One Missing Letter, Four Redirected Invoices: The Lookalike Domain That Almost Worked

TL;DR Attackers registered a lookalike domain one character away from a legitimate vendor's name and used it to hijack an active invoice thread. The email requested updated ACH bank details for four invoices, passed SPF and DKIM checks, and traversed Barracuda, Mimecast, and Google gateways without triggering a block. The CC field contained lookalike addresses designed to intercept replies. IRONSCALES flagged the first-time sender anomaly and the newly registered domain, catching what authentication alone could not. Organizations should enforce out-of-band payment verification for any banking detail change request.
Severity: Critical | Tags: BEC, Spoofing | MITRE ATT&CK: T1566.001, T1036.005

The difference between techniform.com and technlform.com is a single letter. One is a legitimate industrial vendor with a domain registered in 1996. The other was created in February 2026 for one purpose: to redirect four invoice payments totaling over $100,000 to an attacker-controlled bank account.

The email arrived at an energy company's accounts payable mailbox on a Thursday afternoon, threaded into an existing invoice conversation. It referenced real invoice numbers, used the vendor's actual branding, and asked the recipient to process updated ACH banking details. SPF passed. DKIM passed. Three enterprise email gateways processed it without objection.

The only thing wrong was a single letter: a lowercase "l" standing in for the "i" in the vendor's name, a pair that is nearly indistinguishable in many sans-serif fonts.

The Anatomy of a One-Character Deception

The attacker registered technlform[.]com, a lookalike variant of the real vendor domain techniform[.]com, in which the "i" at position six is replaced by a lowercase "l". At a glance, the two are indistinguishable. The lookalike domain was only weeks old at the time of the attack, according to WHOIS records.

The phishing email impersonated a known contact at the legitimate vendor and replied into an active thread about past-due invoices. The body was brief, professional, and urgent:

> "I am resending the invoices and would like to inform you that there have been changes to our bank details. Invoices #30034, #29962, #29904, and #30092 are attached and have been updated with the new bank information. Kindly process all payments using the new details provided in the attached invoices."

Four PDF attachments accompanied the message, each named after a real invoice number. The signature block replicated the legitimate vendor's branding, complete with address, phone numbers, and a link to the real vendor website.

The FBI IC3 reported that Business Email Compromise (BEC) losses reached $2.77 billion in 2024 (FBI IC3 2024 Internet Crime Report). Invoice diversion, where attackers redirect legitimate payment flows to fraudulent accounts, is one of the most financially damaging subtypes.

Why Three Gateways Said "Clean"

The message traversed Microsoft 365, Barracuda Email Security Gateway, and Mimecast before landing in the victim's Google Workspace inbox. At every hop, authentication results came back positive.

SPF: Passed. The sending IP (209[.]222[.]82[.]149) belonged to Barracuda's legitimate outbound relay infrastructure. The attacker appears to have sent the message from a compromised mailbox within the real vendor's Microsoft 365 tenant, which meant the email genuinely originated from legitimate infrastructure. The pass is unremarkable for a more basic reason as well: SPF asks only whether the connecting IP is authorized by the DNS of the domain in the envelope sender, and the attacker controls the DNS for technlform[.]com. Authentication of a lookalike domain is authentication of the lookalike, not of the vendor it imitates.

DKIM: Passed at the Mimecast hop. At the Google hop, DKIM returned "neutral" because the body hash no longer verified: an upstream gateway had modified the message in transit, and banners, footers, and re-encoding all break the body hash. This is a common result in multi-gateway environments, so it did not trigger a block. As with SPF, a DKIM pass proves only that the signing domain's published key verified the message, not that the signing domain is the vendor the recipient believes it to be.

ARC: Preserved across all hops. The Authentication-Results chain showed consistent pass signals from Microsoft through Barracuda through Mimecast to Google. That is ARC working as designed: it lets the final receiver trust the results recorded by earlier, trusted intermediaries even after they modified the message, which is exactly why the DKIM "neutral" at Google carried no weight.

According to the Verizon 2024 Data Breach Investigations Report, the human element is involved in 68% of breaches. In this case, the human element was the intended victim, and the attack was designed so that every automated check would give them no reason to hesitate.


The CC Field Told the Real Story

The most revealing detail was not in the message body. It was in the CC line.

The email was sent to a legitimate employee at the victim organization. But the CC field contained four addresses, all on the lookalike domain: Jharrison@technlform[.]com, accounting@technlform[.]com, bharrison@technlform[.]com, and Cfortner@technlform[.]com.

This is a reply-interception technique. By CC'ing addresses on the lookalike domain, the attacker ensured that any reply or reply-all from the victim (confirming receipt, asking questions, or looping in colleagues) would land in attacker-controlled mailboxes rather than at the real vendor. The CC'd names matched real employees at the legitimate vendor, adding another layer of credibility. In ATT&CK terms, the message with its PDF attachments is T1566.001 (Phishing: Spearphishing Attachment), and the lookalike domain carrying real employee names and real invoice numbers is T1036.005 (Masquerading: Match Legitimate Name or Location).

This is a common pattern in vendor email compromise, and it is the reason that checking only the "From" address is insufficient. The entire header set matters: From, Reply-To, CC, and the envelope sender can each point somewhere different, and the attacker only needs one of them to reach an inbox they control.
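The header inspection argued for above, written out as an added example; this is not code from the original post or from IRONSCALES. It parses a message with Python's standard `email` package, pulls every address out of From, Reply-To, Cc and Return-Path, and compares each domain against an allowlist of verified vendor domains in two ways: a "skeleton" comparison that collapses visually confusable characters (so l and i, rn and m compare equal, which is what catches technlform against techniform) and an edit-distance check that also catches a dropped, added or transposed character, going beyond the single substitution on this page. It also reads the final receiver's Authentication-Results header with parenthesised comments stripped, so the nested results inside an `arc=pass (...)` comment do not mask the receiver's own `dkim=neutral`. The allowlist, the From address, the Subject and the wording of the Authentication-Results headers in the sample message are constructed; the Cc addresses, relay IP and pass/neutral outcomes are the ones the post reports.

```python
import re
from email import message_from_bytes, policy
from email.utils import getaddresses

# Domains the AP team has verified out of band (assumption: a maintained allowlist).
VENDOR_DOMAINS = {"techniform.com"}

# Visually confusable sequences collapsed to one canonical form. A small subset;
# a real deployment would use the Unicode confusables table.
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("cl", "d")]
CONFUSABLE_CHARS = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o", "5": "s", "3": "e"})


def skeleton(domain: str) -> str:
    """Canonical form in which 'technlform.com' and 'techniform.com' are equal."""
    s = domain.lower().rstrip(".")
    for pair, single in CONFUSABLE_PAIRS:
        s = s.replace(pair, single)
    return s.translate(CONFUSABLE_CHARS)


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[-1][-1]


def lookalike_of(domain: str, known=VENDOR_DOMAINS):
    """Return the legitimate domain this one imitates, or None if it is exact or unrelated."""
    d = domain.lower().rstrip(".")
    if d in known:
        return None
    for legit in known:
        if skeleton(d) == skeleton(legit) or edit_distance(d, legit) == 1:
            return legit
    return None


def authentication_results(msg) -> dict:
    """Verdicts from the top-most Authentication-Results header (the final receiver's).
    Parenthesised comments are dropped first so that results nested inside an
    'arc=pass (... dkim=pass ...)' comment do not shadow the receiver's own dkim= verdict."""
    hdr = msg.get("Authentication-Results")
    if hdr is None:
        return {}
    cleaned = re.sub(r"\([^)]*\)", "", str(hdr))
    return dict(re.findall(r"\b(arc|spf|dkim|dmarc)=(\w+)", cleaned))


def audit_message(raw: bytes) -> dict:
    """Every address-bearing header is checked, not just From."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for header in ("From", "Reply-To", "Cc", "Return-Path"):
        values = [str(v) for v in msg.get_all(header, [])]
        for _name, addr in getaddresses(values):
            if "@" not in addr:
                continue
            legit = lookalike_of(addr.rsplit("@", 1)[1])
            if legit:
                hits.append((header, addr, legit))
    return {"auth": authentication_results(msg), "lookalikes": hits}


# Constructed sample in the shape of the attack described in the post. The From
# address, Subject and header wording are assumed; the Cc addresses, relay IP and
# spf=pass / dkim=neutral outcomes are the ones the post reports.
SAMPLE = b"""Authentication-Results: mx.google.com;
       arc=pass (i=3 spf=pass spfdomain=technlform.com dkim=pass dkdomain=technlform.com);
       dkim=neutral (body hash did not verify) header.i=@technlform.com;
       spf=pass (google.com: domain of ar@technlform.com designates 209.222.82.149 as permitted sender) smtp.mailfrom=ar@technlform.com
Authentication-Results: mimecast.example; spf=pass; dkim=pass header.d=technlform.com
From: Accounts Receivable <ar@technlform.com>
To: ap@example-energy.com
Cc: Jharrison@technlform.com, accounting@technlform.com,
 bharrison@technlform.com, Cfortner@technlform.com
Subject: RE: Past due invoices
Content-Type: text/plain

I am resending the invoices and would like to inform you that there have been
changes to our bank details.
"""

if __name__ == "__main__":
    report = audit_message(SAMPLE)
    print("authentication:", report["auth"])
    for header, addr, legit in report["lookalikes"]:
        print(f"{header}: {addr} imitates {legit}")
```

Run against the sample, the audit reports `spf=pass`, `dkim=neutral`, `arc=pass` and five addresses on technlform.com imitating techniform.com: one in From and all four in Cc. The authentication block is entirely green and tells you nothing; the lookalike hits are the verdict.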

What Caught It When Authentication Could Not

This email was a first-time sender to the target mailbox. Despite the existing thread context (which the attacker had either intercepted or reconstructed), the sending address had never before appeared in the recipient's communication history.

That behavioral signal, combined with the newly registered domain age and the financial instruction content, is exactly what Adaptive AI detection is designed to surface. Authentication protocols answered the question "Is this server authorized for this domain?" with a yes. But the more important question, "Has this sender ever contacted this recipient before, and is this domain trustworthy?", requires behavioral context that traditional gateways do not maintain.

Across the IRONSCALES customer base of 1,921 organizations, first-time sender anomalies combined with financial instruction keywords are among the highest-confidence BEC indicators. SEGs miss an average of 67.5 phishing emails per 100 mailboxes per month (IRONSCALES, 2025 SEG analysis). Attacks like this one, carrying no malicious payload and passing every authentication check, are the primary drivers of that gap.

Indicators of Compromise

| Type       | Indicator                          | Context                                                                     |
|------------|------------------------------------|-----------------------------------------------------------------------------|
| Domain     | technlform[.]com                   | Lookalike domain (typosquat of techniform.com), registered Feb 2026        |
| Email      | Jharrison@technlform[.]com         | Attacker-controlled CC address                                              |
| Email      | accounting@technlform[.]com        | Attacker-controlled CC address                                              |
| Email      | bharrison@technlform[.]com         | Attacker-controlled CC address                                              |
| Email      | Cfortner@technlform[.]com          | Attacker-controlled CC address                                              |
| IP         | 209[.]222[.]82[.]149               | Barracuda ESG outbound relay (legitimate infrastructure, used in attack path) |
| Hash (MD5) | 821a089473c61e55f25aaddcbaebd4b4   | Invoice 30092.pdf attachment                                                |
| Hash (MD5) | e182b9e3ea26499a1fbb578e553c7e31   | Invoice 29904.pdf attachment                                                |
| Hash (MD5) | b322bad8f6bc745fc0b940a9271515c1   | Invoice 30034.pdf attachment                                                |
| Hash (MD5) | 2d11ca92a4daf4c3aa82992802c68960   | Invoice 29962.pdf attachment                                                |

Stopping Invoice Diversion Before the Wire Clears

This attack required no malware, no credential harvesting page, and no malicious URL. The payload was a PDF with a bank account number. That makes it invisible to sandboxes, URL scanners, and reputation engines.

Defending against this pattern requires a different approach:

  1. Enforce out-of-band verification for all payment changes. Call the vendor at a number already on file, never one taken from the email or its attachments, and speak to a contact you already know; in this case the CC'd names were real vendor employees, so a familiar name by itself proves nothing. The CISA phishing guidance reinforces this as a baseline control.
  2. Flag first-time senders in financial workflows. Any email requesting banking changes from an address that has never contacted your AP team before should trigger manual review, regardless of authentication results.
  3. Monitor for lookalike domain registration. Domain monitoring services can alert you when typosquat variants of your organization's name or your key vendors' names are registered, and a domain only weeks old writing to accounts payable is a signal worth acting on by itself. The Microsoft Digital Defense Report 2024 notes that lookalike domains remain a top impersonation technique.
  4. Inspect the full header, not just the From line. CC, Reply-To, and the envelope sender are where attackers place their interception infrastructure. The stakes justify the effort: IBM's 2024 Cost of a Data Breach Report puts the global average cost of a breach at $4.88 million.
  5. Layer behavioral analysis on top of authentication. SPF, DKIM, and DMARC answer "Is this sender authorized for this domain?" not "Is this safe?" Behavioral analysis that considers sender history, domain age, content intent, and communication patterns catches what authentication cannot.
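Controls 1, 2 and 5 above as a single triage rule, added here as an example; it is not part of the original post or of any IRONSCALES product. It takes a message's sender, body and the sender domain's registration date (which in practice comes from a WHOIS or RDAP lookup and is supplied here as an input), compares the sender against the addresses that have previously mailed the AP mailbox, and looks for language that requests new banking details. Any banking change is held for a phone call to the number on file no matter how clean the message looks, which is what control 1 demands and which also covers the case the post raises: a request sent from a genuinely compromised vendor mailbox would pass authentication and the sender-history check. The history set, the dates, the keyword patterns, the 90-day threshold and the routine and compromised-mailbox messages are all constructed; the attack message body is the text quoted in the post.

```python
import re
from datetime import date

# Phrases that signal a change to where money should go (assumption: tune per organisation).
BANK_CHANGE_PATTERNS = [
    r"\b(new|update[ds]?|change[ds]?)\b[^.]{0,60}\b(bank|banking|account|ach|wire|routing|iban|swift)\b",
    r"\b(bank|banking|account|ach|wire|routing|iban|swift)\b[^.]{0,60}\b(new|update[ds]?|change[ds]?)\b",
]
NEW_DOMAIN_DAYS = 90  # assumption: a domain younger than this is "newly registered"


def requests_bank_change(text: str) -> bool:
    return any(re.search(p, text, re.IGNORECASE) for p in BANK_CHANGE_PATTERNS)


def domain_of(address: str) -> str:
    return address.lower().rsplit("@", 1)[1]


def triage(message: dict, history: set, today: date) -> dict:
    """message: {"from": address, "body": text, "domain_created": date or None}.
    history: addresses that have previously mailed this AP mailbox (assumption: taken
    from the mail store). Returns a verdict plus the signals that produced it."""
    sender = message["from"].lower()
    known_domains = {domain_of(a) for a in history}
    signals = []

    bank_change = requests_bank_change(message["body"])
    if bank_change:
        signals.append("requests new banking/payment details")

    # Control 2: first-time sender, distinguishing a new address at a known vendor
    # from a domain this mailbox has never seen.
    if sender not in history:
        if domain_of(sender) in known_domains:
            signals.append("first-time sender address (domain seen before)")
        else:
            signals.append("first-time sender domain for this mailbox")

    created = message.get("domain_created")
    if created is not None:
        age_days = (today - created).days
        if age_days < NEW_DOMAIN_DAYS:
            signals.append(f"sender domain registered {age_days} days ago")

    # Control 1: every banking change is verified out of band, even from a known,
    # fully authenticated sender, because that sender's mailbox may be compromised.
    if bank_change:
        verdict = "HOLD: confirm by phone using the number on file before paying"
    elif signals:
        verdict = "REVIEW"
    else:
        verdict = "DELIVER"
    return {"verdict": verdict, "signals": signals}


# Constructed inputs. HISTORY and TODAY are assumptions; the registration month of
# the lookalike (February 2026) and the attack wording come from the post.
HISTORY = {"ar@techniform.com", "jharrison@techniform.com"}
TODAY = date(2026, 3, 12)

ATTACK = {
    "from": "ar@technlform.com",  # assumed From address on the lookalike domain
    "body": ("I am resending the invoices and would like to inform you that there have "
             "been changes to our bank details. Invoices #30034, #29962, #29904, and "
             "#30092 are attached and have been updated with the new bank information. "
             "Kindly process all payments using the new details provided in the attached "
             "invoices."),
    "domain_created": date(2026, 2, 1),
}
ROUTINE = {
    "from": "ar@techniform.com",
    "body": "Attached is the statement for February; no action needed.",
    "domain_created": date(1996, 6, 1),
}
COMPROMISED_VENDOR_MAILBOX = {
    "from": "ar@techniform.com",
    "body": "Please note our bank account has changed, see attached.",
    "domain_created": date(1996, 6, 1),
}

if __name__ == "__main__":
    for label, msg in (("attack", ATTACK), ("routine", ROUTINE),
                       ("compromised vendor mailbox", COMPROMISED_VENDOR_MAILBOX)):
        result = triage(msg, HISTORY, TODAY)
        print(f"{label}: {result['verdict']}")
        for signal in result["signals"]:
            print("   -", signal)
```

The attack message collects three signals (banking change, never-seen domain, 39-day-old registration) and is held; the routine statement from the known vendor address is delivered with no signals; the message from the real vendor's own address asking for a bank change carries only one signal, yet it is still held, because a history match and an authentication pass say nothing about whether that mailbox is still in the vendor's hands.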

One missing letter. Four invoices. A single behavioral signal made the difference.

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 30,000+ security professionals. Each post breaks down one attack — what it looked like, why it worked, and what you can do about it.
