A document-access notification arrives from what appears to be a New Zealand business portal account. The sender authenticates cleanly: SPF pass, DKIM pass, DMARC pass, Microsoft compauth pass. The email body contains a single call to action: "Open My Account," linked to what looks like a luxury fashion brand's account portal. The display URL is for shop.maisonsantos[.]lu. When you check that URL separately, it resolves to NXDOMAIN.
The actual destination is somewhere else entirely.
The Redirect Chain That Hid the Payload
The visible link was a decoy. The href behind "Open My Account" was a Microsoft Safe Links URL wrapping a Mandrill click-tracking URL, which in turn pointed to secure.testindoconsultant[.]com. That domain was registered on October 29, 2024, through CV. Rumahweb Indonesia, with registrant contact details masked entirely behind "Domain Data Guard," a privacy service operating out of a Yogyakarta post office box.
The chain worked in the attacker's favor at every step. Safe Links rewrote the URL and checked it at delivery time. The Mandrill tracking hop gave that check a trusted Mailchimp Transactional domain to evaluate rather than the attacker's infrastructure. The final destination, secure.testindoconsultant[.]com, was only weeks old and had no threat-intelligence coverage at the time of delivery. The path ended at a fake login page designed to harvest the recipient's account credentials. A scanner following the chain had nothing to detonate against.
The display URL mismatch, showing a luxury brand's account portal while the href pointed elsewhere, served a separate function: it provided visual legitimacy for a recipient scanning the message body, while also making it harder for an automated system to correlate the shown URL with the real destination.
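The chain above only yields its real endpoint when every hop is unwrapped and recorded rather than followed blindly. The resolver below is an added example for this write-up, not IRONSCALES tooling or code from the message analysis: it unwraps a Microsoft Safe Links wrapper locally (the target sits percent-encoded in the `url` query parameter of a `*.safelinks.protection.outlook.com` link, which is Safe Links' real format), then resolves each further hop through an injected `fetch` callback that returns a redirect's `Location` without following it, so intermediate hosts such as an ESP click tracker are captured. The tracker URL, the `.example` landing host and the hop table are constructed placeholders; the tracker path is not Mandrill's actual click-tracking format.

```python
from typing import Callable, List, Optional, Tuple
from urllib.parse import parse_qs, quote, urlparse

MAX_HOPS = 10

# Returns the Location header of a 3xx response, or None when the URL is a final page.
Fetcher = Callable[[str], Optional[str]]


def unwrap_safelinks(url: str) -> str:
    """Return the target of a Microsoft Safe Links wrapper, or the URL unchanged.

    Safe Links rewrites links to https://<region>.safelinks.protection.outlook.com/?url=<encoded>&...
    The original target is percent-encoded in the `url` parameter, so it can be recovered
    locally without contacting Microsoft.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host.endswith("safelinks.protection.outlook.com"):
        inner = parse_qs(parsed.query).get("url")
        if inner:
            return inner[0]  # parse_qs already percent-decodes the value
    return url


def resolve_chain(url: str, fetch: Fetcher, max_hops: int = MAX_HOPS) -> Tuple[List[str], str]:
    """Follow every hop from `url` and return (visited URLs, status).

    Safe Links wrappers are unwrapped locally; every other hop is resolved by asking `fetch`
    for the redirect target, so each intermediate host is recorded. Status is "final" (a page
    was reached), "loop" (a URL repeated) or "hop_limit" (redirect chain too long).
    """
    chain = [url]
    current = url
    while len(chain) <= max_hops:
        unwrapped = unwrap_safelinks(current)
        nxt = unwrapped if unwrapped != current else fetch(current)
        if nxt is None:
            return chain, "final"
        chain.append(nxt)
        if nxt in chain[:-1]:
            return chain, "loop"
        current = nxt
    return chain, "hop_limit"


def hop_hosts(chain: List[str]) -> List[str]:
    """Hostname of each hop; these are what reputation and domain-age checks should score."""
    return [(urlparse(u).hostname or "").lower() for u in chain]


# --- Constructed offline stand-in for the chain described above ------------------------
# The tracker path/query are placeholders (not Mandrill's real click-tracking format) and the
# landing host is a .example placeholder standing in for the attacker-registered domain.
CONSTRUCTED_TRACKER = "https://click-tracker.example/track/click/PLACEHOLDER?p=PLACEHOLDER"
CONSTRUCTED_LANDING = "https://secure.attacker-landing.example/login"
CONSTRUCTED_HOPS = {CONSTRUCTED_TRACKER: CONSTRUCTED_LANDING}  # simulated 302 Location answers
SAMPLE_HREF = (
    "https://nam02.safelinks.protection.outlook.com/?url="
    + quote(CONSTRUCTED_TRACKER, safe="")
    + "&data=PLACEHOLDER&reserved=0"
)


def constructed_fetch(url: str) -> Optional[str]:
    """Stand-in for an HTTP client that returns a redirect's Location header, or None."""
    return CONSTRUCTED_HOPS.get(url)


if __name__ == "__main__":
    chain, status = resolve_chain(SAMPLE_HREF, constructed_fetch)
    for host in hop_hosts(chain):
        print(host)
    print("status:", status, "final:", chain[-1])
```

In a real pipeline `fetch` would be an HTTP client with automatic redirect-following disabled (for example `requests.head(url, allow_redirects=False)` and reading the `Location` header), so that every hop, including the ESP tracker, lands in the recorded chain; the hop limit and loop check keep an attacker-controlled redirect loop from stalling the analyzer.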
How a Compromised ESP Account Becomes the Delivery Layer
The message was relayed through Mandrill (Mailchimp Transactional), arriving from IP 198.2.179.16 (mail179-16.suw41.mandrillapp.com). This is ESP abuse: an attacker using a legitimate email infrastructure provider, either via a compromised account or a lightly vetted new one, to send phishing with the inherited IP reputation of a major commercial ESP.
Mandrill is a transactional email platform with high deliverability because legitimate businesses depend on it to send receipts, password resets, and account notices. Its outbound IP ranges are on allowlists at most organizations and carry positive reputation scores with major inbox providers. When an attacker routes a phishing campaign through Mandrill, the gateway sees a trusted commercial sender, not a newly spun-up VPS.
The sending account itself was registered to a New Zealand web portal, a legitimate account whose credentials the attacker had obtained before this campaign. All authentication passed precisely because the account was real and the ESP was real.
The Lure Anatomy: Document, Urgency, Generic Greeting
The message body referenced a document with a label structured as a business reference number, identifying it as an "Addendum" requested by "Legal." The intent was to create a low-friction, low-suspicion reason for the recipient to click through to an account portal, the kind of routine administrative action that does not trigger a phishing mental model in a busy professional.
The greeting used the recipient's mailbox username directly, extracted from the target email address. This is not spearphishing in the research-intensive sense; it is opportunistic personalization using the information already present in the target address. The effect on the recipient is the same: a message that feels addressed to them specifically, rather than a mass blast.
The impersonated brand, Maison Santos, is a European luxury goods label. The impersonation did not require the brand to be widely recognized. A recipient unfamiliar with the brand might click simply to understand what account they allegedly hold there. A recipient who recognizes the brand as out of place might still click out of curiosity. Either way, the attacker wins the click.
What Behavioral Analysis Caught That Authentication Could Not
IRONSCALES Adaptive AI flagged this message at 50% confidence. The authentication headers were clean. The ESP reputation was positive. The visible URL referenced a known domain, even if that domain was dead. A gateway evaluating only these signals would have delivered the message without further scrutiny.
The behavioral detection came from a combination of factors that do not exist in any single header: a compromised sender with no prior sending relationship to this recipient, a display URL whose domain resolves to NXDOMAIN, and a final destination reachable only by unwrapping two redirect layers. The credential-harvesting destination carried freshly registered WHOIS data, an Indonesian privacy proxy, and no email authentication records of its own. None of those are visible in the authentication headers. All of them are visible to a detection stack that follows the full chain.
Defensive Posture for Redirect-Layer Credential Harvests
The structural lesson from this attack is that the URL visible in a message body is not the URL that matters. In any phishing delivery using an ESP's own click-tracking infrastructure, or a Safe Links wrapper, or both in series, the meaningful URL is at the end of the chain, and that is the one that must be evaluated.
Full-chain URL detonation. Any URL inspection that stops at an intermediate hop, an ESP tracker or a security vendor's rewrite, has not completed the inspection. The final destination's domain age, registrant privacy, and hosting context are the signals that distinguish a legitimate transactional link from an attacker-built landing page.
Display URL / href correlation. When the text of a hyperlink shows a domain that does not match the actual href destination, even when both appear superficially legitimate, that mismatch is a detection signal. A dead display URL combined with a live attacker-controlled destination is an especially high-confidence indicator.
Sender relationship baseline. The compromised New Zealand account had no prior communication history with the target mailbox. A first-contact message from an authenticated sender, carrying a document-access lure and a redirect-wrapped URL, represents a risk profile requiring deeper inspection regardless of authentication outcome.
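The three checks above (full-chain destination, display/href correlation, sender relationship baseline) can be combined into one scoring pass over a message body. The code below is an added example written for this page, not IRONSCALES' detection logic, and the weights are the author's own illustrative choices. It parses every anchor in an HTML body, compares the domain shown in the link text with the host of the fully resolved destination, treats a display domain that no longer resolves as a decoy, scores the final domain's registration age and registrant privacy, and adds a first-contact signal. The external lookups (full-chain resolver, DNS, WHOIS, mail history) are injected callbacks backed by constructed placeholder data; the `.example` domains, addresses, and the delivery date are constructed, while the registration date matches the one given in this write-up.

```python
import re
from dataclasses import dataclass
from datetime import date
from html.parser import HTMLParser
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlparse

DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def extract_links(html: str) -> List[Tuple[str, str]]:
    collector = _AnchorCollector()
    collector.feed(html)
    return collector.links


def registrable(host: str) -> str:
    """Naive registrable domain (last two labels). A real deployment should use the
    Public Suffix List so hosts under co.uk and similar suffixes compare correctly."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


@dataclass
class Verdict:
    score: int
    signals: List[str]


def score_message(
    html: str,
    sender: str,
    recipient: str,
    today: date,
    resolve_final: Callable[[str], str],        # href -> final URL after unwrapping every hop
    dns_resolves: Callable[[str], bool],        # hostname -> False on NXDOMAIN
    whois: Callable[[str], Optional[dict]],     # domain -> {"created": date, "privacy_masked": bool}
    has_history: Callable[[str, str], bool],    # (sender, recipient) -> prior mail seen?
    young_days: int = 90,
) -> Verdict:
    """Score one message on the signals a header-only check cannot see (illustrative weights)."""
    signals: List[str] = []
    score = 0
    for href, text in extract_links(html):
        final_host = (urlparse(resolve_final(href)).hostname or "").lower()
        shown = DOMAIN_RE.search(text.lower())
        if shown and registrable(shown.group(0)) != registrable(final_host):
            score += 30
            signals.append(f"display/href mismatch: shows {shown.group(0)}, lands on {final_host}")
            if not dns_resolves(shown.group(0)):
                score += 20
                signals.append(f"display domain {shown.group(0)} is NXDOMAIN (decoy)")
        record = whois(registrable(final_host))
        if record:
            age = (today - record["created"]).days
            if age < young_days:
                score += 25
                signals.append(f"final domain registered {age} days before delivery")
            if record.get("privacy_masked"):
                score += 10
                signals.append("final domain registrant is privacy-masked")
    if not has_history(sender, recipient):
        score += 15
        signals.append("first contact: no prior sender/recipient relationship")
    return Verdict(min(score, 100), signals)


# --- Constructed sample mirroring the message above (placeholder domains, not the real ones) --
SAMPLE_HTML = """
<p>Legal has requested an Addendum. Please review it in your account.</p>
<p><a href="https://nam02.safelinks.protection.outlook.com/?url=PLACEHOLDER-WRAPPED">
shop.luxury-brand.example - Open My Account</a></p>
"""
SAMPLE_SENDER = "notifications@compromised-portal.example"
SAMPLE_RECIPIENT = "jane.doe@target.example"
SAMPLE_TODAY = date(2024, 11, 19)  # constructed delivery date
_FINAL = {"https://nam02.safelinks.protection.outlook.com/?url=PLACEHOLDER-WRAPPED":
          "https://secure.attacker-landing.example/login"}
_DNS = {"shop.luxury-brand.example": False}                       # decoy display domain: NXDOMAIN
_WHOIS = {"attacker-landing.example": {"created": date(2024, 10, 29), "privacy_masked": True}}
_HISTORY: set = set()                                              # no prior (sender, recipient) pairs


def analyze_sample() -> Verdict:
    return score_message(
        SAMPLE_HTML, SAMPLE_SENDER, SAMPLE_RECIPIENT, SAMPLE_TODAY,
        resolve_final=lambda u: _FINAL.get(u, u),
        dns_resolves=lambda d: _DNS.get(d, True),
        whois=_WHOIS.get,
        has_history=lambda s, r: (s, r) in _HISTORY,
    )


if __name__ == "__main__":
    verdict = analyze_sample()
    print("score:", verdict.score)
    for s in verdict.signals:
        print(" -", s)
```

Note that SPF, DKIM and DMARC results are deliberately absent from the scoring: in this case all three passed, so treating a pass as a score reduction would have suppressed exactly the signals that identified the message. `resolve_final` is the place to plug in a full-chain resolver so that the Safe Links and ESP-tracker hops are unwrapped before the host comparison runs.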
The Verizon DBIR 2026 identifies credential theft as the leading initial access technique in confirmed breaches. The MITRE ATT&CK framework classifies this delivery pattern as Spearphishing Link (T1566.002) with sub-technique T1036.005 for masquerading via display URL. CISA guidance specifically calls out URL mismatch as a phishing indicator to check before clicking any link. The Microsoft Digital Defense Report 2024 notes that adversaries increasingly route phishing through legitimate cloud and ESP infrastructure to avoid network-level blocks, making endpoint-level and behavioral detection essential.
When display URL and real destination diverge, and when the real destination sits behind a privacy-masked registration made weeks before the campaign, the authentication headers are the wrong thing to trust.
---
| Type | Indicator | Context |
|---|---|---|
| Domain | testindoconsultant[.]com | Attacker-registered credential-harvest domain (registered 2024-10-29, Rumahweb Indonesia, privacy-masked) |
| Subdomain | secure.testindoconsultant[.]com | Actual phishing landing page destination |
| IP | 46.247.108.197 | Hosting IP for attacker credential-harvest domain |
| URL | hxxps://secure.testindoconsultant[.]com/ | Final destination behind Mandrill + Safe Links redirect chain |
| Domain | maisonsantos[.]lu | Impersonated luxury brand display URL (NXDOMAIN at delivery) |
| ESP relay | mail179-16.suw41.mandrillapp[.]com | Mandrill (Mailchimp Transactional) relay used for delivery |
| IP | 198.2.179.16 | Mandrill sending IP |