The subject line reads like a legal notice that requires immediate attention. The sender claims a professional title. The email arrives with BCC recipients hidden, which means the recipient cannot tell how many other people received the same message. There is no attached lawsuit. There is a link.
This is urgency-manufacturing phishing. The attacker does not need sophisticated infrastructure when the social engineering pressure is strong enough to move a recipient to click before they think to verify the sender.
The message subject contained both Hebrew and English text presenting the email as a legal notification. This bilingual framing is deliberate. Multilingual subject lines can sidestep keyword filters optimized for a single language, while the formal register of legal terminology activates a specific psychological response: recipients who believe they are under legal threat act faster and verify less carefully.
The From address was a personal Gmail account. The sender presented a fabricated professional title in the display name, which served as a credibility signal for a recipient glancing quickly at the sender field. The account itself had no prior contact history with the targeted organization, a fact the behavioral analysis layer recorded.
BCC delivery is the structural tell. A legitimate legal notice is addressed to the specific recipient. A mass-BCC delivery shows up as "undisclosed-recipients," meaning the attacker is running the same lure against an address list simultaneously; each recipient sees a message that looks personal but is templated. Mass BCC is a standard technique for phishing at scale.
The body of the message contained a single outbound link delivered through the short[.]gy URL shortener service, specifically uepk9u.short[.]gy/DJp0Jm.
Short.gy is a legitimate URL shortening product, and its domain carries a clean reputation with URL scanning services. A gateway or sandbox that scores only the hostname visible in the message body rates short.gy benign and stops there. The actual destination, hxxps://feature[.]chongdaotang[.]net/Wx6Ld3KlNmuU4tT@tDVpJltq5/, is reached only by a client that follows the redirect through to completion.
chongdaotang[.]net was registered in November 2023. The registration was privacy-protected at the time of analysis, with all contact details masked by a proxy service. IRONSCALES link analysis rated the resolved destination Malicious.
The November 2023 registration date points to attacker-registered infrastructure rather than a compromised legitimate site: a domain created roughly two years before the observed campaign, with no visible business identity, hosting a confirmed malicious page. The path structure (/Wx6Ld3KlNmuU4tT@tDVpJltq5/) is consistent with the per-victim tracking tokens that credential-harvest platforms use to tie submitted credentials to a specific target.
The single most valuable asset in this campaign was not the attacker domain or the shortener. It was the Gmail account used to send the message.
Every authentication check passed. SPF, DKIM, and DMARC all verified because the message genuinely originated from Google infrastructure, and the From: domain was gmail.com, so DMARC alignment held as well. Those results prove only that Gmail sent mail on behalf of a Gmail account; they say nothing about whether the display name is truthful. A gateway filtering on authentication metadata alone had no signal to act on.
Email spoofing typically involves forging a sender address from a domain the attacker does not control. This campaign does something different: it sends from a real free-mail account, borrowing Google's accumulated sender reputation without forging anything. The attacker simply created a Gmail account, attached a display name that sounds professional, and sent the campaign through Google's own servers.
The mismatch that matters is between the sender's claimed authority (legal action, professional title) and the sender's actual infrastructure (a free-mail account with no organizational affiliation, no domain authentication on the claimed identity). That mismatch is not visible in the authentication headers. It requires behavioral and contextual analysis.
IRONSCALES Adaptive AI flagged this message at 90% confidence under the classification "Legal Threat Lure." The detection did not rest on a blacklisted domain or a failed authentication check. It rested on the convergence of signals that do not fit any normal communication pattern:
- A sender with no prior relationship to the recipient organization delivered a high-pressure legal-threat message.
- The only outbound link was wrapped behind a URL shortener.
- The shortener resolved to a domain registered two years earlier with full privacy protection.
- The sending account was a personal free-mail account presenting an unverifiable professional title.
- BCC delivery was used to hide the mass-send scale.
None of these signals alone is definitive. Combined in a single message, they describe a phishing campaign with no legitimate explanation.
Credential harvesting campaigns that route through shorteners present a structural problem for defenses that score URLs on the hostname in the email body rather than following the full redirect chain to the final destination. The shortener hostname is clean. The attacker domain behind it is malicious. Any defense that stops at the first hop misses the threat entirely.
The Verizon DBIR 2026 reports that phishing remains the dominant initial access vector in social engineering breaches. Legal-threat lures target professional email recipients specifically because the framing creates a sense that non-engagement carries risk. The MITRE ATT&CK framework classifies this delivery pattern as Spearphishing Link (T1566.002); URL shorteners are a link-obfuscation method used within that technique rather than a separate ATT&CK sub-technique. CISA advises recipients to verify any unexpected legal contact through the organization's official contact channels before following any embedded link.
For security teams, the defensive posture here requires following shortened URLs all the way to their final destination before scoring, not stopping at the shortener's hostname. Any defense that delegates URL reputation to the shortener provider's domain is, by design, blind to the attack.
---
| Type | Indicator | Context |
|---|---|---|
| URL | uepk9u.short[.]gy/DJp0Jm | Shortener link in phishing body; resolves to attacker domain |
| URL | hxxps://feature[.]chongdaotang[.]net/Wx6Ld3KlNmuU4tT@tDVpJltq5/ | Final redirect destination; rated Malicious by scanner |
| Domain | chongdaotang[.]net | Attacker domain registered November 2023; privacy-protected |
| Auth Result | spf=pass; dkim=pass; dmarc=pass | All pass because sender used legitimate Google infrastructure |