The Law Firm Document That Linked to a Cleaning Company

Written by Audian Paxson | Jun 18, 2026 11:00:00 AM

TL;DR A phishing email from a UAE law firm domain passed SPF, DKIM, and DMARC with compauth=100, sent through Google infrastructure. The message impersonated a legal document-sharing notification with a Review and Sign CTA. The actual CTA link pointed to access[.]genesiscleaningusa[.]com, a subdomain belonging to a US commercial cleaning company. The HTML tooltip on the button displayed supplier[.]coupahost[.]com, a Coupa procurement portal URL that did not match the actual destination. The To header addressed a different domain (hhslawyers[.]com) than the From domain (hhslawyer[.]ae), and the actual recipient was BCC'd. Microsoft scored the message at SCL=5. Four mailboxes were quarantined. Themis flagged credential theft targeting VIP recipients at 57% confidence.

Severity: High Credential Harvesting Brand Impersonation MITRE: {'id': 'T1566.002', 'name': 'Phishing: Spearphishing Link'} MITRE: {'id': 'T1036.005', 'name': 'Masquerading: Match Legitimate Name or Location'} MITRE: {'id': 'T1204.001', 'name': 'User Execution: Malicious Link'}

The authentication was perfect. The brand looked credible. The button linked to a cleaning company.

A message from t[.]manzoor@hhslawyer[.]ae arrived at a global specialty ingredients manufacturer presenting itself as a shared legal document notification. The email displayed the branding of a UAE-based law firm, referenced document #01179 for "Legal Consulting Services, Statement and Proposals," and included a blue "Review Document" button. SPF, DKIM, and DMARC all passed with compauth=100. The message was sent through Google's mail infrastructure with a valid DKIM signature under the hhslawyer[.]ae domain.

Three Mismatches in One Email

The first mismatch was the CTA destination. The "Review Document" button linked to access[.]genesiscleaningusa[.]com/workspace/, a subdomain belonging to a US commercial cleaning services company. The HTML title attribute on the button displayed supplier[.]coupahost[.]com/invoices, a Coupa procurement portal URL. Neither domain had any relationship to a UAE law firm or to legal document signing.

The second mismatch was the domain pair. The From address used hhslawyer[.]ae (singular, UAE country code), while the To header addressed t[.]manzoor@hhslawyers[.]com (plural, generic .com). Two domains, one letter apart, operated by different entities. The actual target was not in the To field at all. The recipient was delivered the message via BCC, hiding them from the visible addressing.

The third mismatch was the content framing. The subject line referenced legal consulting services and proposals. The email body used a document-sharing template with a disclaimer block, but the CTA pointed to a procurement workspace, not a document management platform.

Authentication Was Not the Problem

Every technical authentication check passed. The sender controlled the hhslawyer[.]ae domain and configured it correctly with Google Workspace. Microsoft's own scoring flagged the message at SCL=5 (PotentialSpam), catching the behavioral anomalies that authentication could not. Themis identified the credential theft pattern, the VIP targeting, and the first-time sender signal, then quarantined four affected mailboxes within seconds of delivery.

See Your Risk: Calculate how many threats your SEG is missing

Indicators of Compromise

Type	Indicator	Context
Sending Domain	`hhslawyer[.]ae`	UAE law firm domain, Google Workspace
Sending Address	`t[.]manzoor@hhslawyer[.]ae`	Display name: "Tawqeer \	HHS"
To Header Domain	`hhslawyers[.]com`	Different domain from From (plural, .com)
CTA URL	`access[.]genesiscleaningusa[.]com/workspace/`	US cleaning company subdomain
Tooltip URL	`supplier[.]coupahost[.]com/invoices`	Coupa procurement portal (mismatched)
Auth Results	SPF: pass, DKIM: pass, DMARC: pass	compauth=100
SCL	5	PotentialSpam flag set
Delivery Method	BCC	Recipient hidden from To/CC fields

MITRE ATT&CK Mapping

Technique	ID	Relevance
Phishing: Spearphishing Link	T1566.002	CTA button to credential harvesting page
Masquerading: Match Legitimate Name or Location	T1036.005	Law firm brand used as trust anchor
User Execution: Malicious Link	T1204.001	"Review Document" button designed to trigger click

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack. What it looked like, why it worked, and what to do about it.

Related attacks

Attack	What happened
The Subdomain That Fused Two Trusted Brands Into One Convincing Lie	Attackers fused two real brand names into a single subdomain, routed the message through Zix infrastructure to inherit enterprise authentication.
When 'Release from Quarantine' Is the Attack	A fake quarantine digest weaponized email security workflows, embedding JWT tokens in 'Allow' and 'Manage' buttons while masking one link's true...
Fake Google 'Open to Edit' Alert Hides a Kajabi Redirect and Targeted Credential Harvest	An attacker impersonated Google Docs through a compromised healthcare domain.
The Email That Passed Every Security Check (Because Adobe Sent It)	A phishing campaign targeting school district staff used Adobe's own sending infrastructure, real DKIM signatures.
Four Domains, One Email: The DocuSign Homoglyph That Rode a CDR Allow-List	A single email used four unrelated domains, a zero-for-O homoglyph in the DocuSign display name, a Mailchimp redirect as the primary CTA.

View full post