When a payment notification arrives from a first-time sender, the authentication headers tell the real story before anyone clicks. In this case, those headers told a story of failure: DKIM could not verify the body hash, SPF softfailed at the receiving gateway, and the sending domain published no DMARC policy at all. The email targeted a financial services organization with a clean HTML template and a single "View Remittance" button.
The origin IP, 102.212.163[.]5, geolocated to Lagos, Nigeria, with no reverse DNS record. It connected to a HostGator shared hosting server (kia.websitewelcome[.]com) running Exim, then relayed through a Cloudfilter node in Ashburn before hitting a Barracuda email security gateway. The Barracuda hop explains some of the SPF alignment complexity, but it does not explain the DKIM failure or the suspicious origin.
The recipient's mail system flagged the message with an "Unusual sender" warning. That warning was well-earned.
The domain eagleandroseinn[.]com has been registered since 2000, with WHOIS privacy enabled and a notable same-day update on 2025-05-15, suggesting recent DNS or SPF configuration changes. The MAIL FROM and Return-Path aligned (middletown@eagleandroseinn[.]com), but alignment means little when the cryptographic checks fail.
The relay chain tells a clear story of infrastructure abuse:
- 102.212.163[.]5 (Lagos, Nigeria, no PTR) connecting to kia.websitewelcome[.]com
- 44.202.169[.]39 (omta040.useast.a.cloudfilter[.]net, Ashburn)
- 209.222.82[.]115 (outbound-ip182b.ess.barracuda[.]com)

X-Org headers confirmed HostGator reseller indicators (HG=hgreseller, ORG=hostgator), consistent with the shared hosting origin. A legitimate business sending payment notifications would not route through a Nigerian IP on shared hosting with no reverse DNS.
The single link, displayed as "View Remittance," resolved to:
hxxps://0j9h876we-7gtl3x3m8j.edgeone[.]dev/update2026.html
The edgeone.dev platform, a cloud-hosted pages service, has become a recurring host for credential harvesting infrastructure throughout 2025. The subdomain follows the pattern of randomized strings that attackers generate for disposable phishing pages. The resolved IPs (43.174.246[.]29, 43.174.247[.]29) geolocated to Singapore, nowhere near the claimed sender.
The page served over HTTPS with a valid certificate (standard for edgeone.dev) and returned HTTP 200. Automated content extraction failed, but threat intelligence scored the domain family at 0.82 risk, with multiple active abuse reports.
The body itself was a clean HTML template with low personalization. The greeting used the recipient's email address rather than their name, and the signature was generic: "Account Dept" and "Account Officer." This is consistent with a bulk phishing campaign rather than targeted BEC.
Traditional secure email gateways struggle with this attack because the email passes through a legitimate Barracuda gateway and arrives with a valid TLS connection. The Adaptive AI on the IRONSCALES platform evaluates the full authentication chain, flagging the DKIM failure, SPF softfail, and origin IP anomaly as a combined risk signal rather than evaluating each in isolation. Community intelligence accelerates detection by correlating reports of edgeone.dev abuse across protected organizations. Research shows that 67.5 phishing emails per 100 mailboxes per month bypass traditional secure email gateways.
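The combined evaluation described above, as an added example (not IRONSCALES code and not the original message): the Python below reads a constructed header block that mirrors the relay chain and Authentication-Results in this write-up, walks the Received hops back to the origin, and scores the DKIM failure, SPF softfail, missing DMARC policy and PTR-less origin as one signal rather than in isolation. The recipient MX name, the kia.websitewelcome.com address (203.0.113.7), the timestamps, the shared-hosting suffix list and the weights are assumptions.

```python
"""Combined authentication-chain triage for an inbound message.

Added example for this write-up, not IRONSCALES code. The header block is
constructed to mirror the relay chain and authentication results the post
describes; the kia.websitewelcome.com address (203.0.113.7), the recipient
MX name and the timestamps are placeholders the post does not give.
"""
import re
from email import message_from_string
from email.message import Message

# Constructed sample headers: newest Received hop first, as in a real message.
SAMPLE_RAW = (
    "Authentication-Results: mx.recipient.test; dkim=fail (body hash did not verify)"
    " header.d=eagleandroseinn.com; spf=softfail smtp.mailfrom=middletown@eagleandroseinn.com;"
    " dmarc=none header.from=eagleandroseinn.com\n"
    "Received: from outbound-ip182b.ess.barracuda.com"
    " (outbound-ip182b.ess.barracuda.com [209.222.82.115])"
    " by mx.recipient.test with ESMTPS; Mon, 15 Sep 2025 09:12:01 +0000\n"
    "Received: from omta040.useast.a.cloudfilter.net"
    " (omta040.useast.a.cloudfilter.net [44.202.169.39])"
    " by outbound-ip182b.ess.barracuda.com; Mon, 15 Sep 2025 09:11:58 +0000\n"
    "Received: from kia.websitewelcome.com (kia.websitewelcome.com [203.0.113.7])"
    " by omta040.useast.a.cloudfilter.net; Mon, 15 Sep 2025 09:11:55 +0000\n"
    "Received: from [102.212.163.5] (unknown [102.212.163.5])"
    " by kia.websitewelcome.com with esmtpsa; Mon, 15 Sep 2025 09:11:50 +0000\n"
    "From: Account Dept <middletown@eagleandroseinn.com>\n"
    "Subject: Payment Remittance Advice\n"
    "\n"
    "body omitted\n"
)

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Assumed weights: no single signal reaches the quarantine threshold on its own,
# which is the point of scoring them together.
SIGNAL_WEIGHTS = {
    "dkim_fail": 0.30,             # signature or body hash did not verify
    "spf_fail": 0.30,
    "spf_softfail": 0.20,
    "dmarc_none": 0.15,            # sending domain publishes no policy
    "origin_no_ptr": 0.20,         # first hop has no reverse DNS
    "origin_shared_hosting": 0.10, # first relay is a shared-hosting MTA
}
QUARANTINE_THRESHOLD = 0.50
SHARED_HOSTING_SUFFIXES = (".websitewelcome.com",)  # illustrative, from the post's HostGator indicator


def parse_auth_results(msg: Message) -> dict:
    """Return {'dkim': ..., 'spf': ..., 'dmarc': ...} from Authentication-Results."""
    value = " ".join((msg.get("Authentication-Results") or "").split())
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(dkim|spf|dmarc)=(\w+)", value, flags=re.I)}


def parse_received_chain(msg: Message) -> list:
    """Return hops ordered origin-first, each with helo, ip, receiving host and a PTR flag."""
    hops = []
    for raw in msg.get_all("Received", []):
        value = " ".join(raw.split())  # unfold continuation lines
        m = re.match(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", value)
        if not m:
            continue
        helo, paren, by = m.group(1), m.group(2) or "", m.group(3).rstrip(";")
        ips = IP_RE.findall(paren) or IP_RE.findall(helo)
        # Postfix-style "unknown [ip]" or a bare IP literal both mean no usable reverse DNS.
        ptr_missing = paren.startswith("unknown") or (not paren and helo.startswith("["))
        hops.append({"helo": helo, "ip": ips[0] if ips else None, "by": by, "ptr_missing": ptr_missing})
    hops.reverse()
    return hops


def score_message(raw: str) -> dict:
    """Combine authentication and relay-chain signals into one verdict."""
    msg = message_from_string(raw)
    auth = parse_auth_results(msg)
    chain = parse_received_chain(msg)
    reasons = []
    if auth.get("dkim") == "fail":
        reasons.append("dkim_fail")
    if auth.get("spf") == "fail":
        reasons.append("spf_fail")
    elif auth.get("spf") == "softfail":
        reasons.append("spf_softfail")
    if auth.get("dmarc") in (None, "none"):
        reasons.append("dmarc_none")
    if chain:
        origin = chain[0]
        if origin["ptr_missing"]:
            reasons.append("origin_no_ptr")
        if origin["by"].endswith(SHARED_HOSTING_SUFFIXES):
            reasons.append("origin_shared_hosting")
    score = round(min(1.0, sum(SIGNAL_WEIGHTS[r] for r in reasons)), 2)
    verdict = "quarantine" if score >= QUARANTINE_THRESHOLD else ("deliver_with_warning" if score > 0 else "deliver")
    return {"score": score, "verdict": verdict, "reasons": reasons, "auth": auth,
            "origin_ip": chain[0]["ip"] if chain else None, "hops": [h["ip"] for h in chain]}


if __name__ == "__main__":
    print(score_message(SAMPLE_RAW))
```

The hop walk relies only on the message's own Received headers, so it is evidence a gateway already holds; the shared-hosting and PTR checks are the parts you would back with live DNS and reputation lookups in production.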
| Indicator | Type | Context |
|---|---|---|
| 102.212.163[.]5 | IP | Origin, Lagos NG, no PTR |
| eagleandroseinn[.]com | Domain | Sending domain, DKIM fail |
| middletown@eagleandroseinn[.]com | MAIL FROM / Return-Path | Sender address; MAIL FROM and Return-Path aligned |
| 0j9h876we-7gtl3x3m8j.edgeone[.]dev | Domain | Credential harvest host |
| hxxps://0j9h876we-7gtl3x3m8j.edgeone[.]dev/update2026.html | URL | Harvest page |
| 43.174.246[.]29 | IP | Harvest page resolution |
| 43.174.247[.]29 | IP | Harvest page resolution |
| 209.222.82[.]115 | IP | Barracuda relay hop |
| 44.202.169[.]39 | IP | Cloudfilter relay hop |
| Attack | What happened |
|---|---|
| A Google Redirect, a Monday.com Tracker, and a Fake NDA: Credential Harvesting Through Trusted Infrastructure | A DocuSign NDA impersonation routed its primary CTA through a three-hop redirect chain: Google.com to Monday.com tracking service to a Zimbabwean domain. |
| The Auth0 Developer Tenant That Passed Every Security Check (Because It Was Real) | An attacker weaponized Auth0's free developer tenant to build a phishing chain that passed DKIM, DMARC, and every link scanner. |
| The Lab Result Notification That Every Security Check Approved (Because the Platform Was Real) | A credential harvest targeting healthcare portal logins arrived through bridgeinteract.io, a legitimate HIPAA-adjacent patient engagement platform. |
| Every Link Is Amazon: How Legitimate Infrastructure Becomes the Phishing Payload | A phishing email passed SPF, DKIM, and DMARC with a perfect compauth score of 100. |
| A Phishing Ticket Nobody Opened: How Autotask Became the Attack Vector | An attacker weaponized the Autotask PSA ticketing platform to deliver a mailbox expiry credential harvest with full SPF, DKIM, and DMARC authentication. |