A Rocket Mortgage notification landed with polished branding, a property address, a loan number, and a "View now" button with a 24-hour deadline. The email looked like a routine mortgage document alert. The sender was an Australian consulting firm that has nothing to do with mortgage lending.
The account at positive-solutions[.]com[.]au had been compromised. DKIM passed for the sender's Microsoft 365 tenant. The attacker inherited the full authentication profile of a legitimate business, sending impersonation emails that looked authorized because they technically were.
A Compromised Account With Split Authentication
The message originated from a compromised mailbox and relayed through a Votiro content disarm and reconstruction (CDR) gateway at IP 44.206.213[.]130. SPF failed at the Votiro relay because the CDR service's IP was not in the sender domain's SPF record. DKIM passed for positivesolutionsbne.onmicrosoft[.]com, confirming the Microsoft 365 tenant signed the message. DMARC produced inconsistent results across hops: fail at one relay, pass at another.
This split creates a problem for gateways that evaluate authentication as a binary pass/fail. The DKIM pass is genuine. The SPF failure is an infrastructure artifact from the CDR relay, not evidence of spoofing. A gateway that weights DKIM pass over SPF fail will deliver the message. In this case, that is exactly what happened.
The email body carried Rocket Mortgage branding with a fabricated property address and loan number. The 24-hour deadline on the "View now" CTA added urgency calibrated to prevent verification. Recipients who manage active mortgages see transactional notifications regularly and are conditioned to act quickly on them.
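The split verdict described above is easier to reason about in code. The following is an added example, not the article's or any gateway vendor's logic: it parses two constructed Authentication-Results lines (modelled on the case: SPF fail at the CDR relay, DKIM pass for the onmicrosoft tenant domain, DMARC results that differ between hops, using the article's domains with the defanging brackets removed) and contrasts the binary "DKIM pass outweighs SPF fail" rule with a DMARC-aware check that only trusts a pass whose domain aligns with the visible From: domain. The public-suffix handling is a deliberately simplified assumption; a real implementation uses the full Public Suffix List.

```python
"""DMARC-aware evaluation of split authentication results (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: one Authentication-Results line per hop, as a
# downstream gateway sees them after the message crossed the CDR relay.
SAMPLE_HEADERS = [
    "Authentication-Results: relay.example.invalid; spf=fail "
    "(sender IP is 44.206.213.130) smtp.mailfrom=positive-solutions.com.au; "
    "dkim=pass header.d=positivesolutionsbne.onmicrosoft.com; "
    "dmarc=fail action=none header.from=positive-solutions.com.au",
    "Authentication-Results: mx.example.invalid; spf=fail "
    "smtp.mailfrom=positive-solutions.com.au; "
    "dkim=pass header.d=positivesolutionsbne.onmicrosoft.com; "
    "dmarc=pass header.from=positive-solutions.com.au",
]

# Assumption: a tiny stand-in for the Public Suffix List, enough for this case.
TWO_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "co.uk", "co.nz"}


def org_domain(domain: str) -> str:
    """Organizational domain used for DMARC relaxed alignment."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


@dataclass
class AuthResult:
    spf: str
    mailfrom: str
    dkim: str
    dkim_domain: str
    dmarc: str
    from_domain: str

    @property
    def spf_aligned(self) -> bool:
        return self.spf == "pass" and org_domain(self.mailfrom) == org_domain(self.from_domain)

    @property
    def dkim_aligned(self) -> bool:
        return self.dkim == "pass" and org_domain(self.dkim_domain) == org_domain(self.from_domain)


def _field(pattern: str, header: str) -> str:
    m = re.search(pattern, header)
    return m.group(1).lower() if m else "none"


def parse_auth_results(header: str) -> AuthResult:
    """Extract the SPF, DKIM and DMARC results and their domains from one header."""
    return AuthResult(
        spf=_field(r"\bspf=(\w+)", header),
        mailfrom=_field(r"smtp\.mailfrom=([^\s;]+)", header),
        dkim=_field(r"\bdkim=(\w+)", header),
        dkim_domain=_field(r"header\.d=([^\s;]+)", header),
        dmarc=_field(r"\bdmarc=(\w+)", header),
        from_domain=_field(r"header\.from=([^\s;]+)", header),
    )


def naive_gateway_verdict(r: AuthResult) -> str:
    """The binary rule the article describes: any DKIM pass outweighs an SPF fail."""
    return "deliver" if r.dkim == "pass" else "quarantine"


def dmarc_aware_verdict(r: AuthResult) -> str:
    """Grant authentication trust only for an aligned pass.

    An SPF fail plus a DKIM pass from an unrelated signing domain earns no
    trust; the message must fall through to content and behaviour checks.
    """
    if r.spf_aligned or r.dkim_aligned:
        return "authenticated"
    if r.dkim == "pass":
        return "unaligned-signature:review"
    return "unauthenticated:review"


def reconcile_hops(headers: list[str]) -> dict:
    """Evaluate every hop ourselves and surface disagreement between hops.

    Upstream Authentication-Results headers are other parties' assertions:
    conflicting dmarc= values are themselves a signal, and a 'pass' asserted
    by one hop never overrides our own alignment computation.
    """
    results = [parse_auth_results(h) for h in headers]
    dmarc_claims = {r.dmarc for r in results}
    return {
        "hops": len(results),
        "dmarc_claims": sorted(dmarc_claims),
        "dmarc_consistent": len(dmarc_claims) == 1,
        "split_auth": any(r.spf == "fail" and r.dkim == "pass" for r in results),
        "own_verdict": dmarc_aware_verdict(results[-1]),
        "naive_verdict": naive_gateway_verdict(results[-1]),
    }


if __name__ == "__main__":
    for key, value in reconcile_hops(SAMPLE_HEADERS).items():
        print(f"{key:17} {value}")
```

On the constructed sample the naive rule returns "deliver" while the alignment-aware check returns "unaligned-signature:review": the signature is genuine, but it vouches for onmicrosoft.com, not for the From: domain, so it should route the message to behavioural checks rather than settle the decision.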
Four Hops to Nowhere
The "View now" link did not go to Rocket Mortgage. It did not go to the compromised sender's domain either. The redirect chain traversed four distinct intermediaries:
- SafeLinks (Microsoft Defender URL rewriting)
- click.e.rocketmortgage[.]com (Rocket Mortgage's own email tracking infrastructure)
- link.edgepilot[.]com (EdgePilot URL defense)
- linklock.titanhq[.]com (TitanHQ LinkLock URL protection)
The final destination was afd-eg[.]org, a domain registered September 1, 2025, with no connection to mortgage services, real estate, or financial products.
Each intermediary in the chain is a legitimate security or marketing service. A URL rewriting scanner evaluating the first hop would see SafeLinks. The second hop would show Rocket Mortgage's own tracking domain. By the third and fourth hops, scanner fatigue and redirect depth limits often mean the final destination is never evaluated.
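The depth-limit failure mode can be reproduced offline. The following is an added example, not code from the article or from any of the services named in the chain. The SafeLinks hop is decoded from its `url=` query parameter; the tracking and URL-defense hops are modelled as opaque tokens whose targets come from a constructed table that stands in for the HTTP 302 Location responses a live resolver would fetch with redirects disabled. The token values and the `nam12` SafeLinks host are constructed; the hop domains are the article's with defanging removed.

```python
"""Unwrap a multi-hop redirect chain and report whether the end was reached (added example)."""
from typing import Optional
from urllib.parse import urlparse, parse_qs, quote

# Constructed hop targets: opaque tracking URL -> where it redirects.
# In production this lookup would be a HEAD request with redirects disabled,
# returning the Location header.
REDIRECT_TABLE = {
    "https://click.e.rocketmortgage.com/?qs=TRACKTOKEN-constructed":
        "https://link.edgepilot.com/s/EDGETOKEN-constructed",
    "https://link.edgepilot.com/s/EDGETOKEN-constructed":
        "https://linklock.titanhq.com/?u=LOCKTOKEN-constructed",
    "https://linklock.titanhq.com/?u=LOCKTOKEN-constructed":
        "https://afd-eg.org/view-document",
}

# Rewriters that embed the target in a query parameter; decodable with no network call.
EMBEDDED_PARAM = {"safelinks.protection.outlook.com": "url"}


def build_sample_link() -> str:
    """Assemble the constructed four-hop 'View now' link as a recipient receives it."""
    inner = "https://click.e.rocketmortgage.com/?qs=TRACKTOKEN-constructed"
    return ("https://nam12.safelinks.protection.outlook.com/?url="
            + quote(inner, safe="") + "&data=constructed")


def next_hop(url: str, resolver=REDIRECT_TABLE.get) -> Optional[str]:
    """Return the URL this one forwards to, or None if it is a final page."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    for suffix, param in EMBEDDED_PARAM.items():
        if host == suffix or host.endswith("." + suffix):
            target = parse_qs(parsed.query).get(param)
            return target[0] if target else None
    return resolver(url)


def unwrap(url: str, max_hops: int, resolver=REDIRECT_TABLE.get) -> dict:
    """Follow the chain for at most max_hops redirects.

    'terminal' is only True when a page with no further redirect was reached;
    when the budget runs out, the last host seen is NOT the landing domain.
    """
    chain = [url]
    seen = {url}
    while len(chain) <= max_hops:
        nxt = next_hop(chain[-1], resolver)
        if nxt is None:
            return {"chain": chain, "terminal": True, "landing": urlparse(chain[-1]).hostname}
        if nxt in seen:
            return {"chain": chain, "terminal": False, "landing": None, "loop": True}
        seen.add(nxt)
        chain.append(nxt)
    return {"chain": chain, "terminal": False, "landing": None}


def landing_verdict(result: dict, brand_domains: set[str]) -> str:
    """Score only a resolved landing host against the brand the message claims."""
    if not result["terminal"]:
        return "unresolved: intermediate host must not be scored as the destination"
    landing = result["landing"]
    if any(landing == d or landing.endswith("." + d) for d in brand_domains):
        return "landing matches claimed brand"
    return f"landing mismatch: {landing} is not a {'/'.join(sorted(brand_domains))} property"


if __name__ == "__main__":
    link = build_sample_link()
    for budget in (2, 10):
        res = unwrap(link, budget)
        print(budget, [urlparse(u).hostname for u in res["chain"]], res["terminal"])
        print("  ", landing_verdict(res, {"rocketmortgage.com"}))
```

With a budget of two hops the chain stops on link.edgepilot.com, and the hop before it, click.e.rocketmortgage.com, is a genuine rocketmortgage.com host; a scanner that scores the deepest host it reached would call the link brand-consistent. Only a full unwrap reaches afd-eg.org, which is why the verdict refuses to score anything that is not a terminal page.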
An Australian Consulting Firm Does Not Send Mortgage Notifications
Themis identified the sender-brand mismatch: an Australian consulting firm sending Rocket Mortgage notifications is a behavioral anomaly that authentication cannot assess. The compromised account's sending history showed no prior mortgage-related communications, and the redirect chain's termination at a nine-month-old domain unrelated to any financial service confirmed the impersonation.
The 24-hour urgency deadline, the fabricated loan details, and the four-hop redirect chain are all individually common in phishing. Together, layered on top of a compromised legitimate account, they represent a campaign designed to exploit every trust signal a gateway evaluates.
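The behavioural signals above (brand named in the body versus the sending domain, the landing domain, the sender's prior traffic, the landing domain's age and the deadline urgency) can be scored as a group. The following is an added example and is not Themis's or any vendor's logic: the brand table, the empty sender history, the observation date (chosen so the landing domain is about nine months old, matching the article), the threshold values and the sample body text are all constructed assumptions; the domains and the September 1, 2025 registration date are the article's.

```python
"""Score sender-brand and landing-brand mismatch with domain age and urgency (added example)."""
import re
from datetime import date

# Constructed brand table: brand phrase -> domains that legitimately send for it.
BRANDS = {"rocket mortgage": {"rocketmortgage.com"}}
# Constructed thresholds.
YOUNG_DOMAIN_DAYS = 365
PHISH_LIKELY_FINDINGS = 3
URGENCY_RE = re.compile(r"\b\d{1,2}\s*-?\s*hours?\b", re.IGNORECASE)


def brands_in(text: str) -> set:
    """Brand phrases mentioned in the message body."""
    lowered = text.lower()
    return {brand for brand in BRANDS if brand in lowered}


def belongs_to(domain: str, brand: str) -> bool:
    """True when the domain is, or is a subdomain of, one of the brand's domains."""
    d = domain.lower()
    return any(d == b or d.endswith("." + b) for b in BRANDS[brand])


def domain_age_days(created: date, observed: date) -> int:
    return (observed - created).days


def score_message(*, body: str, from_domain: str, landing_domain: str,
                  landing_created: date, observed: date,
                  sender_history_brands: set) -> dict:
    """Collect independent findings; the count drives the verdict."""
    findings = []
    for brand in brands_in(body):
        if not belongs_to(from_domain, brand):
            findings.append(f"sender-brand mismatch: {from_domain} sends '{brand}' content")
        if not belongs_to(landing_domain, brand):
            findings.append(f"landing-brand mismatch: link ends at {landing_domain}")
        if brand not in sender_history_brands:
            findings.append(f"no prior '{brand}' traffic from {from_domain}")
    age = domain_age_days(landing_created, observed)
    if age < YOUNG_DOMAIN_DAYS:
        findings.append(f"landing domain is {age} days old")
    if URGENCY_RE.search(body):
        findings.append("deadline urgency in call to action")
    if len(findings) >= PHISH_LIKELY_FINDINGS:
        verdict = "phish-likely"
    elif findings:
        verdict = "review"
    else:
        verdict = "clean"
    return {"findings": findings, "score": len(findings), "verdict": verdict}


# Constructed sample modelled on the article's message.
SAMPLE = dict(
    body="Your Rocket Mortgage document is ready. View now - this link expires in 24 hours.",
    from_domain="positive-solutions.com.au",
    landing_domain="afd-eg.org",
    landing_created=date(2025, 9, 1),
    observed=date(2026, 6, 1),
    sender_history_brands=set(),
)

if __name__ == "__main__":
    result = score_message(**SAMPLE)
    print(result["verdict"], result["score"])
    for f in result["findings"]:
        print(" -", f)
```

Each finding is weak on its own, which is the article's point: a consulting firm can legitimately forward a mortgage document once, and young domains exist. The verdict comes from the stack of signals landing on one message, not from any single one.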
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Sender Email | Compromised account at positive-solutions[.]com[.]au | Australian consulting firm, no mortgage affiliation |
| DKIM Domain | positivesolutionsbne.onmicrosoft[.]com | Microsoft 365 tenant, DKIM pass |
| Relay IP | 44.206.213[.]130 | Votiro CDR relay, SPF fail |
| Redirect Hop 1 | SafeLinks (Microsoft Defender) | URL rewriting service |
| Redirect Hop 2 | click.e.rocketmortgage[.]com | Rocket Mortgage tracking infrastructure |
| Redirect Hop 3 | link.edgepilot[.]com | EdgePilot URL defense |
| Redirect Hop 4 | linklock.titanhq[.]com | TitanHQ LinkLock |
| Landing Domain | afd-eg[.]org | Registered Sep 1, 2025, no mortgage connection |
| Urgency | 24-hour deadline | "View now" CTA pressure mechanism |
| Fabricated Details | Property address and loan number | Anonymized, used for trust-building |
MITRE ATT&CK Mapping
| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | "View now" CTA through four-hop redirect chain |
| Compromise Accounts: Email Accounts | T1586.002 | Compromised Australian consulting firm M365 account |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Rocket Mortgage branding on unrelated sender |