The message arrives from a compromised tax-law firm account. The shared-file template is clean. The Mimecast login button is the sole call to action. One sentence in the body explains the access model: "This link will work for anyone."
That sentence is the tell.
A compromised professional-services account changes the threat calculus in a specific way. The sender domain, registered in 2000, has two decades of legitimate email history. The sender address maps to a real individual at a real firm. When the message passed through the recipient organization's Mimecast gateway, the domain reputation, the authentication record, and the prior sending history all pointed toward a legitimate contact.
Account takeover attacks against professional-services firms, particularly tax and legal practices, are valuable to attackers precisely because these firms maintain ongoing correspondence with a wide range of businesses. A compromised law firm account gives an attacker access to an established sender relationship with any organization that has ever exchanged email with that firm. The attacker does not need to build reputation from scratch. It is already there.
The authentication picture in this incident reflects this: an earlier relay hop showed DKIM pass and DMARC pass for the sender domain, consistent with a message that genuinely originated from the firm's authorized Microsoft 365 tenant. The ARC chain preserved those assertions through the Mimecast relay. The final-hop failures (SPF permerror, DKIM body-hash fail, DMARC fail, action=oreject) are attributable to Mimecast's relay rewriting, not to spoofing. The message was legitimately from the compromised account.
The redirect chain in this attack uses three distinct services, each of which handles a different segment of the delivery path:
Layer one: Mimecast login redirect. The visible CTA points to login-us[.]mimecast[.]com with a long JWT-encoded token path referencing a "cybergraph-report." Mimecast's login domain is a legitimate endpoint used for authenticated content delivery, which gives the initial CTA link a clean reputation and the visual appearance of a security-vendor-endorsed experience.
Layer two: Mimecast link-protection rewrite. A second link in the message body (url[.]us[.]m[.]mimecastprotect[.]com) is the rewritten form of the actual destination, where domain=[firmname]pdf[.]blob[.]core[.]windows[.]net is visible in the URL parameter. This parameter reveals the final destination before the link is followed: Azure Blob Storage under a subdomain that embeds the firm's name in the blob container identifier.
Layer three: Cloud object storage. The actual credential page is hosted on blob[.]core[.]windows[.]net, a Microsoft-operated domain serving Azure Blob Storage content. A parallel reference in the message HTML points to scan202620202026[.]sfo3[.]digitaloceanspaces[.]com, an attacker-controlled DigitalOcean Spaces bucket. Both are legitimate cloud-provider domains. Neither will trigger a blocklist.
This technique is accurately described as cloud laundering: the attacker's payload is hosted on infrastructure whose reputation belongs to Microsoft and DigitalOcean, not to the attacker. Any scanner evaluating the hosting domain rather than the page content will return a clean verdict, as the automated scanners did in this incident.
See Your Risk: Calculate how many threats your SEG is missing
The phrase "This link will work for anyone" is more than a social-engineering failure. It is a technical indicator. Legitimate shared-document systems, including Mimecast's own content delivery features, generate access-controlled links tied to the recipient's authenticated identity. A document that requires no authentication to open is not being shared securely; it is being made publicly accessible.
Attackers use public links because their credential-harvest page needs to accept input from any visitor who arrives at the URL, not just from a specific authenticated user. The mass-distribution implication is also relevant: a publicly accessible link allows the same URL to be sent to thousands of recipients without generating unique access tokens, reducing the operational overhead of the campaign. The pattern is consistent with phishing operations designed for breadth rather than precision.
Combined with the absence of recipient-specific personalization in the message body (no name, no account reference, no document title meaningful to the recipient), the public-link declaration indicates this was a broad campaign using a compromised account as the delivery vehicle, not a targeted attack on a specific individual.
The message carried X-Mimecast-Spam-Score: 132, which is an extremely high value and reflects that the Mimecast gateway's heuristics identified multiple characteristics consistent with phishing or spam. Despite this score, the message proceeded through the delivery chain with a relatively low Microsoft Composite Content Level, and the final destination links were returned as "Clean" by the link-inspection layer.
This divergence illustrates a known failure mode in layered security: individual components may generate accurate risk signals that are not acted on when the final disposition decision is made. A spam score of 132 is a meaningful signal. It did not prevent delivery.
The MITRE ATT&CK framework classifies this delivery pattern as Spearphishing Link (T1566.002) with cloud infrastructure abuse. Credential harvesting via cloud-hosted pages is increasingly the dominant form of this attack because it removes the attacker-controlled domain as a detection surface entirely. CISA recommends treating any unexpected shared-file notification from a professional-services contact as requiring out-of-band verification before clicking. The Verizon DBIR 2026 attributes a significant proportion of credential compromises to phishing via trusted third-party senders. The Microsoft Digital Defense Report 2024 identifies cloud storage abuse as a top phishing infrastructure pattern, with blob.core.windows.net specifically noted as a common attacker-controlled hosting location.
The reusable detection principle: any shared-file link that (a) comes from a sender with no prior relationship to the shared content, (b) explicitly states it works for anyone, and (c) resolves to cloud object storage rather than a named document-management platform deserves to be treated as a credential-harvest attempt until proven otherwise.
---
| Type | Indicator | Context |
|---|---|---|
| URL | hxxps://login-us[.]mimecast[.]com/u/login/?gta=apps&link=cybergraph-report/[token] | Mimecast login domain used as initial CTA redirect layer |
| Domain | [redacted-firm-name][.]blob[.]core[.]windows[.]net | Azure Blob Storage; attacker-controlled container embedding compromised firm name; final credential-page host |
| Domain | scan202620202026[.]sfo3[.]digitaloceanspaces[.]com | DigitalOcean Spaces; attacker-controlled bucket referenced in message HTML |
| URL | hxxps://url[.]us[.]m[.]mimecastprotect[.]com/s/[token]?domain=blob[.]core[.]windows[.]net | Mimecast link-protection rewrite revealing Azure Blob destination |
| Attack | What happened |
|---|---|
| Sign Here, Get Phished: Inside an Adobe Sign Lure With a Multi-Hop Redirect to Credential Theft | An Adobe Sign e-signature lure routed recipients through a multi-hop redirect chain ending at fameklinik[.]com. |
| DocuSign Plus Invoice: A 12-Day-Old Domain and an esvalabs Redirect Chain That Scanners Missed | A phishing campaign combined DocuSign branding with an invoice thread pretext, sent from a 12-day-old privacy-protected domain via Amazon SES. |
| When the Phishing Kit Ships Early: Exposed Template Variables Reveal Attack Infrastructure | A premature phishing kit deployment exposed raw template variables in the subject line and a placeholder URL. |
| Funding Agreement, Forged Approval: How a Three-Layer Redirect Chain Targeted Finance Leadership | A phishing campaign impersonating a document-signing platform targeted a VP of Finance with a forged funding agreement. |
| Hungarian Bank, Nepali Domain, Broken Encoding: How a K&H Bank Phishing Kit Exposed Itself | A K&H Bank impersonation campaign sent from a Nepali domain used DKIM signing and hotlinked the real bank's favicon. |