What is a tooltip URL mismatch in phishing?

HTML allows the title attribute on a link to display hover text (tooltip) that differs from the actual href destination. Attackers set the tooltip to show a trusted domain like a procurement portal while the real link points to an attacker-controlled site. Recipients who hover over the button see the legitimate URL and assume the link is safe.

Why do phishing emails use BCC delivery?

BCC (blind carbon copy) hides the actual recipients from the To field. Attackers address the To field to themselves or a decoy address and BCC the real targets. This prevents recipients from seeing who else received the message, reduces the chance of coordinated reporting, and makes the email appear personally addressed rather than mass-distributed.

Can a fully authenticated email still be phishing?

Yes. SPF, DKIM, and DMARC confirm that the sending infrastructure is authorized by the domain owner. If the domain owner's account is compromised, or if the attacker registers their own domain with proper authentication records, all three checks pass. Authentication verifies the sending domain, not the sender's intent.

Phishing Impersonation Email Security IRONSCALES Attack Research Credential Theft AI SOC 2026 Attack of the Day

The Law Firm Document That Linked to a Cleaning Company

Audian Paxson June 18, 2026

TL;DR A phishing email from a UAE law firm domain passed SPF, DKIM, and DMARC with compauth=100, sent through Google infrastructure. The message impersonated a legal document-sharing notification with a Review and Sign CTA. The actual CTA link pointed to access[.]genesiscleaningusa[.]com, a subdomain belonging to a US commercial cleaning company. The HTML tooltip on the button displayed supplier[.]coupahost[.]com, a Coupa procurement portal URL that did not match the actual destination. The To header addressed a different domain (hhslawyers[.]com) than the From domain (hhslawyer[.]ae), and the actual recipient was BCC'd. Microsoft scored the message at SCL=5. Four mailboxes were quarantined. Themis flagged credential theft targeting VIP recipients at 57% confidence.

Severity: High Credential Harvesting Brand Impersonation MITRE: {'id': 'T1566.002', 'name': 'Phishing: Spearphishing Link'} MITRE: {'id': 'T1036.005', 'name': 'Masquerading: Match Legitimate Name or Location'} MITRE: {'id': 'T1204.001', 'name': 'User Execution: Malicious Link'}

The authentication was perfect. The brand looked credible. The button linked to a cleaning company.

A message from t[.]manzoor@hhslawyer[.]ae arrived at a global specialty ingredients manufacturer presenting itself as a shared legal document notification. The email displayed the branding of a UAE-based law firm, referenced document #01179 for "Legal Consulting Services, Statement and Proposals," and included a blue "Review Document" button. SPF, DKIM, and DMARC all passed with compauth=100. The message was sent through Google's mail infrastructure with a valid DKIM signature under the hhslawyer[.]ae domain.

Three Mismatches in One Email

The first mismatch was the CTA destination. The "Review Document" button linked to access[.]genesiscleaningusa[.]com/workspace/, a subdomain belonging to a US commercial cleaning services company. The HTML title attribute on the button displayed supplier[.]coupahost[.]com/invoices, a Coupa procurement portal URL. Neither domain had any relationship to a UAE law firm or to legal document signing.

The second mismatch was the domain pair. The From address used hhslawyer[.]ae (singular, UAE country code), while the To header addressed t[.]manzoor@hhslawyers[.]com (plural, generic .com). Two domains, one letter apart, operated by different entities. The actual target was not in the To field at all. The recipient was delivered the message via BCC, hiding them from the visible addressing.

The third mismatch was the content framing. The subject line referenced legal consulting services and proposals. The email body used a document-sharing template with a disclaimer block, but the CTA pointed to a procurement workspace, not a document management platform.

Authentication Was Not the Problem

Every technical authentication check passed. The sender controlled the hhslawyer[.]ae domain and configured it correctly with Google Workspace. Microsoft's own scoring flagged the message at SCL=5 (PotentialSpam), catching the behavioral anomalies that authentication could not. Themis identified the credential theft pattern, the VIP targeting, and the first-time sender signal, then quarantined four affected mailboxes within seconds of delivery.

See Your Risk: Calculate how many threats your SEG is missing

Indicators of Compromise

Type	Indicator	Context
Sending Domain	`hhslawyer[.]ae`	UAE law firm domain, Google Workspace
Sending Address	`t[.]manzoor@hhslawyer[.]ae`	Display name: "Tawqeer \	HHS"
To Header Domain	`hhslawyers[.]com`	Different domain from From (plural, .com)
CTA URL	`access[.]genesiscleaningusa[.]com/workspace/`	US cleaning company subdomain
Tooltip URL	`supplier[.]coupahost[.]com/invoices`	Coupa procurement portal (mismatched)
Auth Results	SPF: pass, DKIM: pass, DMARC: pass	compauth=100
SCL	5	PotentialSpam flag set
Delivery Method	BCC	Recipient hidden from To/CC fields

MITRE ATT&CK Mapping

Technique	ID	Relevance
Phishing: Spearphishing Link	T1566.002	CTA button to credential harvesting page
Masquerading: Match Legitimate Name or Location	T1036.005	Law firm brand used as trust anchor
User Execution: Malicious Link	T1204.001	"Review Document" button designed to trigger click

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack. What it looked like, why it worked, and what to do about it.

Related attacks

Attack	What happened
The Subdomain That Fused Two Trusted Brands Into One Convincing Lie	Attackers fused two real brand names into a single subdomain, routed the message through Zix infrastructure to inherit enterprise authentication.
When 'Release from Quarantine' Is the Attack	A fake quarantine digest weaponized email security workflows, embedding JWT tokens in 'Allow' and 'Manage' buttons while masking one link's true...
Fake Google 'Open to Edit' Alert Hides a Kajabi Redirect and Targeted Credential Harvest	An attacker impersonated Google Docs through a compromised healthcare domain.
The Email That Passed Every Security Check (Because Adobe Sent It)	A phishing campaign targeting school district staff used Adobe's own sending infrastructure, real DKIM signatures.
Four Domains, One Email: The DocuSign Homoglyph That Rode a CDR Allow-List	A single email used four unrelated domains, a zero-for-O homoglyph in the DocuSign display name, a Mailchimp redirect as the primary CTA.

Explore More Articles

Say goodbye to Phishing, BEC, and QR code attacks. Our Adaptive AI automatically learns and evolves to keep your employees safe from email attacks.

For Enterprises

For MSPs & MSSPs

Protect Better

Simplify Operations

Empower Your Org

17,000+ Customers and Counting

Case Studies

Reviews

Osterman Research: The (Higher) Business Cost of Phishing

Case Study: Telit

Our Awards

How IRONSCALES Works

Platform Overview

API Integration

Artificial Intelligence

Human Element

Agentic Capabilities

Agents Overview

Red-Teaming Agent

Phishing SOC Agent

Phishing Simulation Agent

Platform Tours

BY USE CASE

Business Email Compromise

Advanced Malware & URL Attacks

Account Takeover Attacks

Email Encryption

Deepfake Attack Protection

DMARC Management

Phishing Simulation Testing

Security Awareness Training

BY PLATFORM

BY PROJECT

BY INDUSTRY

BY ROLE

LEARN

Blog

Threat Intelligence Center

Cybersecurity Glossary

Resource Library

Guides

Platform Tours

CONNECT

Events

Newsletter

LinkedIn

The Hidden Gaps in SEG Protection

New Gartner® Email Security Magic Quadrant™

Attack of the Day Explorer

Phishing Prevention

Spear Phishing

Voice Phishing

BY TYPE

MSPs and MSSPs

Resellers

Technology Partners

ENGAGE

Become Partner

Partner Portal

Partner with IRONSCALES