The domain that sent this email no longer resolves. The registry has placed it into clientHold status, the enforcement mechanism that prevents a domain from returning any DNS answer. The domain was seized after it was used. That fact tells you something about what it was used for, and it tells you the campaign ran before anyone could stop it.
This is disposable-infrastructure phishing: build a sender domain, run the campaign, absorb the takedown. The credentials were already stolen by the time the domain was neutralized.
The sending domain myvoiso[.]com was registered in June 2024, approximately 21 months before the email was delivered. At the time of analysis, the domain's ICANN status read clientHold, indicating a registry-level enforcement action had placed the domain out of service. This is not a domain that expired or was abandoned: clientHold is applied actively, and typically follows an abuse report, registrar investigation, or law enforcement engagement.
The authentication posture matched the disposable nature of the infrastructure. SPF record: none. DKIM: failed. DMARC: no policy. The email carried an unverified display name and claimed to be a notification about a file that needed to be downloaded. There was no actual attachment. The attacker had invested nothing in authenticating the sending domain because it was only ever intended to last one campaign.
The Reply-To header pointed to jeelobakra@gmail[.]com, a throwaway Gmail account. This is standard operating procedure for phishing campaigns built on disposable sender domains: any recipient who replies does not reach the sending domain's mail server. Replies go directly to an attacker-controlled free-mail account that can be abandoned and recreated without infrastructure cost.
The message body contained a "Download" button pointing to hxxp://66.179.188.94. This is an IP-literal URL: a raw IPv4 address with no domain name component whatsoever. Domain-based URL reputation systems classify threats by domain name. An IP-literal URL has no domain name, and therefore no domain reputation entry in any conventional blocklist or threat intel feed. The IP address 66.179.188.94 sits in a hosting range but has no prior classification history that would trip a perimeter filter on its own.
Alongside the IP-literal vector, the attacker also maintained a Netlify-hosted credential-harvest page at hxxps://securefilepro-cloud[.]netlify[.]app. Netlify is a legitimate web hosting and deployment platform. Its free tier allows instant deployment under a subdomain of netlify.app, a domain with established legitimate reputation. The attacker's subdomain securefilepro-cloud is a constructed name designed to appear document-management-adjacent while carrying no actual relationship to any legitimate file service.
The combination is deliberate: IP-literal for the "Download" action (bypasses domain reputation), Netlify subdomain as the credential-collection surface (benefits from the parent domain's reputation). Two vectors, two different evasion approaches, serving the same credential-theft goal.
Microsoft support links appeared in the email body alongside the attacker's own links. This is a credibility-decoy technique: if a link scanner follows one of the Microsoft links and returns a clean verdict, that clean verdict can create a halo effect that reduces the overall suspicion score on the message. The Microsoft links served no functional purpose for the attacker's objective. They existed only to dilute the threat signal.
The IRONSCALES incident record flagged the recipient as a VIP, specifically a Finance Senior Director. This targeting is not accidental. Finance leadership controls ACH authorization and wire transfer approval flows. An attacker running credential harvesting against a Finance executive has a direct path to payment fraud if the credentials yield access to financial systems, accounting software, or email accounts used for payment approvals.
Credential harvesting campaigns that target finance-adjacent VIPs are often reconnaissance infrastructure for a subsequent BEC attempt: steal the credentials, gain email access, monitor pending transactions, insert payment diversion instructions into an active thread. The credential theft is step one.
Phishing infrastructure built around disposable domains specifically exploits the latency in threat intelligence sharing: by the time the domain is reported, investigated, and placed into clientHold status, the campaign has completed. Defenders relying on reputation-feed coverage of sending domains are always measuring the last campaign, not the current one.
SPF=none, DKIM=fail, DMARC=none: this authentication trifecta is among the highest-confidence sender-spoofing signals available at the gateway. A domain that has no SPF record, fails DKIM, and publishes no DMARC policy is a domain that does not belong to any recognized organization attempting to authenticate its mail. Legitimate business mail systems publish SPF, sign with DKIM, and enforce DMARC.
The compound authentication result on this message was compauth=none reason=001. IRONSCALES Adaptive AI scored the message at 77% confidence, driven by the authentication failure cluster, the IP-literal URL, the Reply-To diversion to a throwaway account, and the VIP recipient designation.
For security operations teams, the 77% confidence score in the context of VIP targeting should trigger elevated response priority. IRONSCALES applies VIP-specific detection thresholds precisely because the consequence of a missed detection against a Finance Senior Director is higher than against a general mailbox.
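The signals walked through above (the spf=none/dkim=fail/dmarc=none cluster, the Reply-To diversion, the IP-literal link, the free-hosting subdomain, and the clean decoy links) can be scored at the gateway in a few dozen lines. The following is an added example, not IRONSCALES code; the sample message is constructed from this campaign's indicators, the point weights, the free-hosting list and the VIP threshold are assumptions, and the headers show how a worst-link rule keeps clean decoy links from diluting the verdict.

```python
import re
from email import message_from_string
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample (not the real message) carrying this campaign's signals; 203.0.113.10 is an assumed sender IP.
SAMPLE = """From: "File Share" <notice@myvoiso.com>
Reply-To: jeelobakra@gmail.com
Authentication-Results: spf=none (sender IP is 203.0.113.10) smtp.mailfrom=myvoiso.com;
 dkim=fail (signature did not verify); dmarc=none action=none; compauth=none reason=001

Your file is waiting: http://66.179.188.94/
Sign in: https://securefilepro-cloud.netlify.app/login
Help: https://support.microsoft.com/
"""
FREE_HOSTING = ("netlify.app", "github.io", "pages.dev")  # assumed local list
URL_RE = re.compile(r"""https?://[^\s<>"']+""")
DOMAIN_RE = re.compile(r"@([\w.-]+)")

def auth_results(msg):
    hdr = " ".join(msg.get_all("Authentication-Results", []))
    return {m[1]: m[2].lower() for m in re.finditer(r"\b(spf|dkim|dmarc|compauth)=(\w+)", hdr)}

def link_risk(url):
    # An IP literal has no domain to look up; a free-hosting subdomain borrows its parent's reputation.
    host = (urlparse(url).hostname or "").lower()
    try:
        ip_address(host)
        return 30
    except ValueError:
        return 20 if any(host == h or host.endswith("." + h) for h in FREE_HOSTING) else 0

def score_message(raw, vip=False):
    msg = message_from_string(raw)
    ar, score, reasons = auth_results(msg), 0, []
    if (ar.get("spf"), ar.get("dkim"), ar.get("dmarc")) == ("none", "fail", "none"):
        score += 40
        reasons.append("auth trifecta spf=none dkim=fail dmarc=none")
    frm, rto = (DOMAIN_RE.search(msg.get(h, "")) for h in ("From", "Reply-To"))
    if frm and rto and frm[1].lower() != rto[1].lower():
        score += 15
        reasons.append("reply-to diverts to " + rto[1])
    links = URL_RE.findall(msg.get_payload() if not msg.is_multipart() else "")
    # Worst link, never the average: clean decoy links must not dilute the score.
    worst = max((link_risk(u) for u in links), default=0)
    if worst:
        score += worst
        reasons.append("worst of %d links scored %d" % (len(links), worst))
    threshold = 60 if vip else 75  # assumed lower alert bar for VIP mailboxes
    return {"score": score, "reasons": reasons, "alert": score >= threshold}
```

Averaging the three links would have let the Microsoft support link pull the link component down to 17; taking the maximum keeps the IP-literal at full weight.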
The Verizon DBIR 2026 notes that credential theft via phishing is among the most common paths to financial fraud. The MITRE ATT&CK framework classifies this delivery pattern under Phishing for Information: Spearphishing Link (T1598.003). CISA specifically advises that finance personnel follow out-of-band verification procedures for any credential or payment request, regardless of apparent legitimacy.
The domain myvoiso[.]com is no longer active. That matters for future campaigns from this infrastructure. It does not affect whether credentials submitted during the active campaign window were collected and used. Defenders treating a domain's clientHold status as evidence that the threat passed have inverted the timeline.
---
| Type | Indicator | Context |
|---|---|---|
| Domain | myvoiso[.]com | Attacker sender domain registered Jun 2024; now in clientHold (seized) |
| IP | 66.179.188.94 | IP-literal "Download" button destination; no domain hostname |
| URL | hxxp://66.179.188.94 | Direct IP URL used to bypass domain-based reputation filtering |
| Domain | securefilepro-cloud[.]netlify[.]app | Netlify-hosted credential-harvest landing page |
| URL | hxxps://securefilepro-cloud[.]netlify[.]app | Credential-harvest page URL |
| Email | jeelobakra@gmail[.]com | Reply-To diversion address; throwaway Gmail |
| Auth Result | spf=none; dkim=fail; dmarc=none | Triple authentication failure on sending domain |