The email claimed a "Shared Agreement File" was ready for review and updates. It used IRONSCALES logos and branding. It referenced a specific file, Ironscales_Agreement_Update.xlsx. There was no attachment. The "Open" button linked to benbrako[.]com, a domain with no connection to IRONSCALES or any agreement management platform. The target was the CEO of a cybersecurity company.
The sender was contato@assba[.]com[.]br, a Brazilian domain registered since 2010. The message was sent through Amazon SES (54[.]240[.]4[.]2), and SPF and DKIM both passed. DMARC returned a best-guess pass. The sending infrastructure was legitimate. The content was not.
Referencing a specific filename without attaching it is a deliberate design choice. The text Ironscales_Agreement_Update.xlsx creates the expectation that a file exists somewhere, and the CTA ("Open") is positioned as the way to access it. Because no file is attached, attachment scanners have nothing to inspect. The entire attack surface collapses to a single link.
This is the equivalent of a locked door with a sign that says "key inside." The recipient clicks the link expecting to retrieve a document. What they get is whatever the attacker has staged at the destination. The filename itself, formatted to look like a business document with an organization name and file extension, reinforces the pretext without requiring any actual infrastructure behind it.
The CTA pointed to benbrako[.]com, a domain unrelated to IRONSCALES, agreement management, or file sharing. For an executive accustomed to receiving legitimate document-sharing notifications from platforms like DocuSign or SharePoint, the URL alone should break the impersonation. But clicking happens faster than reading, and the IRONSCALES branding creates enough visual trust to carry the recipient past the URL.
The email footer contained links to l[.]engage[.]canva[.]com and canva[.]com, artifacts from Canva's template export system. The attacker used Canva's design tools to assemble the phishing email (importing IRONSCALES brand assets, laying out the message body, formatting the CTA button) and either did not notice or did not bother to strip the template metadata before sending.
This is a recurring pattern in credential harvesting campaigns: free design tools lower the barrier to creating convincing brand impersonation, but the tooling leaves traces. Canva footer links in an email from a Brazilian domain claiming to be IRONSCALES are a mismatch that automated analysis can flag, even when the visual appearance of the email is polished.
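The three signals discussed above (a filename referenced in the body with nothing attached, a CTA domain that shares nothing with the claimed brand, and design-tool footer leftovers) can be checked mechanically. The following is an added example, not IRONSCALES code; the `.eml` text is a constructed stand-in for the message described, the eTLD+1 helper is deliberately crude, and the artifact-domain list holds only what this write-up mentions.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Constructed sample resembling the message described above (not the real email).
SAMPLE_EML = """\
From: "SecureReviewTeam" <contato@assba.com.br>
To: ceo@example.com
Subject: Shared Agreement File ready for review
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="https://cdn.brand-host.test/ironscales-logo.png" alt="IRONSCALES">
<p>A Shared Agreement File is ready for review: Ironscales_Agreement_Update.xlsx</p>
<a href="https://benbrako.com/open?id=42">Open</a>
<p><a href="https://l.engage.canva.com/x">Unsubscribe</a> |
<a href="https://canva.com">Made with Canva</a></p>
</body></html>
"""

FILE_RE = re.compile(r"\b[\w.-]+\.(?:xlsx|docx|pdf|zip)\b", re.I)
HREF_RE = re.compile(r'href=["\'](https?://[^"\']+)', re.I)
TEMPLATE_ARTIFACT_DOMAINS = {"canva.com"}  # design-tool footer leftovers seen in this case


def registered_domain(host):
    """Crude eTLD+1: last two labels, or three for ccTLD second levels like com.br."""
    parts = host.lower().split(".")
    cc_second_level = len(parts) >= 3 and parts[-2] in {"com", "co", "org", "net"} and len(parts[-1]) == 2
    return ".".join(parts[-3:] if cc_second_level else parts[-2:])


def analyze(raw_eml, claimed_brand):
    """Return sorted finding tags for a raw RFC 5322 message claiming to be `claimed_brand`."""
    msg = message_from_string(raw_eml, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    attachments = [p.get_filename() for p in msg.iter_attachments()]
    referenced_files = FILE_RE.findall(body)          # filenames named in the text
    link_domains = {registered_domain(urlparse(u).hostname) for u in HREF_RE.findall(body)}
    sender_domain = registered_domain(msg["From"].addresses[0].domain)
    brand = claimed_brand.lower()
    findings = []
    if referenced_files and not attachments:          # "key inside" with no key
        findings.append("phantom_attachment")
    if link_domains and not any(brand in d for d in link_domains | {sender_domain}):
        findings.append("cta_domain_mismatch")        # nothing clickable belongs to the brand
    if link_domains & TEMPLATE_ARTIFACT_DOMAINS:
        findings.append("template_artifacts")
    return sorted(findings)
```

Running `analyze(SAMPLE_EML, "IRONSCALES")` on the constructed sample yields all three tags; a notification whose links resolve to the brand's own domain and that carries no phantom filename yields none.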
The target was the CEO of a cybersecurity company, someone who would plausibly receive agreement updates from a security vendor. The irony of impersonating the security product that protects the target's organization is either deliberate (leveraging the target's existing trust relationship with the vendor) or coincidental (the attacker pulled IRONSCALES branding from a template library without knowing the target's vendor stack). Either way, the message was quarantined at SCL:5 before it reached the inbox.

| Type | Indicator | Context |
|---|---|---|
| Sender | contato@assba[.]com[.]br | Brazilian domain, registered since 2010 |
| Sending IP | 54[.]240[.]4[.]2 | Amazon SES infrastructure |
| CTA Destination | benbrako[.]com | Unrelated domain linked from "Open" button |
| Referenced File | Ironscales_Agreement_Update.xlsx | Phantom attachment, not present in email |
| Template Artifacts | l[.]engage[.]canva[.]com, canva[.]com | Canva design platform footer links |
| Display Name | "SecureReviewTeam" | Fabricated sender identity |

| Technique | ID | Context |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | "Open" CTA linking to unrelated domain under brand impersonation pretext |
| Establish Accounts: Web Services | T1583.006 | Amazon SES account and Canva design platform used for email assembly and delivery |
| Masquerading: Match Legitimate Name or Location | T1036.005 | IRONSCALES brand assets, logos, and agreement filename used to impersonate vendor |