Remittance Phish Routes Through Nigerian Hosting to Edgeone Credential Harvest

TL;DR: An attacker sends a 'View Remittance' phishing email from a Nigerian origin IP (102.212.163[.]5) with no reverse DNS, routing through HostGator shared hosting and a Barracuda gateway. The sending domain eagleandroseinn[.]com fails DKIM verification, softfails SPF, and publishes no DMARC policy. The single embedded link leads to a randomized edgeone.dev subdomain hosting a credential harvest page; that platform has multiple reported phishing incidents in 2025.

Severity: High
Tags: Credential Harvesting, Business Email Compromise
MITRE ATT&CK: T1566.002, T1078

When a payment notification arrives from a first-time sender, the authentication headers tell the real story before anyone clicks. In this case, those headers told a story of failure: DKIM could not verify the body hash, SPF softfailed at the receiving gateway, and the sending domain published no DMARC policy at all. The email targeted a financial services organization with a clean HTML template and a single "View Remittance" button.

The origin IP, 102.212.163[.]5, geolocated to Lagos, Nigeria, with no reverse DNS record. It connected to a HostGator shared hosting server (kia.websitewelcome[.]com) running Exim, then relayed through a Cloudfilter node in Ashburn before hitting a Barracuda email security gateway. The Barracuda hop explains some of the SPF alignment complexity, but it does not explain the DKIM failure or the suspicious origin.

The recipient's mail system flagged the message with an "Unusual sender" warning. That warning was well-earned.

The Sending Infrastructure

The domain eagleandroseinn[.]com has been registered since 2000, with WHOIS privacy enabled and a notable same-day update on 2025-05-15, suggesting recent DNS or SPF configuration changes. The MAIL FROM and Return-Path aligned (middletown@eagleandroseinn[.]com), but alignment means little when the cryptographic checks fail.

The relay chain tells a clear story of infrastructure abuse:

  • Origin: 102.212.163[.]5 (Lagos, Nigeria, no PTR) connecting to kia.websitewelcome[.]com
  • Hop 2: 44.202.169[.]39 (omta040.useast.a.cloudfilter[.]net, Ashburn)
  • Hop 3: 209.222.82[.]115 (outbound-ip182b.ess.barracuda[.]com)
  • Final: Microsoft 365 inbound

X-Org headers confirmed HostGator reseller indicators (HG=hgreseller, ORG=hostgator), consistent with the shared hosting origin. A legitimate business sending payment notifications would not route through a Nigerian IP on shared hosting with no reverse DNS.

The Credential Harvest

The single link, displayed as "View Remittance," resolved to:

hxxps://0j9h876we-7gtl3x3m8j.edgeone[.]dev/update2026.html

The edgeone.dev platform, a cloud-hosted pages service, has become a recurring host for credential harvesting infrastructure throughout 2025. The subdomain follows the pattern of randomized strings that attackers generate for disposable phishing pages. The resolved IPs (43.174.246[.]29, 43.174.247[.]29) geolocated to Singapore, nowhere near the claimed sender.

The page served over HTTPS with a valid certificate (standard for edgeone.dev) and returned HTTP 200. Automated content extraction failed, but threat intelligence scored the domain family at 0.82 risk, with multiple active abuse reports.

The body itself was a clean HTML template with low personalization. The greeting used the recipient's email address rather than their name, and the signature was generic: "Account Dept" and "Account Officer." This is consistent with a bulk phishing campaign rather than targeted BEC.

How Adaptive AI Detects This

Traditional secure email gateways struggle with this attack because the email passes through a legitimate Barracuda gateway and arrives with a valid TLS connection. The Adaptive AI on the IRONSCALES platform evaluates the full authentication chain, flagging the DKIM failure, SPF softfail, and origin IP anomaly as a combined risk signal rather than evaluating each in isolation. Community intelligence accelerates detection by correlating reports of edgeone.dev abuse across protected organizations. Research shows that 67.5 phishing emails per 100 mailboxes per month bypass traditional secure email gateways.

Hardening Recommendations

  1. Reject DKIM failures at the gateway. If DKIM cannot verify the body hash, the message should not reach the inbox.
  2. Flag first-time senders with financial language. Payment, remittance, and invoice keywords from unknown senders warrant automatic quarantine.
  3. Block edgeone.dev subdomains proactively. If your organization has no business relationship with this platform, block at the proxy or DNS layer.
  4. Require DMARC enforcement for inbound mail. Senders publishing DMARC=none should receive elevated scrutiny, especially for financial communications.
  5. Alert on origin IP geolocation mismatches. When the origin IP geolocates to a region inconsistent with the sender's claimed identity, escalate for review.
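As an added example (not IRONSCALES code and not the original raw message), the following standard-library Python applies the combined-signal evaluation described above together with hardening rules 1 through 4 to a constructed message that reproduces the header facts from this write-up. Assumptions: the message is single-part, the harvest-page hostname is a constructed lookalike rather than the real one, and the "no PTR" check is a heuristic on how the Received line records the origin rather than a live reverse lookup.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample (not the original raw message) reproducing the header facts in
# the write-up; the harvest-page hostname is a constructed lookalike, not the real one.
SAMPLE = """\
Return-Path: <middletown@eagleandroseinn.com>
Authentication-Results: spf=softfail smtp.mailfrom=eagleandroseinn.com; dkim=fail (body hash did not verify) header.d=eagleandroseinn.com; dmarc=none action=none header.from=eagleandroseinn.com
Received: from outbound-ip182b.ess.barracuda.com (209.222.82.115) by inbound.example.test
Received: from omta040.useast.a.cloudfilter.net (44.202.169.39) by ess.barracuda.com
Received: from [102.212.163.5] (port=50212 helo=[102.212.163.5]) by kia.websitewelcome.com with esmtpsa (Exim)
From: Account Dept <middletown@eagleandroseinn.com>
Subject: Remittance Advice
Content-Type: text/html

<p>Dear user@example.test,</p><a href="https://x1y2z3-constructed.edgeone.dev/update.html">View Remittance</a><p>Account Officer</p>
"""

FINANCIAL = ("remittance", "payment", "invoice", "wire")   # recommendation 2 keywords
BLOCKED_SUFFIXES = (".edgeone.dev",)   # recommendation 3; assumes no business use of the platform

def assess(raw, known_senders=frozenset()):
    """Combine authentication, routing, content and link signals for one single-part message."""
    msg = message_from_string(raw, policy=default)
    signals = []
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))
    if auth.get("dkim") == "fail":
        signals.append("dkim_fail")                   # recommendation 1: body hash did not verify
    if auth.get("spf") in ("softfail", "fail"):
        signals.append("spf_" + auth["spf"])
    if auth.get("dmarc") in ("none", None):
        signals.append("no_dmarc_policy")             # recommendation 4: sender publishes no policy
    hops = msg.get_all("Received") or []
    origin = hops[-1] if hops else ""                 # bottom-most Received line is the first hop
    # Heuristic: an MTA that could not resolve a PTR records the origin as a bare IP literal
    if origin.lstrip().startswith("from ["):
        signals.append("origin_no_ptr")
    sender_domain = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    body = msg.get_content()
    text = ((msg["Subject"] or "") + " " + body).lower()
    if sender_domain not in known_senders and any(k in text for k in FINANCIAL):
        signals.append("first_time_financial")
    for host in re.findall(r'href="https?://([^/"]+)', body):
        if host.lower().endswith(BLOCKED_SUFFIXES):
            signals.append("blocked_link_host:" + host)
    # No single signal decides; three or more together trip quarantine
    verdict = "quarantine" if len(signals) >= 3 else "deliver"
    return signals, verdict
```

Running `assess(SAMPLE)` on the constructed message returns all six signals and the verdict "quarantine"; a message with passing authentication from a known sender returns no signals.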

Indicators of Compromise

Indicator                                                    Type    Context
102.212.163[.]5                                              IP      Origin, Lagos NG, no PTR
eagleandroseinn[.]com                                        Domain  Sending domain, DKIM fail
middletown@eagleandroseinn[.]com                             Email   MAIL FROM / Return-Path
0j9h876we-7gtl3x3m8j.edgeone[.]dev                           Domain  Credential harvest host
hxxps://0j9h876we-7gtl3x3m8j.edgeone[.]dev/update2026.html   URL     Harvest page
43.174.246[.]29                                              IP      Harvest page resolution
43.174.247[.]29                                              IP      Harvest page resolution
209.222.82[.]115                                             IP      Barracuda relay hop
44.202.169[.]39                                              IP      Cloudfilter relay hop

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
