
She Clicked the Bid Invitation and Handed Her Credentials to a Netlify Phishing Page

Written by Audian Paxson | Mar 18, 2026 11:59:59 AM
TL;DR: Attackers used a likely compromised operations director account at a legitimate Canadian construction firm to mass-send a fake Request for Information bid invitation. The email passed SPF, DKIM, and DMARC because it genuinely originated from the company's Microsoft 365 tenant. The call-to-action linked to a Netlify-hosted page impersonating ConstructConnect's sign-in portal, a credential-harvesting trap. IRONSCALES' Adaptive AI flagged the href mismatch, anomalous sender behavior, and community intelligence signals, quarantining all four affected mailboxes within seconds.

Severity: High. Categories: Credential Harvesting, Business Email Compromise. MITRE ATT&CK: T1566.002, T1204.001, T1586.002, T1608.005.

The email landed in four inboxes at a European enterprise on a Wednesday afternoon.

Subject line: "INVITATION TO BID."

Sender: a named operations director at a legitimate Canadian construction engineering firm.

SPF, DKIM, and DMARC all passed.

The signature block included a physical address in Lachine, Quebec, a direct cell number, and a company logo. Everything about this message looked like a routine procurement outreach, the kind that lands in operations and business development inboxes every week.

Except the link labeled "RFI-32-7613-125.pdf (Preview)" didn't point to a PDF. It pointed to cheerful-hamster-e3f5c1[.]netlify[.]app, a credential-harvesting page designed to steal login credentials under the guise of a construction bidding portal.

A Bid Package That Led to a Fake Login Page

The message followed a familiar procurement playbook. It invited the recipient's organization to submit a proposal for a specific RFI, referenced a project package with scope, deliverables, and terms, and set a deadline: proposals due by March 30, 2026, with a reply requested within two business days. A confidentiality warning reinforced the sense of legitimacy.

The social engineering was layered. The sender identity belonged to a real person at a real company, a director of operations at an established construction engineering firm with a domain registered since 2009, hosted on Cloudflare, and actively maintained. The email originated from that company's Microsoft 365 tenant, which is why every authentication check cleared without issue.

But the core call-to-action betrayed the entire setup. The hyperlink displayed as "RFI-32-7613-125.pdf" but resolved to a Netlify-hosted subdomain. That landing page didn't serve a PDF. Instead, it rendered a ConstructConnect-branded sign-in form ("Sign-in to view bid invitation") with an email field and a login prompt. ConstructConnect is a widely used construction project intelligence platform, making the impersonation feel routine to anyone in the industry.

This is credential harvesting at its most operationally aware. The attacker understood the target industry, knew the procurement workflow, and chose a third-party platform the victim would recognize and trust.

The Compromised Sender Problem That Authentication Can't Solve

The most dangerous element of this campaign isn't the Netlify page; it's the sending account.

The email headers show a clean relay chain through Microsoft's Exchange Online Protection infrastructure. ARC (Authenticated Received Chain) seals passed at every hop. The DKIM signature validated against the sender's onmicrosoft[.]com domain. SPF confirmed the sending IP as an authorized Microsoft outbound server. There was no header manipulation, no relay abuse, and no spoofing.

The most likely explanation: the sender's Microsoft 365 account was compromised. As MITRE ATT&CK documents under Compromise Accounts: Email Accounts (T1586.002), threat actors routinely take over legitimate business email accounts to send phishing from trusted infrastructure, turning authentication from a defense into a liability.

This is the structural weakness that SEGs can't address. Email authentication protocols answer one question: did this email come from an authorized server for this domain? When the answer is yes because the attacker controls a legitimate account on that domain, authentication actively vouches for the threat.

The FBI's 2024 Internet Crime Report documented over $2.9 billion in BEC (Business Email Compromise) losses. IBM's 2024 Cost of a Data Breach Report found phishing-initiated breaches averaged $4.88 million per incident. These aren't hypothetical numbers; they're the direct cost of trusting authentication as a proxy for safety.

How an href Mismatch and Behavioral Signals Stopped the Campaign

Static rule-based detection had no path to catching this email. The sender domain was legitimate and long-established. The authentication was flawless. The attachment, a small PNG logo image, was clean. The only malicious artifact was a single URL pointing to a free-tier hosting platform with no prior reputation flags.

Themis, the IRONSCALES virtual SOC analyst, identified the threat through converging behavioral signals:

  • Href-display mismatch: The displayed link text ("RFI-32-7613-125.pdf") suggested a document download, but the underlying href pointed to a Netlify subdomain with no relationship to the sender's organization. This mismatch, a classic indicator mapped to MITRE ATT&CK User Execution: Malicious Link (T1204.001), triggered immediate scrutiny.
  • Landing page behavior: The destination served a credential-collection form impersonating a third-party platform rather than delivering the promised document. As MITRE ATT&CK documents under Link Target (T1608.005), attackers stage phishing pages on legitimate hosting services to inherit the platform's reputation.
  • Sender anomaly profile: While the sender had prior contact with the organization, the BCC-style distribution pattern and generic greeting ("Hello,") deviated from established communication norms, signals that an account may have been taken over for mass distribution.
  • Community threat intelligence: Similar Netlify-hosted ConstructConnect impersonation patterns had already been flagged across the IRONSCALES network of over 30,000 security professionals.

All four affected mailboxes were quarantined within seconds, before any recipient clicked the link.

The Verizon 2025 Data Breach Investigations Report found that the median time for a user to click a phishing link is under 60 seconds from delivery. CISA's phishing guidance and Microsoft's 2024 Digital Defense Report both emphasize that credential-harvesting attacks leveraging compromised accounts and legitimate hosting infrastructure are among the hardest vectors for traditional defenses to intercept.

For security teams facing similar campaigns, three actions matter now:

  1. Treat href-display mismatches as high-confidence indicators. Any email where the visible link text suggests a document but the destination is a free-tier hosting platform warrants automated investigation, not just a reputation lookup.
  2. Evaluate landing page behavior, not just URL reputation. A Netlify subdomain with zero prior flags is invisible to blocklists. Detection must assess what the page does (presents a credential form), not just where it lives.
  3. Monitor for compromised sender patterns. BCC distribution from a known contact, generic greetings replacing personalized salutations, and link destinations disconnected from the sender's organization are signals that an account has been weaponized.
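The signals listed above (href/display mismatch, free-tier hosting, a link domain unrelated to the sender, a generic greeting, a hidden recipient list) and the three actions just described can be turned into a small triage routine. The following is an added example written for this post, not IRONSCALES, Themis, or ConstructConnect code. It runs the checks over a constructed .eml modelled on the campaign and over a benign control message, and it parses Authentication-Results only to make the post's point concrete: spf, dkim and dmarc all read pass on the malicious message and contribute nothing to the verdict. The sender address, IP, tenant name and the bidco-engineering.example domains are constructed placeholders; the Netlify hostname is the one the post reports; the free-hosting suffix list, greeting list and three-signal quarantine threshold are assumptions a team would tune to its own traffic.

```python
"""Triage heuristics for a bid-invitation phishing email.

Added example, not IRONSCALES or ConstructConnect code. It scores a constructed
.eml modelled on the campaign above for the signals the post lists, and parses
authentication results only to show that spf/dkim/dmarc=pass is not evidence of
safety. Sender names, IPs and domains below are constructed placeholders.
"""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

FREE_HOSTING_SUFFIXES = ("netlify.app", "pages.dev", "web.app", "github.io", "vercel.app")
DOCUMENT_NAME = re.compile(r"\.(pdf|docx?|xlsx?|zip)\b", re.IGNORECASE)
GENERIC_GREETINGS = ("hello,", "hi,", "hello there", "dear sir", "dear customer", "greetings,")
QUARANTINE_THRESHOLD = 3  # assumption: three independent signals justify auto-quarantine

# Constructed sample: every authentication check passes, yet the "PDF" is a Netlify page.
SAMPLE_EML = """\
Authentication-Results: spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=bidco-engineering.example;
 dkim=pass (signature was verified) header.d=bidco-engineering.onmicrosoft.com;
 dmarc=pass action=none header.from=bidco-engineering.example
From: "Operations Director" <director@bidco-engineering.example>
To: Undisclosed recipients:;
Subject: INVITATION TO BID
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello,</p>
<p>You are invited to submit a proposal for RFI-32-7613-125. Review the package here:</p>
<p><a href="https://cheerful-hamster-e3f5c1.netlify.app/">RFI-32-7613-125.pdf (Preview)</a></p>
<p>Proposals are due by March 30, 2026. This message is confidential.</p>
</body></html>
"""

# Constructed control: same sender, but the link really is a PDF on the sender's own domain.
BENIGN_EML = """\
Authentication-Results: spf=pass smtp.mailfrom=bidco-engineering.example; dkim=pass; dmarc=pass
From: "Operations Director" <director@bidco-engineering.example>
To: procurement@partner.example
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi Dana,</p>
<p><a href="https://bids.bidco-engineering.example/RFI-32-7613-125.pdf">RFI-32-7613-125.pdf</a></p>
</body></html>
"""


class BodyParser(HTMLParser):
    """Collects (href, visible text) per anchor plus the visible text of the whole body."""

    def __init__(self):
        super().__init__()
        self.links, self.text_parts, self._href, self._anchor_text = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor_text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None


def registered_domain(host):
    """Naive eTLD+1 (last two labels); adequate for the hosts used here."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def parse_auth_results(header):
    """Map spf/dkim/dmarc to their results from a (possibly folded) Authentication-Results header."""
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header or "", re.I)}


def triage(raw_eml):
    """Return authentication results, behavioural findings and a verdict for one message."""
    msg = message_from_string(raw_eml)
    sender = re.search(r"@([\w.-]+)", msg.get("From", ""))
    sender_domain = registered_domain(sender.group(1)) if sender else ""
    parser = BodyParser()
    parser.feed(msg.get_payload(decode=True).decode("utf-8", "replace"))
    findings = set()
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        # Visible text promises a document, but the URL path does not point at one.
        if DOCUMENT_NAME.search(text) and not DOCUMENT_NAME.search(urlparse(href).path):
            findings.add("href_display_mismatch")
        if registered_domain(host) in FREE_HOSTING_SUFFIXES:
            findings.add("free_tier_hosting")
        if host and registered_domain(host) != sender_domain:
            findings.add("link_domain_unrelated_to_sender")
    lines = [ln.strip() for ln in "".join(parser.text_parts).splitlines() if ln.strip()]
    if lines and lines[0].lower().startswith(GENERIC_GREETINGS):
        findings.add("generic_greeting")
    # No address visible in To/Cc means the list was hidden (BCC-style mass distribution).
    if not re.search(r"[\w.+-]+@[\w.-]+", " ".join(msg.get_all("To", []) + msg.get_all("Cc", []))):
        findings.add("hidden_recipient_list")
    verdict = "quarantine" if len(findings) >= QUARANTINE_THRESHOLD else "review" if findings else "deliver"
    return {"authentication": parse_auth_results(msg.get("Authentication-Results", "")),
            "sender_domain": sender_domain, "findings": sorted(findings), "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_EML))
    print(triage(BENIGN_EML))
```

Both messages return `{'spf': 'pass', 'dkim': 'pass', 'dmarc': 'pass'}` for authentication; the verdict differs only because of the behavioural checks, which is the separation the post argues for. The registered-domain helper is deliberately naive (last two labels), so in production it should be replaced by a public-suffix-list lookup before comparing link and sender domains.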


| Type | Indicator | Context |
| --- | --- | --- |
| Sender | mabernard@[REDACTED][.]com | Likely compromised Microsoft 365 account; authenticated sender |
| URL | hxxps://cheerful-hamster-e3f5c1[.]netlify[.]app/ | Credential-harvesting page impersonating ConstructConnect sign-in |
| Attachment | image002[.]png (MD5: 06b8535b3e0dfb2065b5cddf78bd8fe0) | Clean PNG, company logo, not weaponized |
| Domain | [REDACTED][.]com | Legitimate Canadian construction firm; domain registered 2009, Cloudflare DNS |
| MITRE | T1566.002 | Spearphishing Link |
| MITRE | T1204.001 | User Execution: Malicious Link |
| MITRE | T1586.002 | Compromise Accounts: Email Accounts |
| MITRE | T1608.005 | Stage Capabilities: Link Target |

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 30,000+ security professionals. Each post breaks down one attack — what it looked like, why it worked, and what you can do about it.