A two-word subject line. A one-sentence body. A single hyperlink. And a credential-harvest page that, when the email landed, had existed for less than eight hours.
This campaign targeting an outsourced accounting firm manager never asked the recipient to do anything dramatic. The email read like a continuation of a prior thread ("Re: Pass") from someone with a common personal name. The sending address was a genuine Microsoft 365 tenant domain. Every authentication check returned green. The only thing that was not what it appeared was the destination of that hyperlink.
That combination, a legitimately authenticated sender paired with a brand-new attacker-controlled credential page, is exactly the pattern that sits in the gap between what traditional secure email gateways (SEGs) inspect and what actually reaches the inbox.
Microsoft 365 tenant creation is free and fast. Any attacker can register a tenant under a plausible name, generate an @tenantname.onmicrosoft.com address, and begin sending mail in under an hour. The resulting email passes SPF because the sending IP is a legitimate Microsoft mail server. It passes DKIM because the signing key belongs to Microsoft's own infrastructure. It passes DMARC because the domain in the From header aligns with the onmicrosoft.com parent domain that Microsoft controls.
In this case the sending address was maksymilian.rybacki@zsoitmt[.]onmicrosoft[.]com. The display name shown to the recipient was an unrelated personal name, one with no connection to that tenant string. This mismatch between display name and actual address is a fundamental social-engineering tell, but it goes undetected by any rule that evaluates authentication records alone.
The subject "Re: Pass" implied the email was a reply in an existing thread. There was no existing thread. The technique exploits the mental shortcut most people apply when they see "Re:" in the subject line: something must have preceded this, so a degree of trust already exists.
The hyperlink in the email body resolved to hxxps://fthhdciw[.]com:8443/AQAAAAAB. WHOIS shows fthhdciw[.]com was created at 07:43 UTC on March 19, 2026 at Namecheap, with privacy protection active from registration minute one. The name servers (NS1.IKOENAULHDNS[.]COM, NS2.IKOENAULHDNS[.]COM) belong to a shared DNS cluster with no publicly associated legitimate business.
Serving credential pages on port 8443 instead of port 443 is a deliberate evasion choice. Many URL-reputation services, SEG sandbox crawlers, and threat intelligence feeds evaluate domain-port combinations; a page on a non-standard port often escapes initial scoring because the scan infrastructure is not configured to probe it. The opaque path /AQAAAAAB suggests base64-encoded targeting parameters, a technique used to serve different content to known security-scanner IP ranges versus real victim browsers.
The email was scored at Spam Confidence Level 5 (SCL=5) by Exchange Online Protection, meaning it landed in the spam folder but was not outright rejected. Themis, the IRONSCALES agentic AI SOC analyst, flagged it independently and it was quarantined pending review. The case was resolved manually and confirmed as phishing. For a recipient who checks spam for expected messages, which accounting managers routinely do, the email would have been one click away from credential submission.
The specific recipient profile matters here. An outsourced accounting services manager typically holds credentials for multiple client financial systems, payroll platforms, and ERP tools. A single credential compromise at this role level can cascade into unauthorized wire initiation, payroll redirect, or vendor payment manipulation across the entire client roster.
According to the Verizon DBIR 2026, credentials appear in 39% of breaches across the kill chain, and phishing accounts for 16% of initial access in confirmed breaches. The FBI IC3 2024 report documents more than $2.9 billion in BEC and credential-theft losses. Attackers who run this type of campaign understand their ROI precisely: low infrastructure cost (free tenant, one-day domain, one-hour page setup) against a high-value target with access to multiple financial systems.
Credential harvesting via infrastructure-legitimate senders represents one of the cleanest bypasses of gateway-layer defenses. A SEG that scores mail on authentication signals alone sees a perfect pass. It has no visibility into what the link resolves to, what port it runs on, or how old the domain was at the moment of delivery.
The architecture of this attack exposes four gaps that defenders should address directly:
Display-name-to-address mismatch rules. Most mail systems can flag or quarantine messages where the From display name and the sending address domain do not correspond to any established sender relationship. That rule alone would have surfaced this email for review before delivery.
Same-day and sub-seven-day domain age in links. URL reputation databases do not cover zero-hour domains. A separate age check at the DNS level, run at click time rather than at receipt time, closes this gap. The domain was eight hours old when the email was delivered.
Non-standard port scanning. Sandbox crawlers should be configured to follow links on ports 8080, 8443, and other common alternate HTTPS ports, not just 443. A page that only exists on 8443 is invisible to scanners that do not probe it.
Behavioral anomaly for impersonated display names. An AI-based mailbox model that knows the recipient has never received mail from this tenant, under this display name, in any prior communication, will flag the anomaly regardless of authentication outcome. This is the layer where credential harvesting protection operates.
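As an added example (not code from this post or from IRONSCALES), the following Python triage function applies the four checks above to a constructed copy of this message. The defanged indicators are written in plain form so they parse, the display name is a placeholder because the post does not give it, the domain creation time is the WHOIS value quoted above passed in as if from a lookup, and the check time assumes delivery eight hours later.

```python
import re
from datetime import datetime, timezone
from email.utils import parseaddr
from urllib.parse import urlsplit

def display_name_mismatch(from_header):
    """True when no word of the From display name appears in the address local part."""
    name, addr = parseaddr(from_header)
    local = addr.split("@")[0].lower()
    tokens = [t for t in re.split(r"[^a-z]+", name.lower()) if len(t) >= 3]
    return bool(tokens) and not any(t in local for t in tokens)

def sender_tenant(addr):
    """Tenant label for *.onmicrosoft.com senders (free, self-registered tenants), else None."""
    m = re.fullmatch(r"([a-z0-9-]+)\.onmicrosoft\.com", addr.rsplit("@", 1)[-1].lower())
    return m.group(1) if m else None

def url_findings(url, created_at, checked_at, max_age_hours=7 * 24):
    """Flag HTTPS links on non-443 ports and link domains younger than max_age_hours.
    created_at is the WHOIS creation time, supplied by the caller (looked up at click time)."""
    parts = urlsplit(url)
    out = []
    if parts.scheme == "https" and (parts.port or 443) != 443:
        out.append(f"nonstandard_port:{parts.port}")
    age_h = (checked_at - created_at).total_seconds() / 3600
    if age_h < max_age_hours:
        out.append(f"young_domain:{parts.hostname}:{age_h:.1f}h")
    return out

def triage(from_header, urls, known_senders, whois_created, checked_at):
    """Combine the four checks into a list of finding labels for one message."""
    findings = []
    _, addr = parseaddr(from_header)
    if display_name_mismatch(from_header):
        findings.append("display_name_mismatch")
    tenant = sender_tenant(addr)
    if tenant and addr.lower() not in known_senders:  # never seen by this mailbox before
        findings.append(f"first_seen_tenant:{tenant}")
    for url in urls:
        findings += url_findings(url, whois_created[urlsplit(url).hostname], checked_at)
    return findings

# Constructed sample of the message in this post; the display name is a placeholder (not
# given in the post) and the check time assumes delivery 8h after the WHOIS creation time.
SAMPLE_FROM = '"J. Doe" <maksymilian.rybacki@zsoitmt.onmicrosoft.com>'
SAMPLE_URLS = ["https://fthhdciw.com:8443/AQAAAAAB"]
WHOIS_CREATED = {"fthhdciw.com": datetime(2026, 3, 19, 7, 43, tzinfo=timezone.utc)}
CHECKED_AT = datetime(2026, 3, 19, 15, 43, tzinfo=timezone.utc)
def sample_findings():
    return triage(SAMPLE_FROM, SAMPLE_URLS, set(), WHOIS_CREATED, CHECKED_AT)
```

The script never fetches the link; it only scores what the headers, the URL string and a caller-supplied WHOIS timestamp reveal, which is exactly the evidence an authentication-only SEG rule discards.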
Spearphishing via link is a documented MITRE ATT&CK technique (T1566.002). What this case illustrates is the current-generation variant: attackers no longer need to spoof a domain or compromise a legitimate account. They build a Microsoft tenant, a one-day domain, and a non-standard-port page, and let Microsoft's own infrastructure carry the authentication for them.
CISA guidance on recognizing phishing emphasizes checking the actual sending address, not just the display name. It is advice that applies directly to this attack. For organizations with accounting or finance staff handling multiple client systems, that check needs to be a trained reflex, not an afterthought.
The IRONSCALES platform applies continuous behavioral modeling across mailboxes, so a tenant that has never sent to this organization before, using a display name that mismatches the address, registers as an anomaly independent of what the authentication headers report. That is the detection layer that caught this one.
---
| Type | Indicator | Context |
|---|---|---|
| Domain | fthhdciw[.]com | Attacker credential-harvest host, port 8443 |
| URL | hxxps://fthhdciw[.]com:8443/AQAAAAAB | Phishing page with opaque encoded path |
| Sender address | maksymilian.rybacki@zsoitmt[.]onmicrosoft[.]com | Attacker-controlled M365 tenant |
| Name servers | ns1.ikoenaulhdns[.]com, ns2.ikoenaulhdns[.]com | Shared attacker DNS cluster |