TL;DR A message arriving from a compromised tax-law firm account used a Mimecast login redirect as the visible CTA, with the actual payload hosted on Azure Blob Storage and DigitalOcean Spaces under attacker-controlled subdomain names embedding the firm's brand. The body explicitly declared the link would work for anyone, removing the recipient-specific personalization that might make a credential request plausible. Despite a Mimecast spam score of 132 and a multi-hop redirect chain landing on cloud object storage, automated link scanners returned clean verdicts on all three links. The attack illustrates how cloud infrastructure laundering defeats reputation-based detection even when individual signals are present.
Severity: High Phishing Credential Harvesting Account Takeover MITRE: T1566.002 MITRE: T1078 MITRE: T1598.003
The message arrives from a compromised tax-law firm account. The shared-file template is clean. The Mimecast login button is the sole call to action. One sentence in the body explains the access model: "This link will work for anyone."
That sentence is the tell.
The Compromised Account as a Delivery Mechanism
A compromised professional-services account changes the threat calculus in a specific way. The sender domain, registered in 2000, has two decades of legitimate email history. The sender address maps to a real individual at a real firm. When the message passed through the recipient organization's Mimecast gateway, the domain reputation, the authentication record, and the prior sending history all pointed toward a legitimate contact.
Account takeover attacks against professional-services firms, particularly tax and legal practices, are valuable to attackers precisely because these firms maintain ongoing correspondence with a wide range of businesses. A compromised law firm account gives an attacker access to an established sender relationship with any organization that has ever exchanged email with that firm. The attacker does not need to build reputation from scratch. It is already there.
The authentication picture in this incident reflects this: an earlier relay hop showed DKIM pass and DMARC pass for the sender domain, consistent with a message that genuinely originated from the firm's authorized Microsoft 365 tenant. The ARC chain preserved those assertions through the Mimecast relay. The final-hop failures (SPF permerror, DKIM body-hash fail, DMARC fail, action=oreject) are attributable to Mimecast's relay rewriting, not to spoofing. The message was legitimately from the compromised account.
The Three-Layer Redirect Chain
The redirect chain in this attack uses three distinct services, each of which handles a different segment of the delivery path:
Layer one: Mimecast login redirect. The visible CTA points to login-us[.]mimecast[.]com with a long JWT-encoded token path referencing a "cybergraph-report." Mimecast's login domain is a legitimate endpoint used for authenticated content delivery, which gives the initial CTA link a clean reputation and the visual appearance of a security-vendor-endorsed experience.
Layer two: Mimecast link-protection rewrite. A second link in the message body (url[.]us[.]m[.]mimecastprotect[.]com) is the rewritten form of the actual destination, where domain=[firmname]pdf[.]blob[.]core[.]windows[.]net is visible in the URL parameter. This parameter reveals the final destination before the link is followed: Azure Blob Storage under a subdomain that embeds the firm's name in the blob container identifier.
Layer three: Cloud object storage. The actual credential page is hosted on blob[.]core[.]windows[.]net, a Microsoft-operated domain serving Azure Blob Storage content. A parallel reference in the message HTML points to scan202620202026[.]sfo3[.]digitaloceanspaces[.]com, an attacker-controlled DigitalOcean Spaces bucket. Both are legitimate cloud-provider domains. Neither will trigger a blocklist.
This technique is accurately described as cloud laundering: the attacker's payload is hosted on infrastructure whose reputation belongs to Microsoft and DigitalOcean, not to the attacker. Any scanner evaluating the hosting domain rather than the page content will return a clean verdict, as the automated scanners did in this incident.
See Your Risk: Calculate how many threats your SEG is missing
The Publicly Accessible Link as a Campaign Signal
The phrase "This link will work for anyone" is more than a social-engineering failure. It is a technical indicator. Legitimate shared-document systems, including Mimecast's own content delivery features, generate access-controlled links tied to the recipient's authenticated identity. A document that requires no authentication to open is not being shared securely; it is being made publicly accessible.
Attackers use public links because their credential-harvest page needs to accept input from any visitor who arrives at the URL, not just from a specific authenticated user. The mass-distribution implication is also relevant: a publicly accessible link allows the same URL to be sent to thousands of recipients without generating unique access tokens, reducing the operational overhead of the campaign. The pattern is consistent with phishing operations designed for breadth rather than precision.
Combined with the absence of recipient-specific personalization in the message body (no name, no account reference, no document title meaningful to the recipient), the public-link declaration indicates this was a broad campaign using a compromised account as the delivery vehicle, not a targeted attack on a specific individual.
What Mimecast Score 132 Means and Why It Was Overridden
The message carried X-Mimecast-Spam-Score: 132, which is an extremely high value and reflects that the Mimecast gateway's heuristics identified multiple characteristics consistent with phishing or spam. Despite this score, the message proceeded through the delivery chain with a relatively low Microsoft Composite Content Level, and the final destination links were returned as "Clean" by the link-inspection layer.
This divergence illustrates a known failure mode in layered security: individual components may generate accurate risk signals that are not acted on when the final disposition decision is made. A spam score of 132 is a meaningful signal. It did not prevent delivery.
The MITRE ATT&CK framework classifies this delivery pattern as Spearphishing Link (T1566.002) with cloud infrastructure abuse. Credential harvesting via cloud-hosted pages is increasingly the dominant form of this attack because it removes the attacker-controlled domain as a detection surface entirely. CISA recommends treating any unexpected shared-file notification from a professional-services contact as requiring out-of-band verification before clicking. The Verizon DBIR 2026 attributes a significant proportion of credential compromises to phishing via trusted third-party senders. The Microsoft Digital Defense Report 2024 identifies cloud storage abuse as a top phishing infrastructure pattern, with blob.core.windows.net specifically noted as a common attacker-controlled hosting location.
The reusable detection principle: any shared-file link that (a) comes from a sender with no prior relationship to the shared content, (b) explicitly states it works for anyone, and (c) resolves to cloud object storage rather than a named document-management platform deserves to be treated as a credential-harvest attempt until proven otherwise.
---
| Type | Indicator | Context |
|---|
| URL | hxxps://login-us[.]mimecast[.]com/u/login/?gta=apps&link=cybergraph-report/[token] | Mimecast login domain used as initial CTA redirect layer |
| Domain | [redacted-firm-name][.]blob[.]core[.]windows[.]net | Azure Blob Storage; attacker-controlled container embedding compromised firm name; final credential-page host |
| Domain | scan202620202026[.]sfo3[.]digitaloceanspaces[.]com | DigitalOcean Spaces; attacker-controlled bucket referenced in message HTML |
| URL | hxxps://url[.]us[.]m[.]mimecastprotect[.]com/s/[token]?domain=blob[.]core[.]windows[.]net | Mimecast link-protection rewrite revealing Azure Blob destination |
Email Attack of the Day is a daily series from
IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack. What it looked like, why it worked, and what to do about it.
/case_study_thumb_telit.webp?width=1136&height=639&name=case_study_thumb_telit.webp)
/Leadership%20Headshots/Audian%20Paxson%20Headshot%201000x1000%20032026.webp?width=100&height=100&name=Audian%20Paxson%20Headshot%201000x1000%20032026.webp)
/Misc%20Icons/icon-red-teaming-agent-gradient-simple.svg)
/Misc%20Icons/icon-phishing-soc-agent-gradient-simple.webp?width=158&height=167&name=icon-phishing-soc-agent-gradient-simple.webp)
/Misc%20Icons/icon-phishing-simulation-agent-gradient-simple.svg)
/Misc%20Icons/icon-nav-encryption.svg)
