TL;DR A finance employee received a message whose authentication read clean: SPF pass, compauth pass, DMARC best-guess pass. Those results described the last hop, not the origin. The message was injected from a Netherlands host that failed SPF, then relayed through Microsoft outbound protection, which re-stamped it as a pass. The visible link impersonated an aerospace manufacturer while the true href ran through a Japanese open redirect to a credential-harvest page in Brazil. Themis auto-resolved it as phishing at 84 percent confidence across five mailboxes at two organizations. Detection came from behavior and link inspection, not authentication headers.
Severity: High Credential Harvesting Phishing Brand Impersonation MITRE: T1566.002 MITRE: T1566 MITRE: T1656 MITRE: T1204.001

The email cleared SPF. That was the problem.

An accounts receivable clerk at a property management firm opened a message with a curt subject line: a vendor name followed by a long hash-like token. The authentication results stapled to it read clean. SPF pass. Composite authentication pass. DMARC best-guess pass. Every signal a downstream filter leans on to decide this one is fine said exactly that.

The signals were describing the wrong thing. They described the last server that touched the message, not the server that created it. Themis, the IRONSCALES agentic AI SOC analyst, ignored the headers and read the behavior instead. It auto-resolved the message as phishing at 84 percent confidence across five mailboxes at two organizations before anyone clicked.

Here is what the pass concealed. The message was injected from a rented host in the Netherlands that failed SPF, then relayed through Microsoft outbound protection, which re-stamped it as a pass on the way to the inbox. The visible link pointed at an aerospace manufacturer. The click would have landed on a credential-harvesting page in Brazil, reached through an open redirect parked on a Japanese domain.

Injected in one country. Laundered through a trusted relay. Landing in another.

The Header Said Pass. The First Hop Said Fail.

Sender Policy Framework (SPF) checks the connecting IP against the list of servers a domain authorizes to send on its behalf. It is evaluated per hop. That per-hop detail is the whole story here.

The message first arrived at a Microsoft edge from a hosting IP whose reverse DNS resolved to a bulk provider. SPF failed on that hop: the sender domain did not designate that IP as a permitted sender. The message carried no ARC chain and no DKIM signature.

Then it moved. The sender domain is hosted on Microsoft infrastructure, and its SPF record authorizes Microsoft outbound ranges. So once the message was relayed through a Microsoft outbound protection node, the connecting IP on the final hop belonged to Microsoft, and Microsoft is on the authorized list. SPF passed. ARC passed. Composite authentication passed. DMARC, with no published policy on the sender domain, resolved to a best-guess pass.

Nothing about the content changed. The message inherited a passing result the moment it routed through infrastructure the domain trusts. This is authentication laundering: send from somewhere unauthorized, bounce through somewhere authorized, arrive wearing the second identity. DKIM binds a signature to the message rather than the route, so it would have caught this. The sender published none.

One Link, Two Destinations

The body was three lines: a vendor "sent a confidential file for inspection," the sender "awaits your response," and a signature that did not match the envelope address. First-time sender, no prior correspondence, a finance recipient. Exactly the role attackers target for payment and credential access.

The single link is where the craft lived. The text a reader saw was a long, official-looking URL on a real aerospace manufacturer's domain, complete with a plausible path (/adobe-doc/securelinks.proctectionoffice/file/) that even carried a misspelling of "protection office." That was display text only.

The actual href went somewhere else entirely. It called an open redirect on a legitimate Japanese domain, redirect.php?page=, and handed that redirect a final destination: an Adobe-themed credential-harvest page hosted on a Brazilian domain. The brand shown to the human and the destination handed to the browser were never the same address.

Why not just send from the aerospace brand's own domain? Because that domain publishes SPF, DKIM, and DMARC, so spoofing it would fail alignment. The attacker did not spoof the brand at the protocol layer at all. They put the brand in the visible text, where no authentication protocol looks, and pointed the click at borrowed infrastructure. Visible-text impersonation is the workaround for a brand that authenticates properly.

See Your Risk: Calculate how many threats your SEG is missing

Three Countries, One Delivery

Follow the geography and the design becomes obvious. Composing host in one country, sender domain on a cloud tenant, open redirect in a second country, harvest page in a third. Each hop launders reputation from the one before it.

The open redirect is the cheapest and most durable trick in the chain. The redirector belongs to a real, unrelated organization with a clean reputation and an aged domain, so URL reputation engines wave it through. The attacker did not have to compromise that site. They only abused a redirect endpoint that accepts an arbitrary destination in a query parameter. According to the Microsoft Digital Defense Report 2024, attackers increasingly chain trusted intermediaries to defeat the reputation shortcuts email filters rely on.

Themis did not stop at the redirector. It followed the chain to the final destination, scanned the landing page, and returned a malicious verdict on both the redirect URL and the page it resolved to. The 84 percent phishing confidence carried two labels that summarize the intent: credential theft and VIP recipient. Community signal reinforced it, because this pattern had been reported before by other organizations in the IRONSCALES network. This is where Adaptive AI email security earns its keep: the decision came from where the link led and how the sender behaved, not from a header that had already been laundered.

Mapping the Technique

The chain maps cleanly to MITRE ATT&CK. The delivery is Spearphishing Link (T1566.002), a subtechnique of Phishing (T1566), paired with impersonation and user execution of a malicious link. The National Institute of Standards and Technology defines phishing around exactly this deception: a message built to look legitimate to trigger an action. That action was a single click authentication could not evaluate, because SPF, DKIM, and DMARC verify who relayed a message, never where its links resolve.

Indicators From the Chain

All indicators are defanged. Do not interact with them.

TypeIndicatorContext
Sender (envelope)eric@ecoworks[.]mtEnvelope address, display name mismatch, no DKIM, no DMARC
Origin IP185[.]161[.]208[.]44Netherlands bulk-hosting provider, SPF fail on first hop
Display-text lurehxxps://www[.]wiprolauak[.]com/notre-histoire/about-us/adobe-doc/securelinks.proctectionoffice/file/id:Visible text only, impersonating a legitimate aerospace manufacturer; not the real href
Redirectorhxxps://www[.]kerc[.]or[.]jp/redirect.php?page=&token=Abused open redirect on a legitimate Japanese domain
Landing pagehxxps://prvinformatica[.]com[.]br/about/adobe_access[.]htmlAdobe-themed credential-harvest page

Closing the Visible-Text Gap

This message passed every authentication check and still got quarantined. That gap between authenticated and safe is where security teams should focus.

Inspect the href, not the header. SPF, DKIM, and DMARC answer who relayed a message, not where its links go. Compare display text against the actual href on every message, and treat any mismatch as hostile.

Follow redirects to the final destination. A clean first domain means nothing when it forwards elsewhere, and any control that stops at the first URL is trivial to defeat with an open redirect. CISA network-defender phishing guidance stresses inspecting the full path a user would travel. IRONSCALES credential harvesting protection resolves the whole chain and scans the landing page rather than trusting the link text.

Do not treat cloud-relayed mail as pre-vetted. Passing through a major provider's outbound range is a routing detail, not a safety guarantee. Layer behavioral analysis on top so a laundered SPF pass is not the final word. That is the point of Microsoft 365 augmentation: the native stack passed this message, and a second layer caught it.

Weight first-contact finance mail. A first-time sender, a mismatched display name, and an urgent request aimed at accounts receivable is a recognizable Business Email Compromise (BEC) adjacent profile. According to the IBM Cost of a Data Breach Report 2024, phishing and stolen credentials remain among the most common and most expensive initial access vectors. One harvested finance credential costs far more than inspecting one more link.

Authentication told the recipient this message was fine. The link told a different story. Read the one that matters.

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack. What it looked like, why it worked, and what to do about it.

Related attacks

Attack What happened
The Button Text Was the Weapon: Unicode RTL Obfuscation Inside a DocuSign LureAttackers embedded Unicode right-to-left marks directly inside a CTA button label to scatter the string for NLP scanners.
The DocuSign Lure That Used Google as a Trust Shield (And Encoded Your Email in the Link)A DocuSign phishing email hid its harvest domain behind a google.com redirect and encoded the recipient's exact email address into the link as base64.
A Phishing Link Wearing Two Security Vendors' Badges: Inside a Benefits-Enrollment Credential LureA benefits-enrollment lure wrapped its payload link inside two legitimate email-security rewrite services.
Sign Here, Get Phished: Inside an Adobe Sign Lure With a Multi-Hop Redirect to Credential TheftAn Adobe Sign e-signature lure routed recipients through a multi-hop redirect chain ending at fameklinik[.]com.
When the Safety Wrapper Becomes the Disguise: Brazilian NF-e Phishing via Safe Links RewriteA Portuguese-language invoice lure authenticated through a compromised Brazilian domain used is.gd to hide its payload.

Explore More Articles

Say goodbye to Phishing, BEC, and QR code attacks. Our Adaptive AI automatically learns and evolves to keep your employees safe from email attacks.