The email looked like a salary adjustment notice from HR. The images in it were served from a cloud bucket registered to a phishing simulation company.
That detail is not incidental. It is the technique. Attackers targeting a payroll administrator at a regional hospital on April 7, 2026 built a Microsoft Teams-style document-sharing lure and chose to host their image assets on infrastructure belonging to CanIPhish, a commercial phishing simulation and security awareness platform. The result: a credential-harvesting campaign dressed in the clothes of routine security training traffic.
It is worth sitting with that for a moment. The same category of vendor organizations use to test their employees against phishing was quietly providing CDN cover for an actual attack.
The Lure Was Built to Pass a Glance Test
The email arrived with the display name "Excel_Generated Notifications_Salary_Adjustment" from jp@hrsyncdashboard[.]onmicrosoft[.]com. The subject line read: "[EXTERNAL] Eskenazi Health: Salary adjustment for employees."
The hospital's email gateway had already stamped it with a red-bar caution notice warning recipients it was external. That warning was visible at the top of the message. The attacker did not try to suppress it.
The body itself was clean and visually convincing. A Microsoft Teams-style layout, a checkmark icon, the text "You've been granted access to read 'Salary adjustment for [hospital] employees,'" the target's full name and job title displayed as if pulled from a directory, and a date. Two buttons: "Open in Teams" (green, Teams brand color) and "Open in Browser" (white, secondary action).
The target's name and job title appearing in the email is worth noting. Either the attacker pulled this from a public directory or LinkedIn, or the campaign involved some degree of pre-attack reconnaissance. Either way, it raised the apparent legitimacy of the document-share notification.
Both buttons linked to the same destination: a SendGrid click-tracking URL beginning with hxxps://u60904143[.]ct[.]sendgrid[.]net/ls/click?.... Clicking either one would first register the click with whoever controlled that SendGrid account, then redirect the target onward.
Three Layers of Infrastructure, None of It Controlled by the Hospital
MITRE ATT&CK maps the delivery to Phishing: Spearphishing Link (T1566.002) and the staging of the lure on third-party platforms to Acquire Infrastructure: Web Services (T1583.006). The infrastructure stack here shows exactly why those techniques keep appearing in incident data.
Layer 1: SendGrid. The email was sent through SendGrid's outbound mail infrastructure, originating from a tenant identified as SendGrid account 60904143. The envelope Return-Path was a SendGrid bounce address formatted to encode the target's email address. This is standard SendGrid bulk delivery behavior. It also means the sending IP had SendGrid's reputation, not the attacker's.
Layer 2: hrsyncdashboard[.]onmicrosoft[.]com. The From header pointed to a Microsoft tenant with this domain. No DMARC record was published for it. SPF produced a softfail at the final Microsoft 365 receiving hop: by that point the connecting IP was the gateway relay that had already handled the message (139[.]138[.]59[.]32, the ESA listed in the indicators below), not an address authorized by the SPF record of the SendGrid bounce domain in the Return-Path, and the result was a softfail rather than a hard fail because that record uses a soft (~all) default for unmatched senders. DKIM failed verification at the top-level authentication results despite passing at an intermediate relay, which is what a signed message looks like after a hop has modified it. The composite result was compauth=none reason=405: Microsoft did not assert a confident authentication verdict either way. Nothing blocked it.
Layer 3: CanIPhish S3. The email's images, including a Teams checkmark icon and a calendar icon, were served from caniphish[.]s3[.]ap-southeast-2[.]amazonaws[.]com. CanIPhish is a legitimate Australian phishing simulation company. Their platform allows customers to build simulation emails and hosts assets on S3. In this attack, either a bucket belonging to a CanIPhish customer account was abused, or the attacker registered their own CanIPhish account to stage assets, then used the resulting S3 URLs in a real attack.
From a security tooling perspective, traffic to caniphish[.]s3[.]ap-southeast-2[.]amazonaws[.]com may be treated as benign or even explicitly allowlisted, since security teams use CanIPhish for their own internal training campaigns. That allowlisting is the cover the attacker bought by staging images there.
The Landing Page Was Minimal and Mobile-Ready
The SendGrid redirect resolved to hxxps://salaryadjustmentreadviaadobe[.]carrd[.]co/, a page built on Carrd, a free website builder popular for quick single-page sites.
The page was sparse by design. A heading: "Salary Adjustment for employees." A subheading: "Click below to read document on your organization Adobe PDF reader online." A black "Continue" button. A horizontal rule. Then: "or / Scan the barcode below to read on your smartphone or devices." Followed by a large QR code.
The page offered two paths to credential capture: a button click (presumably leading to a credential-harvesting portal) and a QR code for mobile users. The "Made with Carrd" attribution was visible at the bottom but easy to miss.
Carrd pages are free, fast to spin up, and hosted on Carrd's own infrastructure. They have no inherent malicious reputation. Combined with the SendGrid click-tracking layer obscuring the destination, the full redirect chain gave the attack multiple layers of perceived legitimacy before the actual phishing page appeared.
Why Auth Signals Were Not Enough
The FBI IC3 2024 Annual Report lists phishing among the top complaint categories, with healthcare a disproportionately targeted sector. The Verizon 2024 DBIR likewise puts stolen credentials and phishing among the leading initial access vectors across industries.
What this case illustrates is the gap between "auth signals are suspicious" and "this email is blocked." The authentication stack here raised flags without triggering a block. SPF softfail is not SPF fail. DKIM passed at one relay and failed at another. DMARC was absent. Each signal individually was ambiguous. Collectively, they were telling a clear story, but automated systems that evaluate them sequentially and with high confidence thresholds will often pass the email through.
CISA has repeatedly emphasized that DMARC enforcement is foundational, but the sending domain here had no DMARC record at all. That absence does not generate a block under most default configurations. It generates a note.
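To make that gap concrete, here is an added example (not code from the original article or from IRONSCALES) that parses an Authentication-Results value and evaluates it two ways: as a sequential gate that blocks only on a hard failure, the way a default-tuned gateway behaves, and as a cumulative score over the ambiguous results plus a DMARC-style alignment check. The header value is constructed to carry the signals described above; the bounce domain in smtp.mailfrom is a placeholder, not the real one.

```python
import re

# Constructed Authentication-Results value modeled on the signals the article
# describes (SPF softfail at the final hop, DKIM fail, no DMARC, compauth=none).
# It is not the real header from the incident; the bounce domain is a placeholder.
SAMPLE_AUTH_RESULTS = (
    "spf=softfail (sender IP is 139.138.59.32) smtp.mailfrom=bounces.placeholder-esp.example; "
    "dkim=fail (body hash did not verify) header.d=hrsyncdashboard.onmicrosoft.com; "
    "dmarc=none action=none header.from=hrsyncdashboard.onmicrosoft.com; "
    "compauth=none reason=405"
)

_CLAUSE = re.compile(
    r"^(?P<method>[a-z]+)=(?P<result>[a-z0-9]+)\s*(?:\((?P<comment>[^)]*)\))?\s*(?P<props>.*)$"
)
_PROP = re.compile(r"([\w.-]+)=(\S+)")


def parse_authentication_results(value: str) -> dict:
    """Split an Authentication-Results value into {method: {result, comment, props...}}.

    Clauses are ';'-separated. A leading authserv-id (e.g. 'mx.example.com 1')
    contains no '=' and is skipped. Header folding whitespace is collapsed first.
    """
    results = {}
    for clause in value.split(";"):
        clause = " ".join(clause.split())
        m = _CLAUSE.match(clause)
        if not m:
            continue
        entry = {"result": m.group("result"), "comment": m.group("comment") or ""}
        entry.update(_PROP.findall(m.group("props")))
        results[m.group("method")] = entry
    return results


# Results most gateways treat as a definitive failure on their own.
HARD_FAILS = {("spf", "fail"), ("dmarc", "fail"), ("compauth", "fail")}

# Ambiguous results and the weight given to each. Individually each is a
# "note"; the point of scoring is that they add up.
WEAK_SIGNALS = {
    ("spf", "softfail"): (2, "SPF softfail: connecting IP not authorized for the envelope domain"),
    ("spf", "none"): (1, "no SPF record for the envelope domain"),
    ("dkim", "fail"): (2, "DKIM signature did not verify"),
    ("dkim", "none"): (1, "message not DKIM-signed"),
    ("dmarc", "none"): (2, "no DMARC record published for the From domain"),
    ("compauth", "none"): (1, "no composite authentication verdict"),
}
REVIEW_THRESHOLD = 5


def _domain(identifier: str) -> str:
    return identifier.rsplit("@", 1)[-1].lower() if identifier else ""


def sequential_gate(results: dict) -> str:
    """Model a gateway that blocks only on a hard failure; weak signals pass."""
    for method, entry in results.items():
        if (method, entry["result"]) in HARD_FAILS:
            return "block"
    return "deliver"


def cumulative_assessment(results: dict):
    """Add up the ambiguous signals, check identifier alignment, return a verdict."""
    score, reasons = 0, []
    for method, entry in results.items():
        key = (method, entry["result"])
        if key in HARD_FAILS:
            return 99, [f"{method}={entry['result']} is a hard failure"], "block"
        if key in WEAK_SIGNALS:
            weight, text = WEAK_SIGNALS[key]
            score += weight
            reasons.append(text)
    # DMARC alignment evaluated locally, since the From domain publishes no policy:
    # a passing SPF or DKIM identifier must match the From domain.
    from_dom = _domain(results.get("dmarc", {}).get("header.from", ""))
    spf = results.get("spf", {})
    dkim = results.get("dkim", {})
    spf_ok = spf.get("result") == "pass" and _domain(spf.get("smtp.mailfrom", "")) == from_dom
    dkim_ok = dkim.get("result") == "pass" and dkim.get("header.d", "").lower() == from_dom
    if from_dom and not (spf_ok or dkim_ok):
        score += 1
        reasons.append(f"no passing identifier aligns with From domain {from_dom}")
    verdict = "hold for review" if score >= REVIEW_THRESHOLD else "deliver"
    return score, reasons, verdict


if __name__ == "__main__":
    parsed = parse_authentication_results(SAMPLE_AUTH_RESULTS)
    print("sequential gate:", sequential_gate(parsed))
    score, reasons, verdict = cumulative_assessment(parsed)
    print(f"cumulative score {score}: {verdict}")
    for reason in reasons:
        print(" -", reason)
```

On the constructed header the sequential gate returns "deliver", because nothing in it is a hard failure, while the cumulative assessment scores 8 and holds the message for review. The weights and threshold are arbitrary starting points; the design choice that matters is evaluating the results together rather than one at a time.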
The payroll administrator who received this email reported it manually. That human instinct, flag this, something is off, is what triggered the investigation. Themis, IRONSCALES' autonomous AI analyst, then analyzed the reported email and confirmed the malicious infrastructure: the SendGrid redirect chain, the Carrd destination, and the CanIPhish S3 bucket used to serve the lure's visual assets.
Themis flagged the "Open in Browser" link as malicious based on infrastructure analysis. The detection leaned on behavioral and link analysis rather than waiting for a clean auth verdict, which in this case never came. The community intelligence layer adds additional signal as similar infrastructure patterns get reported across the 35,000-plus security professionals in the IRONSCALES network.
Blocking This Class of Attack Before the User Has to Report It
The CanIPhish S3 infrastructure detail is the one to operationalize. Security teams may have simulation platform domains in allowlists or reduced-scrutiny lists. If CanIPhish (or any other simulation vendor's CDN) appears as an image host in an inbound email, that is worth flagging. It is not proof of an attack. It is an anomaly that warrants a second look.
Beyond that, the defensive checklist here is not exotic:
Publish and enforce DMARC on every domain your organization uses to send email, including subdomains and third-party delivery domains. That protects recipients from impersonation of your own brand; it does not stop a lookalike tenant like the one used here, whose domain the attacker controls and which published no DMARC record at all. What you do control is how your receiving gateway treats that absence: a From domain with dmarc=none, combined with an SPF softfail and a DKIM failure, should be a quarantine condition, not a note.
Train payroll and accounts payable staff specifically on document-sharing lures. The IBM Cost of a Data Breach 2024 shows healthcare breaches average $9.77 million. Payroll credential theft is a direct path to financial fraud. The people most likely to act on a salary adjustment notification are the ones who process payroll.
Treat free-hosting platforms (Carrd, Notion, Google Sites, GitHub Pages) as elevated-risk destinations when they appear as link targets in external email, particularly when combined with SendGrid redirect chains. None of these services are inherently malicious. That is exactly why attackers use them.
The Microsoft Digital Defense Report 2024 notes that threat actors have become systematic about abusing legitimate cloud services specifically to blend into normal traffic patterns. This attack is a textbook example: SendGrid for delivery, a Microsoft tenant for the From address, a phishing simulation vendor's S3 for image hosting, and Carrd for the landing page. Every layer is "real" infrastructure. None of it belongs to the target organization.
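The checks this section calls for (a simulation vendor's asset host in external mail, a click-tracking redirector hiding the destination, several buttons pointing at one tracked link, a landing page on a free single-page host) are straightforward to express as message analysis. Below is an added example, not code from the article or from IRONSCALES, that does so in Python against a constructed HTML body modeled on the lure. The approved simulation-sender address and the mapping from tracked URL to final destination are assumptions; a real deployment would take the latter from a sandbox that follows the redirect chain, and would extend the host lists with its own vendor's CDN.

```python
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse

# Constructed HTML modeled on the lure's structure described in the article:
# a Teams-style share notice, two buttons pointing at one SendGrid tracked link,
# icons served from the CanIPhish S3 bucket. Not the actual message; the query
# string is a placeholder.
SAMPLE_HTML = """
<html><body>
  <img src="https://caniphish.s3.ap-southeast-2.amazonaws.com/teams-check.png" alt="">
  <p>You've been granted access to read 'Salary adjustment for employees'</p>
  <img src="https://caniphish.s3.ap-southeast-2.amazonaws.com/calendar.png" alt="">
  <a href="https://u60904143.ct.sendgrid.net/ls/click?upn=placeholder">Open in Teams</a>
  <a href="https://u60904143.ct.sendgrid.net/ls/click?upn=placeholder">Open in Browser</a>
</body></html>
"""

# Where the tracked link lands. Resolving this requires following the redirect
# chain in a sandbox; here it is constructed to match the article's findings.
SAMPLE_RESOLVED = {
    "https://u60904143.ct.sendgrid.net/ls/click?upn=placeholder":
        "https://salaryadjustmentreadviaadobe.carrd.co/",
}

# Asset hosts of phishing-simulation vendors. Only the host from this incident
# is listed; add the CDN hosts of the platform your organization actually uses.
SIMULATION_ASSET_HOSTS = {"caniphish.s3.ap-southeast-2.amazonaws.com"}
# Senders your own simulation campaigns legitimately come from (assumed example).
APPROVED_SIMULATION_SENDERS = {"training@simulations.example-hospital.test"}
REDIRECTOR_SUFFIXES = (".ct.sendgrid.net",)
FREE_HOST_SUFFIXES = (".carrd.co", ".notion.site", ".github.io")
FREE_HOSTS_EXACT = {"sites.google.com"}


class _RefCollector(HTMLParser):
    """Collect image sources and link targets from an HTML body."""

    def __init__(self):
        super().__init__()
        self.images, self.links = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.images.append(a["src"])
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _is_free_host(host: str) -> bool:
    return host in FREE_HOSTS_EXACT or host.endswith(FREE_HOST_SUFFIXES)


def analyze_lure(html: str, sender: str, resolved: Optional[dict] = None) -> list:
    """Return human-readable findings for an inbound HTML message.

    `resolved` maps tracked/redirector URLs to their final destination, as
    produced by a sandbox that followed the chain.
    """
    collector = _RefCollector()
    collector.feed(html)
    findings = []

    # 1. Simulation-vendor assets in mail that did not come from our own
    #    simulation sender: the pattern this incident turned on.
    if sender.lower() not in APPROVED_SIMULATION_SENDERS:
        for host in sorted({host_of(u) for u in collector.images}):
            if host in SIMULATION_ASSET_HOSTS:
                findings.append(f"simulation-vendor asset host in external mail: {host}")

    # 2. Click-tracking redirectors hide the real destination from link analysis.
    tracked = [u for u in collector.links if host_of(u).endswith(REDIRECTOR_SUFFIXES)]
    for host in sorted({host_of(u) for u in tracked}):
        findings.append(f"click-tracking redirector obscures destination: {host}")

    # 3. Several calls to action that all go to one tracked URL.
    if len(collector.links) > 1 and len(set(collector.links)) == 1:
        findings.append(f"{len(collector.links)} buttons share one tracked link")

    # 4. Final destination on a free single-page hosting platform.
    for url in tracked:
        final = (resolved or {}).get(url)
        if final and _is_free_host(host_of(final)):
            findings.append(f"tracked link lands on free-hosting platform: {host_of(final)}")
            break
    return findings


if __name__ == "__main__":
    for finding in analyze_lure(SAMPLE_HTML, "jp@hrsyncdashboard.onmicrosoft.com", SAMPLE_RESOLVED):
        print("-", finding)
```

Run against the constructed lure from the attacker's sender, this produces four findings; run against the same body from the approved simulation sender, the vendor-asset finding drops out and the other three remain. As the article says, none of these is proof of an attack on its own; they are enrichment for triage and for a scoring rule, not a standalone block.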
| Type | Indicator | Context |
|---|---|---|
| Domain | hrsyncdashboard[.]onmicrosoft[.]com | Attacker-controlled sending domain, no DMARC published |
| Email address | jp@hrsyncdashboard[.]onmicrosoft[.]com | Sender address used in From header |
| URL | hxxps://u60904143[.]ct[.]sendgrid[.]net/ls/click?... | SendGrid click-tracking redirect (two unique variants) |
| URL | hxxps://salaryadjustmentreadviaadobe[.]carrd[.]co/ | Final phishing landing page (Carrd-hosted) |
| Infrastructure | caniphish[.]s3[.]ap-southeast-2[.]amazonaws[.]com | Image CDN (CanIPhish platform S3 bucket) |
| IP | 149[.]72[.]154[.]232 | SendGrid outbound relay IP |
| IP | 139[.]138[.]59[.]32 | ESA relay IP, SPF softfail at final Microsoft hop |