SPF passed. DKIM passed. DMARC passed. The message arrived looking exactly like a routine Hebrew-language marketing blast from a union member-benefits program. Nestled inside were two did[.]li link-shortener URLs. Both resolved to attacker-influenced destinations. Neither was visible to the reputation filters that had just cleared the message.
That gap -- authentication covers the carrier, not the cargo -- is what this campaign exploited.
The message was delivered through Pulseem, a commercial email service provider operating via youlinktv[.]com infrastructure. The sending host was mailbu[.]youlinktv[.]com at IP 62.219.80[.]123, routed through Microsoft Office 365 frontends before reaching inboxes at a large maritime shipping and logistics company. The authentication record was clean on every dimension:
- SPF: 62.219.80[.]123 was an authorized sender for the bounce domain youlinktv[.]com
- DKIM: a valid signature under youlinktv[.]com and one under the brand's own domain
- DMARC: header.from aligned with a domain that had a valid DMARC record

For any email security gateway relying on these three signals to triage inbound mail, this message was clean. Compauth passed. Spam confidence score registered as benign. The message content -- the part containing the actual threat -- never entered that evaluation.
According to the Verizon 2026 Data Breach Investigations Report, phishing remains the initial access vector in the majority of credential-theft incidents, with 39% of breaches tracing back to stolen credentials (Verizon DBIR 2026). Campaigns that clear authentication by design -- rather than by accident -- represent the leading edge of that threat.
The email body was a well-formatted HTML marketing message in Hebrew, consistent with a genuine promotional campaign from a union member-benefits club. Subject lines, branding, and layout matched what a real marketing blast from this type of sender would look like. The campaign even carried proper List-Unsubscribe headers and tracking metadata, including a UTM string (zarchanut21122025b) that tied the sends to a named batch.
This is deliberate. When a phishing message mixes 30 clean links with two malicious ones, automated scanners face a signal-to-noise problem. The legitimate links in this campaign included product pages on recognized retail and membership platforms, social media profiles, YouTube content, and WhatsApp channels. All scanned clean. The Pulseem redirect links (pulseem[.]com/Pulseem/Home/LinkRedirect.axd) were also clean. The attack surface was exactly two URLs.
Those two URLs were did[.]li/sWXIw and did[.]li/kRFx5.
did[.]li is a commercial link-shortening service. Used legitimately, it allows marketers to create shortened or branded redirect URLs. Used in this campaign, it severed the visible link from the actual destination, defeating any scanner that checked only the top-level domain without following the redirect chain.
The full URLs carried UTM parameters that confirmed they were part of the same named campaign batch:
```
hxxps://did[.]li/sWXIw?utm_campaign=zarchanut21122025b&utm_medium=Email&utm_source=[...]
hxxps://did[.]li/kRFx5?utm_campaign=zarchanut21122025b&utm_medium=Email&utm_source=[...]
```
Following did[.]li/sWXIw resolved to a union member-benefits portal login page prompting visitors to enter a national identification number to authenticate. A national ID number is a high-value credential that enables account takeover, identity fraud, and further downstream access. The page presented a visually credible registration interface with form fields, a prominent call-to-action, and member-benefit copy. Credential harvesting via imitation of a trusted portal is one of the most effective social-engineering techniques precisely because the visual context matches what victims expect. This maps to MITRE ATT&CK T1566.002: Phishing via Spearphishing Link.
The second shortener, did[.]li/kRFx5, resolved to a YouTube channel page. Both URLs received explicit malicious verdicts from IRONSCALES link scanners with screenshots captured. Whether the second link was intended as a tracking pivot, engagement decoy, or secondary redirect that had not yet been armed at scan time, the scanner verdict was unambiguous: malicious.
This is the core detection gap the campaign was designed to exploit. A gateway that resolves did[.]li and finds a YouTube page at scan time may return a clean verdict. A gateway that evaluates only the shortener domain's reputation may return clean because did[.]li is not itself a blocklisted domain. The only path to a correct verdict is behavioral analysis of the full redirect chain, correlation of both links against each other and against the campaign context, and community intelligence that has already classified the shortener-ESP pairing as a threat vector.
This case is a clean illustration of a persistent misconception. SPF, DKIM, and DMARC certify one thing: that the sending mail server was authorized to send on behalf of the stated domain. When a legitimate ESP like Pulseem sends a message, all three checks confirm that Pulseem's infrastructure is authorized. That is all they confirm.
They do not evaluate the links inside the message. They do not evaluate whether those links have been substituted with malicious redirects. They do not validate the identity of whoever uploaded the campaign to the ESP's platform. The authentication chain ends at the ESP's sending server. Everything beyond that is invisible to it.
CISA has documented this class of attack in its phishing guidance, noting that authentication headers provide no assurance about the intent of message content. NIST's definition of phishing similarly distinguishes between technical delivery authentication and the social engineering embedded in the payload. MITRE documents the broader phishing technique family at T1566.
For the maritime shipping and logistics company targeted here, four employee mailboxes received the campaign. All four were quarantined and mitigated within seconds of IRONSCALES classification.
Three conclusions for security teams evaluating their email stack against this attack class:

1. **Follow the redirect, not the domain.** A scanner that checks did[.]li against a blocklist and finds it clean has not checked the threat. The threat lives one hop downstream. Link-analysis tools that do not resolve shorteners to final destinations before issuing verdicts will miss this category of attack.
2. **ESP reputation is not sender reputation.** When Pulseem's authentication passes, that confirms Pulseem's authorization, not the legitimacy of whoever uploaded this campaign. Treating ESP pass as a trust signal for content is a category error that attackers deliberately exploit. Behavioral AI that evaluates advanced malware and URL threats at the link-destination level, not just the sending-infrastructure level, is required to close this gap.
3. **Community intelligence catches what individual scan verdicts miss.** When a single shortener URL has been seen across multiple organizations in the IRONSCALES network and classified as malicious by security professionals, that collective signal propagates faster than any single organization's scanner can generate a verdict. Federated classification is the architecture that makes shortener-in-ESP campaigns detectable at the speed they operate.
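The detection gap described above (resolve the full redirect chain, correlate sibling links by campaign) as an added example that is not from the original post or from IRONSCALES: it confirms that SPF/DKIM/DMARC passed, then contrasts a verdict on the visible shortener host with one on the resolved final hop, and ties links together by shortener host plus utm_campaign. The message, hosts, redirect table and blocklist are constructed stand-ins so the script runs offline; a real scanner would request each hop with redirects disabled.

```python
import email, re
from email import policy
from urllib.parse import urlsplit, parse_qs

# Constructed sample modelled on the campaign above; every host is a placeholder, not a real IoC.
RAW = b"""Authentication-Results: mx.example; spf=pass; dkim=pass header.d=esp.example; dmarc=pass header.from=brand.example
From: Member Benefits <news@brand.example>
Content-Type: text/html; charset=utf-8

<html><body><a href="https://shop.example/deal">Deal</a>
<a href="https://esp.example/LinkRedirect?u=1">Track</a>
<a href="https://short.example/sWXIw?utm_campaign=batch1">Join</a>
<a href="https://short.example/kRFx5?utm_campaign=batch1">Video</a></body></html>
"""
# Stand-in for HTTP 3xx Location answers, keyed without the query string. Real code would
# request each hop with redirects disabled and read the Location header itself.
REDIRECTS = {"https://short.example/sWXIw": "https://login.portal-lookalike.example/verify",
             "https://short.example/kRFx5": "https://video.example/channel",
             "https://esp.example/LinkRedirect": "https://shop.example/deal"}
BLOCKLIST = {"login.portal-lookalike.example"}  # constructed reputation data

def auth_passed(msg):
    """True when SPF, DKIM and DMARC all report pass: says nothing about the links."""
    results = msg.get("Authentication-Results", "")
    return all(f"{m}=pass" in results for m in ("spf", "dkim", "dmarc"))

def follow(url, max_hops=5):
    """Redirect chain starting at url; stops on a loop or at max_hops instead of spinning."""
    chain = [url]
    while len(chain) <= max_hops:
        p = urlsplit(chain[-1])
        nxt = REDIRECTS.get(f"{p.scheme}://{p.netloc}{p.path}")
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain

def campaign_key(url):  # (host, utm_campaign) ties links from one shortener batch together
    p = urlsplit(url)
    return p.hostname, parse_qs(p.query).get("utm_campaign", [None])[0]

def assess(raw=RAW):
    msg = email.message_from_bytes(raw, policy=policy.default)
    links = re.findall(r'href="([^"]+)"', msg.get_content())  # fine for the sample; use an HTML parser in production
    by_domain = [u for u in links if urlsplit(u).hostname in BLOCKLIST]             # visible host only
    by_chain = [u for u in links if urlsplit(follow(u)[-1]).hostname in BLOCKLIST]  # final hop
    bad_keys = {campaign_key(u) for u in by_chain}
    return {"auth_pass": auth_passed(msg), "links": len(links), "flagged_by_domain": by_domain,
            "flagged_by_chain": by_chain, "correlated": [u for u in links if campaign_key(u) in bad_keys]}
```

With the sample, authentication passes and the visible-host check flags nothing, while the resolved chain flags the first shortener and the campaign key pulls in its sibling.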
---
| Type | Indicator | Context |
|---|---|---|
| Malicious URL | hxxps://did[.]li/sWXIw | Link shortener resolving to credential-harvesting login portal |
| Malicious URL | hxxps://did[.]li/kRFx5 | Link shortener with malicious scanner verdict |
| Sending IP | 62.219.80[.]123 | Pulseem/youlinktv ESP sending host, geolocated Israel |
| Sending Host | mailbu[.]youlinktv[.]com | Pulseem ESP relay infrastructure |
| Campaign UTM | zarchanut21122025b | Batch identifier linking both malicious shortener URLs |
| Authentication Result | SPF/DKIM/DMARC all pass | Confirms ESP authorization; does not validate link payload |