The Invoice That Originated from the Wrong Continent

Everything about this invoice looked right except for one header that most recipients never see.

A message from a construction consulting firm's domain arrived at a forensic engineering consultancy with the subject line referencing a settlement update for a specific invoice number. SPF passed. DMARC returned bestguesspass. The sender's name matched a real employee at the claimed company, confirmed by public LinkedIn and corporate directory records. The domain had been registered since 2019 and used Cloudflare nameservers with Microsoft-hosted Exchange infrastructure.

A Fabricated Thread with Real Names

The email body constructed a three-message reply chain. A managing director at the target organization had supposedly instructed a colleague to route the payment to a specific accounts payable contact. That colleague then forwarded the thread to the actual recipient with a request to "complete the payment by today's close of business." The exchange included proper business formatting, a W-9 reference, and the kind of procedural language ("please refer to the email thread below for complete context") that makes invoice fraud requests blend into normal financial workflows.

The attached PDF contained a full invoice with line items, a payment amount, and banking details at a major US financial institution, including a routing number and account number. The PDF passed static analysis as clean.

The IP That Didn't Match the Geography

The only signal that broke the pattern was buried in the headers. The x-originating-ip field recorded 45[.]67[.]97[.]6, which geolocated to Seoul, South Korea, with no PTR record. The sending domain belonged to an Albuquerque-based firm. A legitimate employee submitting email through their corporate Exchange server would originate from a US IP address with proper reverse DNS, not an anonymous Korean IP.

This header is not visible in any standard mail client. It requires header inspection to find. SPF, DKIM, and DMARC cannot surface this anomaly because they validate the sending server, not the client behind it. The message scored SCL=1, low enough to land in the inbox by default. Themis flagged the behavioral pattern, identifying a first-time sender with a same-day payment demand targeting a VIP recipient, and triggered inline mitigation before the recipient could act.

See Your Risk: Calculate how many threats your SEG is missing

Indicators of Compromise

MITRE ATT&CK Mapping