There is a particular audacity to a campaign that impersonates a security company to phish that security company's own employees. This one pulled it off with clean authentication, professional design, and a sending domain that had been operating legitimately for over a decade.
The lure arrived as "Shared Agreement File Ready for Review and Updates." The visual design cloned IRONSCALES branding: logos, colors, and a footer template built in Canva. The call-to-action button linked to benbrako[.]com/P. Three mailboxes at an IRONSCALES address received the message simultaneously. One was a high-value target. Themis scored it at 90% malice confidence and the platform automatically resolved it as phishing. The SOC confirmed the verdict.
None of that would have happened without behavioral AI watching the sending relationship. Every authentication header in this email was legitimate.
The sending domain was a long-established Brazilian professional association domain, registered in 2010 and consistently maintained, with a legitimate history in its industry. By every automated trust signal, this was not a suspicious sender. The registrar was reputable. The domain age was real. There was no known malicious history.
Attackers compromised this domain's Amazon SES credentials and used the SES relay to send phishing at scale. Sending through Amazon SES gave the message full SPF alignment (the amazonses.com sending IP was within the domain's SPF record), a valid DKIM signature from the SES key registered to the domain, and a From address that matched the sending domain, so DMARC passed in full. The receiving mail server saw a 15-year-old Brazilian professional domain sending through a legitimate major cloud email service. The spam confidence level was 5, not a hard block.
This is the compromised-legitimate-sender problem in its clearest form. The domain owner is a victim. Their credentials were stolen, their sending reputation was used as cover, and they have no visibility into the campaign running under their name. Attributing attacks to the apparent sending domain would defame an innocent organization.
The email body replicated IRONSCALES visual identity with enough fidelity to pass casual inspection. The Canva footer template is a known attacker resource: professional-looking branded footers that match the color scheme, logo placement, and unsubscribe formatting of legitimate transactional email. The subject line referenced a shared agreement file, a document-sharing lure that fits naturally with the kind of vendor communication that IRONSCALES would plausibly send.
Security vendor impersonation is effective specifically because of the trust relationship it exploits. Recipients at organizations that use, evaluate, or are familiar with a security platform have a pre-existing mental model: this company handles our email security, their communications should be safe to engage with. That mental model becomes the attack surface.
The CTA linked to benbrako[.]com/P. WHOIS shows benbrako[.]com was created in June 2014 and recently updated in May 2026, suggesting the domain was either newly acquired or its DNS was modified for campaign use. The /P path indicates a short redirect or direct phishing page. The domain has no public association with any legitimate business.
Authentication passing is a floor, not a ceiling. Themis evaluating this email had three independent signals that pointed to malice regardless of the SPF/DKIM/DMARC result:
No prior sending relationship. The sending domain had never previously sent to the targeted IRONSCALES mailboxes. A document-sharing notification arriving cold, from a domain with zero prior communication history, is anomalous. Behavioral modeling surfaces this as a high-suspicion signal even when the authentication is clean.
CTA destination mismatch. The email claimed to be from an IRONSCALES context but linked to a domain (benbrako[.]com) with no relationship to IRONSCALES infrastructure. A human reviewing the email would need to hover over the button to catch this. Automated link-destination analysis flags it immediately.
Simultaneous multi-mailbox delivery. The campaign hit three mailboxes in the same organization at the same time. Single-target lures are spearphishing. Simultaneous multi-target delivery at volume is a campaign spray pattern. The combination of a new external sender, a document-sharing pretext, and simultaneous delivery is a behavioral signature that maps to known phishing campaign infrastructure.
The compromised-legitimate-sender problem is one of the hardest in email defense precisely because the sender is not lying about who they are. Their domain authentication is correct because they are that domain. The attack lives entirely in the relationship context and the link destination. For defenders, this is the scenario where credential harvesting protection that evaluates link destinations independently of sender reputation becomes essential.
Phishing protection that relies on sender reputation alone has no mechanism to catch this. Reputation-based systems rate the sending domain; a decade-old professional association domain with no prior malicious history rates clean. The detection has to come from somewhere else.
Effective detection at this layer requires three things working in combination. First, a mailbox model that knows which external domains have a prior sending relationship with each recipient. Second, real-time CTA destination evaluation at the time of delivery, not at registration time. Third, campaign-pattern detection that identifies simultaneous multi-target delivery from cold senders as an elevated-risk signal.
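The three signals above, scored independently of the authentication result, as an added illustration (this is not IRONSCALES or Themis code). The message records, sender history, brand-to-domain mapping, IP address, point weights and the five-minute spray window are all constructed for the example; the only real-world element is the `Authentication-Results` header syntax being parsed.

```python
"""Minimal behavioral triage: prior-relationship, CTA-destination and
campaign-spray signals evaluated regardless of SPF/DKIM/DMARC.
Added example; all data below is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple
from urllib.parse import urlparse


class Message(NamedTuple):
    msg_id: str
    sender_domain: str
    recipient: str
    received: datetime
    auth_results: str      # raw Authentication-Results header value
    claimed_brand: str     # brand the body/branding presents itself as
    links: list[str]       # CTA and other link targets found in the body


# Hypothetical mailbox model: which external domains have previously sent
# to each recipient. A sender absent from this set is a "cold" sender.
PRIOR_SENDERS = {
    "alice@example-vendor.test": {"partner.test", "crm-notify.test"},
    "bob@example-vendor.test": {"crm-notify.test"},
    "carol@example-vendor.test": set(),
}

# Hypothetical mapping of a brand to the domains its legitimate mail links to.
BRAND_DOMAINS = {
    "ExampleVendor": {"example-vendor.test"},
    "Partner": {"partner.test"},
}

# Constructed weights; the page's 90% score comes from a different model.
WEIGHTS = {"cold": 40, "mismatch": 40, "spray": 20}

T0 = datetime(2026, 5, 20, 9, 0, 0)
CAMPAIGN_AUTH = (
    "spf=pass (sender IP is 203.0.113.7) smtp.mailfrom=assoc-compromised.test; "
    "dkim=pass header.d=assoc-compromised.test; "
    "dmarc=pass action=none header.from=assoc-compromised.test"
)
LURE = ["https://lure-example.test/P"]

SAMPLE_MESSAGES = [
    # Three recipients in one org, same minute, cold sender, off-brand CTA.
    Message("c1", "assoc-compromised.test", "alice@example-vendor.test", T0, CAMPAIGN_AUTH, "ExampleVendor", LURE),
    Message("c2", "assoc-compromised.test", "bob@example-vendor.test", T0 + timedelta(seconds=20), CAMPAIGN_AUTH, "ExampleVendor", LURE),
    Message("c3", "assoc-compromised.test", "carol@example-vendor.test", T0 + timedelta(seconds=45), CAMPAIGN_AUTH, "ExampleVendor", LURE),
    # Benign: known sender, link destination matches the claimed brand.
    Message("b1", "partner.test", "alice@example-vendor.test", T0 + timedelta(minutes=2),
            "spf=pass smtp.mailfrom=partner.test; dkim=pass header.d=partner.test; dmarc=pass header.from=partner.test",
            "Partner", ["https://partner.test/docs/123"]),
]


def auth_passed(auth_results: str) -> bool:
    """True when spf, dkim and dmarc all report 'pass'. This is the floor the post describes, not a verdict."""
    return all(re.search(rf"\b{mech}=pass\b", auth_results) for mech in ("spf", "dkim", "dmarc"))


def cold_sender(msg: Message) -> bool:
    """Signal 1: no prior sending relationship between this domain and this mailbox."""
    return msg.sender_domain not in PRIOR_SENDERS.get(msg.recipient, set())


def link_brand_mismatch(msg: Message) -> list[str]:
    """Signal 2: link hosts that do not belong to the brand the mail claims to come from."""
    allowed = BRAND_DOMAINS.get(msg.claimed_brand, set())
    hosts = [urlparse(u).hostname or "" for u in msg.links]
    return [h for h in hosts if not any(h == d or h.endswith("." + d) for d in allowed)]


def campaign_spray(msgs: list[Message], window=timedelta(minutes=5), min_recipients=3) -> set[str]:
    """Signal 3: sender domains hitting >= min_recipients distinct mailboxes in one org within the window."""
    groups = defaultdict(list)
    for m in msgs:
        groups[(m.sender_domain, m.recipient.split("@")[1])].append(m)
    flagged = set()
    for (sender, _org), group in groups.items():
        group.sort(key=lambda m: m.received)
        for i, first in enumerate(group):
            seen = {m.recipient for m in group[i:] if m.received - first.received <= window}
            if len(seen) >= min_recipients:
                flagged.add(sender)
                break
    return flagged


def triage(msgs: list[Message]) -> dict[str, tuple[int, list[str]]]:
    """Score each message on the three behavioral signals; authentication is deliberately not consulted."""
    spray = campaign_spray(msgs)
    verdicts = {}
    for m in msgs:
        points, reasons = 0, []
        if cold_sender(m):
            points += WEIGHTS["cold"]; reasons.append("no prior sending relationship")
        bad = link_brand_mismatch(m)
        if bad:
            points += WEIGHTS["mismatch"]; reasons.append("CTA destination mismatch: " + ", ".join(bad))
        if m.sender_domain in spray:
            points += WEIGHTS["spray"]; reasons.append("simultaneous multi-mailbox delivery")
        verdicts[m.msg_id] = (points, reasons)
    return verdicts


if __name__ == "__main__":
    for mid, (pts, why) in triage(SAMPLE_MESSAGES).items():
        auth = "auth pass" if auth_passed(next(m for m in SAMPLE_MESSAGES if m.msg_id == mid).auth_results) else "auth fail"
        print(f"{mid}: {pts:3d} [{auth}] {'; '.join(why) or 'no signals'}")
```

Running it shows the three campaign messages at the constructed maximum score while every one of them passes SPF, DKIM and DMARC, and the benign partner message at zero. The spray check is keyed on sender domain plus recipient organization rather than on the lure text, so it still fires when an attacker varies subject lines across recipients; the mismatch check compares the link host against the brand the mail claims, which is the check a reader would otherwise have to perform by hovering over the button.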
The IRONSCALES platform operates across all three. Themis combines behavioral modeling, link analysis, and multi-mailbox correlation in a single pass. The automatic quarantine of this campaign before any recipient clicked is the outcome of all three signals converging at 90% confidence.
MITRE ATT&CK T1566.002 covers spearphishing via link. This case adds a layer that the technique page cannot fully capture: the use of a legitimately authenticated compromised sender as the delivery vehicle, removing the authentication detection layer entirely from the defender's toolkit. What remains is behavioral analysis, link destination verification, and pattern recognition at the campaign level.
According to the Verizon DBIR 2026, 62% of breaches involve the human element. When the lure is visually credible, sent from an authenticated domain, and references a plausible context, the human element is under maximum stress. Detection cannot rely on the human catching it.
---
| Type | Indicator | Context |
|---|---|---|
| Domain | benbrako[.]com | Attacker credential-harvest CTA domain |
| URL | hxxps://benbrako[.]com/P | Phishing page behind IRONSCALES brand lure |
| Sending service | Amazon SES | Used via compromised credentials on legitimate domain |