The email arrived on a Monday afternoon and looked exactly like a routine transaction. Progressive Insurance logo at the top. A yellow action banner: "Action required! See below for details." A bolded heading, "New document for your review," followed by an attention line addressed directly to the organization. Below that, a structured claim block listing a claim number, a loss date, and a loss state. Then a large blue button: "View document."
For a claims processing coordinator at a healthcare revenue cycle firm, this was background noise. Insurance claim updates come in constantly. The formatting was right. The branding was right. The claim number was specific. The email looked indistinguishable from hundreds of legitimate Progressive communications received before it.
The problem, from a detection standpoint, is that the email was sent through Progressive's actual Salesforce Marketing Cloud instance. IBM's 2024 Cost of a Data Breach Report found that phishing-initiated breaches cost an average of $4.88 million, with credential theft via portal redirect among the hardest categories to detect because the attack surface is behavioral, not infrastructural. The Verizon 2024 DBIR similarly notes that attacks abusing legitimate platforms produce the lowest detection rates precisely because there is no infrastructure anomaly to flag.
The sending IP, 68.232.203.130, belongs to mta2.e.progressive.com. SPF passed: that IP is an authorized sender for bounce.e.progressive.com. DKIM produced two valid signatures, one from e.progressive.com and one from s6.y.mc.salesforce.com (Salesforce Marketing Cloud Stack 6, co-signing as Progressive's authorized email service provider). DMARC passed with action=none. Microsoft's composite authentication score came back 100. Every automated link scanner that examined the URLs in the email returned a clean verdict.
The infrastructure was not spoofed. The authentication was not forged. The email traveled from Progressive's marketing stack, through Microsoft 365's inbound processing, and landed in the inbox with a clean bill of health from every gate it passed through.
This is what legitimate-infrastructure abuse looks like at the delivery layer: invisible.
The body was built from Progressive's real transactional template, Claims_Communication_Library_10.0 (the template identifier is visible in the email footer code). The claim metadata embedded in the message (claim number, loss date, loss state) gave it an air of specificity that reinforced legitimacy. The Attention line named the recipient organization directly.
The primary call to action, the blue "View document" button, pointed to click.e.progressive.com, a Progressive tracking redirect domain. From there it chained to account.apps.progressive.com/access/claim/communication-library?communicationId=DA38643A-9F30-4735-ADB4-315647039E71.
That destination is a portal. A portal that requires authentication to access claim documents.
The attack pattern here is not a malicious payload in the traditional sense. There is no malware link, no lookalike domain, no attachment with macros. The goal is to get a recipient to a login page under conditions of urgency ("action required," a specific claim number, a pending document) where they will enter credentials without thinking carefully about whether they should. The portal redirect flow is the mechanism. The Progressive branding and legitimate sending infrastructure are the cover.
Whether the attacker had access to Progressive's Marketing Cloud account, had obtained a valid customer email as a template, or was exploiting some other form of platform access, the result was the same: a credential-harvesting attempt wrapped in a brand that passes every authentication test by design.
See Your Risk: Calculate how many threats your SEG is missing
Themis flagged this email at 81% confidence for credential theft. No authentication failure contributed to that score. The infrastructure was clean. The links were clean. The verdict came from behavioral and contextual analysis.
The click-to-authenticate flow is a known phishing pattern: send an email, create urgency, route to a login page. Themis recognizes this pattern even when the sending infrastructure is legitimate. The mismatch between the claimed action (reviewing a document) and the required next step (authenticating to a portal) is a behavioral signal that does not depend on whether the email passed SPF or DKIM.
The email was initially reported to the SOC by the recipient, who flagged it as suspicious. The recipient's instinct was right. The system reverted the email. But the Themis flag had already been raised before that human report came in.
Worth noting: the incident was briefly marked "False Positive" at one point, reflecting the confusion that authentically-sent, fully-authenticated phishing creates for human reviewers. When everything checks out on the infrastructure side, the tendency is to assume the email is legitimate. That assumption is exactly what this attack was designed to exploit.
The Microsoft Digital Defense Report 2024 notes that attackers are increasingly abusing legitimate cloud platforms and marketing tools to deliver phishing at scale, specifically because those platforms carry authentication credentials that defeat perimeter filtering. CISA advisories consistently flag portal redirect credential theft as a high-priority pattern for organizations in regulated industries, including healthcare.
Detection strategies that treat sender authentication as a trust signal have a fundamental problem with this class of attack. SPF, DKIM, and DMARC were designed to verify that an email came from where it claims to come from. They were not designed to verify that the email's intent is benign. When an attacker gains access to or abuses a trusted brand's marketing platform, the authentication checks pass because the infrastructure is genuinely authorized. The email is, technically, from Progressive.
This is documented in the MITRE ATT&CK framework under T1566.002 (Spearphishing Link) and T1598.003 (Spearphishing Link for credential access). The technique does not require authentication bypass because it does not attempt authentication bypass. It uses legitimate infrastructure as the delivery mechanism.
For security teams, the implication is direct: a clean authentication result cannot be treated as a clean bill of health. Behavioral signals (redirect chains leading to portal logins, urgency framing, click-to-authenticate patterns) have to carry weight in the detection stack even when the envelope is spotless.
| Type | Indicator | Context |
|---|---|---|
| Sending IP | 68[.]232[.]203[.]130 |
Authorized IP for mta2.e.progressive.com, Progressive's marketing MTA |
| Sending domain | e[.]progressive[.]com |
Progressive's email subdomain; legitimate but abused in this incident |
| DKIM signer | s6[.]y[.]mc[.]salesforce[.]com |
Salesforce Marketing Cloud Stack 6 co-signing key |
| Redirect domain | click[.]e[.]progressive[.]com |
Progressive's tracking/redirect infrastructure |
| Destination | account[.]apps[.]progressive[.]com |
Progressive customer portal requiring authentication |
| Communication ID | DA38643A-9F30-4735-ADB4-315647039E71 |
Unique identifier embedded in portal destination URL |
| Subject line | New document for your review. ✅ |
With checkmark emoji; urgency framing |
| Envelope from | bounce-447_HTML-455875940-683189-7000841-1339338@bounce.e.progressive.com |
Salesforce MC job ID structure visible in bounce address |
| Template identifier | Claims_Communication_Library_10.0 |
Progressive's real transactional template name, visible in email footer |
The authentication infrastructure in this email is Progressive's. None of the sending domains or IPs should be blocklisted in isolation. They serve legitimate Progressive customer communications at scale. The IOCs that matter for detection are behavioral: the redirect-to-portal flow, the urgency framing against a claims action, and the mismatch between the email's claimed purpose and its actual destination.