A Rocket Mortgage notification landed with polished branding, a property address, a loan number, and a "View now" button with a 24-hour deadline. The email looked like a routine mortgage document alert. The sender was an Australian consulting firm that has nothing to do with mortgage lending.
The account at positive-solutions[.]com[.]au had been compromised. DKIM passed for the sender's Microsoft 365 tenant. The attacker inherited the full authentication profile of a legitimate business, sending impersonation emails that looked authorized because they technically were.
The message originated from a compromised mailbox and relayed through a Votiro content disarm and reconstruction (CDR) gateway at IP 44.206.213[.]130. SPF failed at the Votiro relay because the CDR service's IP was not in the sender domain's SPF record. DKIM passed for positivesolutionsbne.onmicrosoft[.]com, confirming the Microsoft 365 tenant signed the message. DMARC produced inconsistent results across hops: fail at one relay, pass at another.
This split creates a problem for gateways that evaluate authentication as a binary pass/fail. The DKIM pass is genuine. The SPF failure is an infrastructure artifact from the CDR relay, not evidence of spoofing. A gateway that weights DKIM pass over SPF fail will deliver the message. In this case, that is exactly what happened.
The email body carried Rocket Mortgage branding with a fabricated property address and loan number. The 24-hour deadline on the "View now" CTA added urgency calibrated to prevent verification. Recipients who manage active mortgages see transactional notifications regularly and are conditioned to act quickly on them.
The "View now" link did not go to Rocket Mortgage. It did not go to the compromised sender's domain either. The redirect chain traversed four distinct intermediaries:
The final destination was afd-eg[.]org, a domain registered September 1, 2025, with no connection to mortgage services, real estate, or financial products.
Each intermediary in the chain is a legitimate security or marketing service. A URL rewriting scanner evaluating the first hop would see SafeLinks. The second hop would show Rocket Mortgage's own tracking domain. By the third and fourth hops, scanner fatigue and redirect depth limits often mean the final destination is never evaluated.
Themis identified the sender-brand mismatch: an Australian consulting firm sending Rocket Mortgage notifications is a behavioral anomaly that authentication cannot assess. The compromised account's sending history showed no prior mortgage-related communications, and the redirect chain's termination at a nine-month-old domain unrelated to any financial service confirmed the impersonation.
The 24-hour urgency deadline, the fabricated loan details, and the four-hop redirect chain are all individually common in phishing. Together, layered on top of a compromised legitimate account, they represent a campaign designed to exploit every trust signal a gateway evaluates.
See Your Risk: Calculate how many threats your SEG is missing
| Type | Indicator | Context |
|---|---|---|
| Sender Email | Compromised account at positive-solutions[.]com[.]au | Australian consulting firm, no mortgage affiliation |
| DKIM Domain | positivesolutionsbne.onmicrosoft[.]com | Microsoft 365 tenant, DKIM pass |
| Relay IP | 44.206.213[.]130 | Votiro CDR relay, SPF fail |
| Redirect Hop 1 | SafeLinks (Microsoft Defender) | URL rewriting service |
| Redirect Hop 2 | click.e.rocketmortgage[.]com | Rocket Mortgage tracking infrastructure |
| Redirect Hop 3 | link.edgepilot[.]com | EdgePilot URL defense |
| Redirect Hop 4 | linklock.titanhq[.]com | TitanHQ LinkLock |
| Landing Domain | afd-eg[.]org | Registered Sep 1, 2025, no mortgage connection |
| Urgency | 24-hour deadline | "View now" CTA pressure mechanism |
| Fabricated Details | Property address and loan number | Anonymized, used for trust-building |
| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | "View now" CTA through four-hop redirect chain |
| Compromise Accounts: Email Accounts | T1586.002 | Compromised Australian consulting firm M365 account |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Rocket Mortgage branding on unrelated sender |
| Attack | What happened |
|---|---|
| How ARC Re-Signing and an IP Allow-List Turned Three Authentication Failures Into SCL -1 | A phishing email claiming to be a OneDrive share from an outlook.com address originated from a county government mail server. |
| The Phishing Link Lived on a Domain That Didn't Exist Nine Hours Earlier | A compromised university student account sent a phishing email that passed SPF, DKIM, and DMARC. |
| SafeLinks Wrapped the Phishing URL With the Recipient's Name on It | Microsoft SafeLinks rewrote a phishing URL and embedded the recipient's email address into the redirect chain. |
| The DocuSign Portal That Was Two Days Old and Spelled Wrong: Typosquat Credential Harvesting via SendGrid Redirect | A fax notification impersonating DocuSign routed through SendGrid and AppRiver relays, failed SPF and DKIM. |
| Seven Days Old, Port 8443: The Throwaway Domain That Safe Links Couldn't Stop | A compromised university email account impersonated a known contact. |