The ESP Passed SPF, DKIM, and DMARC. The Shortener Hid Where the Link Actually Went.

TL;DR Attackers embedded two did[.]li link-shortener URLs inside a Hebrew-language marketing campaign delivered through the legitimate Pulseem ESP. The message passed SPF, DKIM, and DMARC because the authentication verified Pulseem's sending infrastructure, not the payload. Both shorteners resolved to attacker-influenced destinations including a credential-harvesting union-benefits login portal. IRONSCALES flagged the shortened links via scanner verdicts and behavioral analysis despite a flawless authentication record.
Severity: High
Tags: Credential Harvesting, ESP Abuse, Link Shortener Obfuscation
MITRE ATT&CK: T1566, T1566.002, T1598.003

SPF passed. DKIM passed. DMARC passed. The message arrived looking exactly like a routine Hebrew-language marketing blast from a union member-benefits program. Nestled inside were two did[.]li link-shortener URLs. Both resolved to attacker-influenced destinations. Neither was visible to the reputation filters that had just cleared the message.

That gap -- authentication covers the carrier, not the cargo -- is what this campaign exploited.


What Passed Every Authentication Check

The message was delivered through Pulseem, a commercial email service provider operating via youlinktv[.]com infrastructure. The sending host was mailbu[.]youlinktv[.]com at IP 62.219.80[.]123, routed through Microsoft Office 365 frontends before reaching inboxes at a large maritime shipping and logistics company. The authentication record was clean on every dimension:

  • SPF: Pass -- 62.219.80[.]123 was an authorized sender for the bounce domain
  • DKIM: Pass -- two valid signatures, one under youlinktv[.]com and one under the brand's own domain
  • DMARC: Pass -- header.from aligned with a domain that had a valid DMARC record

For any email security gateway relying on these three signals to triage inbound mail, this message was clean. Compauth passed. Spam confidence score registered as benign. The message content -- the part containing the actual threat -- never entered that evaluation.

According to the Verizon 2026 Data Breach Investigations Report, phishing remains the initial access vector in the majority of credential-theft incidents, with 39% of breaches tracing back to stolen credentials (Verizon DBIR 2026). Campaigns that clear authentication by design -- rather than by accident -- represent the leading edge of that threat.

The Campaign Structure: Legitimate Links as Cover

The email body was a well-formatted HTML marketing message in Hebrew, consistent with a genuine promotional campaign from a union member-benefits club. Subject lines, branding, and layout matched what a real marketing blast from this type of sender would look like. The campaign even carried proper List-Unsubscribe headers and tracking metadata, including a UTM string (zarchanut21122025b) that tied the sends to a named batch.

This is deliberate. When a phishing message mixes 30 clean links with two malicious ones, automated scanners face a signal-to-noise problem. The legitimate links in this campaign included product pages on recognized retail and membership platforms, social media profiles, YouTube content, and WhatsApp channels. All scanned clean. The Pulseem redirect links (pulseem[.]com/Pulseem/Home/LinkRedirect.axd) were also clean. The attack surface was exactly two URLs.

Those two URLs were did[.]li/sWXIw and did[.]li/kRFx5.

How the Shortener Hid the Payload

did[.]li is a commercial link-shortening service. Used legitimately, it allows marketers to create shortened or branded redirect URLs. Used in this campaign, it severed the visible link from the actual destination, defeating any scanner that checked only the top-level domain without following the redirect chain.

The full URLs carried UTM parameters that confirmed they were part of the same named campaign batch:

```text
hxxps://did[.]li/sWXIw?utm_campaign=zarchanut21122025b&utm_medium=Email&utm_source=[...]
hxxps://did[.]li/kRFx5?utm_campaign=zarchanut21122025b&utm_medium=Email&utm_source=[...]
```

Following did[.]li/sWXIw resolved to a union member-benefits portal login page prompting visitors to enter a national identification number to authenticate. A national ID number is a high-value credential that enables account takeover, identity fraud, and further downstream access. The page presented a visually credible registration interface with form fields, a prominent call-to-action, and member-benefit copy. Credential harvesting via imitation of a trusted portal is one of the most effective social-engineering techniques precisely because the visual context matches what victims expect. This maps to MITRE ATT&CK T1566.002: Phishing via Spearphishing Link.

The second shortener, did[.]li/kRFx5, resolved to a YouTube channel page. Both URLs received explicit malicious verdicts from IRONSCALES link scanners with screenshots captured. Whether the second link was intended as a tracking pivot, engagement decoy, or secondary redirect that had not yet been armed at scan time, the scanner verdict was unambiguous: malicious.

This is the core detection gap the campaign was designed to exploit. A gateway that resolves did[.]li and finds a YouTube page at scan time may return a clean verdict. A gateway that evaluates only the shortener domain's reputation may return clean because did[.]li is not itself a blocklisted domain. The only path to a correct verdict is behavioral analysis of the full redirect chain, correlation of both links against each other and against the campaign context, and community intelligence that has already classified the shortener-ESP pairing as a threat vector.

What Authentication Actually Certifies

This case is a clean illustration of a persistent misconception. SPF, DKIM, and DMARC certify one thing: that the sending mail server was authorized to send on behalf of the stated domain. When a legitimate ESP like Pulseem sends a message, all three checks confirm that Pulseem's infrastructure is authorized. That is all they confirm.

They do not evaluate the links inside the message. They do not evaluate whether those links have been substituted with malicious redirects. They do not validate the identity of whoever uploaded the campaign to the ESP's platform. The authentication chain ends at the ESP's sending server. Everything beyond that is invisible to it.

CISA has documented this class of attack in its phishing guidance, noting that authentication headers provide no assurance about the intent of message content. NIST's definition of phishing similarly distinguishes between technical delivery authentication and the social engineering embedded in the payload. MITRE documents the broader phishing technique family at T1566.

For the maritime shipping and logistics company targeted here, four employee mailboxes received the campaign. All four were quarantined and mitigated within seconds of IRONSCALES classification.

What This Means for Defenders

Three conclusions for security teams evaluating their email stack against this attack class:

Follow the redirect, not the domain. A scanner that checks did[.]li against a blocklist and finds it clean has not checked the threat. The threat lives one hop downstream. Link-analysis tools that do not resolve shorteners to final destinations before issuing verdicts will miss this category of attack.

ESP reputation is not sender reputation. When Pulseem's authentication passes, that confirms Pulseem's authorization, not the legitimacy of whoever uploaded this campaign. Treating ESP pass as a trust signal for content is a category error that attackers deliberately exploit. Behavioral AI that evaluates advanced malware and URL threats at the link-destination level, not just the sending-infrastructure level, is required to close this gap.

Community intelligence catches what individual scan verdicts miss. When a single shortener URL has been seen across multiple organizations in the IRONSCALES network and classified as malicious by security professionals, that collective signal propagates faster than any single organization's scanner can generate a verdict. Federated classification is the architecture that makes shortener-in-ESP campaigns detectable at the speed they operate.
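The detection gap described above (clean authentication headers, a shortener that must be resolved to its final hop, and two links tied together by one UTM batch) can be shown end to end. This is an added example, not IRONSCALES code: the raw message, the shortener domain `short.test`, the batch id `batch1` and the redirect map standing in for live `Location` headers are all constructed.

```python
import re
from email import message_from_string
from urllib.parse import parse_qs, urlparse

# Constructed sample: authentication passes, yet the body carries two shortener
# links that share one utm_campaign batch (hypothetical hosts and values).
RAW_EMAIL = """Authentication-Results: mx.example; spf=pass; dkim=pass; dmarc=pass
From: club@example-brand.test
Subject: Member benefits
Content-Type: text/html

<a href="https://shop.example.test/deal">Deal</a>
<a href="https://short.test/abc?utm_campaign=batch1&utm_medium=Email">Login</a>
<a href="https://short.test/xyz?utm_campaign=batch1&utm_medium=Email">Video</a>
"""

SHORTENERS = {"short.test"}  # assumed list of shortener domains to always resolve

# Constructed redirect map; in production replace the lookup with HEAD requests
# that read the Location header without auto-following redirects.
REDIRECTS = {
    "https://short.test/abc": "https://benefits-login.test/auth",
    "https://short.test/xyz": "https://video.test/channel",
}

def auth_results(msg):
    """Return {'spf': 'pass', ...} from Authentication-Results; says nothing about links."""
    header = msg.get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))

def resolve_chain(url, lookup, max_hops=5):
    """Follow the redirect chain hop by hop, stopping on loops or the hop limit."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = lookup.get(chain[-1].split("?", 1)[0])  # query string is not part of the key
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain

def analyze(raw, lookup=REDIRECTS):
    """Flag shortener links by their final destination, and correlate them by UTM batch."""
    msg = message_from_string(raw)
    findings = []
    for link in re.findall(r'href="([^"]+)"', msg.get_payload()):
        parsed = urlparse(link)
        if parsed.hostname not in SHORTENERS:
            continue  # a reputation check on the visible domain would stop here
        chain = resolve_chain(link, lookup)
        batch = parse_qs(parsed.query).get("utm_campaign", [None])[0]
        findings.append({"url": link, "final": chain[-1], "hops": len(chain) - 1, "batch": batch})
    batches = {f["batch"] for f in findings if f["batch"]}
    shared = [b for b in batches if sum(f["batch"] == b for f in findings) > 1]
    return {"auth": auth_results(msg), "shortener_links": findings, "shared_batches": shared}
```

The verdict belongs to the `final` field and to `shared_batches`, never to `auth`: a clean authentication dict alongside a shortener landing on a login host is exactly the pattern this campaign relied on.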

---

Indicators of Compromise

| Type | Indicator | Context |
|---|---|---|
| Malicious URL | hxxps://did[.]li/sWXIw | Link shortener resolving to credential-harvesting login portal |
| Malicious URL | hxxps://did[.]li/kRFx5 | Link shortener with malicious scanner verdict |
| Sending IP | 62.219.80[.]123 | Pulseem/youlinktv ESP sending host, geolocated Israel |
| Sending Host | mailbu[.]youlinktv[.]com | Pulseem ESP relay infrastructure |
| Campaign UTM | zarchanut21122025b | Batch identifier linking both malicious shortener URLs |
| Authentication Result | SPF/DKIM/DMARC all pass | Confirms ESP authorization; does not validate link payload |

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
