A Portuguese-language email arrived from lawrenceruiz041@hotmail[.]com requesting payment on invoice NF 2678. The message stated that the previously communicated amount had been corrected and that the updated amount was now due. The due date was the same day the email was sent.
SPF passed. DKIM passed. DMARC passed. The email was sent through legitimate Hotmail infrastructure: SPF confirmed the sending server is authorized for hotmail.com, DKIM confirmed the message was signed with Hotmail's key, and DMARC confirmed both results aligned with the From domain. None of these checks says anything about whether the account behind the address belongs to a real vendor; they only confirm that Microsoft sent the message on behalf of a Microsoft account.
The Reply-To header was set to gearardtrentnt5vyux@hotmail[.]com, a different address from the sender. Any reply to this email would be silently routed to the Reply-To address rather than the apparent sender. The Reply-To address follows a pattern common to throwaway accounts: a name fragment combined with random characters.
The email contained no links, no attachments, and no embedded images. The entire payload was text. The sending entity referenced in the email body could not be verified through Portuguese business registries or commercial databases.
Text-only invoice fraud is one of the most difficult attack types for automated security systems to detect. There is no URL to scan, no file to sandbox, and no embedded content to analyze. The email authentication stack confirms that the message came from Hotmail, which it did. Every technical indicator is clean.
The Reply-To mismatch is the primary technical signal. When the From address and Reply-To address differ, the sender wants responses delivered to a different mailbox than the one that sent the message. That has legitimate uses (mailing lists, ticketing systems, no-reply senders), but a vendor invoicing from a personal address has no reason for it: vendors sending invoices want replies to come back to the same address. The mismatch is a silent diversion that most recipients will never notice, because email clients display the From address, not the Reply-To, in the inbox view, and a reply is pre-addressed to the Reply-To mailbox without any prompt.
The same-day due date applies maximum urgency pressure. Combined with the corrected amount framing, the email creates a scenario where the recipient believes they have already been invoiced, the amount has changed, and payment is overdue the moment they read the message. This combination is designed to short-circuit the recipient's normal verification workflow (confirming the changed amount with the vendor through a known contact, not by replying to the email), a human control that a gateway-only security product cannot substitute for.
The Portuguese language targets a specific recipient demographic and reduces the likelihood that English-language-focused security teams will manually review the message content.
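The signals above can be checked at the header and body level before any URL or attachment analysis would even apply. The following is an added example, not IRONSCALES code: it parses a constructed message modelled on this case (the header values and Portuguese body text are assumptions, and the consumer-domain list is an assumed list, not data from the page), confirms that SPF/DKIM/DMARC all pass, and then flags the From/Reply-To mismatch, the consumer mailbox origin, and the absence of links or attachments. Urgency and language cues are left to content analysis and are not scored here.

```python
"""Header-level triage for text-only invoice fraud.

Added example, not code from the original write-up. It shows why a
message can pass every authentication check and still be high risk:
authentication is recorded but carries no weight, while the Reply-To
mismatch, consumer-mail origin and text-only payload do.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed sample modelled on the case; header values and body text are assumptions.
SAMPLE = """\
From: Lawrence Ruiz <lawrenceruiz041@hotmail.com>
Reply-To: gearardtrentnt5vyux@hotmail.com
To: financeiro@example.com
Subject: NF 2678 - valor corrigido
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=hotmail.com; dkim=pass header.d=hotmail.com; dmarc=pass header.from=hotmail.com
Content-Type: text/plain; charset="utf-8"

Segue o valor corrigido da NF 2678. Vencimento: hoje.
"""

# Assumed list of consumer mailbox providers a genuine vendor would rarely invoice from.
CONSUMER_DOMAINS = {"hotmail.com", "outlook.com", "gmail.com", "yahoo.com"}
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)


def auth_results(msg: Message) -> dict:
    """Return {'spf': 'pass', 'dkim': ..., 'dmarc': ...} from Authentication-Results."""
    header = msg.get("Authentication-Results", "")
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.IGNORECASE)
    return {method.lower(): result.lower() for method, result in pairs}


def address_parts(msg: Message, header: str) -> tuple:
    """Lower-cased (localpart, domain) of an address header; ('', '') if absent."""
    _, addr = parseaddr(msg.get(header, ""))
    local, _, domain = addr.lower().rpartition("@")
    return local, domain


def has_active_content(msg: Message) -> bool:
    """True if the message carries a URL, an attachment, an image, or an HTML part."""
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_filename() or part.get_content_maintype() == "image":
            return True
        if part.get_content_type() == "text/html":
            return True
        payload = part.get_payload(decode=True) or b""
        if URL_RE.search(payload.decode("utf-8", "replace")):
            return True
    return False


def triage(raw: str) -> dict:
    """Evaluate the header/content signals and attach a verdict."""
    msg = message_from_string(raw)
    sender = address_parts(msg, "From")
    reply_to = address_parts(msg, "Reply-To")
    auth = auth_results(msg)
    signals = {
        # Expected to be True for this case; recorded for context, not scored.
        "auth_all_pass": all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")),
        # Reply-To present and pointing at a different mailbox than From.
        "reply_to_mismatch": bool(reply_to[1]) and reply_to != sender,
        "consumer_sender": sender[1] in CONSUMER_DOMAINS,
        "text_only": not has_active_content(msg),
    }
    score = sum(signals[k] for k in ("reply_to_mismatch", "consumer_sender", "text_only"))
    if signals["reply_to_mismatch"] and score >= 2:
        signals["verdict"] = "HIGH"
    elif score >= 1:
        signals["verdict"] = "MEDIUM"
    else:
        signals["verdict"] = "LOW"
    return signals


if __name__ == "__main__":
    for name, value in triage(SAMPLE).items():
        print(f"{name:18} {value}")
```

On the constructed sample every authentication result is `pass` and the verdict is still HIGH, which is the point of the case: the Reply-To diversion is visible in the headers of a message that the authentication stack has, correctly, vouched for.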
Adaptive AI email security identified the Reply-To mismatch as the primary risk signal and combined it with the consumer email provider origin, unverifiable sender entity, and same-day payment urgency to classify the message as HIGH risk. The absence of any prior communication from this sender to the target organization reinforced the behavioral assessment.
Community intelligence confirmed that similar Portuguese-language invoice fraud emails with the same Reply-To pattern were reaching multiple organizations across the IRONSCALES network.
See Your Risk. Run a free phishing simulation to discover whether text-only invoice fraud would reach your finance team today.
| Indicator | Type | Value |
|---|---|---|
| Case ID | Internal | 46941b41cf8c6a1496c048e3d995943a |
| Sender Email | Email | lawrenceruiz041@hotmail[.]com |
| Reply-To Email | Email | gearardtrentnt5vyux@hotmail[.]com |
| Invoice Reference | Financial | NF 2678 |
| Language | Content | Portuguese |
| Due Date | Urgency | Same-day |
| Payload | Content | Text-only (no links, no attachments) |
| Company | Identity | Unverifiable |
| SPF | Authentication | pass |
| DKIM | Authentication | pass |
| DMARC | Authentication | pass |

| Tactic | Technique | ID | Notes |
|---|---|---|---|
| Initial Access | Phishing | T1566 | Text-only invoice fraud, no payload |
| Resource Development | Establish Accounts: Email Accounts | T1585.002 | Throwaway Hotmail accounts for sender and Reply-To |
| Defense Evasion | Masquerading | T1036 | Reply-To diversion to a separate mailbox |
| Impact | Financial Theft | T1657 | Same-day due date payment demand |