Threat Intelligence

The Netflix Billing Alert That Every Scanner Blessed (One Header Told the Truth)

Written by Audian Paxson | Mar 31, 2025 11:00:00 AM
TL;DR: Attackers sent a Netflix billing-failure lure through Smartsheet's own email infrastructure, meaning the message arrived DKIM-signed and DMARC-compliant, with every link resolving to legitimate Smartsheet domains. The payment or sign-in collection form was hosted on Smartsheet, so URL scanners had nothing to flag. The only detectable anomaly was a Reply-To header silently diverted to an attacker-controlled domain at uniservci[.]com. Themis flagged the brand mismatch, the off-domain Reply-To, and the mass-blast recipient pattern spanning dozens of unrelated Thai organizations. Multiple mailboxes across two Southeast Asian manufacturing organizations were quarantined.
Severity: High | Tags: Credential Harvesting, Brand Impersonation, Phishing | MITRE ATT&CK: T1566 (Phishing); T1566.002 (Phishing: Spearphishing Link); T1583.006 (Acquire Infrastructure: Web Services)

The message arrived with DomainKeys Identified Mail (DKIM): pass. Domain-based Message Authentication, Reporting and Conformance (DMARC): pass with p=reject enforcement. Sender Policy Framework (SPF): pass for the SparkPost (Smartsheet's email service provider) infrastructure. Microsoft's compauth scored 100. Every link in the body resolved to smartsheet.com or click.smartsheet.com. The gateway's threat scanner returned a verdict of Negative.

By every automated measure available to a mail filter, this was legitimate email.

The From display name was "Netflix Support via Smartsheet." The subject line, in Thai, translated to "Important warning: Update your payment information." The body carried a large red Netflix "N" logo above a billing-failure message, also in Thai, with a single call-to-action linking to a Smartsheet-hosted form.

The Reply-To header pointed to h.abinassif@uniservci[.]com.

That one line was the entire attack surface.

How the Authentication Layer Was Defeated Without Being Broken

The message was not spoofed. It was not a lookalike domain trying to impersonate Smartsheet. The attacker used Smartsheet's own platform to create a form and send a notification through Smartsheet's verified sending infrastructure. Smartsheet's X-Smartsheet-Type header classified it as SEND_WEB_FORM, the normal notification type for a shared form.

Because the mail originated from Smartsheet's infrastructure, the DKIM signature was valid for app.smartsheet.com. Because the domain in the DKIM signature aligned with the From header domain, DMARC passed. Because Smartsheet uses SparkPost to deliver transactional mail, the sending IP was on an authorized SPF record. Microsoft's compauth algorithm, which aggregates these signals, returned a clean result.

DMARC enforces that a message was authorized by the owner of the From domain. It does not and cannot verify that the form the message is linking to was created with legitimate intent. The authentication stack worked exactly as designed and cleared a phishing message as genuine.

The Harvest Mechanism

The payment or sign-in collection form was hosted at hxxps://app.smartsheet[.]com/b/form/e702d2aac31641fa901b9111b9b68e66. From a scanner's perspective, the destination was a Smartsheet URL. Smartsheet is a widely deployed collaboration and project management platform, and its domain carries years of positive reputation. Link-following sandboxes that evaluated the call-to-action (CTA) saw a Smartsheet form page, which is exactly what you would expect a legitimate Smartsheet form notification to contain.

A second variant of the lure was also observed in affected inboxes with a subject line translating to "Update your sign-in information," reinforcing that the form was designed to collect account credentials, not merely payment details. Both lure variants pointed to the same Smartsheet-hosted form.

The entire credential harvesting surface was embedded in trusted Software-as-a-Service (SaaS) infrastructure with no attacker-owned domain in any link, attachment, or header that a scanner would inspect.

According to the Verizon 2026 Data Breach Investigations Report, credentials remain the top target in breaches, with 39% of incidents involving harvested passwords. Hosting the harvest form on a trusted platform is the logical response to perimeter controls that focus on domain reputation: if there is no attacker domain to score, there is no score.


The Tell That Survived

Two anomalies remained after the authentication checks cleared the message.

The first was the Reply-To mismatch. The From address was user@app.smartsheet[.]com. The Reply-To was h.abinassif@uniservci[.]com. Those domains share no organizational relationship. A billing alert from a streaming service, delivered through a collaboration platform, with replies routed to a domain tied to neither, is not a plausible communication chain. Any reply from a victim would have gone directly to the attacker.

The second was the brand and context mismatch. The email presented Netflix branding inside Smartsheet's notification chrome. Netflix does not use Smartsheet to send billing alerts to its customers. The combination of a consumer entertainment brand, an enterprise workflow platform, and urgent payment language addressed to recipients at manufacturing and industrial organizations in Thailand is incoherent as a legitimate communication scenario.

The message was also sent to dozens of unrelated Thai institutional recipients simultaneously. Legitimate billing failure notifications are addressed to individual account holders, not broadcast across organizations with no apparent account relationship.

Phishing that routes through legitimate platforms maps to MITRE ATT&CK T1566.002. The technique exploits the gap between what authentication verifies and what it cannot: the intent and context of a message, not just its origin. CISA's phishing guidance identifies display-name and context mismatches as key user-facing indicators, but those indicators require contextual reasoning that rule-based filters do not perform.

The Signals Themis Caught

IRONSCALES' Adaptive AI, Themis, identified the attack by reasoning across multiple behavioral signals simultaneously: the off-domain Reply-To against the platform sender, the brand impersonation pairing a consumer streaming service with an enterprise workflow platform, the mass recipient list spanning unrelated organizations, and the Thai-language urgency framing directed at organizations with no apparent Netflix account relationship.

The sending infrastructure was clean. The links were clean. The form domain was clean. Detection required cross-referencing what the message claimed to be against what legitimate communications of that type actually look like at behavioral scale. No individual signal was conclusive; the combination was.

Affected mailboxes at two Southeast Asian manufacturing organizations were quarantined after detection. No further action by recipients was required.

Indicators of Compromise

Indicator | Type | Context
--- | --- | ---
h.abinassif@uniservci[.]com | Email | Attacker-controlled Reply-To address
uniservci[.]com | Domain | Attacker-controlled domain used to intercept replies
hxxps://app.smartsheet[.]com/b/form/e702d2aac31641fa901b9111b9b68e66 | URL | Smartsheet-hosted form used as credential-collection point (legitimate infrastructure abused)
user@app[.]smartsheet[.]com | Email | Sending address (legitimate Smartsheet infrastructure, abused for delivery)
Subject variant 1 (Thai): "การเตือนสำคัญ: อัพเดทข้อมูลการชำระเงินของคุณ" | Subject | Translates to "Important warning: Update your payment information"
Subject variant 2 (Thai): "อัปเดตการลงชื่อเข้าใช้งานของคุณ" | Subject | Translates to "Update your sign-in information"; second lure variant used in same campaign

The Smartsheet form URL and sending address represent legitimate infrastructure. Blocking them at the domain level would affect all Smartsheet traffic. Defensive value is in the behavioral detection pattern: any email with a From originating from a SaaS notification domain and a Reply-To pointing to an unrelated domain warrants review, particularly when the body content impersonates a brand unrelated to that SaaS platform.
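The two checks the post contrasts, the DMARC alignment that cleared the message (see the authentication section) and the Reply-To, brand and recipient fan-out pattern described above, implemented together as an added example. This is not IRONSCALES or Themis code. Both sample messages are constructed from the headers the write-up describes: the recipient addresses, the benign control message and the form id are invented placeholders, the Thai subject is given in its English translation, and the organizational-domain split is a two-label heuristic rather than a public-suffix lookup.

```python
"""Header-level triage for phishing relayed through a trusted SaaS notifier.

Added example, not IRONSCALES or Themis code. Both messages below are
constructed from the headers the write-up describes; recipient addresses,
the benign control message and the form id are invented placeholders.
"""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# SaaS platforms whose notification mail legitimately carries a third party's
# content. Keyed by organizational domain; value is the brand name to expect.
SAAS_NOTIFIERS = {"smartsheet.com": "smartsheet"}

# Brands a workflow notifier would not normally be speaking for.
# Short illustrative list; a production filter would use a maintained one.
IMPERSONATED_BRANDS = ("netflix", "microsoft", "docusign", "dropbox", "paypal")

# Constructed lure mirroring the post (subject in English translation;
# the form id is a placeholder, not the observed one).
SAMPLE_PHISH = """\
From: "Netflix Support via Smartsheet" <user@app.smartsheet.com>
Reply-To: h.abinassif@uniservci.com
To: ap@plant-a.example, finance@mill-b.example, admin@foundry-c.example
Subject: Important warning: Update your payment information
Authentication-Results: mx.example.net; dkim=pass header.d=app.smartsheet.com; spf=pass; dmarc=pass
X-Smartsheet-Type: SEND_WEB_FORM
Content-Type: text/plain; charset=utf-8

Your Netflix payment could not be processed. Update your payment information:
https://app.smartsheet.com/b/form/FORM-ID-PLACEHOLDER
"""

# Constructed control: an ordinary Smartsheet form notification to one recipient.
SAMPLE_BENIGN = """\
From: "Smartsheet Forms" <user@app.smartsheet.com>
To: owner@plant-a.example
Subject: New response: Maintenance request form
Authentication-Results: mx.example.net; dkim=pass header.d=app.smartsheet.com; spf=pass; dmarc=pass
X-Smartsheet-Type: SEND_WEB_FORM
Content-Type: text/plain; charset=utf-8

A new response was received on your form.
https://app.smartsheet.com/b/form/FORM-ID-PLACEHOLDER
"""


def org_domain(addr_or_domain: str) -> str:
    """Organizational domain by a two-label heuristic (app.smartsheet.com -> smartsheet.com).
    A real implementation would consult the public suffix list."""
    domain = addr_or_domain.rsplit("@", 1)[-1].strip("<> ").lower()
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def dmarc_aligned(from_addr: str, dkim_d: str) -> bool:
    """Relaxed DMARC identifier alignment: the DKIM d= domain and the RFC 5322 From
    domain share an organizational domain. Reply-To plays no part in this check,
    which is why the lure passes it."""
    return bool(dkim_d) and org_domain(from_addr) == org_domain(dkim_d)


def triage(raw: str) -> dict:
    """Evaluate the behavioral signals the post describes and return them with a verdict."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_org = org_domain(from_addr)
    platform = SAAS_NOTIFIERS.get(from_org)

    # Pull the signing domain out of the receiving MTA's Authentication-Results.
    m = re.search(r"header\.d=([A-Za-z0-9.-]+)", msg.get("Authentication-Results", ""))
    dkim_d = m.group(1) if m else ""

    body = ""
    if not msg.is_multipart():
        body = msg.get_payload(decode=True).decode("utf-8", "replace")
    visible_text = f"{from_name} {msg.get('Subject', '')} {body}".lower()
    foreign_brands = [b for b in IMPERSONATED_BRANDS if b in visible_text and b != platform]

    recipients = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    recipient_orgs = {org_domain(a) for a in recipients if "@" in a}

    findings = {
        "dmarc_aligned": dmarc_aligned(from_addr, dkim_d),
        "saas_notifier": platform is not None,
        # Reply-To routed to a domain with no relation to the sending platform.
        "reply_to_offdomain": bool(reply_addr) and org_domain(reply_addr) != from_org,
        # Branding for a company the notifier does not speak for.
        "brand_mismatch": platform is not None and bool(foreign_brands),
        # One notification fanned out across several unrelated organizations.
        "mass_fanout": len(recipient_orgs) >= 3,
        "foreign_brands": foreign_brands,
    }
    # The post's rule: SaaS notifier From plus off-domain Reply-To warrants review,
    # and a foreign brand on top of that makes it a quarantine candidate.
    if findings["saas_notifier"] and findings["reply_to_offdomain"]:
        findings["verdict"] = "quarantine-candidate" if findings["brand_mismatch"] else "review"
    else:
        findings["verdict"] = "clean"
    return findings


if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_PHISH), ("control", SAMPLE_BENIGN)):
        print(label, triage(raw))
```

Running it shows the lure passing alignment yet tripping all three behavioral signals, while the control notification from the same sending domain stays clean, which is the point of keying the rule on the Reply-To relationship rather than on the Smartsheet domain itself.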

Review NIST's phishing definition and MITRE T1566 for guidance on categorizing and documenting trusted-infrastructure phishing in incident reports.

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.