His Name in the From Field, Someone Else's Bank Account: Political Donation Impersonation via bluevision24.com

TL;DR: An email displaying the name of a former U.S. senator as the sender used the address info@bluevision24[.]com, a domain registered August 2024 with WHOIS data fully redacted, to solicit political donations. The subject line 'Tomorrow' was paired with 'Tomorrow is Election Day in Alabama' urgency framing in the body. All donation CTAs routed through clicksp.bluevision24[.]com, a tracking redirector controlled by the sender. Final destinations were ActBlue donation pages. DKIM, SPF, and DMARC all passed for bluevision24.com. The impersonation indicator was behavioral: the display name matched a known political figure while the envelope address belonged to an unrecognized 10-month-old privacy-shielded domain.
Severity: Medium. Tags: Impersonation, Social Engineering, Phishing. MITRE ATT&CK: T1566.001, T1656, T1598.

The display name showed the name of a former U.S. senator from Alabama. The sending address was info@bluevision24[.]com. The domain was 10 months old, WHOIS data fully redacted. Every authentication check passed. And the ask was financial.

This is what display-name spoofing looks like when it targets a recipient's political identity rather than their workplace credentials. The mechanism is the same as any other display-name attack (a trusted name in the visible portion of the From header, an unrelated sending domain underneath it) but the social-engineering lever is urgency around a civic event rather than an expired password or a pending invoice.

The impersonated public figure is a former U.S. Senator from Alabama. He did not send this email. The email was sent by whoever controls bluevision24[.]com, using a display name that would be immediately recognizable to anyone familiar with Alabama politics.

The Domain Behind the Display Name

bluevision24[.]com was registered on August 29, 2024, approximately 10 months before this email was analyzed, via GoDaddy, with registrant details redacted under WHOIS privacy protection. The domain's mail was sent through SparkPost (mta-70-63-194.sparkpostmail[.]com, IP 156[.]70[.]63[.]194), a commercial email delivery provider. The Return-Path pointed to bouncesp.bluevision24[.]com. DKIM passed for header.d=bluevision24[.]com. SPF passed for the SparkPost sending IP. DMARC passed for header.from=bluevision24[.]com.

This is the authentication paradox that makes display-name impersonation so effective against gateway-layer defenses. The domain passes every check because the checks validate the domain, and the domain is real. It was set up precisely to pass them. What the checks do not evaluate is whether "bluevision24.com" has any relationship to the impersonated senator, or whether displaying that name in the From field is an accurate representation of who is actually communicating.

MITRE ATT&CK T1656 (impersonation) covers identity fraud techniques where attackers pose as a trusted entity to influence victim behavior. T1566.001 covers the spearphishing-via-link delivery vector, which applies here because the entire financial CTA chain runs through operator-controlled redirectors. The CISA phishing guidance explicitly identifies display-name mismatch with a sending address as a primary indicator to check before acting on any financial or sensitive request.

Urgency Engineering: "Tomorrow Is Election Day"

The subject line was a single word: "Tomorrow." The body opened with "Tomorrow is Election Day in Alabama," an explicit deadline that compresses the decision window to hours. Multiple donation CTAs followed in descending amounts ($5, $10, $50, $100, OTHER AMOUNT), with a secondary ask to split the donation between two recipients. The salutation addressed the recipient by first name, sourced from a targeted mailing list, adding personalization that reinforces the sense of a direct, individual outreach.

This is social engineering optimized for political context. Donation solicitations tied to deadlines are a standard tactic in legitimate campaign fundraising, which is precisely why they work as phishing lures. A recipient who is already predisposed to support a particular candidate, or who receives political fundraising emails regularly, has a calibrated expectation for this format. The email exploits that calibration by making itself indistinguishable from a real campaign communication until the recipient stops to examine the sending address.

The footer included a disclosure line: "Paid for by Blue Vision and not authorized by any candidate or candidate's committee." That language suggests the operator may have structured this as a PAC solicitation rather than a candidate campaign email, a distinction that, from a legal standpoint, may matter but does not reduce the impersonation risk to recipients who see a prominent political name in the From field and assume the message reflects an actual campaign.


The Redirector Layer

Every donation CTA and most image links in the email routed through clicksp.bluevision24[.]com before reaching the final destination. That redirector CNAMEs to bluevision-r0s.splink.emaildeputy.com, a commercial email-redirect service. The final destinations were ActBlue donation pages (secure.actblue.com) configured for a campaign identifier referencing "bv_djones."

ActBlue is a legitimate political donation processor. Its presence at the end of the redirect chain does not sanitize the path to it. The operator's redirector sits between the recipient's click and the donation page, giving the operator visibility into who clicked, when, and which CTA, and the ability to update link destinations without sending a new message. Using ActBlue as the terminal endpoint adds a trust signal that a recipient might recognize from legitimate campaign emails, which is the point.

IRONSCALES detected this campaign through behavioral indicators: exact display-name match against a known public figure from a first-time sender domain registered under privacy protection, all CTAs funneled through an operator-controlled redirector on that same domain, and Election Day urgency framing driving toward financial action. The combination of low-assurance domain age, WHOIS opacity, public-figure identity claim, and financial CTA is the fingerprint of a social-engineering financial fraud campaign, regardless of whether individual links point to a legitimate payment processor.

Adaptive AI running on the IRONSCALES platform evaluates sender domain age and registration patterns alongside display-name identity claims, applying cross-signal analysis that catches the gap between what a message says it is and what its infrastructure actually shows. That gap (a well-known name on a 10-month-old privacy-shielded domain) is what authentication protocols are not designed to detect and what behavioral analysis is specifically built to surface.
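The cross-signal check described above, written out as an added example that is not IRONSCALES code: it parses a constructed message modelled on the headers and link pattern in this post, confirms that SPF/DKIM/DMARC pass for the sending domain, and then flags the display-name/domain gap, the domain age, and the sender-hosted redirector. The WHOIS creation date and the public-figure watch list are constructed stand-ins for data a real pipeline would fetch.

```python
import email
import re
from datetime import date
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the headers and link pattern described above;
# the real message body is not reproduced and the display name is a placeholder.
RAW_MESSAGE = b"""From: Former Senator <info@bluevision24.com>
Return-Path: <bounce@bouncesp.bluevision24.com>
Authentication-Results: mx.example.net; spf=pass; dkim=pass header.d=bluevision24.com; dmarc=pass header.from=bluevision24.com
Subject: Tomorrow
Content-Type: text/html

<p>Tomorrow is Election Day in Alabama.</p>
<a href="https://clicksp.bluevision24.com/f/a/abc123">$5</a>
<a href="https://clicksp.bluevision24.com/f/a/def456">$10</a>
"""

# Constructed stand-ins for a WHOIS/RDAP lookup and for a watch list of
# public-figure display names with the domains they are known to send from.
DOMAIN_CREATED = {"bluevision24.com": date(2024, 8, 29)}
PROTECTED_NAMES = {"former senator": set()}   # no trusted sending domain on file


def assess(raw, today, protected_names, domain_created):
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"]))
    domain = addr.rsplit("@", 1)[-1].lower()
    auth = str(msg.get("Authentication-Results", ""))
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    hosts = {urlparse(u).hostname for u in re.findall(r'href="([^"]+)"', body)}
    created = domain_created.get(domain)
    age_days = (today - created).days if created else None
    flags = {
        # SPF/DKIM/DMARC validate only the sending domain, which is genuine here
        "auth_passed": all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc")),
        # a watch-listed name on a domain that name is not known to send from
        "name_domain_mismatch": display.lower() in protected_names
        and domain not in protected_names[display.lower()],
        "young_domain": age_days is not None and age_days < 365,
        # every link funnels through a redirector under the sender's own domain
        "sender_redirector": bool(hosts) and all(h and h.endswith("." + domain) for h in hosts),
        "deadline_lure": bool(re.search(r"election day|tomorrow", body, re.I)),
    }
    flags["verdict"] = ("suspected impersonation"
                        if flags["name_domain_mismatch"] and flags["young_domain"]
                        and flags["sender_redirector"] else "no impersonation signal")
    return flags
```

Running `assess(RAW_MESSAGE, date(2025, 6, 30), PROTECTED_NAMES, DOMAIN_CREATED)` returns every authentication flag true and the verdict "suspected impersonation"; the analysis date is a constructed value roughly 10 months after registration, matching the post.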

Indicators of Compromise

| Type | Indicator | Context |
| --- | --- | --- |
| Sending domain | bluevision24[.]com | Registered 2024-08-29; WHOIS redacted; GoDaddy registrar |
| Sender address | info[@]bluevision24[.]com | Spoofed the display name of a former U.S. senator (public figure) |
| Redirector domain | clicksp.bluevision24[.]com | Operator-controlled click-tracking redirector; CNAMEs to emaildeputy.com |
| Return-Path | bouncesp.bluevision24[.]com | SparkPost bounce handler for bluevision24.com |
| Sending infrastructure | mta-70-63-194.sparkpostmail[.]com | SparkPost commercial delivery; IP 156[.]70[.]63[.]194 |
| Impersonation target | a former U.S. senator (Alabama) | Did not send this email; name used as display name without authorization |
| Authentication | DKIM pass, SPF pass, DMARC pass | Valid for bluevision24.com; does not validate display-name identity claim |

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
