# HPI Brand Impersonation Uses Authenticated-but-Unrelated Amazon SES Sender and Three-Hop Redirect Chain

Summary: sent from info[@]globalacademy[.]live via Amazon SES with SPF, DKIM, and DMARC all passing for that domain. The primary CTA button routed through mandrillapp[.]com/track/click, then link[.]edgepilot[.]com, to an attacker-controlled harvest page at secure[.]mimercadeo[.]com[.]mx. Visible links in the body pointed to legitimate HPI URLs, masking the redirect destination. The lure referenced a document titled 'Confidential_Agreement_2026.pdf' shown in the message body. Targeted at a property-management firm.
A phishing campaign targeting a property-management firm impersonated HPI, the UK's vehicle-history-check service, using a professionally crafted "document pending review" lure. The sender domain had nothing to do with HPI, but it was fully authenticated through Amazon SES, clearing every gateway authentication check. The credential-harvesting destination was concealed behind a two-hop redirect chain that began with a Mandrill tracking URL and terminated at an off-brand landing page in Mexico.
What the Attack Looked Like
The From address was info[@]globalacademy[.]live, an unrelated domain with no visible connection to HPI. Amazon SES served as the delivery infrastructure: SPF, DKIM, and DMARC all passed for globalacademy[.]live. The message arrived through Office 365 mail protection frontends with composite authentication passing.
The email body was designed to appear as an HPI notification. It displayed the document name "Confidential_Agreement_2026.pdf" with a status of "PENDING REVIEW" and an issue date of 24 February 2026. The footer carried accurate HPI company registration details (Registered in England and Wales, No. 4068979) and legitimate HPI social media handles, all pointing to real HPI web properties. A fallback link visible in the HTML pointed to my[.]hpi[.]co[.]uk, a genuine HPI account URL.
The deception was in the CTA button. The "REVIEW DOCUMENT" button was a Mandrill tracking URL encoding a redirect through link[.]edgepilot[.]com to the final destination: secure[.]mimercadeo[.]com[.]mx. The displayed URL and the click destination were completely different. The message body directed the eye to legitimate HPI domains while the active click path led elsewhere.
Why It Bypassed Defenses
Three factors combined to evade standard gateway controls.
First, authentication was clean. SPF, DKIM, and DMARC passing for the sending domain means no authentication-based block or quarantine signal was generated. The domain globalacademy[.]live is a real, registered domain sending through legitimate infrastructure. Authentication success for that domain is genuine; it simply doesn't validate any claim about HPI. This is the core limitation of authentication-based filtering: it verifies origin, not impersonation.
Second, the redirect chain laundered the destination URL's reputation. The first hop was a Mandrill track/click URL, a well-known email marketing domain with a clean reputation. The second hop was link[.]edgepilot[.]com, another link-management service with an established reputation. URL-reputation scanners that evaluate only the first hop, or that do not follow the full redirect chain to resolution, would score this as clean. The malicious landing page at secure[.]mimercadeo[.]com[.]mx was not exposed until the user clicked through both intermediaries.
Third, the body content was high-fidelity impersonation. Correct company registration numbers, real logos, real social links, and a plausible document-pending-review workflow are exactly the elements that increase click-through and suppress user suspicion.
How It Was Caught
The IRONSCALES platform flagged the mismatch between the displayed link targets (legitimate HPI domains) and the actual click destination encoded in the Mandrill tracking URL. Behavioral analysis identified the sender domain as unrelated to the impersonated brand. Full redirect-chain resolution exposed secure[.]mimercadeo[.]com[.]mx as the terminal destination, which matched patterns associated with tracked redirect abuse campaigns.
The combination of authenticated-but-unrelated sender, multi-hop redirect chain, and brand-display/click-destination mismatch produced a high-confidence credential harvesting classification despite the passing authentication results.
Defender Takeaway
This attack illustrates a core truth about authentication-based defenses: a DMARC pass is not a trust signal for brand identity. It only confirms that the sending domain authorized the message.
Deploy full redirect-chain resolution at the gateway, not just first-hop URL checking. Mandrill and EdgePilot are legitimate services that appear frequently in redirect abuse; their presence in a click path should trigger deeper inspection, not clearance.
Train detection models to flag brand-display/click-destination mismatches. When a message renders one set of legitimate URLs visually while embedding different URLs in CTA buttons, that structural pattern is a strong indicator regardless of authentication status.
Monitor Amazon SES for abuse-originating traffic. SES provides legitimate bulk-mail infrastructure, but attackers use it specifically because it produces clean authentication results. High-fidelity impersonation emails from SES warrant domain-identity checks, not just authentication checks.
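The two gateway checks recommended above, full redirect-chain resolution and a sender-versus-brand identity check, as an added example that is not IRONSCALES code. The HTML body and the REDIRECTS map are constructed to mirror the chain described in this writeup (the map stands in for following live HTTP redirects); the path segments marked EXAMPLE are placeholders, not the real tracking tokens.

```python
import re
from urllib.parse import urlparse

BRAND_DOMAINS = {"hpi.co.uk"}          # brand the message visually claims to be from
SENDER_DOMAIN = "globalacademy.live"   # domain that actually passed SPF/DKIM/DMARC

# Constructed stand-in for following HTTP 3xx responses (added example, not IRONSCALES
# code); a gateway would fetch each hop in a sandbox and stop at the first non-redirect.
REDIRECTS = {
    "https://mandrillapp.com/track/click/EXAMPLE": "https://link.edgepilot.com/s/EXAMPLE",
    "https://link.edgepilot.com/s/EXAMPLE": "https://secure.mimercadeo.com.mx/login",
}
# Constructed body: visible links point at HPI, the CTA button enters the redirect chain.
BODY = """<p>Confidential_Agreement_2026.pdf is PENDING REVIEW.</p>
<a href="https://mandrillapp.com/track/click/EXAMPLE">REVIEW DOCUMENT</a>
<a href="https://my.hpi.co.uk/">https://my.hpi.co.uk/</a>"""

# Simplified anchor extractor; a production gateway would use a real HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.S | re.I)

def base_domain(host):
    """Crude registrable-domain guess; keeps a third label for co.uk / com.mx style suffixes."""
    parts = host.lower().split(".")
    keep = 3 if len(parts) > 2 and parts[-2] in ("co", "com", "org") and len(parts[-1]) == 2 else 2
    return ".".join(parts[-keep:])

def resolve_chain(url, redirects, max_hops=10):
    """Follow the redirect map until it stops or max_hops is hit; returns every URL seen."""
    chain = [url]
    while chain[-1] in redirects and len(chain) <= max_hops:
        chain.append(redirects[chain[-1]])
    return chain

def assess(body, sender_domain, brand_domains, redirects):
    """Return one finding per signal; an empty list means nothing looked off."""
    findings = []
    if base_domain(sender_domain) not in brand_domains:
        findings.append(f"authenticated sender {sender_domain} is unrelated to {sorted(brand_domains)}")
    for href, text in ANCHOR_RE.findall(body):
        chain = resolve_chain(href, redirects)
        final = base_domain(urlparse(chain[-1]).hostname or "")
        if final not in brand_domains:
            findings.append(f"'{text.strip()}' resolves via {len(chain) - 1} hop(s) to {final}")
    return findings

if __name__ == "__main__":
    for line in assess(BODY, SENDER_DOMAIN, BRAND_DOMAINS, REDIRECTS):
        print("FINDING:", line)
```

The sample yields two findings: the DMARC-passing sender is not an HPI domain, and the REVIEW DOCUMENT button resolves through two intermediaries to mimercadeo.com.mx, while the visible my[.]hpi[.]co[.]uk link produces none.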
Indicators of Compromise
| Type | Indicator | Notes |
|---|---|---|
| Sender domain | globalacademy[.]live | Authenticated via Amazon SES; unrelated to HPI; used as phishing origin |
| Sending IP | 54[.]240[.]3[.]23 | Amazon SES eu-west-1 outbound; SPF pass for globalacademy[.]live |
| Redirect hop 1 | mandrillapp[.]com/track/click/... | Mandrill tracking URL encoding redirect to EdgePilot |
| Redirect hop 2 | link[.]edgepilot[.]com/s/73d1da72/... | EdgePilot intermediary; redirects to harvest page |
| Harvest page | secure[.]mimercadeo[.]com[.]mx | Terminal attacker-controlled landing page |
| Lure document | Confidential_Agreement_2026.pdf | Document name displayed in message body as social-engineering lure |
| Impersonated brand | HPI (UK vehicle-history-check service) | Correct company registration details used in footer |
| Authentication | SPF=pass, DKIM=pass, DMARC=pass | Valid only for globalacademy[.]live, not for HPI |
| MITRE | T1566 | Phishing |
| MITRE | T1598 | Phishing for Information |