A price revision email arrives. The subject line names specific products: titanium dioxide, Quinoline Yellow WS, Quinoline Yellow SS. The From address belongs to an established industrial-pigment supplier. The authentication headers show SPF pass, DKIM pass, DMARC pass. The signature includes phone numbers and a professional layout. The body asks recipients to confirm prices before placing orders.
The confirmation link goes to hxxp://www[.]surfacetreatedpigments[.]com.
That site has no TLS. Its WHOIS is privacy-protected. It is hosted on a US-based shared server. The legitimate supplier operates out of India. The site presents content visually mirroring the real supplier. It flagged HIGH risk on automated inspection.
Price-revision and order-confirmation emails occupy a specific blind spot in security training. Employees are taught to scrutinize password resets, account alerts, and delivery notifications. Procurement communication exists in a different cognitive frame: it is routine, expected, and time-sensitive. A request to confirm pricing before an order is placed reads as a normal business transaction, not an attack.
This is a classic phishing technique applied to the procurement layer, and attackers who study their targets understand that blind spot. The subject line in this campaign named specific product categories that a procurement professional at a chemicals or manufacturing company would recognize as plausible. The multi-person CC structure of the legitimate sender's email chain was replicated in the attacker's format. Nothing in the social-engineering layer stands out as anomalous to a recipient embedded in a purchasing workflow.
The result is that clicking the link happens at the same low-friction level as a routine vendor confirmation, with the minimal scrutiny that implies.
Email spoofing defenses focus on the message layer. The mirror site in this campaign illustrates why the link destination deserves equal or greater scrutiny.
surfacetreatedpigments[.]com presents product content and branding visually consistent with an established industrial-pigment supplier that has operated since 2008. The visual mimicry is the attacker's primary social-engineering investment. A recipient who follows the link, sees familiar product names and supplier branding, and proceeds to interact with the site has no obvious signal that the site is not what it claims to be.
The technical signals tell a different story:
No TLS. The site is served entirely over plain HTTP. An established supplier handling order confirmations and business data would use HTTPS. The absence of a certificate is not definitive proof of malice, but it is inconsistent with legitimate business operations at scale.
Privacy-protected WHOIS. The domain registration conceals ownership details entirely. The legitimate supplier has a public business presence, registered addresses, and traceable business history. A domain claiming to represent that supplier with a fully masked registration is structurally inconsistent with how that supplier would operate.
US shared hosting. The IP resolves to a shared-hosting provider based in the United States. The legitimate company's infrastructure is associated with India, consistent with its stated business location. Hosting on US shared infrastructure under a privacy registration, while presenting as an Indian industrial supplier, is a technical mismatch without a plausible business explanation.
Together these signals produce a HIGH-risk verdict on automated inspection. The catch is that the inspection has to reach the link destination, which requires either gateway-level URL detonation or a user who knows to check before clicking.
A recurring confusion in phishing defense is treating authentication results as a measure of message safety. In this case, SPF, DKIM, and DMARC all passed for the sending domain at the final authentication hop. ARC seals preserved the authentication chain through the Sophos mail-flow relay the sender's tenant used.
This means the message genuinely came from the domain's authorized mail infrastructure. It does not mean the message is safe. Authentication tells you where a message came from. It says nothing about the safety of the links inside it.
The operational gap this creates is that a security tool or rule set that treats authentication as a trust signal will suppress further scrutiny on a message like this. The message passes authentication. The From address matches a real business. The subject is a plausible commercial topic. The body is professionally formatted. Without link-destination analysis that evaluates the technical characteristics of the landing site rather than just its URL reputation, the HIGH-risk signals on the mirror site remain invisible.
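As an added example that is not code from the original post, the following Python triage routine keeps the authentication verdict and the landing-site assessment separate, scoring the link destination on the signals listed above (plain HTTP or no TLS, privacy-protected WHOIS, hosting country versus the supplier's, and whether the link domain is one already associated with the supplier) so that an SPF/DKIM/DMARC pass never suppresses link scrutiny. The sample message, the enrichment table and the known-supplier domain are constructed stand-ins for live header parsing, TLS probing, WHOIS and GeoIP lookups; the sender domain is a placeholder, and the only real indicator is the mirror domain from this post.

```python
import re
from email import message_from_string
from urllib.parse import urlparse
# Constructed sample modelled on the campaign: placeholder sender, page's defanged link.
SAMPLE_EMAIL = """\
From: sales@legit-pigments.example
Subject: Price revision - titanium dioxide, Quinoline Yellow WS / SS
Authentication-Results: mx.victim.example; spf=pass; dkim=pass; dmarc=pass

Kindly confirm the revised prices before placing orders:
hxxp://www[.]surfacetreatedpigments[.]com/confirm
"""
# Constructed enrichment standing in for live TLS probe, WHOIS and GeoIP lookups.
SITE_INTEL = {"www.surfacetreatedpigments.com":
              {"tls": False, "whois_private": True, "hosting_country": "US"}}
KNOWN_SUPPLIER_DOMAINS = {"legit-pigments.example"}  # hypothetical allow-list
SUPPLIER_COUNTRY = "IN"  # where the real supplier operates
LEVELS = ["LOW", "MEDIUM", "HIGH"]

def auth_passed(msg):
    """SPF, DKIM and DMARC all 'pass': says where the mail came from, not that it is safe."""
    ar = msg.get("Authentication-Results", "")
    return all(f"{m}=pass" in ar for m in ("spf", "dkim", "dmarc"))

def extract_urls(msg):
    body = msg.get_payload().replace("hxxp", "http").replace("[.]", ".")  # refang IoCs
    return re.findall(r"https?://\S+", body)

def score_destination(url):
    """Rate the landing site on its own technical characteristics, not URL reputation."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    info = SITE_INTEL.get(host, {})
    findings = []
    if parsed.scheme == "http" or info.get("tls") is False:
        findings.append("no TLS")
    if info.get("whois_private"):
        findings.append("privacy-protected WHOIS")
    if info.get("hosting_country") not in (None, SUPPLIER_COUNTRY):
        findings.append("hosting country mismatch")
    if not any(host == d or host.endswith("." + d) for d in KNOWN_SUPPLIER_DOMAINS):
        findings.append("domain not previously associated with supplier")
    verdict = "HIGH" if len(findings) >= 3 else "MEDIUM" if findings else "LOW"
    return verdict, findings

def triage(raw):  # authentication is reported, but never used to skip link analysis
    msg = message_from_string(raw)
    links = {u: score_destination(u) for u in extract_urls(msg)}
    worst = max((v for v, _ in links.values()), key=LEVELS.index, default="LOW")
    return {"auth_passed": auth_passed(msg), "links": links, "verdict": worst}
```

Running `triage(SAMPLE_EMAIL)` reports `auth_passed` as True and the overall verdict as HIGH, which is exactly the combination a rule that short-circuits on authentication would miss.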
The MITRE ATT&CK framework classifies this delivery pattern as Spearphishing Link (T1566.002). Credential harvesting via mirror sites that intercept order confirmations is a specific variant of this technique, targeting the supplier-trust relationship rather than a consumer credential. The Verizon DBIR 2026 consistently identifies supplier-impersonation attacks as a leading category in business-sector breaches. CISA recommends verifying vendor contact details through known-good channels before acting on unexpected payment or order-confirmation requests. The Microsoft Digital Defense Report 2024 notes that adversaries increasingly build mirror sites to deceive users who perform basic verification by checking that a site "looks right."
For procurement teams specifically: a price-revision email that routes to a domain you did not previously know was associated with your supplier warrants an out-of-band call to a contact number you already have before any confirmation is submitted.
---
| Type | Indicator | Context |
|---|---|---|
| URL | hxxp://www[.]surfacetreatedpigments[.]com/ | Attacker-controlled mirror site; no TLS, privacy WHOIS, US shared hosting; flagged HIGH risk |
| Domain | surfacetreatedpigments[.]com | Mirror domain impersonating an established industrial-pigment supplier |