The Philips Respironics CPAP recall is one of the largest medical device settlements in recent history, with billions of dollars at stake and millions of affected patients. That makes it a perfect phishing pretext. An email landed in the inbox of a legal professional representing settlement claimants, formatted as an official notification from the settlement administrator, complete with a claimant ID, a named individual, and instructions to log into the Settlement Program Portal. Every email authentication check passed. The IRONSCALES community flagged it at 87% confidence anyway.
The message claimed to be from the Philips Respironics Personal Injury Settlement Program, sent by BrownGreer PLC (the actual court-appointed settlement administrator). It contained a structured table with a specific Claimant ID, a named claimant, and the notice type: "Extraordinary Injury Award Program Points Valuation Notice." The level of specificity was surgical. This was not a spray-and-pray campaign. It targeted a law firm handling settlement claims, using data that only someone with access to the settlement docket or a prior breach of claimant records would possess.
The email passed the full authentication stack. SPF validated for the sending IP (159[.]183[.]129[.]34), whose PTR record resolved to o1[.]ptr7589[.]browngreer[.]com. DKIM signature verification passed with d=respironicspisettlement[.]com using selector s1. DMARC returned pass with action=none. Microsoft's composite authentication recorded compauth=pass with reason=100, the code that means the message passed explicit authentication, the strongest trust signal the filter can assign.
The domain respironicspisettlement[.]com was registered on May 8, 2024 through Wild West Domains with full WHOIS privacy redaction. It runs on Azure DNS (ns1-35[.]azure-dns[.]com). The registrant data is completely opaque. A program-specific domain with privacy shielding is standard practice for legitimate settlement administrators, but it is also trivially reproducible by any attacker willing to spend $12 on a domain and 20 minutes on DNS configuration.
This is the core problem with authentication-dependent security models. SPF, DKIM, and DMARC answer one question: did this message come from infrastructure that the owner of the From domain authorized? They do not answer the question that actually matters: is that domain owner who the recipient believes it is, and can they be trusted? The FBI IC3 2024 report documented $2.77 billion in business email compromise losses, with a growing share involving fully authenticated sending infrastructure.
The message body instructed the recipient to "log into the Settlement Program Portal to view Notices." The visible link text displayed www[.]respironicspisettlement[.]com. The actual href pointed to u44323761[.]ct[.]sendgrid[.]net/ls/click, a SendGrid click-tracking proxy URL carrying encoded redirect parameters.
This visual/technical mismatch is the most operationally dangerous element. The recipient sees a domain that matches the sender, the settlement program, and the email content. The actual click routes through SendGrid infrastructure before reaching any destination. An attacker controlling the SendGrid account can change the redirect target after delivery without modifying the email itself. The Microsoft Digital Defense Report 2024 documented this pattern as an increasing vector: legitimate email service providers (ESPs) being weaponized as redirect intermediaries.
Microsoft Safe Links did rewrite the URL in transit, wrapping it in a safelinks.protection.outlook.com URL. The Safe Links scan returned clean because, at scan time, the tracking link resolved to the settlement portal. Safe Links also re-verifies the destination at click time, but a redirect target swapped after delivery to a page not yet known as malicious passes that check as well. Any link scan that judges a URL by where it pointed at one moment is defeated by a destination the sender can change at will.
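The display-versus-destination check described above, as an added example that is not code from the original write-up or from IRONSCALES: it walks every anchor in an HTML body, strips a Microsoft Safe Links wrapper to recover the URL it wrapped, flags a SendGrid click-tracking host as a proxy whose real destination is resolved elsewhere, and reports when the visible hostname differs from the effective one. The sample body is constructed to mirror the link described here (defanging dropped so the parser works); `upn=EXAMPLE` stands in for the encoded redirect parameters the write-up does not reproduce, and the list of tracking-host suffixes is an assumption to extend for your own environment.

```python
"""Compare what an HTML email displays against where its links actually go."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Hosts that resolve the real destination server-side at click time.
# Assumption: only SendGrid's click-tracking domain is listed; extend for other ESPs.
TRACKING_HOST_SUFFIXES = (".ct.sendgrid.net",)
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"

# Constructed sample body mirroring the link described in the write-up.
# "upn=EXAMPLE" is a placeholder for the encoded redirect parameters.
SAMPLE_HTML = """
<p>Please <a href="https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fu44323761.ct.sendgrid.net%2Fls%2Fclick%3Fupn%3DEXAMPLE&amp;data=05%7C02&amp;reserved=0">
www.respironicspisettlement.com</a> to view Notices.</p>
<p>Questions? <a href="https://www.respironicspisettlement.com/faq">www.respironicspisettlement.com/faq</a></p>
"""

# Display text that looks like a URL or a bare hostname.
DISPLAY_URL_RE = re.compile(r"^(https?://)?([a-z0-9-]+\.)+[a-z]{2,}(/\S*)?$", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def unwrap_safelinks(url):
    """Return the URL that Safe Links wrapped, or the input unchanged."""
    parts = urlsplit(url)
    if (parts.hostname or "").endswith(SAFELINKS_SUFFIX):
        inner = parse_qs(parts.query).get("url")  # parse_qs percent-decodes the value
        if inner:
            return inner[0]
    return url


def host_of(s):
    """Lowercase hostname of a URL, or of bare display text such as www.example.com."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower()


def registrable(host):
    """Crude normalisation: drop a leading www. so www.x.com and x.com compare equal."""
    return host[4:] if host.startswith("www.") else host


def analyze_anchor(href, text):
    """Classify one link: wrapper present, tracking proxy, display/href divergence."""
    effective = unwrap_safelinks(href)
    effective_host = host_of(effective)
    shown_host = host_of(text) if DISPLAY_URL_RE.match(text.strip()) else ""
    findings = []
    if effective != href:
        findings.append("safelinks_wrapped")
    if any(effective_host.endswith(suffix) for suffix in TRACKING_HOST_SUFFIXES):
        findings.append("esp_tracking_proxy")
    if shown_host:
        shown, eff = registrable(shown_host), registrable(effective_host)
        if eff != shown and not eff.endswith("." + shown):
            findings.append("display_href_mismatch")
    return {"href": href, "effective": effective, "effective_host": effective_host,
            "shown_host": shown_host, "findings": findings}


def analyze_html(html):
    """Run analyze_anchor over every link in an HTML body."""
    collector = AnchorCollector()
    collector.feed(html)
    return [analyze_anchor(href, text) for href, text in collector.anchors]


if __name__ == "__main__":
    for result in analyze_html(SAMPLE_HTML):
        print(result["shown_host"] or "(no url text)", "->", result["effective_host"], result["findings"])
```

Run as a script it prints one line per anchor; to use it on real mail, feed it the decoded `text/html` part of a parsed message. The findings are triage signals rather than verdicts: a legitimate administrator mailing through the same ESP produces the same proxy and mismatch findings, which is why the write-up pairs this check with sender context.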
Civil litigation phishing of this kind maps onto MITRE ATT&CK T1566.002 (Phishing: Spearphishing Link) and T1598.003 (Phishing for Information: Spearphishing Link). The playbook observed here breaks down into four steps:
Domain acquisition (T1583.001): Register a settlement-specific domain with privacy shielding. Configure SPF, DKIM, and DMARC. Use Azure DNS or a similarly reputable provider. Cost: under $20. Time: under an hour.
Infrastructure setup (T1585.002): Route through SendGrid or another transactional ESP. This provides click tracking, bounce handling (the Return-Path used VERP encoding: bounces+44323761-a6c1-[recipient]@em326[.]respironicspisettlement[.]com, the same numeric identifier that appears in the click-tracking host u44323761[.]ct[.]sendgrid[.]net, tying bounces and links to one ESP account), and an ESP-managed reverse DNS entry on the sending IP (here o1[.]ptr7589[.]browngreer[.]com, the o1.ptrNNNN naming SendGrid uses for customer-configured reverse DNS).
Content personalization: Populate claimant-specific data (IDs, names, notice types) sourced from public court filings, prior breaches, or purchased data broker records. The Verizon DBIR 2024 found that pretexting attacks involving fabricated scenarios increased 50% year over year.
Targeting precision: Hit law firms and legal professionals who represent claimants. These recipients expect settlement portal notifications, have a professional obligation to act on them promptly, and handle high-value financial transactions routinely.
The footer included a confidentiality notice asking misdirected recipients to "reply and then delete this message," directly contradicting the bold-text instruction that "This is a No-Reply email that cannot accept direct replies." These internal inconsistencies, while subtle, are behavioral signals that IRONSCALES Adaptive AI uses to supplement technical analysis when authentication results provide no signal.
The Themis AI engine flagged this message at 87% confidence based on community intelligence. Across the IRONSCALES network of 17,000+ customer organizations, similar messages had already been reported and resolved as phishing. The sender carried a high risk rating not because the technical indicators failed, but because the behavioral pattern, a recently registered settlement domain, an ESP click-tracking proxy, and a portal login instruction, matched campaigns that the community had already identified.
The affected mailbox was automatically mitigated within two seconds of delivery. No manual SOC intervention required.
This case illustrates a broader strategic problem. According to CISA guidance on phishing recognition, users should verify sender identity and inspect links before clicking. But when every technical indicator reads as legitimate and the content references real legal proceedings with accurate claimant data, user verification fails. The IBM Cost of a Data Breach 2024 report found that phishing-originated breaches cost an average of $4.88 million, with detection taking 261 days when organizations relied on traditional controls alone.
Treat settlement and legal portal notifications as high-risk by default. Implement mail-flow rules or detection policies that flag first-contact senders on recently registered domains regardless of authentication status.
Deploy community-informed detection. Authentication-only models cannot distinguish between a legitimate settlement administrator and an attacker who copied their DNS configuration. Crowdsourced threat intelligence provides the missing context.
Inspect link destinations, not display text. Any email where the visible URL and the actual href diverge should be treated as suspicious, regardless of the sender's authentication posture.
Verify portal access independently. Navigate directly to known settlement portals via bookmarked URLs rather than clicking embedded links, especially when the email references active legal proceedings with financial implications.
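One way to implement the first two recommendations, and the earlier point that passing SPF, DKIM and DMARC says nothing about who the domain owner is: an added example, not IRONSCALES code or a description of its engine. It parses the authentication and Microsoft anti-spam headers of a constructed message that reproduces the header facts above (the recipient, the X-SG-EID value and the receipt date are placeholders), looks up the sending domain's registration date and whether the tenant has seen it before (both from constructed tables standing in for RDAP/WHOIS and message-trace queries), and scores the message on those context factors. The threshold values and the quarantine rule are example policy, not values from the article. A constructed benign message from a previously seen domain shows the rule does not fire on every authenticated mail.

```python
"""Header-level triage that still fires when SPF, DKIM and DMARC all pass."""
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr

# Constructed message reproducing the header facts from the write-up.  The
# recipient, the X-SG-EID value and the Forefront fields beyond SCL/SFTY are
# placeholders.
RAW_MESSAGE = """\
From: Philips Respironics PI Settlement Program <noreply@respironicspisettlement.com>
Return-Path: <bounces+44323761-a6c1-counsel=lawfirm.example@em326.respironicspisettlement.com>
Authentication-Results: spf=pass (sender IP is 159.183.129.34) smtp.mailfrom=em326.respironicspisettlement.com; dkim=pass (signature was verified) header.d=respironicspisettlement.com header.s=s1; dmarc=pass action=none header.from=respironicspisettlement.com; compauth=pass reason=100
X-Forefront-Antispam-Report: CIP:159.183.129.34;CTRY:US;SCL:1;SFV:NSPM;SFTY:9.25
X-SG-EID: PLACEHOLDER
Subject: Extraordinary Injury Award Program Points Valuation Notice
Content-Type: text/plain; charset=us-ascii

Please log into the Settlement Program Portal to view Notices.
"""

# Constructed benign contrast: authenticated mail from a domain the tenant already knows.
BENIGN_MESSAGE = """\
From: Docket Alerts <alerts@courts.example>
Return-Path: <alerts@courts.example>
Authentication-Results: spf=pass smtp.mailfrom=courts.example; dkim=pass header.d=courts.example; dmarc=pass action=none header.from=courts.example
Content-Type: text/plain; charset=us-ascii

A new filing was docketed in the matter referenced above.
"""

# Constructed data sources standing in for RDAP/WHOIS and message-trace queries.
# The registration date is the one the write-up reports; everything else is hypothetical.
REGISTRATION_DATES = {"respironicspisettlement.com": date(2024, 5, 8)}
PREVIOUSLY_SEEN_DOMAINS = {"browngreer.com", "courts.example"}
RECEIVED_ON = date(2025, 1, 15)
NEW_DOMAIN_DAYS = 365   # example policy threshold, not a value from the article
QUARANTINE_AT = 3       # example policy: this many context factors -> quarantine

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=(\w+)")
LOGIN_CTA_RE = re.compile(r"\blog\s*in(?:to)?\b.*\bportal\b", re.I | re.S)


def parse_auth_results(value):
    """Map each mechanism named in Authentication-Results to its verdict."""
    return dict(AUTH_RE.findall(value))


def parse_forefront(value):
    """Split X-Forefront-Antispam-Report's KEY:VALUE;KEY:VALUE fields into a dict."""
    fields = (f.split(":", 1) for f in value.split(";") if ":" in f)
    return {k.strip(): v.strip() for k, v in fields}


def domain_of(header_value):
    """Lowercase domain of an address header, or '' if absent."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def triage(raw, received_on=RECEIVED_ON):
    """Score a message on sender context rather than on authentication alone."""
    msg = message_from_string(raw)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    forefront = parse_forefront(msg.get("X-Forefront-Antispam-Report", ""))
    from_domain = domain_of(msg.get("From", ""))
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    body = "" if msg.is_multipart() else msg.get_payload()
    factors = []

    registered = REGISTRATION_DATES.get(from_domain)
    age_days = (received_on - registered).days if registered else None
    if age_days is not None and age_days < NEW_DOMAIN_DAYS:
        factors.append("recently_registered_domain")
    if from_domain not in PREVIOUSLY_SEEN_DOMAINS:
        factors.append("first_contact_sender")
    # SendGrid envelope ID or a VERP bounce address: a transactional ESP is in the path.
    if msg.get("X-SG-EID") or return_path.startswith("bounces+"):
        factors.append("esp_transactional_fingerprint")
    if "SFTY" in forefront:     # Microsoft already attached a safety tip
        factors.append("safety_tip_present")
    if LOGIN_CTA_RE.search(body):
        factors.append("portal_login_cta")

    return {
        "from_domain": from_domain,
        "auth": auth,
        "all_auth_pass": all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")),
        "scl": forefront.get("SCL"),
        "domain_age_days": age_days,
        "factors": factors,
        "verdict": "quarantine" if len(factors) >= QUARANTINE_AT else "deliver",
    }


if __name__ == "__main__":
    for label, raw in (("settlement notice", RAW_MESSAGE), ("docket alert", BENIGN_MESSAGE)):
        r = triage(raw)
        print(f"{label}: auth_pass={r['all_auth_pass']} factors={r['factors']} -> {r['verdict']}")
```

The point of the output is the contrast: both messages carry a clean `all_auth_pass`, and only the context factors separate them. In production the two constructed tables become live lookups, and the factor weights and quarantine threshold are tuned against the tenant's own false-positive tolerance.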
| Type | Indicator | Context |
|---|---|---|
| Sending Domain | respironicspisettlement[.]com | Registered 2024-05-08, Wild West Domains, WHOIS redacted, Azure DNS |
| Sending IP | 159[.]183[.]129[.]34 | PTR: o1[.]ptr7589[.]browngreer[.]com |
| Return-Path Domain | em326[.]respironicspisettlement[.]com | VERP bounce-handling subdomain |
| ESP Tracking Domain | u44323761[.]ct[.]sendgrid[.]net | Click-tracking proxy, visual/technical URL mismatch |
| DKIM Selector | s1 | d=respironicspisettlement[.]com, rsa-sha256 |
| Authentication | SPF pass, DKIM pass, DMARC pass | compauth=pass reason=100 |
| SCL | 1 | Low spam confidence despite the SFTY:9.25 safety-tip flag in X-Forefront-Antispam-Report |
| Email Header | X-SG-EID present | SendGrid bulk/transactional mailing fingerprint |
| Content Pattern | Claimant ID + named individual + portal login CTA | Spearphishing personalization |