The email looked like a standard Microsoft 365 file-sharing notification. A blue "Open" button. A document icon. A message indicating that someone had shared a file titled "Financial Report Q4." A corporate name in the footer to reinforce legitimacy. The layout matched what any Microsoft 365 user would expect when a colleague shares a OneDrive document.
None of it was real. The entire notification was a PNG image.
The image (approximately 35 KB, MD5: cacef25b3ce91130c7c89f8bed8b5198) was structurally clean. No steganographic payloads, no appended executables, no embedded URLs in PNG metadata chunks. It was a standard image file that happened to be a pixel-perfect recreation of a Microsoft sharing card. The attack did not live inside the image. It lived in the HTML anchor tag that wrapped the image, pointing to hxxps://usafricalive[.]com/apps/index.html.
The Click Goes Somewhere Else
The destination URL resolved directly to the page with no intermediate redirect chain. The landing page presented a "Secure 365 workspace verification" widget with a Microsoft 365 tile icon and branding elements designed to impersonate a Microsoft authentication flow. The page was hosted on usafricalive[.]com, a domain registered through GoDaddy with a creation date of 2020. Name servers pointed to ns1[.]usafricaonline[.]com. The domain had an SPF TXT record and a DKIM-like TXT entry at default._domainkey but published no DMARC record. The A record resolved to 63[.]250[.]34[.]194. Reverse PTR did not match the domain.
Automated risk scoring assessed the page as HIGH risk based on the direct impersonation of Microsoft 365 verification UI and the credential-capture intent visible in the page structure.
The separation between the visual lure (the PNG) and the technical payload (the anchor URL) is what makes image-based phishing effective against content scanners. Text-based analysis tools parse the HTML body, looking for suspicious strings, social engineering language, and brand impersonation in the visible text. When the social engineering message is rendered as pixels inside an image, there is no text to parse. The scanner sees a PNG attachment with a link. Without OCR or visual AI analysis, the social engineering content is invisible.
The Sender and the Authentication Puzzle
The apparent sender identity referenced a corporate contact at a legitimate company. At the earliest relay hops, DKIM and SPF passed for the sender's domain. However, the message traversed multiple security gateways, including Microsoft/Office365 protection frontends and a Trend Micro CAS relay (repost-eu[.]tmcas[.]trendmicro[.]com). At the final inbound MX, SPF showed a softfail for IP 139[.]138[.]59[.]32 (resolving to esa2[.]hc3244-53[.]iphmx[.]com), and some DKIM checks reported failures. ARC showed mixed pass/fail states across iterations.
This mixed authentication pattern is characteristic of messages forwarded through multiple security gateways. Each hop can break SPF alignment by changing the sending IP, and message modifications by CDR (Content Disarm and Reconstruction) or link-rewriting engines can invalidate DKIM signatures. The result is that a message that was properly authenticated at origin arrives with degraded authentication results, which some gateways may treat as less suspicious than an outright fail.
The important takeaway is that the mixed authentication state does not mitigate the clear phishing content. Whether the sender's account was compromised or the message was injected through a different mechanism, the body contains a malicious link targeting credentials.
Image Lures and the Content-Scanning Blind Spot
The 2024 Verizon DBIR found that the human element is involved in 68% of breaches, and credential theft remains one of the top initial access vectors. Image-based phishing specifically targets the gap between what a human sees and what an automated scanner can analyze. The recipient sees a familiar Microsoft sharing card and clicks. The scanner sees a clean PNG and a URL that may or may not be in its blocklist.
Themis flagged this message based on the mismatch between the apparent sender domain and the link destination domain, the first-time sender pattern, and visual analysis signals from the landing page screenshot that identified Microsoft 365 brand impersonation. Community intelligence across the IRONSCALES network surfaced usafricalive[.]com as part of an active credential-harvesting campaign. Across the network, 67.5 phishing emails per 100 mailboxes per month bypass traditional secure email gateways, and image-based lures are a growing delivery mechanism precisely because they evade text-based content analysis.
This attack maps to MITRE ATT&CK T1566.002 (Spearphishing Link) for the email delivery of a malicious URL, T1204.001 (User Execution: Malicious Link) for the required click action, and T1056.003 (Input Capture: Web Portal Capture) for the credential-harvesting landing page.
Building Detection Around Visual Deception
Defending against image-based credential phishing requires controls that do not depend on parsing text content from the email body. URL reputation analysis must evaluate anchor destinations independently of anchor content, meaning even when the anchor wraps an image rather than text, the destination should be inspected. Landing page analysis should capture and evaluate the visual content of linked pages for brand impersonation patterns. And sender-destination domain mismatches (where the apparent sender and the link destination have no relationship) should increase suspicion regardless of authentication results.
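The two controls described above, checking the anchor destination even when the anchor wraps only an image and comparing that destination with the sender's domain, can be implemented against the raw message without any text from the lure. The following is an added example written for this article, not IRONSCALES or Themis code; the sample message, its hostnames and the two-label domain comparison are constructed for illustration.

```python
"""Flag image-only anchors in an HTML e-mail whose destination domain does
not match the sender domain. Added example; the message below is constructed."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse


class ImageAnchorParser(HTMLParser):
    """Collect <a> tags whose only visible content is an <img> (no text)."""
    def __init__(self):
        super().__init__()
        self.hits = []        # (href, img_src) for each image-only anchor
        self._href = None     # href of the <a> currently open, if any
        self._img = None
        self._text = ""

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._img, self._text = a["href"], None, ""
        elif tag == "img" and self._href is not None:
            self._img = a.get("src", "")

    def handle_data(self, data):
        if self._href is not None:
            self._text += data.strip()   # any real text disqualifies the anchor

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            if self._img is not None and not self._text:
                self.hits.append((self._href, self._img))
            self._href = None


def registrable(host):
    """Crude eTLD+1 (last two labels); a real deployment would use the PSL."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyze(raw):
    """Return image-only anchors whose destination domain differs from the sender's."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_dom = registrable(msg["From"].addresses[0].domain)
    body = msg.get_body(preferencelist=("html",))
    parser = ImageAnchorParser()
    parser.feed(body.get_content() if body else "")
    findings = []
    for href, _img in parser.hits:
        dest = registrable(urlparse(href).hostname or "")
        if dest != sender_dom:
            findings.append({"href": href, "dest": dest, "sender": sender_dom})
    return findings


# Constructed sample: a sharing-card image wrapped in a link to an unrelated host.
SAMPLE = """From: Colleague <colleague@example-corp.test>
To: victim@example.test
Subject: Financial Report Q4 shared with you
Content-Type: text/html; charset=utf-8

<html><body>
<a href="https://share.phish-placeholder.invalid/apps/index.html"><img src="cid:card.png" alt=""></a>
<p>Sent by <a href="https://example-corp.test/about">Example Corp</a></p>
</body></html>
"""
```

The second anchor carries visible text and points at the sender's own domain, so only the image-wrapped link is reported.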
User training should emphasize the habit of hovering over links and images before clicking. In this case, hovering over the "Open" button would have revealed usafricalive[.]com rather than any Microsoft domain. That single check, if practiced consistently, defeats this entire attack chain.
The file-sharing notification is one of the most effective phishing pretexts in circulation because it triggers an immediate, reflexive response: someone shared something with me, and I need to open it. When the notification looks exactly like the real thing, down to the pixel, and the only difference is the URL behind the click, the margin between a clean inbox and a compromised account is vanishingly small.
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Malicious URL | hxxps://usafricalive[.]com/apps/index.html | Credential-harvesting landing page impersonating Microsoft 365 |
| Landing Page IP | 63[.]250[.]34[.]194 | A record for usafricalive[.]com |
| Attacker Domain | usafricalive[.]com | Registered 2020 via GoDaddy, no DMARC, PTR mismatch |
| Image Lure MD5 | cacef25b3ce91130c7c89f8bed8b5198 | PNG mimicking Microsoft 365 shared-file card |
| Relay IP | 139[.]138[.]59[.]32 | esa2[.]hc3244-53[.]iphmx[.]com, SPF softfail at final MX |
| Relay | repost-eu[.]tmcas[.]trendmicro[.]com | Trend Micro CAS gateway in relay chain |