Every Link Was Legitimate: A Reply-To Lookalike That Hid in a Clean Procurement Email

Written by Audian Paxson | Apr 8, 2025 11:00:00 AM
TL;DR An attacker impersonated an established manufacturer by sending through Amazon SES, pointing all body links to the real manufacturer's legitimate website, and burying a one-character lookalike domain exclusively in the Reply-To header. Full authentication passed. Every link scanned clean. The attack required only that the recipient reply to the email, at which point all responses went to attacker-controlled infrastructure.
Severity: High | Tags: Vendor Email Compromise, Reply-To Diversion, Impersonation, Phishing | MITRE: T1656, T1583.001

A sales training director at a facilities services company received a procurement inquiry from what looked like an established manufacturer. The display name named the brand and a contact at it. The body linked to the manufacturer's real, legitimate website. Two clicks on those links would take the recipient to a live, verified business.

SPF passed. DKIM passed. DMARC passed. Community reputation flagged it.

The tell was a single added character in the Reply-To field, on a domain registered five days before the email arrived.

The setup: three domains, one visible

To understand this attack, count the domains involved.

The message's From header carried an address on an unrelated third-party domain, sent through Amazon SES. That domain authenticated cleanly: SPF passed for the Amazon SES sending IP, DKIM validated signatures for both the From domain and Amazon SES, and DMARC returned a pass for the header From. From a technical inspection standpoint, the message was what it claimed to be.

The body contained links to the manufacturer's real website, a company established in 1996 with a 29-year-old domain. Both links scanned clean. Link scanning saw a long-lived, legitimate domain with no malicious history.

Then there was the Reply-To: an address on a domain with one extra letter added to the manufacturer's name, registered December 3, 2025, five days before the email arrived. No DMARC record. No DKIM. No DNSSEC. Brand new, minimal infrastructure, maximum resemblance.

That third domain is the entire attack. Everything else was cover.

Why Reply-To diversion works

When a recipient reads the email, they see the display name (the manufacturer's brand plus a contact name) and whatever the mail client renders as the sender line. Few recipients read the raw headers. Fewer still compare the From domain to the Reply-To domain on a routine procurement inquiry.

When they click Reply, the mail client silently addresses the response to the Reply-To field. The recipient believes they are corresponding with the manufacturer. Every message they send goes to the attacker. Purchase orders, project specifications, pricing discussions, delivery addresses: all of it routes to attacker-controlled infrastructure while the conversation feels like a normal vendor exchange.

These are the mechanics of vendor email compromise. The attacker does not need to break into any system. They need the target to reply. That is why the body links were kept clean and pointed to the real manufacturer's site: friction-free delivery maximizes the chance of a reply.

What the lookalike domain looked like

The lookalike domain added a single letter to the manufacturer's name. That kind of one-character insertion is typosquatting, a technique where a domain is registered to look like a trusted name at a glance while being different enough to be attacker-controlled.

The lookalike domain was registered December 3, 2025, five days before the email. Registration through a standard registrar with WHOIS privacy, no DMARC, no DKIM, no DNSSEC. The domain published no records that would allow email receivers to validate messages sent from it or to bounce unauthorized use back to a reporting address.

A 29-year age gap between the real domain (1996) and the lookalike (2025) is a significant signal for any detection system that compares domain registration dates. The attacker counted on that comparison not being made at delivery time.

The persona in the display name was constructed to look like someone who might work at the manufacturer: the brand name followed by a contact name in the display field, with the sender address constructed to match a plausible employee mailbox on the lookalike domain. The impersonation layer did not require compromising any real account. The attacker fabricated the identity from scratch.

The MITRE framing

Two ATT&CK techniques describe this attack precisely. Acquire Infrastructure: Domains covers the deliberate registration of the lookalike domain in advance. Impersonation covers the use of the manufacturer's brand name and a fabricated contact persona to exploit an existing trust relationship.

The message also carried a set of automated template tokens in its HTML: timestamp identifiers, a session ID, a reference number. These appear in the source rather than the rendered body and indicate the message was built using an automated mailing tool, not composed by hand. The preheader text referenced an account status notification while the subject line described a collaboration inquiry, an inconsistency that also appears in templated mass mailings and is invisible to most recipients. High-priority flags (X-Priority: 1, Importance: High) were set explicitly in the headers to push the message toward the top of the inbox.

What caught it

Authentication confirmed the message was legitimately sent. Link scanning confirmed the body links were clean. What flagged the attack was community reputation analysis: the IRONSCALES community had seen similar message patterns before, and federation-model scoring weighted those prior signals against this email's characteristics.

The recipient had no prior history with this sender. The From domain was a first-time sender to the organization. The combination of a fresh-registered Reply-To domain, automated template artifacts, and a known impersonation pattern was enough for the system to quarantine the message automatically.

That is the gap a secure email gateway operating on content and link reputation alone would not close. The body links were clean. The authentication was clean. The risk was in a header field that most inspection systems check for technical validity, not for semantic similarity to a known vendor domain.

Indicators of compromise

Type | Indicator | Context
Domain | daresproducts[.]com | Lookalike Reply-To domain, one character added; registered Dec 3, 2025, five days before send
Behavior | Reply-To diverges from From domain | Responses route silently to attacker-controlled domain
Behavior | Domain age gap | Lookalike registered 2025 vs. real manufacturer domain registered 1996
Auth | SPF pass, DKIM pass, DMARC pass | Genuine authentication for From domain via Amazon SES; Reply-To domain has no auth records
Behavior | First-time sender | No prior relationship between this organization and the From domain
Behavior | Automated template artifacts | Timestamp/session tokens in HTML, preheader and subject mismatch, high-priority flags

What defenders should watch for

Reply-To diversion is hard to catch by reading the message. The body looks right, the links go to real places, and the authentication is clean. The attack lives in a header field that most mail clients hide by default.

Detection requires comparing the Reply-To domain against the display name and the From domain at delivery time, then checking whether the Reply-To domain was recently registered. A manufacturer with a 29-year-old domain does not route replies through a five-day-old lookalike. That mismatch is detectable if the system looks for it.
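One way to implement the delivery-time check described above, as an added example in Python (not IRONSCALES' detection code): it parses a constructed message, flags a Reply-To that diverges from the From domain, matches the Reply-To domain against a known vendor domain by edit distance, and compares a registration date to the delivery date. The domain names, dates and the REGISTRATION_DATES table are assumptions standing in for a WHOIS/RDAP lookup.

```python
import email
from email.utils import parseaddr
from datetime import date

# Constructed sample, not the original message: an unrelated From domain,
# a display name claiming the vendor, and a one-character lookalike Reply-To.
SAMPLE_EMAIL = """\
From: "Example Manufacturing - J. Doe" <notify@unrelated-sender.example>
Reply-To: j.doe@examplle-mfg.example
Subject: Collaboration inquiry

Please see our catalog at https://example-mfg.example/catalog
"""

# Constructed registration dates standing in for a WHOIS/RDAP lookup.
REGISTRATION_DATES = {
    "example-mfg.example": date(1996, 5, 1),
    "examplle-mfg.example": date(2025, 12, 3),
}

def domain_of(addr: str) -> str:
    """Bare lowercase domain from a header address (empty if the header is absent)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a single inserted letter scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_reply_to(raw: str, known_vendors: dict, received: date, max_age_days: int = 30) -> list:
    """Return Reply-To diversion findings for one message; known_vendors maps brand -> domain."""
    msg = email.message_from_string(raw)
    display = parseaddr(msg.get("From", ""))[0].lower()
    from_dom, reply_dom = domain_of(msg.get("From", "")), domain_of(msg.get("Reply-To", ""))
    findings = []
    if reply_dom and reply_dom != from_dom:
        findings.append("reply_to_diverges_from_from")
    for brand, vendor_dom in known_vendors.items():
        # Display name claims the vendor, but neither sending nor reply domain is the vendor's.
        if brand in display and vendor_dom not in (from_dom, reply_dom):
            findings.append(f"display_name_claims:{vendor_dom}")
        if reply_dom != vendor_dom and edit_distance(reply_dom, vendor_dom) <= 1:
            findings.append(f"reply_to_lookalike_of:{vendor_dom}")
    reg = REGISTRATION_DATES.get(reply_dom)
    if reg is not None and (received - reg).days <= max_age_days:
        findings.append(f"reply_to_domain_age_days:{(received - reg).days}")
    return findings
```

A real deployment would replace REGISTRATION_DATES with a live registration lookup and the vendor map with the organization's known supplier list.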

The FBI IC3 2024 report continues to rank business email compromise and vendor fraud among the highest-loss categories by reported dollar amount, and reply-to diversion is one of the lighter-infrastructure variants: no compromised accounts needed, no malware, no suspicious links, just a domain registration and a clean-looking email.

The real manufacturer's website is 29 years old and perfectly legitimate. The attacker used that legitimacy as camouflage for a domain registered days earlier. Every scanner saw the right links. Every authentication check said yes. The reply address was the whole game.

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack. What it looked like, why it worked, and what to do about it.
