The display name said it was someone the recipient knew. The address behind it belonged to a student account at a Mexican university. The link in the body was wrapped by SafeLinks, which made it look as though Microsoft had already evaluated it. Decoding the wrapper revealed a newly registered domain served on non-standard port 8443.
The message originated from a374859@alumnos.uaslp[.]mx, a student account at a Mexican public university. The display name spoofing was precise: the From header displayed the full name of a real external contact whose legitimate address is at a Canadian ISP. On mobile devices and in most desktop clients, the recipient would see only the familiar name with no indication that the underlying address belonged to a university student in another country.
Because the university runs its mail on Microsoft 365, SPF passed for the envelope domain, the DKIM signature applied by Microsoft's outbound servers verified, and DMARC aligned; Microsoft's composite authentication (compauth) returned a pass as well. The email was not spoofed in any technical sense. It was sent from a real account on a real mail system with real credentials, and that is all authentication can confirm: it proves the message left the account it claims to come from, not that the account holder sent it. The authentication was legitimate. The sender was not.
The body was minimal: "found and wanted to share these photographs." No invoice, no urgency, no branding. Just curiosity. A single link was embedded in the message, wrapped by Microsoft SafeLinks. Decoding the SafeLinks URL revealed the destination: jfedp.hvdxrsausc[.]com:8443.
The domain hvdxrsausc[.]com was registered on April 8, 2026, through a registrar with privacy-protected WHOIS. The non-standard port 8443 is commonly used by web application servers and is frequently overlooked by URL rewriting services and reputation filters that only evaluate standard ports. The domain name itself is a random character string with no semantic content, consistent with disposable phishing infrastructure.
A university confidentiality footer at the bottom of the message reinforced institutional trust, implying the email was an official communication subject to privacy protections.
Every authentication check passed. The SafeLinks wrapper gave the appearance of Microsoft validation. The display name matched a known contact. The only signals that distinguished this from a legitimate message were behavioral: a first-time sender whose university address (a Mexican academic domain, not the contact's Canadian ISP) did not match the display name, a single link to a newly registered random-string domain on a non-standard port, and a curiosity lure with no business context. These are the patterns that Themis evaluates when static analysis sees nothing wrong. The message was flagged and quarantined automatically.
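As an added illustration of the checks described above (unwrapping the SafeLinks URL and testing the destination's port, name and age, then combining those with the display-name and lure signals from this paragraph), the following Python is example code written for this write-up; it is not Themis code or any vendor's implementation. The raw message, the sender IP, the Authentication-Results text, the address-book entry for the impersonated contact, and the delivery date are constructed or assumed; the decoded destination and the domain registration date are the ones given above.

```python
import email
import re
from datetime import date
from email import policy
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

# Constructed sample modeled on the message described above. Headers imitate
# Microsoft 365 output but are not copied from the real mail; the display name,
# the sender IP and the sdata value are placeholders.
RAW_MESSAGE = """\
From: "Jane Example" <a374859@alumnos.uaslp.mx>
To: recipient@example.com
Subject: photographs
Authentication-Results: spf=pass (sender IP is 203.0.113.10)
 smtp.mailfrom=alumnos.uaslp.mx; dkim=pass (signature was verified)
 header.d=uaslp.mx; dmarc=pass action=none header.from=alumnos.uaslp.mx;
 compauth=pass reason=100
Content-Type: text/plain; charset="utf-8"

found and wanted to share these photographs
https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fjfedp.hvdxrsausc.com%3A8443%2F&data=05%7C02%7C&sdata=x&reserved=0

This message is confidential and intended only for the addressee.
"""

# Assumed address book: the address the recipient's real contact actually uses.
KNOWN_CONTACTS = {"jane example": "jane.example@example-isp.ca"}
# Assumed stand-in for a WHOIS/RDAP lookup; the date is the one given in the write-up.
REGISTRATION_DATE = {"hvdxrsausc.com": date(2026, 4, 8)}
SEEN_ON = date(2026, 4, 20)  # assumed delivery date
LURE_WORDS = ("photo", "share", "look at", "see this")
BUSINESS_WORDS = ("invoice", "payment", "urgent", "password", "verify", "account")
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]{4,}")


def auth_results(msg):
    """Pull the spf/dkim/dmarc/compauth verdicts out of Authentication-Results."""
    header = str(msg.get("Authentication-Results", ""))
    return dict(re.findall(r"\b(spf|dkim|dmarc|compauth)=(\w+)", header))


def extract_links(body):
    return re.findall(r"https?://[^\s<>\"']+", body)


def decode_safelinks(url):
    """Unwrap a SafeLinks URL to the destination it protects; pass other URLs through."""
    parts = urlparse(url)
    if parts.hostname and parts.hostname.endswith("safelinks.protection.outlook.com"):
        inner = parse_qs(parts.query).get("url")
        if inner:
            return inner[0]
    return url


def registrable_domain(host):
    # Last two labels: fine for .com, wrong for suffixes like .co.uk (use a public suffix list).
    return ".".join(host.lower().split(".")[-2:])


def looks_random(label):
    """Crude lexical test: few vowels or a long consonant run suggests a generated name."""
    if len(label) < 8:
        return False
    vowel_ratio = sum(c in "aeiou" for c in label) / len(label)
    return vowel_ratio < 0.3 or CONSONANT_RUN.search(label) is not None


def domain_age_days(domain, seen_on):
    registered = REGISTRATION_DATE.get(domain)
    return None if registered is None else (seen_on - registered).days


def curiosity_lure(body):
    low = body.lower()
    return any(w in low for w in LURE_WORDS) and not any(w in low for w in BUSINESS_WORDS)


def evaluate(raw, seen_on=SEEN_ON):
    """Score the message on behavioral signals; auth results are recorded but never count."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"]))
    body = msg.get_content()
    findings = []

    known = KNOWN_CONTACTS.get(name.strip().lower())
    if known and known.lower() != addr.lower():
        findings.append(f"display name {name!r} belongs to {known}, not {addr}")

    destinations = [decode_safelinks(u) for u in extract_links(body)]
    for url in destinations:
        parts = urlparse(url)
        host = parts.hostname or ""
        domain = registrable_domain(host)
        if parts.port not in (None, 80, 443):
            findings.append(f"non-standard port {parts.port} on {host}")
        if looks_random(domain.split(".")[0]):
            findings.append(f"random-looking domain {domain}")
        age = domain_age_days(domain, seen_on)
        if age is not None and age <= 30:
            findings.append(f"{domain} registered {age} days before delivery")

    if curiosity_lure(body):
        findings.append("curiosity lure with no business context")

    return {"auth": auth_results(msg), "destinations": destinations, "findings": findings,
            "verdict": "quarantine" if len(findings) >= 3 else "deliver"}


if __name__ == "__main__":
    result = evaluate(RAW_MESSAGE)
    print("auth:", result["auth"], "destinations:", result["destinations"])
    for finding in result["findings"]:
        print("-", finding)
    print("verdict:", result["verdict"])
```

Run as a script, it prints all four authentication verdicts as pass and still reaches a quarantine verdict on five behavioral findings, which is the point of the case: the authentication block is reported for the analyst but contributes nothing to the decision. The registrable-domain shortcut and the vowel-ratio test are deliberately crude stand-ins for a public suffix list and a trained lexical model.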
| Type | Indicator | Context |
|---|---|---|
| Sender Address | a374859@alumnos.uaslp[.]mx | compromised Mexican university student account |
| Display Name | Impersonated known external contact | Real contact uses Canadian ISP domain |
| Payload Domain | jfedp.hvdxrsausc[.]com:8443 | registered Apr 8, 2026, privacy WHOIS |
| Registrar | Privacy-protected | Random-string domain, disposable infrastructure |
| Auth Results | SPF: pass, DKIM: pass, DMARC: pass | Microsoft infrastructure, compauth pass |
| Lure Type | Curiosity ("share these photographs") | Single link, no attachments |
| Footer | University confidentiality disclaimer | Institutional trust artifact |

| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | Single link to credential harvest page on port 8443 |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Display name impersonation of known external contact |
| Valid Accounts | T1078 | Compromised university student account with full authentication |

| Attack | What happened |
|---|---|
| How ARC Re-Signing and an IP Allow-List Turned Three Authentication Failures Into SCL -1 | A phishing email claiming to be a OneDrive share from an outlook.com address originated from a county government mail server. |
| The SOC Alert That Came From a Compromised FinTech: An Authenticated BlueVine Sender Delivering a Typosquat Link Buried in Operational Context | A fully authenticated email from bluevine.com impersonated an internal SOC quarantine notification. |
| The DocuSign That Lived on an S3 Bucket (and Couldn't Decide Who Sent It) | A DocuSign phishing email passed SPF, DKIM, and DMARC for a real K-12 school district domain. |
| The Subdomain That Fused Two Trusted Brands Into One Convincing Lie | Attackers fused two real brand names into a single subdomain, routed the message through Zix infrastructure to inherit enterprise authentication. |
| Three Google Domains, One Redirect Chain, and a Turkish Landing Page | A phishing email routed its CTA through three Google-owned domains before landing on an unrelated Turkish website. |