
A Security Vendor's URL Defense Became the Attacker's Best Disguise

Written by Audian Paxson | Nov 26, 2025 5:15:00 AM
TL;DR: A compromised industrial supplier account was used to inject five malicious links into a legitimate B2B email thread about pipe fitting samples. The links were wrapped by Proofpoint URL Defense, making them appear as trusted security-rewritten URLs. SPF passed, DKIM was absent, and DMARC defaulted to bestguesspass. IRONSCALES returned malicious verdicts for the URLs and quarantined four affected mailboxes within three minutes of detection.
Severity: High | Tags: Vendor Email Compromise, Thread Hijacking, URL Redirect Chain Abuse, Credential Harvesting | MITRE: T1566.002, T1199, T1078, T1204.001

Five malicious links. All of them wrapped in a major email security vendor's URL Defense rewriting service. All of them tucked inside a real, ongoing B2B email thread about industrial pipe fitting samples. SPF passed. The sender domain had been registered since the year 2000. Four mailboxes were quarantined.

This is what vendor email compromise looks like when the attacker's best obfuscation tool is a security product.

The Thread That Was Already Trusted

The email arrived as a reply in an active thread between an industrial components manufacturer and a longtime metal-fabrication supplier. The subject line referenced pipe extension samples and a 2" NPT threaded coupling. The thread included prior messages in both English and Spanish, complete with professional signatures, phone numbers, and corporate logos. The external sender warning banner was present, but the conversation itself had been going on for days.

The latest reply came from a sales alias at the supplier's domain. The body was brief: a short question about fitting a sample into a cabinet hole. No urgency language, no payment demands, no credential requests. To any recipient scanning the message, this looked like a routine manufacturing follow-up.

That was the point.

Five Redirect Chains Behind a Trusted Wrapper

Embedded in the message were five distinct URLs on the url[.]emailprotection[.]link domain, which belongs to Proofpoint's URL Defense rewriting service. When an organization deploys Proofpoint URL Defense on its outbound mail, every link in every message is automatically rewritten into an opaque, tokenized redirect. The intent is to allow click-time scanning. The effect, in this case, was that five malicious destinations were laundered behind a domain that both humans and automated scanners associate with legitimate security infrastructure. The rewrite does not change where a link goes; it only hides the destination behind a token that the recipient's stack cannot unwrap statically, and defers the decision to whatever click-time check the wrapping organization's deployment performs.

Four of the five malicious links had empty display text, making them invisible to anyone reading the email normally. The fifth was displayed as the word "here." at the bottom of the message, a classic low-friction lure positioned where a privacy notice or footer link would typically appear.

According to the FBI IC3 2024 Internet Crime Report, business email compromise caused over $2.9 billion in reported losses. Attacks that leverage existing supplier relationships and trusted infrastructure represent the fastest-growing segment of that figure.

Authentication Passed. Content Didn't.

The email's authentication results tell a story that security teams see with increasing frequency in VEC cases.

SPF: Pass. The sending IP (64[.]78[.]48[.]227) was explicitly listed in the supplier domain's SPF record, which authorizes a broad /18 CIDR block across its hosting provider.

DKIM: Absent. No signature was present in the headers, and the supplier domain publishes no DKIM selector, so there was nothing for the receiving infrastructure to validate against. Without DKIM, nothing in the message cryptographically ties its content to the sending domain; SPF only vouches for the connecting IP.

DMARC: bestguesspass. This is the Microsoft 365 result for a domain that publishes no DMARC record at all: the receiving mail transfer agent evaluates the message as if p=none had been published and reports a pass on SPF alignment alone. With no record, or with p=none, even a DMARC failure would have resulted in no enforcement action.

compauth: Pass (reason code 109, which Microsoft documents as an authentication pass; here that pass rested on SPF alignment with no DKIM signature).

This authentication profile is common among small and mid-size manufacturers. The domain's WHOIS record shows creation in February 2000, and the zone is not DNSSEC-signed. The infrastructure is legitimate, well-established, and configured with just enough email authentication to pass basic checks while leaving the door open for abuse: any host in the broad SPF range, including the supplier's own relay carrying mail from a hijacked mailbox, produces the same clean verdict.
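The authentication profile above is easy to mis-read as "fully authenticated" when it is really an SPF-only pass with no DKIM and no DMARC record. The following Python is an added example, not IRONSCALES code: it parses a Microsoft-style Authentication-Results header and the sender domain's DMARC TXT record (both constructed here to match the results the article reports) and labels how much the pass is actually worth. The `auth_strength` labels are my own classification, not a vendor taxonomy.

```python
"""Classify how strong a message's authentication pass really is, from the
Authentication-Results header and the sender domain's DMARC record.  Added
example; the header and DNS record below are constructed to match the
profile described in the article (SPF pass, no DKIM, no DMARC record)."""
import re


def parse_auth_results(header: str) -> dict:
    """Parse 'spf=pass ... ; dkim=none ...; dmarc=...; compauth=pass reason=109'
    into {method: {"result": ..., prop: value, ...}}.  Parenthesised comments
    such as '(sender IP is ...)' are dropped before tokenising."""
    header = re.sub(r"\([^)]*\)", "", header)
    results = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue                       # authserv-id or empty clause
        method, _, verdict = tokens[0].partition("=")
        props = dict(t.partition("=")[::2] for t in tokens[1:] if "=" in t)
        results[method.lower()] = {"result": verdict.lower(), **props}
    return results


def dmarc_policy(txt_record):
    """Return the p= tag from a _dmarc TXT record, or None when no record exists."""
    if not txt_record:
        return None
    tags = dict(t.strip().partition("=")[::2]
                for t in txt_record.split(";") if "=" in t)
    return tags.get("p", "none").lower()


def auth_strength(auth: dict, policy):
    """Map parsed results plus the published policy to a label a rule can key on."""
    spf = auth.get("spf", {}).get("result")
    dkim = auth.get("dkim", {}).get("result")
    dmarc = auth.get("dmarc", {}).get("result")
    if dkim == "pass" and dmarc == "pass" and policy in ("quarantine", "reject"):
        return "strong"                    # signed, aligned, owner enforces
    if spf == "pass" and dkim != "pass":
        # SPF-only pass: any host in the SPF range, or a compromised mailbox
        # relaying through the legitimate MTA, earns exactly this verdict.
        if policy is None or dmarc == "bestguesspass":
            return "weak:spf-only,no-dmarc-record"   # M365 'bestguesspass'
        if policy == "none":
            return "weak:spf-only,dmarc-p=none"
        return "moderate:spf-only"
    return "fail-or-unknown"


# Constructed header in Exchange Online format, modelled on the results the
# article reports for the supplier domain.  Not the incident's actual header.
SAMPLE_HEADER = (
    "spf=pass (sender IP is 64.78.48.227) smtp.mailfrom=carichardson.com; "
    "dkim=none (message not signed) header.d=none; "
    "dmarc=bestguesspass action=none header.from=carichardson.com; "
    "compauth=pass reason=109"
)
SAMPLE_DMARC = None     # constructed: no _dmarc TXT record published


def assess(header=SAMPLE_HEADER, dmarc_record=SAMPLE_DMARC):
    auth = parse_auth_results(header)
    return auth, auth_strength(auth, dmarc_policy(dmarc_record))


if __name__ == "__main__":
    parsed, label = assess()
    for method, fields in parsed.items():
        print(f"{method:9s} {fields}")
    print("strength:", label)
```

A rule keyed on this label lets a pipeline treat "weak:spf-only" messages from external domains as unauthenticated for the purpose of URL and content analysis, while still letting them through, which is what the article's detection effectively did by ignoring the authentication signals and scoring the redirect chains instead.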

The Microsoft Digital Defense Report 2024 notes that threat actors increasingly target organizations with permissive DMARC policies specifically because compromised accounts on those domains produce fully authenticated messages.


Why the Gateway Let It Through

Traditional secure email gateways evaluate messages at the perimeter using a combination of sender reputation, authentication results, and static content rules. This email defeated all three layers.

Sender reputation was clean. The domain is 25 years old, actively used for legitimate business correspondence, and had no prior abuse history. The sending IP resolved to a known mail relay within the supplier's hosting provider.

Authentication passed at every checkpoint. SPF aligned. DMARC did not enforce. The message was accepted, stamped SCL=1 (low spam confidence), and delivered to the inbox.

Content analysis found nothing actionable. The body text was a single benign sentence about a pipe fitting sample. No credential requests, no payment instructions, no urgency triggers. Cisco Talos (IronPort) scored the message as LEGIT with a spam score of zero.

The malicious payload lived entirely in the URL layer, and the URLs themselves were wrapped in a security vendor's redirect domain. This is the VEC playbook refined to its most effective form: compromise a trusted account, reply within an existing thread, and let the victim's own security stack validate the message on arrival.

The Verizon 2024 Data Breach Investigations Report found that 68% of breaches involved a human element, with phishing and pretexting as the top social engineering vectors. Thread hijacking collapses the trust verification step entirely because the recipient is already engaged in the conversation.

How the Attack Maps to MITRE ATT&CK

Technique                      | ID        | Application
Spearphishing Link             | T1566.002 | Five malicious url[.]emailprotection[.]link redirects embedded in message
Trusted Relationship           | T1199     | Exploited active supplier relationship and existing email thread
Valid Accounts                 | T1078     | Compromised supplier email account with full SPF authorization
User Execution: Malicious Link | T1204.001 | "here." display text lure positioned as footer link

Thread Hijack IOCs

Type                    | Value | Context
Sender Domain           | carichardson[.]com | Compromised supplier (est. 2000)
Sending IP              | 64[.]78[.]48[.]227 | Authorized mail relay, SPF pass
Originating IP          | 96[.]230[.]102[.]31 | Client submission IP (x-originating-ip header)
Redirect Domain         | url[.]emailprotection[.]link | Proofpoint URL Defense wrapper (5 malicious instances)
Malicious Link (sample) | hxxps://url[.]emailprotection[.]link/?bH1bmLuRP-9egfczNVLB6hb63GrVthrlQktmbLWCdnlWW_85hK[...] | Tokenized redirect, verdict: malicious
Display Text Lure       | "here." | Only visible malicious link anchor in message body
Auth Result             | SPF=pass, DKIM=none, DMARC=bestguesspass, compauth=pass | Full authentication pass on compromised account

What This Means for Defenders

This attack succeeded at the gateway because every traditional trust signal confirmed the message was safe. The domain was old and reputable. The authentication passed. The body was clean. The URLs were wrapped in a security vendor's own protection layer.

IRONSCALES AI-powered analysis identified the malicious link verdicts across all five redirect chains and quarantined four affected mailboxes within three minutes. The detection was driven by real-time URL verdict analysis rather than sender reputation or authentication signals, both of which were clean.

The lesson for security teams is structural. URL rewriting services are designed to protect recipients at click time, but when the compromised sender's organization deploys these services on outbound mail, the rewriting happens before the message leaves. The attacker benefits from the obfuscation without ever interacting with the security product directly.

Organizations evaluating their email security stack should verify that their detection capability extends beyond URL domain reputation to include real-time analysis of redirect chains, even when those chains originate from trusted security infrastructure. Two practical checks follow from this case: treat an SPF-only pass from a domain with no DKIM and no DMARC record as unauthenticated for the purpose of content and URL scoring, and treat anchors with empty or generic display text behind an opaque rewriter domain as requiring a click-time or sandbox verdict rather than a reputation lookup. Layered detection that operates independently of sender authentication results is consistent with CISA's general guidance on business email compromise.

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 30,000+ security professionals. Each post breaks down one attack — what it looked like, why it worked, and what you can do about it.