
The Invoice That Originated from the Wrong Continent

Written by Audian Paxson | Jun 16, 2026 11:00:00 AM
TL;DR A same-day payment request arrived from a legitimate construction consulting domain via hosted Exchange infrastructure. SPF passed and DMARC returned bestguesspass. The email body constructed a fabricated three-party thread in which a colleague named in the thread directed the payment to the recipient. The attached PDF invoice included full bank routing and account numbers at a major US financial institution. The single anomaly that distinguished this from a real invoice was the x-originating-ip header: the message was submitted from an IP address geolocated to Seoul, South Korea, with no PTR record, inconsistent with an Albuquerque-based construction firm. Themis flagged the message at 62% confidence with a VIP Recipient label.
Severity: High | Tags: Invoice Fraud, BEC, Payment Diversion | MITRE: T1566.001 Phishing: Spearphishing Attachment; T1534 Internal Spearphishing; T1036.005 Masquerading: Match Legitimate Name or Location

Everything about this invoice looked right except for one header that most recipients never see.

A message from a construction consulting firm's domain arrived at a forensic engineering consultancy with the subject line referencing a settlement update for a specific invoice number. SPF passed. DMARC returned bestguesspass. The sender's name matched a real employee at the claimed company, confirmed by public LinkedIn and corporate directory records. The domain had been registered since 2019 and used Cloudflare nameservers with Microsoft-hosted Exchange infrastructure.

A Fabricated Thread with Real Names

The email body constructed a three-message reply chain. A managing director at the target organization had supposedly instructed a colleague to route the payment to a specific accounts payable contact. That colleague then forwarded the thread to the actual recipient with a request to "complete the payment by today's close of business." The exchange included proper business formatting, a W-9 reference, and the kind of procedural language ("please refer to the email thread below for complete context") that makes invoice fraud requests blend into normal financial workflows.

The attached PDF contained a full invoice with line items, a payment amount, and banking details at a major US financial institution, including a routing number and account number. The PDF passed static analysis as clean.

The IP That Didn't Match the Geography

The only signal that broke the pattern was buried in the headers. The x-originating-ip field recorded 45[.]67[.]97[.]6, which geolocated to Seoul, South Korea, with no PTR record. The sending domain belonged to an Albuquerque-based firm. A legitimate employee submitting email through their corporate Exchange server would originate from a US IP address with proper reverse DNS, not an anonymous Korean IP.

This header is not visible in any standard mail client. It requires header inspection to find. SPF, DKIM, and DMARC cannot surface this anomaly because they validate the sending server, not the client behind it. The message scored SCL=1, low enough to land in the inbox by default. Themis flagged the behavioral pattern, identifying a first-time sender with a same-day payment demand targeting a VIP recipient, and triggered inline mitigation before the recipient could act.
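The header check described above, written out as a small detection routine. This is an added example, not IRONSCALES or Themis code: it parses a constructed message whose headers mirror this post's IoC table (the x-originating-ip, sending server, authentication results and SCL values; the From, To, Subject and body lines are constructed), and it replaces the GeoIP and reverse-DNS lookups with small in-script tables so it runs offline. The names assess, parse_auth_results, originating_ip and the GEOIP_COUNTRY and PTR_RECORDS fixtures are this example's own; a real deployment would query a GeoIP database and the resolver instead.

```python
"""Header-consistency check for invoice-style mail (added example, offline)."""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional

# Constructed raw message. Header values come from the post's IoC table;
# the From/To/Subject/body lines are constructed, not a capture of the real email.
RAW_MESSAGE = b"""\
Received: from out.exch092.serverdata.net (64.78.27.158) by mx.example.net with ESMTPS
X-Originating-IP: [45.67.97.6]
Authentication-Results: spf=pass (sender IP is 64.78.27.158) smtp.mailfrom=adacen.com;
 dkim=none (message not signed) header.d=none;
 dmarc=bestguesspass action=none header.from=adacen.com;
 compauth=pass reason=109
X-MS-Exchange-Organization-SCL: 1
From: Accounts Payable <ap@adacen.com>
To: finance@example.net
Subject: Settlement update - invoice 33119277
Content-Type: text/plain

Please complete the payment by today's close of business.
Please refer to the email thread below for complete context.
"""

# Constructed stand-ins for a GeoIP database and the DNS resolver (assumed values).
GEOIP_COUNTRY = {"45.67.97.6": "KR", "64.78.27.158": "US"}
PTR_RECORDS = {"64.78.27.158": "out.exch092.serverdata.net"}  # absent key => no PTR

URGENCY = re.compile(r"\b(today|close of business|cob|end of day|eod)\b", re.I)


def originating_ip(msg: EmailMessage) -> Optional[str]:
    """Return the client IP that submitted the message, or None if the header is absent."""
    value = msg.get("X-Originating-IP")
    if not value:
        return None
    return str(value).strip().strip("[]")  # Exchange writes the address in brackets


def parse_auth_results(value: str) -> Dict[str, str]:
    """Pull method=result pairs (spf, dkim, dmarc, compauth) out of Authentication-Results."""
    pairs = re.findall(r"\b(spf|dkim|dmarc|compauth)=(\w+)", str(value), re.I)
    return {method.lower(): result.lower() for method, result in pairs}


def assess(raw: bytes, expected_country: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing looked off."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []

    # 1. Submitting client geography vs. where the sender's organisation is based.
    ip = originating_ip(msg)
    if ip:
        country = GEOIP_COUNTRY.get(ip, "??")
        if country != expected_country:
            findings.append(
                f"x-originating-ip {ip} geolocates to {country}, sender expected in {expected_country}"
            )
        if ip not in PTR_RECORDS:
            findings.append(f"x-originating-ip {ip} has no PTR record")

    # 2. Authentication results: SPF/DMARC can pass while the submitting client is anomalous.
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    if auth.get("dkim") == "none":
        findings.append("DKIM: message not signed")
    if auth.get("dmarc") == "bestguesspass":
        findings.append("DMARC: bestguesspass (no published policy; result is inferred)")

    # 3. Spam confidence level: 1 means default filtering delivers to the inbox.
    scl = msg.get("X-MS-Exchange-Organization-SCL")
    if scl is not None and int(str(scl)) <= 1:
        findings.append(f"SCL={scl}: default filtering delivers to inbox")

    # 4. Same-day payment pressure in the body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if URGENCY.search(text):
        findings.append("body demands same-day payment")

    return findings


if __name__ == "__main__":
    for finding in assess(RAW_MESSAGE, expected_country="US"):
        print("-", finding)
```

Run stand-alone it prints six findings for the constructed message; with the expected country set to KR the geolocation mismatch disappears and the remaining five still fire, which is the point: the IP check is only one signal, and the DKIM, DMARC and urgency observations stand on their own.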


Indicators of Compromise

| Type | Indicator | Context |
| --- | --- | --- |
| Sending Domain | adacen[.]com | Registered 2019-11-09, GoDaddy, Cloudflare NS |
| x-originating-ip | 45[.]67[.]97[.]6 | Seoul, South Korea; no PTR record |
| Sending Server | out[.]exch092[.]serverdata[.]net (64[.]78[.]27[.]158) | Hosted Exchange, US-based |
| Auth Results | SPF: pass, DKIM: none, DMARC: bestguesspass | compauth=pass reason=109 |
| SCL | 1 | Low confidence, inbox delivery by default |
| Attachment | Inv_33119277.pdf | 400KB, bank routing/account numbers |
| Payment Target | Wells Fargo routing 121000248, account 5479471608 | Attacker-controlled payment destination |

MITRE ATT&CK Mapping

| Technique | ID | Relevance |
| --- | --- | --- |
| Phishing: Spearphishing Attachment | T1566.001 | PDF invoice with banking details |
| Internal Spearphishing | T1534 | Fabricated internal thread to establish context |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Real employee names used in fabricated thread |

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.

Related attacks

| Attack | What happened |
| --- | --- |
| The Reply-To Was One Letter Off: How a Typosquat Domain Turned a Gmail BEC Into a Payment Diversion | A Gmail-authenticated BEC used a typosquat Reply-To domain and a hidden HTML mailto mismatch to impersonate a steel distributor's credit manager. |
| The $47,320 Invoice That Came With a W-9 and a Personal Bank Account | A payment diversion attack bundled a $47,320 invoice with ACH/wire remittance instructions pointing to a personal bank account. |
| The W-9 Was Real, the Company Was Fiction, and the Bank Account Was Waiting | A two-week-old domain sent a $15,247.75 invoice with a completed W-9, full bank routing details, and AP coding. |
| The LinkedIn Invoice That Passed Every Email Check | A recently registered LinkedIn lookalike domain passed SPF, DKIM, and DMARC, then sent a one-line invoice probe to an accounts payable mailbox. |
| Three Domains, One Invoice: The Payment Diversion That Authenticated Itself Through the Wrong Organization | A past due invoice email passed SPF, DKIM, and DMARC while impersonating a contact at a clinical research firm. |