TL;DR Attackers impersonated Procore's submittal notification system using Amazon SES for clean delivery, passing SPF, DKIM, and DMARC. The phishing email targeted a cybersecurity company employee with personalized details and routed clicks through three legitimate security proxies (Microsoft SafeLinks, Trend Micro, Cisco) before landing on a compromised WordPress site hosting a Bill.com credential harvester. IRONSCALES Themis flagged the attack at 90% confidence and auto-quarantined across four mailboxes.
Severity: High | Categories: Credential Harvesting, Brand Impersonation | MITRE ATT&CK: T1566.002 (Phishing: Spearphishing Link), T1036 (Masquerading), T1583.001 (Acquire Infrastructure: Domains), T1584.004 (Compromise Infrastructure: Server)

A cybersecurity company's employee received a Procore submittal notification so convincing that it sailed through SPF, DKIM, and DMARC. It then threaded its payload URL through Microsoft SafeLinks, Trend Micro URL Protect, and Cisco Secure Web before depositing the victim on a compromised WordPress site running a Bill.com credential harvester. Three layers of URL security. Zero layers that caught it.

This attack, caught and auto-quarantined by IRONSCALES on March 18, 2026, represents a growing pattern: brand impersonation campaigns that weaponize trusted cloud infrastructure against the very security stack designed to stop them.


Fake Submittals, Real Credentials

The email arrived disguised as a Procore overdue submittal notification. Procore is a widely used construction project management platform, and its submittal workflow generates thousands of legitimate time-sensitive notifications daily. The attackers knew this.

The message included the target company's name and the recipient's username directly in the body. A red "Overdue" badge sat next to a "Document Invite" line item, and a prominent blue "View Document" button urged immediate action. The preheader text read "You have an overdue submittal," priming the recipient before they even opened the email.

Every visual element matched Procore's actual notification template. The footer included Procore's real Carpinteria, California address and support email. The HTML used responsive design with dark mode support, Google Fonts (Inter, Lato, Noto Sans), and a SendGrid tracking pixel for open tracking. According to Abnormal Security's 2025 threat report, brand impersonation now accounts for more than 40% of advanced email attacks, and construction software brands are increasingly targeted because their notifications carry inherent urgency.

The visual decoy went further. Embedded screenshots showed what appeared to be legitimate Procore and ExxonMobil branded document pages, suggesting the submittal involved a major corporate project. But those images were static props. The actual click target routed somewhere else entirely.

The Three-Gateway Problem

Here is where the attack gets interesting for defenders. The "View Document" URL did not go directly to the attacker's site. Instead, it passed through a chain of three legitimate URL security gateways:

  1. Microsoft SafeLinks wrapped the URL first
  2. Trend Micro URL Protect wrapped it second
  3. Cisco Secure Web added a third layer

Only after passing through all three proxies did the user land on wecarebrokerage[.]com/wp-admin/wps, a compromised WordPress site serving a Bill.com-branded login page.

This multi-hop architecture is not accidental. Research from Cofense's 2025 Phishing Intelligence Report documents a 67% increase in phishing campaigns that deliberately route through legitimate security proxies. Each gateway wraps the URL in its own redirect, and each redirect makes the final destination harder for downstream scanners to evaluate. The MITRE ATT&CK framework classifies this under T1566.002 (Spearphishing Link), but the proxy-chaining technique adds a layer of sophistication that basic link analysis misses.


Clean Authentication, Dirty Intent

The sending infrastructure was built for credibility. The email originated from jaghq[.]com, a domain registered in 2005 through Tucows with Cloudflare DNS. Twenty-one years of domain age buys significant reputation with filtering systems that weigh domain history.

The attackers routed their campaign through Amazon SES in the eu-central-1 region (IP: 69[.]169[.]224[.]1). This is T1583.001 (Acquire Infrastructure: Domains) executed with precision. Amazon SES enforces sender authentication, which means the email passed every check:

  • SPF: Pass (Amazon SES is authorized to send for jaghq[.]com)
  • DKIM: Pass (signed by both jaghq[.]com and amazonses[.]com)
  • DMARC: Best guess pass
  • CompAuth: Pass

Valimail's 2025 Email Authentication Report found that 89% of phishing emails now pass at least one authentication protocol. This attack passed all of them. Traditional secure email gateways that rely on authentication signals as primary trust indicators would have no reason to flag this message.

The landing domain, wecarebrokerage[.]com, was registered in June 2023 through Tucows. The attackers compromised a legitimate WordPress installation and planted their credential harvester in the /wp-admin/wps path (T1584.004, Compromise Infrastructure: Server). Using a real site's domain and SSL certificate makes the phishing page appear trustworthy to both users and automated URL scanners that check domain age and certificate validity.

What the Attacker Got Right (and What Caught Them)

This campaign checked nearly every box in the attacker's playbook:

  • Impersonated a brand known for urgent, time-sensitive notifications (T1036, Masquerading)
  • Personalized the email with the target's company name and username
  • Used cloud infrastructure (Amazon SES) for clean delivery
  • Passed full email authentication
  • Routed the payload through three legitimate security proxies
  • Hosted the harvester on a compromised site with real domain history

What the attackers did not account for was behavioral analysis. IRONSCALES Themis, the platform's Adaptive AI, flagged the message at 90% confidence with labels for Credential Theft and VIP Recipient. The sender had never contacted the organization before, and the combination of first-time sender, brand impersonation signals, and anomalous URL patterns triggered automatic resolution. Themis quarantined the email across four mailboxes between March 18 and March 20, 2026, with no human intervention required.

Community-level intelligence reinforced the verdict. Similar incidents across the IRONSCALES network had already been resolved as phishing, giving Themis high-confidence corroboration that static rule-based detection cannot replicate.

Indicators of Compromise

Type      Value                    Context
Domain    jaghq[.]com              Sending domain (registered 2005-09-19, Tucows/Cloudflare)
Domain    wecarebrokerage[.]com    Credential harvesting site, compromised WordPress (registered 2023-06-04, Tucows)
IP        69[.]169[.]224[.]1       Amazon SES sending IP (eu-central-1)
URL Path  /wp-admin/wps            WordPress admin path hosting Bill.com credential harvester
Email     noreply@jaghq[.]com      Sender address

What Defenders Should Do This Week

Check your proxy-chain visibility. If your organization uses Microsoft SafeLinks, Trend Micro, or Cisco URL protection, verify that your email security platform can unwrap multi-layered redirects and evaluate the final destination. According to Google's Threat Analysis Group, URL proxy chains are now a standard evasion technique in targeted campaigns.

Audit Amazon SES alerts. Create detection rules for inbound emails from Amazon SES that impersonate brands your organization does not do business with. The authentication will be clean, so sender reputation alone will not catch these.
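One way to implement the SES brand-mismatch rule, as an added example that is not from the original post or from IRONSCALES: it parses a constructed header set modelled on this attack (the Return-Path value, the Authentication-Results layout and the procore.com brand-domain mapping are assumptions) and flags mail that passes authentication, transits amazonses.com, and names a brand in the display name that the From domain is not known to send for.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample headers modelled on the attack above; the Return-Path
# value and the Authentication-Results layout are illustrative, not captured.
SAMPLE = """\
From: Procore <noreply@jaghq.com>
Subject: You have an overdue submittal
Return-Path: <bounce@eu-central-1.amazonses.com>
Authentication-Results: spf=pass (sender IP is 69.169.224.1)
 smtp.mailfrom=eu-central-1.amazonses.com; dkim=pass header.d=jaghq.com;
 dkim=pass header.d=amazonses.com; dmarc=bestguesspass action=none
 header.from=jaghq.com; compauth=pass

"""

# Brands whose notifications you expect, mapped to the domains they really send
# from. The procore.com entry is an assumption; build the map from your logs.
KNOWN_BRAND_DOMAINS = {"procore": {"procore.com"}}

def authentication_passed(auth_results: str) -> bool:
    """SPF, DKIM and DMARC all pass (Microsoft's 'bestguesspass' counts)."""
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth_results.lower()))
    return all(results.get(m) in ("pass", "bestguesspass") for m in ("spf", "dkim", "dmarc"))

def routed_via_ses(msg) -> bool:
    """Amazon SES shows up as the bounce domain and/or a DKIM signer."""
    fields = (str(msg.get("Return-Path", "")), str(msg.get("Authentication-Results", "")))
    return any("amazonses.com" in f.lower() for f in fields)

def impersonated_brand(msg):
    """Brand named in the display name but not matched by the From domain."""
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    for brand, domains in KNOWN_BRAND_DOMAINS.items():
        if brand in display.lower() and domain not in domains:
            return brand
    return None

def triage(raw: str) -> dict:
    """Clean auth is not trust: SES transit plus a brand mismatch is the signal."""
    msg = email.message_from_string(raw, policy=policy.default)
    verdict = {"auth_pass": authentication_passed(str(msg.get("Authentication-Results", ""))),
               "via_ses": routed_via_ses(msg),
               "impersonated_brand": impersonated_brand(msg)}
    verdict["suspicious"] = verdict["via_ses"] and verdict["impersonated_brand"] is not None
    return verdict
```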

Hunt for WordPress admin path URLs. Any inbound email linking to /wp-admin/ paths on external domains is almost certainly malicious. Legitimate WordPress notifications do not route users to admin directories.
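An added example (not the article's or any vendor's code) covering both the three-gateway chain described earlier and the /wp-admin/ hunt: it peels query-parameter and path-style URL wrappers until the final destination is reached, then flags admin-path landings. Only the SafeLinks ?url= form is widely documented; the Trend Micro and Cisco wrapper shapes, the token value and the destination host are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs, quote

# Wrappers carrying the destination in a query parameter. The SafeLinks ?url=
# form is widely documented; the Trend Micro form here is an assumption.
QUERY_WRAPPERS = {"safelinks.protection.outlook.com": "url", "trendmicro.com": "url"}
# Wrappers putting a token segment before the literal destination, assumed to
# look like https://secure-web.cisco.com/<token>/https://dest/...
PATH_WRAPPERS = {"secure-web.cisco.com"}

def unwrap_once(url: str):
    """Return the URL wrapped inside `url`, or None if it is not a wrapper."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for suffix, param in QUERY_WRAPPERS.items():
        if host == suffix or host.endswith("." + suffix):
            inner = parse_qs(parts.query).get(param)  # parse_qs percent-decodes
            return inner[0] if inner else None
    if host in PATH_WRAPPERS:
        rest = url.split("://", 1)[1]  # drop the wrapper's own scheme
        idx = rest.find("/http")       # the embedded destination starts here
        return rest[idx + 1:] if idx != -1 else None
    return None

def unwrap_chain(url: str, max_hops: int = 10) -> list:
    """Outer wrapper first, final destination last; bounded against loops."""
    hops = [url]
    while len(hops) <= max_hops:
        inner = unwrap_once(hops[-1])
        if inner is None or inner in hops:
            break
        hops.append(inner)
    return hops

def analyse(url: str) -> dict:
    """Evaluate the final destination, not the trusted outer wrapper."""
    hops = unwrap_chain(url)
    final = urlsplit(hops[-1])
    return {"proxy_layers": len(hops) - 1, "final_host": final.hostname,
            "wp_admin_path": final.path.lower().startswith("/wp-admin/")}

# Constructed chain in the order the article describes: SafeLinks wrapped the
# destination first, Trend Micro second, Cisco third (so Cisco is outermost).
# The destination host is a placeholder, not the real compromised site.
_dest = "https://compromised-site.example/wp-admin/wps"
_hop1 = "https://nam01.safelinks.protection.outlook.com/?url=" + quote(_dest, safe="")
_hop2 = "https://wis.trendmicro.com/wis/clicktime/v1/query?url=" + quote(_hop1, safe="")
SAMPLE_CHAIN = "https://secure-web.cisco.com/1AbCdEfG/" + _hop2
```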

Brief your team on construction software impersonation. Procore, PlanGrid, and Bluebeam impersonation is rising because these brands generate high-urgency notifications that create click pressure. Even recipients outside the construction industry may encounter these lures if attackers cast a wide net.

Measure your gateway gap. If your current email security relies on authentication signals and URL reputation as primary defenses, this attack would likely land in your users' inboxes. The authentication was clean, the domain was aged, and the URL chain was wrapped in trusted proxies.


Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 30,000+ security professionals. Each post breaks down one attack — what it looked like, why it worked, and what you can do about it.
