered toward wire transfers, credential pages, or document downloads controlled entirely by the threat actor.
The Google Drive File: Clean by Every Scanner
The shared file (Google Drive file ID: 1vJXNRbsMs_CpPUW_KP6jeESF_qzeYmrt) was labeled "Our Counsel Notifies -> Arrears Identified" with a PDF icon. Link scanners rated the drive[.]google[.]com URL as clean, because it is. Google Drive is a legitimate hosting platform. The URL resolves to a real Google endpoint with valid TLS.
This is exactly why cloud-hosted payloads are so effective. According to CISA guidance on phishing, attackers increasingly leverage trusted cloud services to host malicious content because URL reputation systems inherently trust these domains. The scanner sees drive.google.com and returns a clean verdict. It cannot evaluate whether the file behind that link contains a credential harvesting form or a weaponized document.
Where Authentication Ends and Behavioral AI Begins
Across the IRONSCALES platform, Themis flagged this campaign based on signals that sit outside the authentication layer entirely. The Adaptive AI detected a pattern of anomalies: a display name containing non-standard Unicode characters inconsistent with the claimed brand, a Reply-To domain with zero historical sending reputation, a newly registered domain in email headers, and a mass CC distribution to 24 recipients across unrelated organizations. None of those signals require decoding the DKIM signature. They require understanding what normal looks like and recognizing when something deviates from it.
Three affected mailboxes were quarantined within seconds of delivery. The FBI IC3 2024 Internet Crime Report documented over $2.9 billion in BEC and impersonation losses. Every one of those losses started with an email that looked right.
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Domain | cloudsecurityaccess[.]com | Attacker Reply-To domain, registered 2026-03-26 |
| Domain | login[.]cloudsecurityaccess[.]com | Reply-To subdomain, no A/MX/DMARC records |
| Email address | nannestplicag2001@login[.]cloudsecurityaccess[.]com | Attacker Reply-To address |
| URL | hxxps://drive[.]google[.]com/file/d/1vJXNRbsMs_CpPUW_KP6jeESF_qzeYmrt/view | Shared Google Drive file (potentially malicious content) |
| Nameservers | clyde[.]ns[.]cloudflare[.]com, lina[.]ns[.]cloudflare[.]com | Attacker domain DNS infrastructure |
| Registrar | Hosting Concepts B.V. (Registrar.eu) / Dynadot | Domain registration with WHOIS privacy |
MITRE ATT&CK Mapping
| Technique ID | Name | Usage |
|---|---|---|
| T1566.002 | Phishing: Spearphishing Link | Google Drive share link as initial access vector |
| T1036.005 | Masquerading: Match Legitimate Name or Location | Unicode homoglyph characters to impersonate Alston & Bird LLP |
| T1584.001 | Compromise Infrastructure: Domains | Same-day registered cloudsecurityaccess[.]com for Reply-To routing |
What Security Teams Should Take From This
Inspect display names at the character level. Homoglyph detection requires Unicode analysis, not just string comparison. If your email security relies on exact-match brand protection lists, attacks like this will bypass them every time.
Treat Reply-To mismatches as high-confidence signals. When the From domain is google.com but the Reply-To points to a domain registered hours ago with no email authentication records, that gap tells you more than any authentication result.
Don't trust link scanner verdicts on cloud-hosted URLs. A "clean" verdict on drive.google.com means the domain is legitimate, not the content. Cloud-hosted payloads require content-level inspection, not just domain reputation.
Monitor for same-day domain registrations in email headers. Newly registered domains appearing in Reply-To, Return-Path, or body URLs are among the strongest indicators of a phishing campaign in its opening hours. Automated WHOIS age checks on header domains catch what authentication cannot.
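Header-level checks for the Reply-To and domain-age signals listed above, as an added example that is not IRONSCALES code. The message, DNS results and registration date are constructed from the post's description (local parts are invented), and registrable() uses a two-label heuristic in place of the Public Suffix List.

```python
from datetime import date
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed message modelled on the headers the post describes: genuine
# google.com From/Return-Path, attacker Reply-To. Local parts are invented.
RAW_MESSAGE = b"""From: "Alston & Bird LLP" <noreply@google.com>
Return-Path: <bounces@doclist.bounces.google.com>
Reply-To: nannestplicag2001@login.cloudsecurityaccess.com
"""
# Constructed DNS and WHOIS results mirroring what the post reports; in
# production these come from live resolver and RDAP/WHOIS queries.
DNS_RECORDS = {"google.com": {"A", "MX", "DMARC"},
               "cloudsecurityaccess.com": set(),
               "login.cloudsecurityaccess.com": set()}
DOMAIN_CREATED = {"cloudsecurityaccess.com": date(2026, 3, 26)}

def registrable(domain):
    """Last two labels; a real deployment would use the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])

def header_domains(raw):
    """Domain part of the From, Return-Path and Reply-To addresses."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    domains = {}
    for header in ("From", "Return-Path", "Reply-To"):
        _, addr = parseaddr(str(msg.get(header, "")))
        domains[header] = addr.rpartition("@")[2].lower()
    return domains

def assess(raw, dns_records, domain_created, today):
    """Collect the Reply-To signals that SPF/DKIM/DMARC results never express."""
    d = header_domains(raw)
    signals, reply_to = [], d["Reply-To"]
    if not reply_to:
        return {"domains": d, "signals": signals, "high_risk": False}
    apex = registrable(reply_to)
    if apex != registrable(d["From"]):
        signals.append("reply_to_domain_mismatch")
    if not dns_records.get(reply_to, set()) & {"A", "AAAA", "MX"}:
        signals.append("reply_to_domain_unresolvable")
    if "DMARC" not in dns_records.get(apex, set()):
        signals.append("reply_to_domain_no_dmarc")
    created = domain_created.get(apex)
    if created is not None and (today - created).days < 30:
        signals.append("reply_to_domain_newly_registered")
    # a bare mismatch is common; mismatch plus an infrastructure flag is not
    high_risk = "reply_to_domain_mismatch" in signals and len(signals) > 1
    return {"domains": d, "signals": signals, "high_risk": high_risk}
```

Run against the constructed message on the registration day, every Reply-To signal fires while the From domain still resolves to google.com, which is exactly the gap authentication results leave open.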