A cybersecurity company's employee received a Procore submittal notification so convincing that it sailed through SPF, DKIM, and DMARC. It then threaded its payload URL through Microsoft SafeLinks, Trend Micro URL Protect, and Cisco Secure Web before depositing the victim on a compromised WordPress site running a Bill.com credential harvester. Three layers of URL security. Zero layers that caught it.
This attack, caught and auto-quarantined by IRONSCALES on March 18, 2026, represents a growing pattern: brand impersonation campaigns that weaponize trusted cloud infrastructure against the very security stack designed to stop them.
The email arrived disguised as a Procore overdue submittal notification. Procore is a widely used construction project management platform, and its submittal workflow generates thousands of legitimate time-sensitive notifications daily. The attackers knew this.
The message included the target company's name and the recipient's username directly in the body. A red "Overdue" badge sat next to a "Document Invite" line item, and a prominent blue "View Document" button urged immediate action. The preheader text read "You have an overdue submittal," priming the recipient before they even opened the email.
Every visual element matched Procore's actual notification template. The footer included Procore's real Carpinteria, California address and support email. The HTML used responsive design with dark mode support, Google Fonts (Inter, Lato, Noto Sans), and a SendGrid tracking pixel for open tracking. According to Abnormal Security's 2025 threat report, brand impersonation now accounts for more than 40% of advanced email attacks, and construction software brands are increasingly targeted because their notifications carry inherent urgency.
The visual decoy went further. Embedded screenshots showed what appeared to be legitimate Procore and ExxonMobil branded document pages, suggesting the submittal involved a major corporate project. But those images were static props. The actual click target routed somewhere else entirely.
Here is where the attack gets interesting for defenders. The "View Document" URL did not go directly to the attacker's site. Instead, it passed through a chain of three legitimate URL security gateways:
Only after passing through all three proxies did the user land on wecarebrokerage[.]com/wp-admin/wps, a compromised WordPress site serving a Bill.com-branded login page.
This multi-hop architecture is not accidental. Research from Cofense's 2025 Phishing Intelligence Report documents a 67% increase in phishing campaigns that deliberately route through legitimate security proxies. Each gateway wraps the URL in its own redirect, and each redirect makes the final destination harder for downstream scanners to evaluate. The MITRE ATT&CK framework classifies this under T1566.002 (Spearphishing Link), but the proxy-chaining technique adds a layer of sophistication that basic link analysis misses.
The sending infrastructure was built for credibility. The email originated from jaghq[.]com, a domain registered in 2005 through Tucows with Cloudflare DNS. Twenty-one years of domain age buys significant reputation with filtering systems that weigh domain history.
The attackers routed their campaign through Amazon SES in the eu-central-1 region (IP: 69[.]169[.]224[.]1). This is T1583.001 (Acquire Infrastructure: Domains) executed with precision. Amazon SES enforces sender authentication, which means the email passed every check:
Valimail's 2025 Email Authentication Report found that 89% of phishing emails now pass at least one authentication protocol. This attack passed all of them. Traditional secure email gateways that rely on authentication signals as primary trust indicators would have no reason to flag this message.
The landing domain, wecarebrokerage[.]com, was registered in June 2023 through Tucows. The attackers compromised a legitimate WordPress installation and planted their credential harvester in the /wp-admin/wps path (T1584.004, Compromise Infrastructure: Server). Using a real site's domain and SSL certificate makes the phishing page appear trustworthy to both users and automated URL scanners that check domain age and certificate validity.
This campaign checked nearly every box in the attacker's playbook:
What the attackers did not account for was behavioral analysis. IRONSCALES Themis, the platform's Adaptive AI, flagged the message at 90% confidence with labels for Credential Theft and VIP Recipient. The sender had never contacted the organization before, and the combination of first-time sender, brand impersonation signals, and anomalous URL patterns triggered automatic resolution. Themis quarantined the email across four mailboxes between March 18 and March 20, 2026, with no human intervention required.
Community-level intelligence reinforced the verdict. Similar incidents across the IRONSCALES network had already been resolved as phishing, giving Themis high-confidence corroboration that static rule-based detection cannot replicate.
| Type | Value | Context |
|---|---|---|
| Domain | jaghq[.]com | Sending domain (registered 2005-09-19, Tucows/Cloudflare) |
| Domain | wecarebrokerage[.]com | Credential harvesting site, compromised WordPress (registered 2023-06-04, Tucows) |
| IP | 69[.]169[.]224[.]1 | Amazon SES sending IP (eu-central-1) |
| URL Path | /wp-admin/wps | WordPress admin path hosting Bill.com credential harvester |
| Email | noreply@jaghq[.]com | Sender address |
Check your proxy-chain visibility. If your organization uses Microsoft SafeLinks, Trend Micro, or Cisco URL protection, verify that your email security platform can unwrap multi-layered redirects and evaluate the final destination. According to Google's Threat Analysis Group, URL proxy chains are now a standard evasion technique in targeted campaigns.
Audit Amazon SES alerts. Create detection rules for inbound emails from Amazon SES that impersonate brands your organization does not do business with. The authentication will be clean, so sender reputation alone will not catch these.
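The detection rule described above, as an added example that is not IRONSCALES code or any vendor's rule syntax. It parses a constructed inbound message, checks whether it was relayed through Amazon SES (by looking for an `amazonses.com` relay host in the Received headers, an assumed but common fingerprint), records that SPF/DKIM/DMARC all passed, and still flags the message when the From display name or subject names a brand the organisation does not use while the From domain is not one that brand sends from. The brand list, the in-use set and the sample headers are constructed for the example.

```python
"""Flag SES-relayed mail that impersonates a brand the organisation does not use.

Added illustration, not IRONSCALES code. Brand domains, the in-use set and the
sample message are constructed; the SES relay fingerprint is an assumption.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed policy inputs (assumptions, not from the article).
WATCHED_BRANDS = {
    "procore": {"procore.com"},
    "bill.com": {"bill.com"},
    "plangrid": {"plangrid.com"},
    "bluebeam": {"bluebeam.com"},
}
# Brands this organisation genuinely receives mail from; those are not flagged.
BRANDS_IN_USE = {"bluebeam"}


def relayed_via_ses(msg):
    """True when any Received header names an Amazon SES relay host (assumed fingerprint)."""
    return any("amazonses.com" in hdr.lower() for hdr in msg.get_all("Received", []))


def auth_passed(msg):
    """True when Authentication-Results reports spf, dkim and dmarc all as pass."""
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return all(f"{mech}=pass" in results for mech in ("spf", "dkim", "dmarc"))


def impersonated_brand(msg):
    """Return (brand, from_domain) when a watched brand is named but the From
    domain is not one that brand legitimately sends from; otherwise None."""
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    haystack = f"{display} {msg.get('Subject', '')}".lower()
    for brand, legit_domains in WATCHED_BRANDS.items():
        if brand in haystack and not any(
            from_domain == d or from_domain.endswith("." + d) for d in legit_domains
        ):
            return brand, from_domain
    return None


def triage(raw_message):
    """Return a verdict dict: the message is flagged only when it came through
    SES, names a watched brand from a foreign domain, and that brand is not one
    the organisation uses. Clean authentication does not clear it."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    verdict = {
        "ses": relayed_via_ses(msg),
        "auth_pass": auth_passed(msg),
        "brand": None,
        "flag": False,
    }
    hit = impersonated_brand(msg)
    if hit:
        brand, _ = hit
        verdict["brand"] = brand
        verdict["flag"] = verdict["ses"] and brand not in BRANDS_IN_USE
    return verdict


# Constructed sample: SES relay, clean authentication, Procore-branded display name
# on an unrelated sender domain (example names, not the article's IoCs).
SAMPLE_MESSAGE = """\
Received: from a1-23.smtp-out.eu-central-1.amazonses.com ([198.51.100.7])
 by mx.victim.example with ESMTPS; Wed, 18 Mar 2026 09:12:00 +0000
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=sender.example;
 dkim=pass header.d=sender.example; dmarc=pass header.from=sender.example
From: "Procore Notifications" <noreply@sender.example>
To: user@victim.example
Subject: Overdue submittal: Document Invite
Content-Type: text/plain

You have an overdue submittal.
"""

# Constructed control: same relay, but a brand the organisation uses, sent from its own domain.
LEGIT_MESSAGE = """\
Received: from a9-11.smtp-out.amazonses.com ([198.51.100.9])
 by mx.victim.example with ESMTPS; Wed, 18 Mar 2026 09:15:00 +0000
Authentication-Results: mx.victim.example; spf=pass; dkim=pass; dmarc=pass
From: "Bluebeam" <noreply@bluebeam.com>
To: user@victim.example
Subject: Your Bluebeam session summary
Content-Type: text/plain

Session summary attached.
"""

if __name__ == "__main__":
    print(triage(SAMPLE_MESSAGE))
    print(triage(LEGIT_MESSAGE))
```

The point of the `auth_pass` field is to make explicit that the rule fires on a message whose authentication is entirely clean; a rule keyed on SPF/DKIM/DMARC failures would never see it.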
Hunt for WordPress admin path URLs. Any inbound email linking to /wp-admin/ paths on external domains is almost certainly malicious. Legitimate WordPress notifications do not route users to admin directories.
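The proxy-chain unwrapping and /wp-admin/ hunt described in this and the preceding recommendation (and the three-hop chain described earlier in the post), as an added example that is not IRONSCALES code. It peels SafeLinks, Trend Micro URL Protect and Cisco Secure Web wrappers off a link until the final destination is reached, then reports the hop count and whether the destination sits under a WordPress admin path. The wrapper host patterns are assumptions about those products' public link formats, not taken from their documentation, and the sample chain uses a constructed placeholder domain rather than the article's IoC.

```python
"""Unwrap a chain of URL-rewriting security proxies and assess the final destination.

Added illustration, not IRONSCALES code. The wrapper formats below are assumptions:
  Microsoft SafeLinks:      https://<tenant>.safelinks.protection.outlook.com/?url=<encoded>&data=...
  Trend Micro URL Protect:  https://<host>.trendmicro.com/wis/clicktime/v1/query?url=<encoded>&umid=...
  Cisco Secure Web:         https://secure-web.cisco.com/<token>/<original url>
"""
from urllib.parse import parse_qs, quote, urlparse

# Wrappers that carry the original link in a ?url= query parameter (assumed).
QUERY_WRAPPERS = ("safelinks.protection.outlook.com", "trendmicro.com")
# Wrappers that append the original link to their path after a token (assumed).
PATH_WRAPPERS = ("secure-web.cisco.com",)
# Final-destination paths that legitimate notifications never point users at.
SUSPICIOUS_PATH_PREFIXES = ("/wp-admin/",)
MAX_HOPS = 10  # guard against wrapper loops or absurdly deep chains


def _matches(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def unwrap_once(url):
    """Return the URL wrapped inside `url`, or None if `url` is not a known wrapper."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if _matches(host, QUERY_WRAPPERS):
        inner = parse_qs(parsed.query).get("url")  # parse_qs percent-decodes the value
        if inner:
            return inner[0]
    if _matches(host, PATH_WRAPPERS):
        parts = parsed.path.split("/", 2)  # ['', '<token>', 'https://...']
        if len(parts) == 3 and parts[2].startswith(("http://", "https://")):
            inner = parts[2]
            if parsed.query:  # query string of the original link survives on the wrapper
                inner += "?" + parsed.query
            return inner
    return None


def unwrap_chain(url, max_hops=MAX_HOPS):
    """Return the list of URLs from the outermost wrapper down to the final destination."""
    hops = [url]
    while len(hops) <= max_hops:
        nxt = unwrap_once(hops[-1])
        if nxt is None or nxt in hops:  # unknown wrapper, or a loop
            break
        hops.append(nxt)
    return hops


def assess_link(url):
    """Unwrap `url` and report findings a hunt rule would act on."""
    hops = unwrap_chain(url)
    final = hops[-1]
    findings = []
    if len(hops) > 2:
        findings.append(f"{len(hops) - 1} proxy hops before the final destination")
    if urlparse(final).path.startswith(SUSPICIOUS_PATH_PREFIXES):
        findings.append("final destination is under a WordPress admin path")
    return {"final": final, "hops": len(hops) - 1, "findings": findings}


# Constructed sample chain (placeholder domain, not the article's IoC):
# SafeLinks -> Trend Micro -> Cisco -> compromised site.
_DESTINATION = "https://compromised-site.example/wp-admin/wps"
_CISCO = "https://secure-web.cisco.com/EXAMPLETOKEN/" + _DESTINATION
_TREND = ("https://example.trendmicro.com/wis/clicktime/v1/query?url="
          + quote(_CISCO, safe="") + "&umid=example")
SAMPLE_LINK = ("https://eur01.safelinks.protection.outlook.com/?url="
               + quote(_TREND, safe="") + "&data=example")

if __name__ == "__main__":
    for hop in unwrap_chain(SAMPLE_LINK):
        print(hop)
    print(assess_link(SAMPLE_LINK))
```

Unwrapping is done purely by parsing, so no request is ever made to the wrappers or the destination; that keeps the check safe to run on quarantined mail and avoids registering a click with the proxies' own telemetry.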
Brief your team on construction software impersonation. Procore, PlanGrid, and Bluebeam impersonation is rising because these brands generate high-urgency notifications that create click pressure. Even recipients outside the construction industry may encounter these lures if attackers cast a wide net.
Measure your gateway gap. If your current email security relies on authentication signals and URL reputation as primary defenses, this attack would likely land in your users' inboxes. The authentication was clean, the domain was aged, and the URL chain was wrapped in trusted proxies.