The email was a reservation confirmation from Nobu Hotels London Portman Square. It included a guest name, a confirmation number, a one-night stay date, a professional signature from a named reservations agent, and an attached PDF confirmation letter that scanned clean. Dozens of links pointed to real nobuhotels.com property pages and social media accounts. One link did not. That link displayed London-portman.nobuhotels.com in the message but pointed to a tokenized url.emailprotection[.]link wrapper whose final destination could not be determined.
Legitimate Sender, Legitimate Content, One Exception
The message was sent from reserve-portmansquare@nobuhotels[.]com, and the Return-Path matched. The domain publishes SPF and DKIM records and a DMARC policy of p=quarantine. The mixed per-hop authentication results (SPF softfail at one hop, DKIM failure at another) are explained by the relay path: the message traversed Mimecast (relay.mimecast.com at 195[.]130[.]217[.]221) and Microsoft Exchange infrastructure, with valid ARC seals carrying the original authentication results through the chain.
The body read like a real hotel booking. The confirmation number, the guest details, the agent's signature, the property address and phone number were all consistent with legitimate Nobu Hotels correspondence. The PDF attachment (163,427 bytes, MD5 49c624482ff9fad6dbb9bc96aa3278cc) returned a clean verdict from automated scanning.
The Link That Didn't Match Its Label
Among the hotel's marketing links (tracked through link.rs.nobuhotels[.]com, standard for hospitality marketing), one link stood out. Its display text read London-portman.nobuhotels.com, suggesting it pointed to the hotel's property page. Its actual href was a long, tokenized URL on url.emailprotection[.]link.
Automated resolution of the wrapper returned HTTP 200 from IP 199[.]193[.]205[.]140 (CNAME: urlrs.gslb.serverdata[.]net), served with a valid TLS certificate. No server-side redirect (3xx with a Location header) was exposed. The wrapper appeared to rely on client-side or interaction-based redirection, so the final landing page could not be determined by a scanner that only follows HTTP redirects. The emailprotection[.]link domain has been documented in threat reports as a URL rewriting service that attackers abuse to cloak phishing destinations.
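The distinction between a server-side redirect, a client-side redirect, and an unresolved wrapper is what decides whether a scanner ever sees the landing page. The following is an added example, not code from the page or from IRONSCALES, that classifies a wrapper's HTTP response into those three cases. The responses it runs against are constructed inline, the hostnames (example.test) are placeholders, and the heuristics for spotting a JavaScript redirect are deliberately narrow.

```python
import re
from html.parser import HTMLParser


class RedirectSniffer(HTMLParser):
    """Collect client-side redirect hints from an HTML body:
    a <meta http-equiv="refresh"> target, or a location assignment in <script>."""

    def __init__(self):
        super().__init__()
        self.meta_refresh_target = None
        self.script_targets = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content looks like: 0; url=https://example.test/x  (quotes optional)
            m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", a.get("content") or "", re.I)
            if m:
                self.meta_refresh_target = m.group(1).strip()
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands <script> contents to handle_data as raw text.
        if self._in_script:
            pattern = r"(?:location(?:\.href)?\s*=|location\.(?:replace|assign)\()\s*['\"]([^'\"]+)"
            self.script_targets.extend(m.group(1) for m in re.finditer(pattern, data))


def classify_wrapper_response(status, headers, body):
    """Return how (or whether) a URL wrapper hands the client on to its destination."""
    hdr = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and "location" in hdr:
        return {"kind": "server-side", "target": hdr["location"]}
    sniffer = RedirectSniffer()
    sniffer.feed(body)
    if sniffer.meta_refresh_target:
        return {"kind": "client-side-meta-refresh", "target": sniffer.meta_refresh_target}
    if sniffer.script_targets:
        return {"kind": "client-side-script", "target": sniffer.script_targets[0]}
    # HTTP 200 with no redirect of any kind: the page itself (a button, a form,
    # a challenge) decides where the user goes. This is the case on the page.
    return {"kind": "unresolved", "target": None}


# Constructed sample responses (not captured traffic).
META_SAMPLE = '<html><head><meta http-equiv="refresh" content="0; url=https://example.test/m"></head></html>'
SCRIPT_SAMPLE = '<html><body><script>window.location.href = "https://example.test/s";</script></body></html>'
BUTTON_SAMPLE = '<html><body><form method="post" action="/continue"><button>Continue</button></form></body></html>'


if __name__ == "__main__":
    for label, resp in [
        ("302", (302, {"Location": "https://example.test/landing"}, "")),
        ("meta", (200, {"Content-Type": "text/html"}, META_SAMPLE)),
        ("script", (200, {"Content-Type": "text/html"}, SCRIPT_SAMPLE)),
        ("button", (200, {"Content-Type": "text/html"}, BUTTON_SAMPLE)),
    ]:
        print(label, classify_wrapper_response(*resp))
```

A scanner that only follows 3xx responses stops at the first "client-side" or "unresolved" result; the practical response to "unresolved" is not to mark the link clean but to treat an opaque destination as a risk signal in its own right.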
Hiding in the Ratio
A single malicious link in an email containing 30+ clean links exploits how automated systems weight verdicts. If most links scan clean, the overall message score may remain below the quarantine threshold. The attacker does not need every link to be malicious. They need one link to survive scanning, and they embed it in enough legitimate context to suppress the signal.
IRONSCALES flagged the display-href mismatch on the cloaked link and the unresolvable final destination as high-risk credential harvesting indicators, overriding the otherwise clean content profile.
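The two checks that caught this message, the display-text/href host mismatch and a single decisive indicator overriding a mostly clean link set, are easy to state in code. The following is an added example written for this page, not IRONSCALES's own detection logic. It parses an HTML body, compares the registrable domain of each link's display text with that of its href, and returns a verdict where one mismatch is decisive regardless of how many clean links surround it. The email body is constructed inline to mirror the ratio described above (30 legitimate links, one cloaked), the wrapper token is a placeholder, and the eTLD+1 logic is a deliberate simplification.

```python
import re
from html.parser import HTMLParser

# Wrapper host named on the page. A real deployment would carry a longer
# list of URL-rewriting services; this one is an assumption for the example.
URL_REWRITE_WRAPPERS = {"url.emailprotection.link"}

HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, display text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None
            self._text = []


def host_of(value):
    """Lowercased host from a URL or a bare domain-looking string; None if neither."""
    m = HOST_RE.match(value.strip())
    return m.group(1).lower().rstrip(".") if m else None


def registrable(host):
    """Crude eTLD+1 (last two labels). Enough for a brand comparison; not a PSL lookup."""
    return ".".join(host.split(".")[-2:])


def analyze_anchor(href, text):
    """Return the indicators raised by one link; an empty list means clean."""
    indicators = []
    href_host = host_of(href)
    if href_host is None:
        return indicators
    if href_host in URL_REWRITE_WRAPPERS:
        indicators.append("url-rewrite-wrapper")
    text_host = host_of(text)
    # Display text that looks like a domain must agree with where the href goes.
    if text_host and registrable(text_host) != registrable(href_host):
        indicators.append("display-href-mismatch")
    return indicators


def score_message(html_body):
    parser = AnchorCollector()
    parser.feed(html_body)
    findings = [
        {"href": h, "text": t, "indicators": ind}
        for h, t in parser.anchors
        if (ind := analyze_anchor(h, t))
    ]
    total = len(parser.anchors)
    # What an averaging scorer sees: a tiny fraction of flagged links.
    averaged = len(findings) / total if total else 0.0
    # What a decisive scorer sees: any mismatch quarantines the message on its own.
    decisive = any("display-href-mismatch" in f["indicators"] for f in findings)
    return {
        "total_links": total,
        "clean_links": total - len(findings),
        "averaged_risk": averaged,
        "verdict": "quarantine" if decisive else "deliver",
        "findings": findings,
    }


# Constructed body: 25 property links, 5 tracked social links, 1 cloaked link.
SAMPLE_HTML = (
    "".join(f'<a href="https://www.nobuhotels.com/property/{i}">Nobu Hotel {i}</a>' for i in range(25))
    + "".join(
        f'<a href="https://link.rs.nobuhotels.com/c/{i}">{name}</a>'
        for i, name in enumerate(["Instagram", "Facebook", "LinkedIn", "Twitter", "YouTube"])
    )
    + '<a href="https://url.emailprotection.link/?sample-token">London-portman.nobuhotels.com</a>'
)

if __name__ == "__main__":
    result = score_message(SAMPLE_HTML)
    print(result["verdict"], result["clean_links"], "of", result["total_links"], "clean")
    for f in result["findings"]:
        print(f)
```

The tracked marketing links pass because their display text ("Instagram", "Facebook") is not a domain, so there is nothing to disagree with; the cloaked link fails because its display text names nobuhotels.com while the href lands on emailprotection.link. The `averaged_risk` field shows why a ratio-based threshold would have let the message through.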
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Sender Domain | nobuhotels[.]com | Legitimate hotel domain, properly authenticated |
| Displayed URL | London-portman.nobuhotels[.]com | Display text on cloaked link |
| Actual URL | url.emailprotection[.]link (tokenized) | Wrapper domain, final destination unknown |
| Wrapper IP | 199[.]193[.]205[.]140 | CNAME urlrs.gslb.serverdata[.]net; HTTP 200, no server-side redirect exposed |
| Relay | relay.mimecast[.]com (195[.]130[.]217[.]221) | Email security gateway in relay path |
| Attachment | Confirmation Letter PDF (163,427 bytes) | Clean verdict, MD5 49c624482ff9fad6dbb9bc96aa3278cc |
MITRE ATT&CK Mapping
| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | Cloaked link embedded in transactional email |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Display text shows nobuhotels.com, href goes elsewhere |
| Stage Capabilities: Link Target | T1608.005 | emailprotection.link wrapper stages unknown final destination |