The invoice arrived from a legitimate NetSuite account, signed twice by Oracle infrastructure, and pointed to a real payment portal with a pre-filled token. SPF passed. DKIM passed (dual signatures from sent-via[.]netsuite[.]com and nrt1[.]rp[.]oracleemaildelivery[.]com). DMARC passed. The only question left is one authentication cannot answer: was this invoice real?
The email was sent from system@sent-via[.]netsuite[.]com on behalf of "Finance QIMA/WQS" with a Reply-To of finance@wqscert[.]com. It was relayed through Oracle Email Delivery from a Japan datacenter (aib29dd127[.]nrt1[.]oracleemaildelivery[.]com, IP 192[.]29[.]44[.]127). The X-NetSuite headers confirmed this originated from within the platform: compId=4552646, search=664953, owner=2859289.
This is EaaS (Email as a Service) abuse at its cleanest, and a textbook example of why phishing detection cannot rely on authentication alone. The attacker did not spoof NetSuite. They used it. Whether through a compromised QIMA account or a fabricated invoice created directly in the platform, the sending chain was entirely legitimate. Microsoft's own anti-spam engine assigned SCL=9 with SFTY:9.25, an unusually aggressive score for a message with perfect authentication. That tension between full auth passage and high spam scoring reflects how conflicted static analysis becomes when infrastructure trust and behavioral signals diverge.
The "Click and Pay" CTA linked to my[.]qima[.]com/pay-pre-filled/qimawqs/a0d9464fe506416497b71c4ea7776c18. That is a real QIMA payment portal with a pre-filled token. The URL scans clean because the domain is legitimate and the page functions exactly as designed. The invoice fraud payload is not a credential harvester or a malware dropper. It is a real payment form, pre-loaded with an invoice the attacker wants paid.
The email also included links to qima[.]com/terms-and-conditions and qima[.]com/contact-us, further reinforcing legitimacy. The subject line referenced a specific invoice number and named both the buyer and the vendor. The target was an employee at a food and beverage company.
Themis, the IRONSCALES Adaptive AI, classified the message as Invoice Phishing at 63% confidence. The detection was not based on a malicious URL, a bad signature, or a known threat indicator. It was based on sender relationship analysis: the recipient had no established communication history with this NetSuite-generated sender identity. Four mailboxes were quarantined.
The open question for incident responders is whether the QIMA NetSuite account was compromised (account takeover) or whether the invoice was fabricated within the platform by an authorized user (insider or social-engineered access). Either scenario produces the same result: a fully authenticated, infrastructure-clean invoice that only behavioral analysis can flag.
See Your Risk: Calculate how many threats your SEG is missing
| Type | Indicator | Context |
|---|---|---|
| Sender Address | system@sent-via[.]netsuite[.]com | NetSuite platform sender |
| Reply-To Address | finance@wqscert[.]com | QIMA/WQS finance contact |
| Reply-To Domain | wqscert[.]com | QIMA verification services domain |
| Sending IP | 192[.]29[.]44[.]127 | Oracle Email Delivery, Japan datacenter |
| Sending Host | aib29dd127[.]nrt1[.]oracleemaildelivery[.]com | Oracle Email Delivery relay |
| Payment URL | hxxps://my[.]qima[.]com/pay-pre-filled/qimawqs/a0d9464fe506416497b71c4ea7776c18 | Pre-filled payment token |
| NetSuite compId | 4552646 | NetSuite company identifier |
| DKIM Selector 1 | sent-via[.]netsuite[.]com | NetSuite DKIM signing domain |
| DKIM Selector 2 | nrt1[.]rp[.]oracleemaildelivery[.]com | Oracle Email Delivery DKIM signing domain |
| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | Pre-filled payment token delivered via email CTA |
| Acquire Infrastructure: Web Services | T1583.006 | NetSuite/Oracle Email Delivery used as sending platform |
| Impersonation | T1656 | Sender identity presented as QIMA Finance via NetSuite |
| Attack | What happened |
|---|---|
| The PayPal Invoice That Passed Every Check Because PayPal Actually Sent It | A canceled PayPal invoice for $50 arrived with perfect SPF, DKIM, and DMARC authentication because PayPal's own infrastructure sent it. |
| Asana Platform Abuse: Authenticated Amazon SES Delivery for a Fake Meta Workspace Invite | An attacker created an Asana workspace and sent an invitation claiming to be from Meta. |
| The Teams Meeting Notification That Led to an AWS Lambda Credential Harvester | A Microsoft Teams meeting notification impersonated a recipient's organization in the display name and routed the 'OPEN' button through a AWS Lambda... |
| The FedEx Freight Invoice That Came From Inside the CRM | An invoice rebill request was sent through FedEx Freight's own Salesforce CRM instance, carrying a valid DKIM signature for fedexfreight[.]com. |
| The Graduation Sash Invoice That Every Security Check Approved | A $3,645 invoice for 55 custom graduation sashes arrived at a school district, sent through Shopify's legitimate email infrastructure. |