The subject line read "Thank you for your application." The call to action said "Review & Continue." The links looked like nothing a URL scanner had ever seen.
Every CTA in the message carried a URL parameter beginning with U2FsdGVk, the base64 encoding of the ASCII header Salted__. This is the signature of OpenSSL salted encryption. The phishing destination was not hidden behind a redirect chain or a URL shortener. It was encrypted directly into the link, making it opaque to every static analysis tool that tried to evaluate it.
Traditional URL rewriting defenses and gateway scanners work by resolving a URL, following its redirect chain, and evaluating the landing page. When the URL path is a readable string, reputation services can match it against known-bad patterns. When the path is an encrypted blob, there is nothing to match.
The U2FsdGVk prefix identifies OpenSSL-compatible AES encryption with a passphrase-derived key. The encrypted token is only meaningful to the server that holds the decryption key. At click time, the destination server decrypts the token, extracts the real URL, and redirects the victim. Before click time, the URL is a dead end for automated analysis.
The primary links resolved through infrastructure at givingfunder[.]com, a domain registered in 2022 through Namecheap with privacy-protected WHOIS. SPF, DKIM, and DMARC all passed. The sending IP 185[.]255[.]9[.]25 resolved to mnal-ny2[.]mta[.]cloud, a commercial mail transfer agent. Webhook notification headers were present in the message, indicating the email was generated programmatically through an API rather than composed manually.
Secondary links pointed to jdkeusy[.]com, registered in 2023 with privacy-shielded registration. The domain had no public web presence and no verifiable business association. Both domains served as infrastructure for the same campaign, with the encrypted tokens routing through either endpoint depending on the recipient.
The sending domain had valid DNS records, a functioning MTA, and properly configured authentication. The message was not spoofed. The infrastructure was purpose-built, registered well in advance, and maintained long enough to accumulate neutral reputation. None of these facts made the email safe.
The signal that mattered was behavioral. The sender had no prior relationship with the recipient organization. The encrypted URL structure was anomalous for any legitimate application workflow. And the combination of a first-time sender, programmatic delivery via webhook headers, and opaque link encoding created a risk profile that credential harvesting detection models are designed to catch. Themis flagged the message as high-risk and it was quarantined before any recipient interacted with the encrypted links.
See Your Risk: Calculate how many threats your SEG is missing
| Type | Indicator | Context |
|---|---|---|
| Sending Domain | givingfunder[.]com | Registered 2022, Namecheap, privacy-protected WHOIS |
| Secondary Domain | jdkeusy[.]com | Registered 2023, privacy-shielded |
| Sending IP | 185[.]255[.]9[.]25 | MTA hostname: mnal-ny2[.]mta[.]cloud |
| URL Pattern | U2FsdGVk... parameter tokens | OpenSSL salted base64 encrypted destinations |
| Auth Results | SPF: pass, DKIM: pass, DMARC: pass | Full authentication for givingfunder[.]com |
| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | Application-themed email with obfuscated CTA links |
| Obfuscated Files or Information | T1027 | OpenSSL salted base64 encryption concealing phishing destinations |
| Attack | What happened |
|---|---|
| The Invoice That Spelled 'Approved' in Three Different Alphabets | A phishing email used Greek and Cyrillic characters to spell 'Approved' in the subject line. |
| Two Security Vendors Scanned This Link and Both Said Clean | Attackers chained TitanHQ and Cisco link wrappers on the same malicious URL so each vendor scanned the other's wrapper and returned Clean. |
| When the Safety Wrapper Becomes the Disguise: Brazilian NF-e Phishing via Safe Links Rewrite | A Portuguese-language invoice lure authenticated through a compromised Brazilian domain used is.gd to hide its payload. |
| The Extortion Email That Hid Its Links Inside IPv6 Bracket Notation | An extortion campaign embedded its payment links as IPv6 literal URLs in RFC-compliant bracket notation. |
| The Button Text Was the Weapon: Unicode RTL Obfuscation Inside a DocuSign Lure | Attackers embedded Unicode right-to-left marks directly inside a CTA button label to scatter the string for NLP scanners. |