The button in this email read "Check Bidding Document." What it actually contained, character by character, was a string of visible letters with zero-width Unicode characters inserted between every one of them, invisible to the human eye but enough to break the text-pattern checks that most gateway scanners run against known-malicious phrases.
A mid-size professional services firm received an email styled as a Procom staffing notification. The subject line referenced a document submission amendment keyed to an internal-looking identifier. The body greeted the recipient by username and presented a single prominent call to action framed as a procurement task: review a bidding document tied to a pending submission. The footer displayed "© 2026 Procom" with Procom's visual branding. The message arrived from notification@zeft[.]in, a domain with no prior correspondence history with the recipient organization and no public WHOIS record. A secondary reference to info@soslabour[.]com appeared in the mailbox display.
This is impersonation at its most practical: take a staffing brand that recipients are conditioned to act on, pair it with an unverifiable sending domain, and build in enough obfuscation to slide past automated detection.
The message was injected into Amazon SES at a3-29.smtp-out.eu-west-1.amazonses.com (IP 54.240.3.29) on the EU West 1 endpoint. SPF passed for the SES IP. DKIM signatures verified for both zeft[.]in and amazonses.com. DMARC returned bestguesspass with an action of none, meaning no enforcement was applied even under the best-case interpretation of alignment.
The DMARC configuration on zeft[.]in was set to p=none, which is the standard starting posture for a domain owner who has configured DMARC reporting but not yet enabled enforcement. For an attacker-controlled domain, p=none means the delivery path is frictionless: even if a downstream gateway detected DMARC misalignment, no quarantine or reject action would follow.
Amazon SES is a legitimate bulk-mail platform used by thousands of organizations. Reputation feeds do not flag SES IPs as malicious. When a gateway checks the relay, it sees a major cloud provider, a signed message, and a passing SPF record. ESP abuse, using legitimate email service providers to inherit delivery reputation, is one of the primary reasons authentication signals alone cannot determine whether a message is safe.
Microsoft's anti-spam engine still scored this message at SCL:5 / SFV:SPM, flagging it as likely spam. That flag did not prevent inbox delivery on its own.
See Your Risk: Calculate how many threats your SEG is missing
The primary call-to-action button displayed the text "Check Bidding Document." The underlying HTML character sequence inserted U+200D (zero-width joiner) characters between every letter in the phrase. The visible rendering was identical to the unobfuscated string. A human reading the email saw a normal button label. A scanner performing string-equality matching against a known-phrase blocklist would compare a fundamentally different byte sequence and find no match.
This is MITRE ATT&CK T1027 (obfuscated files or information) applied to social-engineering content rather than to malware or scripts. The technique is not sophisticated in terms of engineering effort (inserting zero-width characters into HTML is a trivial one-liner) but it is effective against signature-based text analysis because it targets the matching layer, not the rendering layer.
Alongside the obfuscated CTA, the email body contained mixed template artifacts: some copy referenced account security while the visible button referenced a bidding document. Multiple tracking redirect links pointed to url2764.procom[.]digital, an intermediate hop that presented clean verdicts in isolation but routed toward the malicious final destination.
The CTA href resolved through a redirect chain and terminated at hxxps://reliablebackgroundverification[.]com/white. The detection system flagged this domain as malicious (verdict: malicious, element ID 624289451). The domain name was constructed to appear legitimate in a background-check or staffing context: "reliable background verification" reads as a plausible vendor name, and the /white path suffix adds specificity that implies a legitimate landing resource.
The display links in the email pointed to hxxps://app.procom[.]digital/app/profile and hxxps://app.procom[.]digital/auth/login, both clean-verdict Procom application endpoints. The actual click path used tracking hops on url2764.procom[.]digital before routing to the malicious domain. This display-href mismatch is the standard phishing construction: show a trusted URL to the reader, route the click somewhere else.
Credential harvesting via malicious landing pages frequently relies on this redirect construction because it passes the visible-link inspection step that many users and some scanners perform. The malicious domain only appears in the actual HTTP request, not in the rendered anchor text.
MITRE ATT&CK T1566.001 (spearphishing link) covers the primary delivery mechanism. T1656 (impersonation) captures the Procom brand clone throughout the email body, template, and footer.
IRONSCALES detected the combination of first-time sender status, a high-risk sender signal on zeft[.]in, the display-versus-envelope domain mismatch, and the malicious CTA destination verdict. No single signal was conclusive in isolation; the behavioral cluster was.
| Type | Indicator | Context |
|---|---|---|
| Malicious URL | hxxps://reliablebackgroundverification[.]com/white | CTA destination; flagged malicious by detection system |
| Sender address | notification[@]zeft[.]in | First-time sender; no public WHOIS; Amazon SES delivery |
| Display reference | info[@]soslabour[.]com | Secondary display address; unrelated to Procom |
| Redirect domain | url2764.procom[.]digital | Intermediate tracking hop in CTA redirect chain |
| Sending IP | 54[.]240[.]3[.]29 | Amazon SES EU West 1 |
| Obfuscation | Zero-width joiners (U+200D) between CTA button letters | Breaks text-pattern matching on button label |
| DMARC | p=none on zeft[.]in | No enforcement; bestguesspass action |
| Attack | What happened |
|---|---|
| The Phishing Link Lived on a Domain That Didn't Exist Nine Hours Earlier | A compromised university student account sent a phishing email that passed SPF, DKIM, and DMARC. |
| The Health Spending Account Alert That Rode a Benefits Administrator's Own Infrastructure | An Anthem-branded spending account notification routed through a legitimate benefits administrator's redirect infrastructure. |
| How ARC Re-Signing and an IP Allow-List Turned Three Authentication Failures Into SCL -1 | A phishing email claiming to be a OneDrive share from an outlook.com address originated from a county government mail server. |
| SafeLinks Wrapped the Phishing URL With the Recipient's Name on It | Microsoft SafeLinks rewrote a phishing URL and embedded the recipient's email address into the redirect chain. |
| The GitLab Alert That Passed Every Filter (Except One Detail Nobody Checked) | A GitLab sign-in alert cleared Proofpoint URL Defense and passed SPF/DMARC — then listed a private RFC1918 IP as the sign-in source. |