Threat Intelligence

The Invoice Portal Link That Didn't Need a Password

Written by Audian Paxson | Jun 17, 2026 11:00:00 AM
TL;DR An invoice notification arrived from the accounting subdomain of a global organic certification body, sent through Mailgun with full SPF, DKIM, and DMARC authentication (compauth=100). The email directed the recipient to a customer portal via a tokenized URL containing a JWT with portal.view permissions and a 60-day expiration. Anyone with that link could access the billing portal without credentials. The attached PDF invoice included a French IBAN and BIC at a major European bank for a 380 euro payment. A 1x1 tracking pixel confirmed mailbox activity. Four mailboxes were quarantined. Themis flagged the invoice phishing pattern at 71% confidence.
Severity: High. Tags: Invoice Fraud, Credential Harvesting. MITRE ATT&CK: T1566.002 (Phishing: Spearphishing Link), T1078 (Valid Accounts), T1589.001 (Gather Victim Identity Information: Credentials).

The link passed every URL scanner. It pointed to a real billing portal on a real platform. It did not need a password to work.

A French-language invoice notification arrived at a global specialty ingredients manufacturer from comptabilitegreenlife@accounting[.]ecocert[.]com. Ecocert is a legitimate international organic certification body with a domain registered since 1998. The message was delivered through Mailgun infrastructure with full SPF, DKIM, and DMARC authentication, scoring compauth=100. Every technical check confirmed the sending domain authorized this email.

A JWT That Replaced the Login Page

The email contained a link to a customer billing portal at app[.]upflow[.]io, routed through a redirect at upflow-email[.]accounting[.]ecocert[.]com. The destination URL included a JWT access token with portal.view permissions, a 60-day expiration window, and a customer identifier. Decoding the token revealed the full permission structure: anyone who clicked the link received authenticated read access to the billing portal without entering credentials.

This design pattern is common in legitimate transactional email. Billing platforms embed session tokens so customers can review invoices without logging in. The security problem is that the same token works for anyone who possesses the URL. If the email is forwarded, intercepted, or delivered to a mailbox the attacker controls, the token grants access to the same billing view as the intended recipient.

IBAN in the PDF, Pixel in the HTML

The attached PDF invoice (91KB, declared clean by scanners) referenced invoice number FR03IN26001665 for 380 euros, payable via IBAN at a major European bank. The email body also offered credit card and SEPA direct debit as payment options through the portal. A 1x1 tracking pixel loaded from the same upflow-email subdomain confirmed the mailbox was active and the message was rendered.

The Reply-To address (comptabilitegreenlife@ecocert[.]com) differed from the From address (comptabilitegreenlife@accounting[.]ecocert[.]com), a subtle subdomain mismatch. The email security gateway saw clean links, valid authentication, and a known billing platform. Themis identified the invoice phishing pattern and quarantined four affected mailboxes automatically.
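A defender-side triage check covering the two signals described above: a long-lived bearer JWT embedded in a portal link, and a From/Reply-To domain mismatch where one domain is a subdomain of the other. This is an added example, not IRONSCALES code or the billing platform's API; the domains, the token and its claim names (customer, scopes), and the signing secret are constructed assumptions.

```python
import base64, hashlib, hmac, json, re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_jwt(claims: dict, secret: bytes) -> str:
    """HS256 token builder, used here only to construct a realistic sample link."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def jwt_claims(token: str) -> dict:
    """Read the payload only; no signature check, this is triage, not authentication."""
    body = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def inspect_link(url: str) -> dict:
    """Flag links that carry a bearer-style JWT: report its scopes and lifetime."""
    qs = parse_qs(urlparse(url).query)
    if "token" not in qs:
        return {"bearer_link": False}
    c = jwt_claims(qs["token"][0])
    ttl_days = (c.get("exp", 0) - c.get("iat", 0)) / 86400
    return {"bearer_link": True, "scopes": c.get("scopes", []),
            "ttl_days": ttl_days, "long_lived": ttl_days > 7}

def header_mismatch(raw: str) -> dict:
    """Compare From and Reply-To domains; a parent/child mismatch is a signal worth a look."""
    msg = message_from_string(raw)
    f = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    r = parseaddr(msg.get("Reply-To", msg["From"]))[1].rsplit("@", 1)[-1].lower()
    return {"from_domain": f, "reply_domain": r,
            "subdomain_mismatch": f != r and (f.endswith("." + r) or r.endswith("." + f))}

def triage(raw: str) -> dict:
    return {"headers": header_mismatch(raw),
            "links": [inspect_link(u) for u in re.findall(r"https?://\S+", raw)]}

# Constructed sample mirroring the incident's shape (not the real headers, domains or token).
NOW = 1_780_000_000  # fixed clock so the sample is deterministic
TOKEN = make_jwt({"customer": "c-123", "scopes": ["portal.view"], "iat": NOW, "exp": NOW + 60 * 86400}, b"demo-secret")
SAMPLE = f'From: "GREENLIFE" <comptabilite@accounting.example.com>\nReply-To: comptabilite@example.com\n\nhttps://portal.example.net/customers/c-123?token={TOKEN}\n'

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

The 7-day threshold is an arbitrary triage cutoff; a portal token good for 60 days is flagged, a short-lived one is not.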

Indicators of Compromise

Type | Indicator | Context
Sending Domain | accounting[.]ecocert[.]com | Subdomain of ecocert.com (registered 1998)
Sending Address | comptabilitegreenlife@accounting[.]ecocert[.]com | Display name: "GREENLIFE"
Reply-To | comptabilitegreenlife@ecocert[.]com | Subdomain mismatch with From
Sending Infrastructure | Mailgun (v5226[.]v57ae4e16[.]euw1[.]send[.]eu[.]mailgun[.]net) | IP: 161[.]38[.]204[.]226
DKIM Selector | mguf | Signing domain: accounting[.]ecocert[.]com
Auth Results | SPF: pass, DKIM: pass, DMARC: pass | compauth=100
Portal URL | app[.]upflow[.]io/customers/[uuid]?token=[JWT] | JWT with portal.view scope, 60-day TTL
Tracking Pixel | upflow-email[.]accounting[.]ecocert[.]com/o/[encoded] | 1x1 mailbox activity confirmation
Attachment | Facture-FR03IN26001665.pdf | 91KB, IBAN/BIC payment details

MITRE ATT&CK Mapping

Technique | ID | Relevance
Phishing: Spearphishing Link | T1566.002 | Tokenized portal URL with embedded JWT
Valid Accounts | T1078 | JWT grants portal access without credentials
Gather Victim Identity Information: Credentials | T1589.001 | Tracking pixel confirms active mailbox

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
