Cloning the Defender: How Attackers Weaponized IRONSCALES Branding Against a Security Company's Own Inbox

TL;DR Attackers compromised the Amazon SES credentials of a long-established Brazilian professional association domain and used that domain as an authenticated sending platform. They cloned IRONSCALES visual branding with a Canva footer template and pointed the call-to-action link at benbrako[.]com, an attacker-controlled domain. The email passed SPF, DKIM, and DMARC in full because the sending path was one the domain owner had genuinely authorized. The campaign hit three IRONSCALES mailboxes at once, including a high-value target, and was automatically resolved as phishing at 90% Themis confidence. This is the irony of brand impersonation at scale: security vendors are targeted precisely because their branding carries authority with security-aware recipients.
Severity: High | Tags: Brand Impersonation, Credential Theft | MITRE ATT&CK: T1566.002

There is a particular audacity to a campaign that impersonates a security company to phish that security company's own employees. This one pulled it off with clean authentication, professional design, and a sending domain that had been operating legitimately for over a decade.

The lure arrived with the subject "Shared Agreement File Ready for Review and Updates." The visual design cloned IRONSCALES branding: logo, colors, and a footer template built in Canva. The call-to-action button linked to benbrako[.]com/P. Three IRONSCALES mailboxes received the message simultaneously; one belonged to a high-value target. Themis scored it at 90% malice confidence and the platform automatically resolved it as phishing. The SOC confirmed the verdict.

None of that detection would have happened without behavioral AI modeling the sending relationship, because every authentication header in this email was legitimate.

The Infrastructure: A Decade-Old Domain Used as a Phishing Relay

The sending domain was a long-established Brazilian professional association domain, registered in 2010 and consistently maintained, with a legitimate history in its industry. By every automated trust signal, this was not a suspicious sender. The registrar was reputable. The domain age was real. There was no known malicious history.

Attackers compromised this domain's Amazon SES credentials and used the SES relay to send phishing at scale. Because the domain owner had legitimately onboarded the domain to SES, every authentication check passed: SPF passed, since the SES sending IPs were authorized for the envelope sender in use; DKIM verified, since SES signed the message with the key the owner had published in DNS for the domain; and the From address matched the DKIM-signing domain, so DMARC passed in full. The receiving mail server saw a Brazilian professional domain registered in 2010 sending through a major cloud email service. The spam confidence level (SCL) was 5, a suspect score but not a hard block.
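To make the authentication outcome concrete, the following added example (not IRONSCALES code) reproduces the receiver-side DMARC decision from a message's own Authentication-Results header: DMARC passes when SPF or DKIM passes and the domain that passed aligns with the From domain. Two constructed messages are included. The first uses the default SES envelope sender (an amazonses.com bounce address), so SPF passes but does not align and DMARC passes on DKIM alone; the second assumes the owner also configured a custom MAIL FROM subdomain, so SPF aligns as well. The domain example.com.br, the selector, the bounce addresses and the authserv-id are placeholders, and the public-suffix table is a deliberately tiny subset.

```python
"""Receiver-side DMARC alignment check (RFC 7489) over constructed headers.

Added example, not IRONSCALES code. Shows why a message relayed through a
compromised Amazon SES identity passes DMARC: the path was authorized by the
domain owner, and DMARC only asks whether the passing SPF/DKIM domain aligns
with the From domain.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumption: a tiny stand-in for the Public Suffix List, enough to make
# org_domain("bounce.example.com.br") == "example.com.br".
TWO_LABEL_SUFFIXES = {"com.br", "org.br", "co.uk", "co.jp"}


def org_domain(domain: str) -> str:
    """Organizational domain used for relaxed alignment."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') the same org domain."""
    if not auth_domain or not from_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(value: str) -> dict:
    """Parse Authentication-Results into {method: (result, {prop: value})}.
    The leading authserv-id and parenthesised comments are ignored."""
    results = {}
    for clause in value.split(";"):
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, _, result = tokens[0].partition("=")
        props = {}
        for tok in tokens[1:]:
            if "=" in tok and not tok.startswith("("):
                key, _, val = tok.partition("=")
                props[key] = val
        results[method.lower()] = (result.lower(), props)
    return results


def evaluate_dmarc(raw_message: str, spf_mode: str = "r", dkim_mode: str = "r") -> dict:
    """Return the verdict a DMARC-checking receiver would reach for this message."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    ar = parse_auth_results(msg.get("Authentication-Results", ""))
    spf_result, spf_props = ar.get("spf", ("none", {}))
    dkim_result, dkim_props = ar.get("dkim", ("none", {}))
    # smtp.mailfrom may be a bare domain or a full address; keep the domain part.
    spf_domain = spf_props.get("smtp.mailfrom", "").rpartition("@")[2].lower()
    dkim_domain = dkim_props.get("header.d", "").lower()
    spf_aligned = spf_result == "pass" and aligned(spf_domain, from_domain, spf_mode)
    dkim_aligned = dkim_result == "pass" and aligned(dkim_domain, from_domain, dkim_mode)
    return {
        "from_domain": from_domain,
        "spf_domain": spf_domain,
        "dkim_domain": dkim_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,
    }


# Constructed message 1: default SES envelope sender. SPF passes for
# amazonses.com but cannot align; DKIM is signed with the owner's published
# key, so DMARC passes on DKIM alone.
SES_DEFAULT_MAILFROM = """\
Return-Path: <0100018000000000-placeholder@amazonses.com>
Authentication-Results: mx.ironscales.test; spf=pass smtp.mailfrom=amazonses.com;
 dkim=pass (signature verified) header.d=example.com.br header.s=sesselector;
 dmarc=pass action=none header.from=example.com.br
From: "IRONSCALES" <noreply@example.com.br>
To: target@ironscales.test
Subject: Shared Agreement File Ready for Review and Updates

Your shared agreement file is ready for review.
"""

# Constructed message 2: the owner also set a custom MAIL FROM subdomain, so
# SPF aligns under relaxed mode (not strict) in addition to DKIM.
SES_CUSTOM_MAILFROM = SES_DEFAULT_MAILFROM.replace(
    "placeholder@amazonses.com", "placeholder@bounce.example.com.br"
).replace("smtp.mailfrom=amazonses.com", "smtp.mailfrom=bounce.example.com.br")

if __name__ == "__main__":
    for label, raw in (("default MAIL FROM", SES_DEFAULT_MAILFROM),
                       ("custom MAIL FROM", SES_CUSTOM_MAILFROM)):
        print(label, evaluate_dmarc(raw))
```

The point the output makes is the one the article makes: in both variants `dmarc_pass` is true, and nothing in the verdict distinguishes the domain owner's own mail from mail sent with the owner's stolen SES credentials. DMARC answers "was this path authorized for this domain," not "was this message sent by the person who authorized it."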

This is the compromised-legitimate-sender problem in its clearest form. The domain owner is a victim. Their credentials were stolen, their sending reputation was used as cover, and they have no visibility into the campaign running under their name. Attributing attacks to the apparent sending domain would defame an innocent organization.

IRONSCALES Branding as the Lure: Why Security Vendor Impersonation Works

The email body replicated IRONSCALES visual identity with enough fidelity to pass casual inspection. The Canva footer template is a known attacker resource: professional-looking branded footers that match the color scheme, logo placement, and unsubscribe formatting of legitimate transactional email. The subject line referenced a shared agreement file, a document-sharing lure that fits naturally with the kind of vendor communication that IRONSCALES would plausibly send.

Security vendor impersonation is effective specifically because of the trust relationship it exploits. Recipients at organizations that use, evaluate, or are familiar with a security platform have a pre-existing mental model: this company handles our email security, their communications should be safe to engage with. That mental model becomes the attack surface.

The CTA linked to benbrako[.]com/P. WHOIS shows benbrako[.]com was created in June 2014 and last updated in May 2026; a registrar-record update that recent suggests the domain was transferred, renewed, or repointed at new nameservers shortly before the campaign. The single-character /P path is typical of a redirector or a minimal landing page. The domain has no public association with any legitimate business.


Three Signals That Overrode Perfect Authentication

Authentication passing is a floor, not a ceiling. Themis, evaluating this email, had three independent signals that pointed to malice regardless of the SPF/DKIM/DMARC result:

No prior sending relationship. The sending domain had never previously sent to the targeted IRONSCALES mailboxes. A document-sharing notification arriving cold, from a domain with zero prior communication history, is anomalous. Behavioral modeling surfaces this as a high-suspicion signal even when the authentication is clean.

CTA destination mismatch. The email claimed to be from an IRONSCALES context but linked to a domain (benbrako[.]com) with no relationship to IRONSCALES infrastructure. A human reviewing the email would need to hover over the button to catch this. Automated link-destination analysis flags it immediately.

Simultaneous multi-mailbox delivery. The campaign hit three mailboxes in the same organization at the same time. Single-target lures are spearphishing. Simultaneous multi-target delivery at volume is a campaign spray pattern. The combination of a new external sender, a document-sharing pretext, and simultaneous delivery is a behavioral signature of a phishing campaign rather than of a genuine vendor notification.

What Defenders Can Do with Compromised-Sender Attacks

The compromised-legitimate-sender problem is one of the hardest in email defense precisely because the sender is not lying about who they are. Their domain authentication is correct because they are that domain. The attack lives entirely in the relationship context and the link destination. For defenders, this is the scenario where credential harvesting protection that evaluates link destinations independently of sender reputation becomes essential.

Phishing protection that relies on sender reputation alone has no mechanism to catch this. Reputation-based systems rate the sending domain; a decade-old professional association domain with no prior malicious history rates clean. The detection has to come from somewhere else.

Effective detection at this layer requires three things working in combination. First, a mailbox model that knows which external domains have a prior sending relationship with each recipient. Second, evaluation of where the CTA actually resolves at delivery time, rather than trust inferred from the link domain's age or registration history. Third, campaign-pattern detection that treats simultaneous multi-target delivery from a cold sender as an elevated-risk signal.
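The three signals listed above, and the same three described under "Three Signals That Overrode Perfect Authentication," can be expressed as plain heuristics over per-message metadata. The following added example is not IRONSCALES code and is not how Themis scores mail; it is a rule-style approximation that shows what each signal needs as input. Everything in it is constructed: the mailboxes at ironscales.test, the sender-history table, the placeholder sending domain association.example.com.br, the timestamps, and the assumed brand-to-domain map (IRONSCALES to ironscales.com). The link target benbrako.com is the one named in the article.

```python
"""Three behavioural phishing signals that survive a clean SPF/DKIM/DMARC result.

Added example, not IRONSCALES code. Signals: (1) cold sender, no prior sending
relationship with the mailbox; (2) brand named in the message but CTA links
leave that brand's domains; (3) same sender/subject reaching several
mailboxes inside a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from html.parser import HTMLParser
from urllib.parse import urlsplit

SUBJECT = "Shared Agreement File Ready for Review and Updates"
LURE_HTML = ('<p>IRONSCALES has shared an agreement file with you.</p>'
             '<a href="https://benbrako.com/P">Review document</a>')

# Constructed: external domains that have previously sent to each mailbox.
SENDER_HISTORY = {
    "alice@ironscales.test": {"vendor-a.example", "partner.example"},
    "bob@ironscales.test": {"partner.example"},
    "carol@ironscales.test": set(),
}
# Assumption: brand name -> domains that brand's links are expected to use.
BRAND_DOMAINS = {"ironscales": {"ironscales.com"}}

# Constructed batch: three copies of the lure seconds apart, plus a benign
# invoice from a known partner with a link on the partner's own domain.
INBOUND = [
    {"id": "m1", "to": "alice@ironscales.test", "from_domain": "association.example.com.br",
     "subject": SUBJECT, "received": "2026-05-12T09:14:02", "html": LURE_HTML},
    {"id": "m2", "to": "bob@ironscales.test", "from_domain": "association.example.com.br",
     "subject": SUBJECT, "received": "2026-05-12T09:14:03", "html": LURE_HTML},
    {"id": "m3", "to": "carol@ironscales.test", "from_domain": "association.example.com.br",
     "subject": SUBJECT, "received": "2026-05-12T09:14:05", "html": LURE_HTML},
    {"id": "m4", "to": "alice@ironscales.test", "from_domain": "partner.example",
     "subject": "April invoice", "received": "2026-05-12T09:20:00",
     "html": '<p>Invoice attached.</p><a href="https://portal.partner.example/inv/1">View</a>'},
]


class _LinkHosts(HTMLParser):
    """Collect the host of every <a href> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value:
                host = urlsplit(value).hostname
                if host:
                    self.hosts.append(host.lower())


def link_hosts(html: str) -> list:
    parser = _LinkHosts()
    parser.feed(html)
    return parser.hosts


def host_in(host: str, domains: set) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def cold_sender(mailbox: str, from_domain: str, history: dict) -> bool:
    """Signal 1: this external domain has never sent to this mailbox."""
    return from_domain not in history.get(mailbox, set())


def brand_link_mismatch(text: str, hosts: list, brand_domains: dict) -> list:
    """Signal 2: a brand is named, yet a CTA host is outside that brand's domains.
    Returns the offending hosts; empty when nothing mismatches."""
    low = text.lower()
    return [h for brand, domains in brand_domains.items() if brand in low
            for h in hosts if not host_in(h, domains)]


def spray_groups(messages: list, window=timedelta(minutes=5), min_recipients=3) -> dict:
    """Signal 3: same (sender domain, subject) reaching >= min_recipients distinct
    mailboxes inside one window. Returns {(from_domain, subject): [recipients]}."""
    groups = defaultdict(list)
    for m in messages:
        groups[(m["from_domain"], m["subject"])].append(m)
    flagged = {}
    for key, msgs in groups.items():
        times = sorted(datetime.fromisoformat(m["received"]) for m in msgs)
        recipients = sorted({m["to"] for m in msgs})
        if len(recipients) >= min_recipients and times[-1] - times[0] <= window:
            flagged[key] = recipients
    return flagged


def analyze(messages: list, history: dict, brand_domains: dict) -> dict:
    """Return {message id: [signal names]} for every message in the batch."""
    sprays = spray_groups(messages)
    verdicts = {}
    for m in messages:
        signals = []
        if cold_sender(m["to"], m["from_domain"], history):
            signals.append("cold_sender")
        if brand_link_mismatch(m["subject"] + " " + m["html"], link_hosts(m["html"]), brand_domains):
            signals.append("brand_link_mismatch")
        if (m["from_domain"], m["subject"]) in sprays:
            signals.append("campaign_spray")
        verdicts[m["id"]] = signals
    return verdicts


if __name__ == "__main__":
    for msg_id, signals in analyze(INBOUND, SENDER_HISTORY, BRAND_DOMAINS).items():
        print(msg_id, signals or "clean")
```

Run as is, the three lure copies each collect all three signals and the partner invoice collects none, without either sender's authentication result ever being consulted. In production the history table is learned per mailbox over time rather than hard-coded, the brand map covers the organization's own vendors, and the spray check runs across the whole tenant, not one batch; the shape of the inputs is the point.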

The IRONSCALES platform operates across all three. Themis combines behavioral modeling, link analysis, and multi-mailbox correlation in a single pass. The automatic quarantine of this campaign before any recipient clicked is the outcome of all three signals converging at 90% confidence.

MITRE ATT&CK T1566.002 covers spearphishing via link. This case adds a layer that the technique page cannot fully capture: the use of a legitimately-authenticated compromised sender as the delivery vehicle, removing the authentication detection layer entirely from the defender's toolkit. What remains is behavioral analysis, link destination verification, and pattern recognition at the campaign level.

According to the Verizon DBIR 2026, 62% of breaches involve the human element. When the lure is visually credible, sent from an authenticated domain, and references a plausible context, the human element is under maximum stress. Detection cannot rely on the human catching it.

---

IOCs: benbrako[.]com Brand-Impersonation Campaign Indicators

Type            | Indicator                 | Context
Domain          | benbrako[.]com            | Attacker credential-harvest CTA domain
URL             | hxxps://benbrako[.]com/P  | Phishing page behind IRONSCALES brand lure
Sending service | Amazon SES                | Used via compromised credentials on a legitimate domain

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
