Threat Intelligence

Lookalike Domain With Full Authentication Sends a Zero-Payload Trust-Building Email

Written by Audian Paxson | Oct 5, 2025 11:00:00 AM
TL;DR: A threat actor registered abboworks-sales[.]nl, a domain visually adjacent to the legitimate abboworks-leadgen[.]nl used by a known business contact. The attacker configured DKIM signing and DMARC alignment on the lookalike domain, achieving full authentication passes. The email impersonated the known contact's display name, referenced a recent phone call, and offered to discuss business services. The body contained no links, no attachments, and no financial requests. A trailing alphanumeric token and the misspelling 'holisticly' indicate automated campaign generation. This is a zero-payload trust-building email: the attacker establishes a conversational thread first, then delivers the financial payload in a follow-up message. IRONSCALES Adaptive AI flagged the domain mismatch against the known contact's established sending pattern and quarantined the message before any reply was sent.

Severity: High
Tags: Business Email Compromise, Impersonation, Reconnaissance
MITRE ATT&CK: T1583.001 (Acquire Infrastructure: Domains), T1656 (Impersonation), T1598 (Phishing for Information)

The email looked like a routine follow-up from a known vendor contact. The display name matched. The tone was conversational, referencing a recent phone call. The sender offered to discuss business services and signed off casually. SPF had mixed results at different relay hops, but DKIM passed cleanly and DMARC aligned. By every protocol-level signal, this was a legitimate message from a legitimate domain.

The domain was wrong. Not the legitimate abboworks-leadgen[.]nl the recipient's organization had corresponded with before. This came from abboworks-sales[.]nl, a separate domain with no verifiable corporate presence, no public website, and a different registrar profile. The display name was borrowed. The domain was purpose-built.

There was nothing to detonate. No links, no attachments, no credential forms, no payment instructions. The entire payload was trust.

Two Domains, One Identity

The legitimate contact operates from abboworks-leadgen[.]nl. The attacker registered abboworks-sales[.]nl, preserving the "abboworks" brand anchor and swapping only the functional suffix. Both domains are plausible business addresses. Both follow a common enterprise naming convention where companies maintain separate domains for different functions: lead generation, sales, support, billing.

The registrar for abboworks-sales[.]nl is team.blue, a European registrar and hosting group. The domain has no public-facing website. No corporate directory listing. No LinkedIn presence. No digital footprint beyond the DNS records required to send authenticated email.

This is MITRE ATT&CK T1583.001 (Acquire Infrastructure: Domains). The attacker registered a domain specifically to exploit the naming proximity to a known vendor's legitimate infrastructure. The single-word swap ("sales" for "leadgen") is calculated. On a mobile device or in a preview pane, abboworks-sales[.]nl and abboworks-leadgen[.]nl are nearly indistinguishable.


Authentication Passes Because the Attacker Owns the Domain

The email's authentication results tell a story that looks clean:

  • DKIM: pass. The message carried a valid DKIM signature aligned to abboworks-sales[.]nl. The attacker configured signing keys on the domain they controlled.
  • DMARC: pass. DMARC requires at least one aligned authenticated identifier. DKIM alignment was sufficient.
  • SPF: mixed. Some relay hops returned SPF=fail due to the message routing through eu1.smtp.exclaimer[.]net, an Exclaimer email signature management service in the relay path. Other hops returned SPF=pass. The SPF inconsistency is a side effect of the relay chain, not a misconfiguration.

DMARC passed because DKIM passed and aligned. That is all DMARC requires. The protocol confirmed that the sender controlled abboworks-sales[.]nl and was authorized to send from it. DMARC does not evaluate whether abboworks-sales[.]nl has any relationship to abboworks-leadgen[.]nl. It does not check whether the domain belongs to the entity the display name claims to represent. It validates domain ownership, not domain legitimacy.

This is the structural gap in authentication-dependent gateways. When the attacker controls the sending domain and configures the DNS records correctly, every protocol-level check returns green. According to the FBI's 2023 Internet Crime Report, business email compromise accounted for $2.9 billion in reported losses, with lookalike domains and display-name impersonation among the most common techniques.

The Conversational Payload

The email body was short. It addressed "[Recipient]" by name, referenced a phone conversation, and offered to "holisticly host killer technologies." The misspelling "holisticly" (dropping the "al" of "holistically") is notable. The phrasing reads like generated marketing copy rather than natural conversation.

A trailing alphanumeric token, 4b7e5dj-y2cN-deefc-, appeared at the end of the message body. This is a campaign tracking artifact, the kind of string an automated platform appends to correlate responses back to specific campaign batches. Legitimate business emails do not carry naked tracking tokens in the visible body text.

Generated phrasing, a misspelling, and a visible tracking artifact point to automated campaign infrastructure. This was not a manually crafted message. It was one instance from a batch, sent to establish conversational threads across multiple targets simultaneously.

This is MITRE ATT&CK T1656 (Impersonation). The display name matched a known contact. The domain approximated the known contact's legitimate domain. The conversational framing referenced a shared interaction.

Zero Payload, Maximum Setup

The email contained no links. No attachments. No credential harvesting forms. No payment instructions. Nothing a content scanner or sandbox could flag as malicious.

This is a trust-building email. The goal is to get a reply. Once the recipient responds, the attacker confirms a live mailbox, the email client creates a thread, and the next message in that thread carries the invoice, wire transfer instructions, or credential request inside an established conversation with a "known" contact.

This is the opening move in a vendor email compromise sequence. The pattern maps to MITRE ATT&CK T1598 (Phishing for Information). The attacker is gathering information about the recipient's responsiveness and willingness to engage before introducing a financial demand.

The Signal That Stopped It

Content-based scanning had nothing to work with. No URLs to sandbox. No attachments to detonate. No keywords matching known fraud templates.

IRONSCALES Adaptive AI flagged the message on behavioral signals:

  • Domain mismatch against known contact. The display name matched a contact the organization had corresponded with, but the sending domain did not match the domain historically associated with that contact. The known contact sends from abboworks-leadgen[.]nl. This message came from abboworks-sales[.]nl.
  • First-time sender domain. Despite the familiar display name, abboworks-sales[.]nl had no prior sending history to this organization. A known contact sending from a previously unseen domain is a high-confidence impersonation signal.
  • Zero-payload anomaly from an unestablished domain. A conversational email with no actionable content from a first-time domain fits the behavioral profile of a trust-building probe.

The message was quarantined before any recipient replied. No thread was established. The trust-building attempt failed at the first exchange.

Indicators of Compromise

Type | Indicator | Context
Sender Domain | abboworks-sales[.]nl | Attacker-controlled lookalike domain, no public web presence
Legitimate Domain | abboworks-leadgen[.]nl | Known contact's actual sending domain
Relay | eu1.smtp.exclaimer[.]net | Exclaimer email signature management service in relay path
Authentication | DKIM=pass (abboworks-sales[.]nl), DMARC=pass, SPF=mixed | Full auth on attacker-owned domain
Registrar | team.blue | Registrar for the lookalike domain
Tracking Token | 4b7e5dj-y2cN-deefc- | Campaign/batch tracking artifact in message body
Misspelling | "holisticly" | Indicator of automated content generation

What Defenders Should Take From This

Treat domain-level authentication as necessary but insufficient for vendor correspondence. DKIM and DMARC passing confirms that the sender controls the domain, not that the domain belongs to who the display name claims. Lookalike domains with full authentication are trivial to create.

Monitor for domain drift in established vendor relationships. When a known contact's display name appears on a new sending domain, that is a high-confidence impersonation signal regardless of authentication results. A sender-domain relationship graph is the detection mechanism that catches this.
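The sender-domain relationship check described above, and the behavioral signals listed under "The Signal That Stopped It", as an added example that is not IRONSCALES code. It assumes a hypothetical contact store (KNOWN_CONTACTS) and a constructed message shaped like the one in this post; the verdict is driven by domain drift and never overridden by a DMARC pass.

```python
import email
import email.policy
import re
from email.utils import parseaddr

# Constructed sample headers and body shaped like the message the post
# describes; this is not the original raw message.
SAMPLE_MSG = """\
From: Known Contact <contact@abboworks-sales.nl>
To: recipient@example.com
Subject: Following up on our call
Authentication-Results: mx.example.com; dkim=pass header.d=abboworks-sales.nl; dmarc=pass; spf=fail
Content-Type: text/plain

Hi, good speaking with you yesterday. We'd love to holisticly host killer technologies for you.
4b7e5dj-y2cN-deefc-
"""

# Hypothetical sender-domain relationship store: lowercase display name ->
# domains that contact has historically sent from.
KNOWN_CONTACTS = {"known contact": {"abboworks-leadgen.nl"}}

TOKEN_RE = re.compile(r"^[A-Za-z0-9]{4,}(?:-[A-Za-z0-9]+)+-?$")  # batch-token shape
URL_RE = re.compile(r"https?://|www\.", re.I)

def brand_anchor(domain):
    """abboworks-sales.nl -> 'abboworks': the label a lookalike preserves."""
    return domain.split(".")[0].split("-")[0]

def analyze(raw, known=KNOWN_CONTACTS):
    msg = email.message_from_string(raw, policy=email.policy.default)
    name, addr = parseaddr(msg["From"])
    domain = addr.rsplit("@", 1)[-1].lower()
    auth = msg.get("Authentication-Results", "").lower()
    body = msg.get_body(preferencelist=("plain",)).get_content()
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    signals, drift = [], False
    seen = known.get(name.strip().lower())
    if seen is not None and domain not in seen:  # known name, first-time domain
        drift = True
        signals.append("known display name on a first-time sending domain")
        if any(brand_anchor(domain) == brand_anchor(d) for d in seen):
            signals.append("lookalike domain sharing brand anchor with known domain")
    if not URL_RE.search(body) and not any(True for _ in msg.iter_attachments()):
        signals.append("zero-payload body")
    if lines and TOKEN_RE.match(lines[-1]):
        signals.append("visible tracking token at end of body")
    # Authentication is recorded for context only; it cannot clear domain drift.
    return {"domain": domain, "dmarc_pass": "dmarc=pass" in auth,
            "signals": signals, "verdict": "quarantine" if drift else "deliver"}
```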

Do not dismiss zero-payload emails as benign. The absence of links, attachments, and financial requests does not mean the absence of threat. Zero-payload emails are the setup phase of multi-stage BEC campaigns. The financial damage arrives in message two or three, inside a thread the recipient already trusts.

Watch for campaign artifacts in message bodies. Visible tracking tokens, generated phrasing, and mechanical misspellings indicate automated infrastructure. Legitimate business contacts do not leave batch correlation strings in their emails.

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack. What it looked like, why it worked, and what to do about it.

Related attacks

Attack | What happened
Perfect Authentication, Zero Payload: The Yahoo Free-Mail BEC That Microsoft Flagged but Didn't Block | A Yahoo free-mail account with perfect SPF, DKIM, and DMARC authentication sent a zero-payload account change request to a state government health agency.
The U.S. Bank Email That Came From a Lawyer Directory and Passed Every Authentication Check | A fully authenticated email from lawyerlegion[.]com displayed pixel-perfect U.S.
The Datadog Alert That Came From the Wrong Domain: Authenticated Brand Impersonation With All Links Pointing to Real Infrastructure | A fully authenticated Datadog monitor alert arrived from dtdg.co, not datadoghq.com.
The Payroll Change Request That Passed Every Authentication Check | A zero-payload BEC email requesting a payroll direct deposit change passed SPF, DKIM, and DMARC using a free Gmail account.
The Phishing Relay Running on Government Cloud Infrastructure | A phishing email originated from an EC2 instance in AWS GovCloud (us-gov-west-1), a region reserved for government workloads.