The message arrived with DomainKeys Identified Mail (DKIM): pass. Domain-based Message Authentication, Reporting and Conformance (DMARC): pass with p=reject enforcement. Sender Policy Framework (SPF): pass for the SparkPost (Smartsheet's email service provider) infrastructure. Microsoft's compauth scored 100. Every link in the body resolved to smartsheet.com or click.smartsheet.com. The gateway's threat scanner returned a verdict of Negative.
By every automated measure available to a mail filter, this was legitimate email.
The From display name was "Netflix Support via Smartsheet." The subject line, in Thai, translated to "Important warning: Update your payment information." The body carried a large red Netflix "N" logo above a billing-failure message, also in Thai, with a single call-to-action linking to a Smartsheet-hosted form.
The Reply-To header pointed to h.abinassif@uniservci[.]com.
That one line was the entire attack surface.
The message was not spoofed. It was not a lookalike domain trying to impersonate Smartsheet. The attacker used Smartsheet's own platform to create a form and send a notification through Smartsheet's verified sending infrastructure. Smartsheet's X-Smartsheet-Type header classified it as SEND_WEB_FORM, the normal notification type for a shared form.
Because the mail originated from Smartsheet's infrastructure, the DKIM signature was valid for app.smartsheet.com. Because the domain in the DKIM signature aligned with the From header domain, DMARC passed. Because Smartsheet uses SparkPost to deliver transactional mail, the sending IP was on an authorized SPF record. Microsoft's compauth algorithm, which aggregates these signals, returned a clean result.
DMARC enforces that a message was authorized by the owner of the From domain. It does not and cannot verify that the form the message is linking to was created with legitimate intent. The authentication stack worked exactly as designed and cleared a phishing message as genuine.
The payment or sign-in collection form was hosted at hxxps://app.smartsheet[.]com/b/form/e702d2aac31641fa901b9111b9b68e66. From a scanner's perspective, the destination was a Smartsheet URL. Smartsheet is a widely deployed collaboration and project management platform, and its domain carries years of positive reputation. Link-following sandboxes that evaluated the call-to-action (CTA) saw a Smartsheet form page, which is exactly what a legitimate Smartsheet form notification would be expected to contain.
A second variant of the lure was also observed in affected inboxes with a subject line translating to "Update your sign-in information," reinforcing that the form was designed to collect account credentials, not merely payment details. Both lure variants pointed to the same Smartsheet-hosted form.
The entire credential harvesting surface was embedded in trusted Software-as-a-Service (SaaS) infrastructure with no attacker-owned domain in any link, attachment, or header that a scanner would inspect.
According to the Verizon 2026 Data Breach Investigations Report, credentials remain the top target in breaches, with 39% of incidents involving harvested passwords. Hosting the harvest form on a trusted platform is the logical response to perimeter controls that focus on domain reputation: if there is no attacker domain to score, there is no score.
Two anomalies remained after the authentication checks cleared the message.
The first was the Reply-To mismatch. The From address was user@app.smartsheet[.]com. The Reply-To was h.abinassif@uniservci[.]com. Those domains share no organizational relationship. A billing alert from a streaming service, delivered through a collaboration platform, with replies routed to a domain tied to neither, is not a plausible communication chain. Any reply from a victim would have gone directly to the attacker.
The second was the brand and context mismatch. The email presented Netflix branding inside Smartsheet's notification chrome. Netflix does not use Smartsheet to send billing alerts to its customers. The combination of a consumer entertainment brand, an enterprise workflow platform, and urgent payment language addressed to recipients at manufacturing and industrial organizations in Thailand is incoherent as a legitimate communication scenario.
The message was also sent to dozens of unrelated Thai institutional recipients simultaneously. Legitimate billing failure notifications are addressed to individual account holders, not broadcast across organizations with no apparent account relationship.
Phishing that routes through legitimate platforms maps to MITRE ATT&CK T1566.002. The technique exploits the gap between what authentication verifies, the origin of a message, and what it cannot verify: the message's intent and context. CISA's phishing guidance identifies display-name and context mismatches as key user-facing indicators, but those indicators require contextual reasoning that rule-based filters do not perform.
IRONSCALES' Adaptive AI, Themis, identified the attack by reasoning across multiple behavioral signals simultaneously: the off-domain Reply-To against the platform sender, the brand impersonation pairing a consumer streaming service with an enterprise workflow platform, the mass recipient list spanning unrelated organizations, and the Thai-language urgency framing directed at organizations with no apparent Netflix account relationship.
The sending infrastructure was clean. The links were clean. The form domain was clean. Detection required cross-referencing what the message claimed to be against what legitimate communications of that type actually look like at behavioral scale. No individual signal was conclusive; the combination was.
Affected mailboxes at two Southeast Asian manufacturing organizations were quarantined after detection. No further action by recipients was required.
| Indicator | Type | Context |
|---|---|---|
| h.abinassif@uniservci[.]com | Email address | Attacker-controlled Reply-To address |
| uniservci[.]com | Domain | Attacker-controlled domain used to intercept replies |
| hxxps://app.smartsheet[.]com/b/form/e702d2aac31641fa901b9111b9b68e66 | URL | Smartsheet-hosted form used as credential-collection point (legitimate infrastructure abused) |
| user@app[.]smartsheet[.]com | Email address | Sending address (legitimate Smartsheet infrastructure, abused for delivery) |
| Subject variant 1 (Thai): "การเตือนสำคัญ: อัพเดทข้อมูลการชำระเงินของคุณ" | Subject | Translates to "Important warning: Update your payment information" |
| Subject variant 2 (Thai): "อัปเดตการลงชื่อเข้าใช้งานของคุณ" | Subject | Translates to "Update your sign-in information"; second lure variant used in same campaign |
The Smartsheet form URL and sending address represent legitimate infrastructure. Blocking them at the domain level would affect all Smartsheet traffic. Defensive value is in the behavioral detection pattern: any email with a From originating from a SaaS notification domain and a Reply-To pointing to an unrelated domain warrants review, particularly when the body content impersonates a brand unrelated to that SaaS platform.
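As an added illustration of the review rule above (not IRONSCALES code or the page's own tooling), the following Python function parses a raw message and evaluates the signals discussed: a DMARC pass that proves origin only, a Reply-To domain unrelated to a SaaS sender domain, a consumer brand presented inside another platform's notification, and links that never leave the platform. The allow-list, the watched-brand set, and the `.example` sample message are constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed allow-list of SaaS notification sender domains with the brand each one
# represents, and consumer brands watched for impersonation (both hypothetical).
SAAS_NOTIFIERS = {"app.smartsheet.example": "smartsheet"}
WATCHED_BRANDS = {"netflix"}

# Constructed sample modelled on the lure described above; every host is a
# .example placeholder, not a captured address.
LURE = """\
From: "Netflix Support via Smartsheet" <user@app.smartsheet.example>
Reply-To: h.abinassif@uniservci.example
Subject: Important warning: Update your payment information
Authentication-Results: mx.example; dkim=pass header.d=app.smartsheet.example; spf=pass; dmarc=pass

Your Netflix payment failed. Update it here: https://app.smartsheet.example/b/form/PLACEHOLDER
"""

def registrable(addr):
    """Approximate registrable domain: last two labels of the address's host part."""
    host = parseaddr(addr)[1].rsplit("@", 1)[-1].lower()
    return ".".join(host.split(".")[-2:])

def analyze(raw):
    """Evaluate a raw RFC 5322 message for the trusted-platform phishing pattern."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_host = from_addr.rsplit("@", 1)[-1].lower()
    platform = SAAS_NOTIFIERS.get(from_host)
    f = {}
    # Origin is genuine: a DMARC pass is recorded but is never a verdict by itself.
    f["dmarc_pass"] = "dmarc=pass" in msg.get("Authentication-Results", "").lower()
    # Signal 1: replies routed to a domain unrelated to the platform sender.
    reply_to = msg.get("Reply-To")
    f["reply_to_mismatch"] = bool(platform and reply_to and registrable(reply_to) != registrable(from_addr))
    # Signal 2: a watched consumer brand presented inside another platform's notification.
    body = msg.get_body(("plain",))
    text = " ".join([display, msg.get("Subject", ""), body.get_content() if body else ""]).lower()
    brands = {b for b in WATCHED_BRANDS if re.search(rf"\b{b}\b", text)}
    f["brand_mismatch"] = bool(platform and brands and platform not in brands)
    # Signal 3: every link stays on the platform, so URL reputation alone cannot flag it.
    hosts = re.findall(r"https?://([\w.-]+)", text)
    f["links_on_platform"] = bool(hosts) and all(h == from_host for h in hosts)
    # Review rule from the text: SaaS sender plus unrelated Reply-To warrants review.
    f["verdict"] = "review" if f["reply_to_mismatch"] else "allow"
    return f
```

The function returns every signal separately so a reviewer can see that the message authenticated cleanly and was still escalated on behavioral grounds.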
Review NIST's phishing definition and MITRE ATT&CK T1566 for guidance on categorizing and documenting trusted-infrastructure phishing in incident reports.