TL;DR An attacker sent a Procore-branded construction submittal notification through Amazon SES with valid SPF and DKIM, targeting four mailboxes at an email security firm. The email embedded legitimate links to Procore support and ExxonMobil corporate pages as visual trust anchors, while the only actionable link pointed to a WordPress admin-path credential harvesting page on wecarebrokerage[.]com. Link scanners returned clean verdicts on the brand URLs because they were genuinely clean. Themis flagged the message at 90% confidence based on behavioral signals and first-time sender analysis.
Severity: High | Tags: Credential Harvesting, Brand Impersonation | MITRE: T1566.002, T1598.003

Five links in the email. Two pointed to Procore's legitimate support site. One pointed to ExxonMobil's corporate homepage. Link scanners evaluated all three and returned the same verdict: clean.

They were right. Those links were clean. That was the entire point.

The attacker didn't include Procore and ExxonMobil URLs because they were malicious. They included them because they were trustworthy. The real payload, a single "View Document" button, pointed somewhere else entirely: a WordPress admin-path credential harvesting page on wecarebrokerage[.]com, a domain registered in June 2023 through Tucows with no public registrant contact.

Construction Submittal Urgency, Built on Real Brand Furniture

The email arrived at an email security firm, targeting four mailboxes between March 18 and March 20, 2026. The subject line read "ATTN_Task Req on [username] Submittal DUE, RF:gVC," pulling the recipient's actual username into the urgency framing. The sender display name was a wall of automated-sounding text: "NotifyTaskorderReqNoreplydb-Ios," paired with a noreply@jaghq[.]com address.

The body impersonated a Procore construction project management notification, complete with the bold red "Your action is required" banner, a heading declaring "You have 1 overdue submittals," and a document line item reading "[Company]_Remittance Closing Revised O&M" with an "Overdue" badge in red. At the bottom sat a pixel-perfect Procore footer: the logo, support@procore.com, the Carpinteria, California office address, and a standard unsubscribe disclaimer.

None of that footer content was forged. The Procore links in the footer pointed to real Procore pages. The ExxonMobil link embedded in the body (visible as a screenshot-style brand reference) pointed to the real ExxonMobil corporate site. These weren't phishing redirects. They were trust anchors, placed deliberately so that any automated link scan would return a clean bill of health for the majority of URLs in the message.

The single link that mattered was the dark-background "View Document" button. It pointed to hxxps://wecarebrokerage[.]com/wp-admin/wps/, a WordPress admin-path endpoint configured for credential harvesting.

Amazon SES Did Exactly What the Attacker Wanted

The email was sent through Amazon SES (eu-central-1.amazonses.com), and every authentication check passed. SPF returned pass for the sending IP 69.169.224.1, which is an authorized Amazon SES relay. DKIM returned pass for both jaghq[.]com and amazonses.com. DMARC returned bestguesspass.

This is a deliberate infrastructure choice mapped to MITRE ATT&CK T1566.002 (Spearphishing Link). The attacker configured a legitimate cloud email service to handle deliverability while hosting the malicious content on separate, attacker-controlled infrastructure. The sending domain jaghq[.]com, registered since 2005 through Tucows with Cloudflare nameservers, provided domain-age credibility. The credential harvesting site wecarebrokerage[.]com sat on entirely separate infrastructure, so a reputation lookup on the sender domain would find nothing suspicious.
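A passing SPF/DKIM/DMARC result only proves that the message really came from the domain that signed it, not that it came from the brand the body claims. The following Python is an added example, not code from the post or from IRONSCALES: it parses an Authentication-Results header, lists the domains the passing checks actually vouch for, and compares them with the domains the body asks the reader to trust. The message text is constructed here; the authentication outcomes, addresses and IP are the ones the post reports, while the header layout, the bounce address and the body wording are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed raw message modelled on the case above. Authentication results,
# sender address and relay IP are those the post reports; the header layout,
# the SES bounce address and the body text are assumptions for this example.
SAMPLE_MESSAGE = """\
From: "NotifyTaskorderReqNoreplydb-Ios" <noreply@jaghq.com>
To: jdoe@example.com
Subject: ATTN_Task Req on jdoe Submittal DUE, RF:gVC
Authentication-Results: mx.example.com;
 spf=pass (sender IP is 69.169.224.1) smtp.mailfrom=bounce.eu-central-1.amazonses.com;
 dkim=pass header.d=jaghq.com;
 dkim=pass header.d=amazonses.com;
 dmarc=bestguesspass header.from=jaghq.com

You have 1 overdue submittals.
Questions? Contact support@procore.com or visit https://support.procore.com/
"""


def parse_authentication_results(value):
    """Split an Authentication-Results value into one record per method."""
    records = []
    for clause in value.split(";")[1:]:  # clause 0 is the authserv-id
        m = re.match(r"(\w+)=(\w+)", clause.strip())
        if not m:
            continue
        method, result = m.groups()
        props = dict(re.findall(r"(smtp\.mailfrom|header\.d|header\.from)=([\w.@-]+)", clause))
        records.append({"method": method, "result": result, **props})
    return records


def org_domain(host):
    """Crude organizational domain (last two labels); enough for the domains here."""
    return ".".join(host.lower().split(".")[-2:])


def vouched_domains(records):
    """Organizational domains that a passing SPF or DKIM result actually vouches for."""
    out = set()
    for r in records:
        if r["result"] != "pass":
            continue
        if r["method"] == "spf" and "smtp.mailfrom" in r:
            out.add(org_domain(r["smtp.mailfrom"].split("@")[-1]))
        elif r["method"] == "dkim" and "header.d" in r:
            out.add(org_domain(r["header.d"]))
    return out


def assess(raw):
    """Contrast what authentication proved with what the body asks the reader to trust."""
    msg = message_from_string(raw)
    records = parse_authentication_results(msg["Authentication-Results"])
    vouched = vouched_domains(records)
    from_domain = org_domain(parseaddr(msg["From"])[1].split("@")[-1])
    # domains the body references as contact addresses or links (the "brand furniture")
    body = msg.get_payload()
    referenced = {org_domain(h) for h in re.findall(r"(?:@|https?://)([\w.-]+\.[a-z]{2,})", body, re.I)}
    return {
        "all_checks_pass": all(r["result"] in ("pass", "bestguesspass") for r in records),
        "vouched": vouched,                      # jaghq.com and amazonses.com, nothing else
        "from_aligned": from_domain in vouched,  # True: the attacker owns the From domain
        "unvouched_brands": referenced - vouched,  # procore.com: displayed, never authenticated
    }


if __name__ == "__main__":
    print(assess(SAMPLE_MESSAGE))
```

The useful output is the last field: every check passed and the From domain is aligned, yet the one brand the reader sees (procore.com) is absent from the set of domains anyone authenticated. That gap, not the pass/fail column, is what a mailbox-level policy should key on.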

According to the Verizon 2024 Data Breach Investigations Report, phishing and pretexting account for the majority of social engineering breaches. What makes this case notable is not the volume or sophistication of the payload, but the architectural separation between trust-building elements (real brand links, legitimate sending infrastructure) and the attack element (a single credential harvesting URL on a different domain entirely).

Why the Malicious Link Avoided Scrutiny

The link architecture in this email was designed to exploit how automated scanners evaluate messages. Most link-scanning engines assess URLs individually. The Procore URLs returned clean. The ExxonMobil URL returned clean. Those verdicts were accurate per-link, but they created a false confidence halo around the entire message.

The credential harvesting URL (hxxps://wecarebrokerage[.]com/wp-admin/wps/) had characteristics that should raise flags on closer inspection. The domain was registered in June 2023, making it roughly three years old (old enough to avoid brand-new-domain reputation filters, young enough to be disposable). The /wp-admin/wps path mimics standard WordPress administrative endpoints, a common pattern in compromised-site credential harvesting. And the domain name itself, "wecarebrokerage," has no logical connection to a construction submittal workflow.

One variant of the link was even wrapped through Cisco's secure-web.cisco.com proxy, suggesting the attacker tested the URL through a trusted security redirector to further legitimize the destination before or during delivery.


According to IBM's 2024 Cost of a Data Breach Report, stolen credentials remain the most common initial attack vector, with an average breach cost of $4.81 million. The FBI IC3 2024 Internet Crime Report recorded over $2.9 billion in BEC losses, with credential theft enabling a significant share of those compromises.

The Behavioral Signal That Link Scanning Couldn't Provide

The IRONSCALES Adaptive AI engine, Themis, flagged this message at 90% confidence. The detection was not based on link reputation. It was based on behavioral context: a first-time external sender, a high-risk sender profile, recipient-specific personalization in the subject line, and a message structure that mimicked automated platform notifications while originating from an unrelated domain.

Across 1,921 organizations in the IRONSCALES customer base, SEGs miss an average of 67.5 phishing emails per 100 mailboxes per month. Emails like this one, where the majority of embedded links are genuinely clean, are exactly the type that inflate that number. Link-level scanning returns green across the board. The behavioral anomaly is invisible to any tool that evaluates URLs in isolation.

The Microsoft Digital Defense Report 2024 documents the increasing use of legitimate cloud services and trusted brand infrastructure in phishing campaigns. This case is a textbook example. The attacker didn't need to build convincing fakes of Procore or ExxonMobil pages. Real pages served the purpose better.

What Defenders Should Take From This

Brand presence in an email does not validate the email's intent. When five out of six links in a message point to real, reputable domains, the natural assumption is that the sixth link belongs there too. Attackers design for exactly that assumption.

Three things to audit in your environment:

  1. Evaluate your link scanning at the message level, not just the URL level. A message with five clean links and one credential harvesting URL is not a "mostly clean" email. It is a phishing email with camouflage.
  2. Flag first-time external senders who impersonate platform notifications. Procore, DocuSign, SharePoint, and similar SaaS tools generate real notifications constantly. An attacker mimicking those templates from an unrelated domain is a high-signal behavioral anomaly that community-driven threat intelligence can catch.
  3. Treat WordPress admin-path URLs in email links as inherently suspicious. Legitimate SaaS platforms do not send users to /wp-admin/ endpoints. The path alone should trigger elevated scrutiny in any URL protection policy.
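The three audit points above can be expressed as one message-level triage pass. The Python below is an added example written for this post, not IRONSCALES or Themis code: it extracts every link from an HTML body, unwraps a rewriting proxy, scores each URL individually with a stand-in reputation lookup, and then judges the message as a whole: off-template destinations, WordPress admin paths, and a first-time sender using a platform template from an unrelated domain. The HTML is constructed to mirror the message described; the Procore and ExxonMobil URLs are their real public sites and the harvesting URL is the one the post reports, while the proxy URL layout, the platform lookup table and the "reputable domains" set are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Constructed HTML modelled on the message in the post. The exact layout of the
# Cisco-wrapped link is an assumption (the post shows only "...").
SAMPLE_HTML = """
<p><b>Your action is required</b></p>
<h2>You have 1 overdue submittals</h2>
<p>Acme_Remittance Closing Revised O&amp;M <span>Overdue</span></p>
<a href="https://secure-web.cisco.com/1abc/https%3A%2F%2Fwecarebrokerage.com%2Fwp-admin%2Fwps%2F">View Document</a>
<a href="https://corporate.exxonmobil.com/">ExxonMobil</a>
<p>Procore Technologies, Carpinteria, CA. Questions? Contact
<a href="mailto:support@procore.com">support@procore.com</a> or visit
<a href="https://support.procore.com/">Procore Support</a> |
<a href="https://support.procore.com/faq">FAQ</a></p>
"""
SAMPLE_SENDER = "noreply@jaghq.com"

# Assumed lookup tables for this example: platform templates and their domains,
# a stand-in for a per-URL reputation service, and proxy hosts worth unwrapping.
PLATFORM_DOMAINS = {"procore": "procore.com", "docusign": "docusign.com", "sharepoint": "sharepoint.com"}
REPUTABLE_DOMAINS = {"procore.com", "exxonmobil.com"}
PROXY_HOSTS = {"secure-web.cisco.com"}
WORDPRESS_ADMIN_PATHS = ("/wp-admin/", "/wp-login.php")


class LinkExtractor(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def org_domain(host):
    """Crude organizational domain (last two labels); enough for the domains here."""
    return ".".join((host or "").lower().split(".")[-2:])


def unwrap_proxy(url):
    """Return the destination behind a known rewriting proxy, else the URL itself.
    Assumes the destination appears URL-encoded after the proxy host."""
    host = (urlparse(url).hostname or "").lower()
    if host not in PROXY_HOSTS:
        return url
    decoded = unquote(url)
    tail = decoded[decoded.lower().index(host) + len(host):]
    m = re.search(r"https?://\S+", tail)
    return m.group(0) if m else url


def scan_url(url):
    """Stand-in for a per-URL scanner: 'clean' for reputable domains, 'unknown' otherwise."""
    return "clean" if org_domain(urlparse(url).hostname) in REPUTABLE_DOMAINS else "unknown"


def assess_message(html, sender, first_time_sender=True):
    """Judge the message as a whole rather than each URL in isolation."""
    text = re.sub(r"<[^>]+>", " ", html).lower()
    impersonated = {d for name, d in PLATFORM_DOMAINS.items() if name in text}
    sender_domain = org_domain(sender.split("@")[-1])
    parser = LinkExtractor()
    parser.feed(html)
    links = []
    for label, href in parser.links:
        if href.lower().startswith("mailto:"):
            continue
        dest = unwrap_proxy(href)
        parsed = urlparse(dest)
        flags = []
        if dest != href:
            flags.append("proxy-wrapped")
        if org_domain(parsed.hostname) not in impersonated | {sender_domain}:
            flags.append("off-template domain")
        if parsed.path.startswith(WORDPRESS_ADMIN_PATHS):   # audit point 3
            flags.append("wordpress admin path")
        links.append({"label": label, "destination": dest, "per_url": scan_url(dest), "flags": flags})
    reasons = []
    # audit point 1: one unvetted off-template link outweighs any number of clean ones
    clean = sum(1 for l in links if l["per_url"] == "clean")
    bad = [l for l in links if "wordpress admin path" in l["flags"]
           or ("off-template domain" in l["flags"] and l["per_url"] != "clean")]
    if bad:
        reasons.append(f"{clean} of {len(links)} links scan clean, but {len(bad)} lead off-template to an unvetted destination")
    # audit point 2: first-time sender using a platform's template from an unrelated domain
    if first_time_sender and impersonated and sender_domain not in impersonated:
        reasons.append(f"first-time sender {sender_domain} impersonating {', '.join(sorted(impersonated))}")
    return {"verdict": "phishing" if reasons else "clean", "reasons": reasons, "links": links}


if __name__ == "__main__":
    print(assess_message(SAMPLE_HTML, SAMPLE_SENDER))
```

On the sample, three of four links come back clean from the per-URL check, exactly the "mostly clean" picture the post describes; the verdict is still phishing because the only call-to-action unwraps to an unknown domain on a /wp-admin/ path and the template belongs to a platform the sender domain has no relation to.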

The scanners did their job. They checked the links and reported what they found. The problem is that the attacker gave them exactly the links they were designed to approve.

Indicators of Compromise

Type     Indicator                                                    Context
Domain   jaghq[.]com                                                  Attacker sender domain (Amazon SES)
Domain   wecarebrokerage[.]com                                        Credential harvesting landing page host
URL      hxxps://wecarebrokerage[.]com/wp-admin/wps/                  WordPress admin-path phishing endpoint
URL      hxxps://secure-web.cisco[.]com/...wecarebrokerage[.]com...   Cisco proxy wrapping attacker URL
IP       69.169.224[.]1                                               Amazon SES sending relay (eu-central-1)

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 30,000+ security professionals. Each post breaks down one attack — what it looked like, why it worked, and what you can do about it.
