When an email clears SPF, DKIM, and DMARC, all three, with composite authentication scored at pass, most email security gateways exhale. The message came from where it claimed to come from. The domain checks out. Let it through.
That is precisely the gap this campaign exploited.
A senior talent acquisition consultant at an HR consulting firm received what appeared to be a routine candidate-digest notification: seven new resumes waiting for review, a tidy table of names and job titles and salary expectations, a bright blue "VIEW ALL YOUR CANDIDATES" button. The branding was polished. The format matched what a legitimate hiring-workflow platform would send. The footer carried a support address and a Las Vegas business address. Nothing looked wrong.
Everything authenticated cleanly. And the primary call-to-action linked to a credential-harvesting page.
The sending domain, resumedirect.app, authenticated through a legitimate commercial bulk-mail provider. The delivery IP appeared in the domain's SPF record. The DKIM signature validated against d=resumedirect.app. DMARC passed. Microsoft's composite authentication result was compauth=pass with reason code 100, the code Microsoft assigns when a message passes explicit authentication.
These are the mechanics of ESP-borrowed legitimacy. The attacker registered their own domain and stood it up as a customer of a real email service provider. When the message traversed sp0029.mtaspm.email on its way to the recipient's inbox, it carried that provider's infrastructure reputation alongside a valid cryptographic signature. The authentication protocols did exactly what they were designed to do: they confirmed the message came from authorized infrastructure for that domain. They said nothing about what the links inside would do when clicked.
SPF, DKIM, and DMARC are origin-verification mechanisms, not content-safety signals. The distinction matters in every phishing analysis; it especially matters when attackers are sophisticated enough to pass all three.
The email listed seven candidates (names, roles, desired salaries, download icons) and presented two primary interaction paths: download individual resumes or click through to view the full candidate pool.
Both paths led to malicious endpoints.
The "VIEW ALL YOUR CANDIDATES" button linked to resume.direct/register?email=[recipient]@[org-domain], a registration page pre-populated with the recipient's email address. Link scanners flagged this endpoint as malicious. This is a textbook credential harvesting pattern: lure a user into authenticating on an attacker-controlled page by making the pre-filled email field look like they already have an account.
The individual resume download links served from resume.direct/download/cio/ told the same story. Multiple endpoints returned malicious verdicts from independent scanners. A "DOWNLOAD ALL" zip endpoint returned a mixed/partial result. The campaign combined a credential-harvest registration funnel with a malware-delivery file distribution layer, targeting the same recruiter with both attack vectors in a single message.
Before any link reached its final destination, it passed through a click-tracking intermediary: sp-track.resumedirect.app/api/v1/track/click/.... This is standard in bulk email marketing, but in an attacker's hands the redirect layer introduces a meaningful scanning gap. A reputation lookup against the tracker's URL returns results for the tracker's domain, not for the eventual destination.
The attacker-controlled click-tracking infrastructure is what a gateway sees first. By the time a scanner follows the redirect chain to the actual malicious endpoint, time and context windows have narrowed. This technique is increasingly common in campaigns that use legitimate bulk-mail providers: borrow the ESP's reputation, hide the payload one redirect hop away.
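The two points above, that a full authentication pass says nothing about link destinations and that a tracker hop hides the real destination from a reputation lookup, can be shown in a short triage routine. This is an added example, not code from the page or from IRONSCALES; the Authentication-Results header, HTML body and redirect map are constructed stand-ins for the real artifacts, and the offline redirect map replaces the live HTTP 302 responses a real unwrapper would follow.

```python
"""Added example: parse a passing Authentication-Results header, pull the links
out of the body, unwrap the click-tracker hop, and compare where the links
actually land against the domain that authenticated.  All inputs below are
constructed, not the campaign's real artifacts."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed header modelled on Microsoft 365 Authentication-Results output.
AUTH_RESULTS = (
    "spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=resumedirect.app; "
    "dkim=pass (signature was verified) header.d=resumedirect.app; "
    "dmarc=pass action=none header.from=resumedirect.app; "
    "compauth=pass reason=100"
)

# Constructed body: tracker-wrapped CTA and download links plus one on-domain link.
HTML_BODY = """
<p>7 new candidates are waiting for review.</p>
<a href="https://sp-track.resumedirect.app/api/v1/track/click/abc123">VIEW ALL YOUR CANDIDATES</a>
<a href="https://sp-track.resumedirect.app/api/v1/track/click/def456">Download</a>
<a href="https://resumedirect.app/unsubscribe">Unsubscribe</a>
"""

# Constructed offline redirect map standing in for the tracker's 302 responses.
REDIRECTS = {
    "https://sp-track.resumedirect.app/api/v1/track/click/abc123":
        "https://resume.direct/register?email=recruiter@example.com",
    "https://sp-track.resumedirect.app/api/v1/track/click/def456":
        "https://resume.direct/download/cio/jane_doe_resume_1001.pdf",
}


def parse_auth_results(header: str) -> dict:
    """Return method -> result, the DKIM signing domain and the compauth reason."""
    out = {m: r for m, r in re.findall(r"\b(spf|dkim|dmarc|compauth)=(\w+)", header)}
    d = re.search(r"header\.d=([\w.-]+)", header)
    out["dkim_domain"] = d.group(1) if d else None
    reason = re.search(r"compauth=\w+ reason=(\d+)", header)
    out["compauth_reason"] = int(reason.group(1)) if reason else None
    return out


class _HrefCollector(HTMLParser):
    """Collect every <a href> in document order."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_links(html: str) -> list:
    p = _HrefCollector()
    p.feed(html)
    return p.hrefs


def unwrap(url: str, redirects: dict, max_hops: int = 5) -> tuple:
    """Follow the redirect chain to its final URL, bounded by max_hops.
    Returns (final_url, hops); raises on a loop or an over-long chain."""
    seen = [url]
    cur = url
    while cur in redirects:
        cur = redirects[cur]
        if cur in seen:
            raise ValueError("redirect loop")
        seen.append(cur)
        if len(seen) - 1 > max_hops:
            raise ValueError("too many hops")
    return cur, len(seen) - 1


def assess_message(header: str, html: str, redirects: dict) -> dict:
    """Auth pass plus off-domain final destinations is the shape of this campaign."""
    auth = parse_auth_results(header)
    authenticated = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    signing = auth["dkim_domain"]
    offdomain = []
    for href in extract_links(html):
        final, hops = unwrap(href, redirects)
        host = urlparse(final).hostname or ""
        if host != signing and not host.endswith("." + signing):
            offdomain.append({"href": href, "final": final, "hops": hops})
    return {
        "authenticated": authenticated,
        "signing_domain": signing,
        "offdomain_destinations": offdomain,
        "needs_detonation": authenticated and bool(offdomain),
    }


if __name__ == "__main__":
    for k, v in assess_message(AUTH_RESULTS, HTML_BODY, REDIRECTS).items():
        print(f"{k}: {v}")
```

The point of the output is the combination: every authentication method reports pass and the signing domain is resumedirect.app, yet both CTA links resolve one hop later to resume.direct. A gateway that stops at the authentication result, or that reputation-checks the tracker hostname rather than the unwrapped destination, sees nothing wrong.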
The Verizon 2026 Data Breach Investigations Report identifies phishing as the leading initial access vector across breaches, with a significant share exploiting exactly this pattern: delivery through authenticated infrastructure with malicious payloads that reputation-based filters never see coming. The FBI IC3 2024 Annual Report recorded over $2.9 billion in losses directly attributable to phishing and related social-engineering campaigns, losses driven in part by defenses that treat authentication as a proxy for safety.
Authentication-passing campaigns are now table stakes. Threat actors have understood for years that SPF, DKIM, and DMARC are necessary conditions to avoid spam filters, not sufficient conditions to indicate legitimacy. The question for defenders is what detection layer fires after authentication passes; this campaign is a clear illustration of why that layer must include live link detonation and behavioral analysis, not just blocklist lookups.
MITRE ATT&CK catalogs this delivery method as T1566.002, Phishing: Spearphishing Link. The technique scales because it offloads the malicious work to an endpoint reached after delivery, an endpoint that may not have existed as a threat at send time and may not yet appear in any signature feed.
No single signal was decisive. That is the point.
Themis, IRONSCALES' Adaptive AI, flagged the incident with 90% confidence. Community signals from across the IRONSCALES network had independently flagged similar activity from the same sending infrastructure, a pattern consistent with a coordinated campaign targeting multiple organizations simultaneously. Microsoft's filtering layer assigned a spam confidence level of 5 and quarantined the message on delivery.
The malicious link verdicts came from live detonation: scanners visited the resume.direct/register endpoint and the individual download URLs, rendered what was actually served, and returned malicious and mixed-result verdicts for the active payloads. The S3-hosted file copies that appeared in the email's headers scanned clean at the time of analysis. That is exactly how this class of attack is designed. The clean-file decoys are real enough to reduce suspicion if a static scanner samples only some links; the malicious endpoints are the ones a recruiter would most likely click.
IRONSCALES' Advanced Malware and URL Protection catches this gap by detonating every link, not sampling. Multi-signal detection combining detonation with community reputation and Adaptive AI behavioral analysis is what catches campaigns that have specifically engineered their authentication posture to pass gateway checks.
HR and recruiting teams are structurally high-risk targets for this technique. Receiving unsolicited document links and clicking through to external hiring platforms is not anomalous behavior for a recruiter; it is the job. Attackers building resume-notification skins around malicious payloads are exploiting a workflow expectation, not a technical misconfiguration.
Indicators to look for in your environment:

- A bulk-ESP relay (mtaspm.email, sendpost.io, or equivalent) sending on behalf of a domain you do not recognize as an established vendor
- A click-tracking subdomain (sp-track.[domain]) wrapping CTA links before detonation is complete
- Registration links that pre-populate the recipient's address (/register?email=)
- /download/cio/ paths served from the same origin as the registration page warrant immediate scrutiny

CISA's guidance on recognizing phishing emphasizes that authentication signals cannot substitute for behavioral and link-level analysis, particularly when attackers deliberately engineer a clean-auth delivery path.
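The four indicators above translate directly into triage rules. The rule set below is an added example, not code from the page or from IRONSCALES: the relay suffixes and URL patterns come from this page, while the vendor allow-list, the two-rule hold threshold and the sample relay hostname and URLs are constructed assumptions. It expects links that have already been unwrapped where possible; the tracker rule fires on any link still sitting behind an sp-track.[domain] wrapper.

```python
"""Added example: the page's four indicators as a triage rule set.
ESP suffixes and URL patterns are from the page; everything else is constructed."""
from urllib.parse import urlparse, parse_qs

# Relay suffixes named on this page; extend with the ESPs your vendors actually use.
ESP_RELAY_SUFFIXES = ("mtaspm.email", "sendpost.io")
# Constructed allow-list of sending domains your organization already does business with.
KNOWN_VENDOR_DOMAINS = {"greenhouse.io", "lever.co"}


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _origin(url):
    p = urlparse(url)
    return (p.scheme.lower(), (p.hostname or "").lower())


def rule_unknown_esp_customer(relay_host, from_domain, known=KNOWN_VENDOR_DOMAINS):
    """Relayed by a bulk ESP for a From domain you have no established relationship with."""
    relay_host = relay_host.lower()
    via_esp = any(relay_host == s or relay_host.endswith("." + s) for s in ESP_RELAY_SUFFIXES)
    return via_esp and from_domain.lower() not in known


def rule_tracker_wrapped(urls):
    """Links still wrapped by an sp-track.[domain] click tracker."""
    return [u for u in urls if _host(u).startswith("sp-track.")]


def rule_prefilled_registration(urls):
    """/register URLs carrying the recipient's address in an email= parameter."""
    hits = []
    for u in urls:
        p = urlparse(u)
        if p.path.rstrip("/").endswith("/register") and "email" in parse_qs(p.query):
            hits.append(u)
    return hits


def rule_colocated_downloads(urls):
    """/download/cio/ paths served from the same origin as a pre-filled register page."""
    reg_origins = {_origin(u) for u in rule_prefilled_registration(urls)}
    return [u for u in urls
            if "/download/cio/" in urlparse(u).path and _origin(u) in reg_origins]


def triage(relay_host, from_domain, urls):
    """Run every rule; hold the message for full detonation when two or more fire
    (the threshold is an assumption, tune it to your own false-positive budget)."""
    findings = {
        "unknown_esp_customer": rule_unknown_esp_customer(relay_host, from_domain),
        "tracker_wrapped": rule_tracker_wrapped(urls),
        "prefilled_registration": rule_prefilled_registration(urls),
        "colocated_downloads": rule_colocated_downloads(urls),
    }
    fired = sum(1 for v in findings.values() if v)
    findings["hold_for_detonation"] = fired >= 2
    return findings


# Constructed sample modelled on the message described above.
SAMPLE_RELAY = "sp0029.mtaspm.email"
SAMPLE_FROM_DOMAIN = "resumedirect.app"
SAMPLE_URLS = [
    "https://sp-track.resumedirect.app/api/v1/track/click/abc123",
    "https://resume.direct/register?email=recruiter@example.com",
    "https://resume.direct/download/cio/jane_doe_resume_1001.pdf",
    "https://resume.direct/download/cio/john_roe_resume_1002.docx",
    "https://resume.direct/download/zip/tok9",
    "https://resumedirect.app/unsubscribe",
]

if __name__ == "__main__":
    for k, v in triage(SAMPLE_RELAY, SAMPLE_FROM_DOMAIN, SAMPLE_URLS).items():
        print(f"{k}: {v}")
```

None of these rules is a verdict on its own; a legitimate ATS vendor onboarding a new customer will trip the ESP rule, and many SaaS platforms pre-fill registration forms. The value is in the conjunction, and in using a hit to hold the message for detonation rather than releasing it on the strength of its authentication results.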
Credential harvesting protection that covers post-click behavior, not just link reputation, is the defensive control that closes this gap.
---
| Indicator | Type | Verdict |
|---|---|---|
| resumedirect[.]app | Sender domain | Malicious campaign infrastructure |
| resume[.]direct | Attacker-controlled domain | Malicious; hosts credential harvest and download endpoints |
| sp-track.resumedirect[.]app | Click-tracking subdomain | Attacker-controlled redirect layer |
| 52.203.172.9 | Sending IP | SendPost ESP relay (attacker account) |
| sp0029.mtaspm[.]email | Sending relay hostname | SendPost ESP relay (attacker account) |
| hxxps://resume[.]direct/register?email=[recipient]@[org-domain] | URL | Malicious; credential harvest registration page |
| hxxps://resume[.]direct/download/cio/[name]_resume_[id].pdf | URL pattern | Malicious; attacker-controlled file download endpoint |
| hxxps://resume[.]direct/download/cio/[name]_resume_[id].docx | URL pattern | Malicious; attacker-controlled file download endpoint |
| hxxps://resume[.]direct/download/zip/[token] | URL | Mixed/Partial; bulk download zip endpoint |
---
| Technique ID | Name | Observed Behavior |
|---|---|---|
| T1566 | Phishing | Malicious email delivered via bulk ESP with full auth pass |
| T1566.002 | Phishing: Spearphishing Link | Malicious links embedded in polished notification email |
| T1598 | Phishing for Information | Credential harvest via pre-populated registration endpoint |
| T1071.003 | Application Layer Protocol: Mail Protocols | Loose fit: this sub-technique covers command-and-control over mail protocols; it is listed only because delivery rode a legitimate SMTP relay, and no C2 was observed |