• Blog
  • The Invoice Portal Link That Didn't Need a Password

The Invoice Portal Link That Didn't Need a Password

Table of Contents

    TL;DR An invoice notification arrived from the accounting subdomain of a global organic certification body, sent through Mailgun with full SPF, DKIM, and DMARC authentication (compauth=100). The email directed the recipient to a customer portal via a tokenized URL containing a JWT with portal.view permissions and a 60-day expiration. Anyone with that link could access the billing portal without credentials. The attached PDF invoice included a French IBAN and BIC at a major European bank for a 380 euro payment. A 1x1 tracking pixel confirmed mailbox activity. Four mailboxes were quarantined. Themis flagged the invoice phishing pattern at 71% confidence.
    Severity: High Invoice Fraud Credential Harvesting MITRE: {'id': 'T1566.002', 'name': 'Phishing: Spearphishing Link'} MITRE: {'id': 'T1078', 'name': 'Valid Accounts'} MITRE: {'id': 'T1589.001', 'name': 'Gather Victim Identity Information: Credentials'}

    The link passed every URL scanner. It pointed to a real billing portal on a real platform. It did not need a password to work.

    A French-language invoice notification arrived at a global specialty ingredients manufacturer from comptabilitegreenlife@accounting[.]ecocert[.]com. Ecocert is a legitimate international organic certification body with a domain registered since 1998. The message was delivered through Mailgun infrastructure with full SPF, DKIM, and DMARC authentication, scoring compauth=100. Every technical check confirmed the sending domain authorized this email.

    A JWT That Replaced the Login Page

    The email contained a link to a customer billing portal at app[.]upflow[.]io, routed through a redirect at upflow-email[.]accounting[.]ecocert[.]com. The destination URL included a JWT access token with portal.view permissions, a 60-day expiration window, and a customer identifier. Decoding the token revealed the full permission structure: anyone who clicked the link received authenticated read access to the billing portal without entering credentials.

    This design pattern is common in legitimate transactional email. Billing platforms embed session tokens so customers can review invoices without logging in. The security problem is that the same token works for anyone who possesses the URL. If the email is forwarded, intercepted, or delivered to a mailbox the attacker controls, the token grants access to the same billing view as the intended recipient.

    IBAN in the PDF, Pixel in the HTML

    The attached PDF invoice (91KB, declared clean by scanners) referenced invoice number FR03IN26001665 for 380 euros, payable via IBAN at a major European bank. The email body also offered credit card and SEPA direct debit as payment options through the portal. A 1x1 tracking pixel loaded from the same upflow-email subdomain confirmed the mailbox was active and the message was rendered.

    The Reply-To address (comptabilitegreenlife@ecocert[.]com) differed from the From address (comptabilitegreenlife@accounting[.]ecocert[.]com), a subtle subdomain mismatch. The email security gateway saw clean links, valid authentication, and a known billing platform. Themis identified the invoice phishing pattern and quarantined four affected mailboxes automatically.

    See Your Risk: Calculate how many threats your SEG is missing

    Indicators of Compromise

    TypeIndicatorContext
    Sending Domainaccounting[.]ecocert[.]comSubdomain of ecocert.com (registered 1998)
    Sending Addresscomptabilitegreenlife@accounting[.]ecocert[.]comDisplay name: "GREENLIFE"
    Reply-Tocomptabilitegreenlife@ecocert[.]comSubdomain mismatch with From
    Sending InfrastructureMailgun (v5226[.]v57ae4e16[.]euw1[.]send[.]eu[.]mailgun[.]net)IP: 161[.]38[.]204[.]226
    DKIM SelectormgufSigning domain: accounting[.]ecocert[.]com
    Auth ResultsSPF: pass, DKIM: pass, DMARC: passcompauth=100
    Portal URLapp[.]upflow[.]io/customers/[uuid]?token=[JWT]JWT with portal.view scope, 60-day TTL
    Tracking Pixelupflow-email[.]accounting[.]ecocert[.]com/o/[encoded]1x1 mailbox activity confirmation
    AttachmentFacture-FR03IN26001665.pdf91KB, IBAN/BIC payment details

    MITRE ATT&CK Mapping

    TechniqueIDRelevance
    Phishing: Spearphishing LinkT1566.002Tokenized portal URL with embedded JWT
    Valid AccountsT1078JWT grants portal access without credentials
    Gather Victim Identity Information: CredentialsT1589.001Tracking pixel confirms active mailbox
    Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack. What it looked like, why it worked, and what to do about it.

    Related attacks

    Attack What happened
    The Invoice Was in Hebrew, the HTML Attachment Called Localhost, and Every Authentication Check PassedA Hebrew-language invoice from an Israeli manufacturers association passed SPF, DKIM, and DMARC.
    The SOC Alert That Came From a Compromised FinTech: An Authenticated BlueVine Sender Delivering a Typosquat Link Buried in Operational ContextA fully authenticated email from bluevine.com impersonated an internal SOC quarantine notification.
    Compromised Manufacturer Domain Delivers Toyota Financial Invoice Lures with Perfect AuthenticationA compromised manufacturing company's M365 account sent Toyota Financial invoice lures that passed every authentication check.
    When the Safety Wrapper Becomes the Disguise: Brazilian NF-e Phishing via Safe Links RewriteA Portuguese-language invoice lure authenticated through a compromised Brazilian domain used is.gd to hide its payload.
    When the Sender Domain Is Also the Phishing Kit Host: Dual-Purpose Domain CompromiseAn attacker compromised a legitimate manufacturing company domain and used it two ways at once: as the authenticated sending address and as the host for...

    Explore More Articles

    Say goodbye to Phishing, BEC, and QR code attacks. Our Adaptive AI automatically learns and evolves to keep your employees safe from email attacks.

    Three Security Wrappers, One Redirect to a Google Docs Phishing Page Phishing

    Three Security Wrappers, One Redirect to a Google...

    TL;DR A credential-harvesting campaign impersonated a document-sharing notification and routed its...

    Audian Paxson
    The Government Card Alert That Lost Its Authentication in Transit Phishing

    The Government Card Alert That Lost Its...

    TL;DR A card replacement notification arrived claiming to be from Direct Express, the US...

    Audian Paxson
    The Law Firm Document That Linked to a Cleaning Company Phishing

    The Law Firm Document That Linked to a Cleaning...

    TL;DR A phishing email from a UAE law firm domain passed SPF, DKIM, and DMARC with compauth=100,...

    Audian Paxson
    Three Security Wrappers, One Redirect to a Google Docs Phishing Page Phishing

    Three Security Wrappers, One Redirect to a Google...

    TL;DR A credential-harvesting campaign impersonated a document-sharing notification and routed its...

    Audian Paxson
    The Government Card Alert That Lost Its Authentication in Transit Phishing

    The Government Card Alert That Lost Its...

    TL;DR A card replacement notification arrived claiming to be from Direct Express, the US...

    Audian Paxson
    The Law Firm Document That Linked to a Cleaning Company Phishing

    The Law Firm Document That Linked to a Cleaning...

    TL;DR A phishing email from a UAE law firm domain passed SPF, DKIM, and DMARC with compauth=100,...

    Audian Paxson
    Three Security Wrappers, One Redirect to a Google Docs Phishing Page Phishing

    Three Security Wrappers, One Redirect to a Google...

    TL;DR A credential-harvesting campaign impersonated a document-sharing notification and routed its...

    Audian Paxson
    The Government Card Alert That Lost Its Authentication in Transit Phishing

    The Government Card Alert That Lost Its...

    TL;DR A card replacement notification arrived claiming to be from Direct Express, the US...

    Audian Paxson
    The Law Firm Document That Linked to a Cleaning Company Phishing

    The Law Firm Document That Linked to a Cleaning...

    TL;DR A phishing email from a UAE law firm domain passed SPF, DKIM, and DMARC with compauth=100,...

    Audian Paxson
    Three Security Wrappers, One Redirect to a Google Docs Phishing Page Phishing

    Three Security Wrappers, One Redirect to a Google...

    TL;DR A credential-harvesting campaign impersonated a document-sharing notification and routed its...

    Audian Paxson
    The Government Card Alert That Lost Its Authentication in Transit Phishing

    The Government Card Alert That Lost Its...

    TL;DR A card replacement notification arrived claiming to be from Direct Express, the US...

    Audian Paxson
    The Law Firm Document That Linked to a Cleaning Company Phishing

    The Law Firm Document That Linked to a Cleaning...

    TL;DR A phishing email from a UAE law firm domain passed SPF, DKIM, and DMARC with compauth=100,...

    Audian Paxson