A Salesforce CRM subdomain hosted the phishing payload. The sending domain passed SPF, DKIM, and DMARC. Microsoft Exchange assigned it an SCL of 1. And the email body contained raw JavaScript blocks leaking the attacker's internal CRM configuration to anyone who viewed the HTML source.
This attack landed in the inbox of an employee at a national facilities services company, disguised as a subscription renewal notice from a major networking vendor. The subject line named the target company explicitly. The body discussed a completely different vendor's product line. And every technical authentication check said the message was legitimate.
The email originated from Salesforce's Email-as-a-Service (EaaS) infrastructure. The relay chain tells the story: the message left a local Salesforce cluster node (eaas-36), passed through a Salesforce MTA at IP 54[.]201[.]196[.]236, and was delivered directly into Microsoft 365 via Exchange Online Protection.
The sending domain belonged to a Fortune 100 technology company. DMARC authentication returned pass with action=none. SPF validated the Salesforce MTA IP against the sender domain's DNS records. DKIM passed with a selector name that explicitly tied the signature to the networking vendor's Salesforce org: mistsfdc.
That DKIM selector is the first crack in the story. It reveals that the sending domain's DNS has been configured to authenticate emails originating from a specific Salesforce CRM instance belonging to a subsidiary networking brand. The email was not sent from the parent company's standard communication channels. It was generated by a CRM template inside a subsidiary's Salesforce org, authenticated under the parent company's domain.
The subject line read: [Target Company Name] : 14 days contract expiration notification. The body opened with a generic team greeting and referenced "your Mist Service contract 00104248," warning that the contract "expires on April 10, 2026" and that the recipient would "loose all functions of the Mist subscriptions" after a 14-day grace period.
The mismatch is immediate. The subject references the target company. The body references a networking vendor's cloud management platform. The sender address belongs to a third, parent technology company. Three different brands in a single message.
The body included a subscription summary table with four line items (SUB-0503186 through SUB-0503189), product names matching networking appliance SKUs, and a reference to "Mist Sales Order 40076527." These details create the illusion of specificity. They suggest the attacker either fabricated plausible contract data or obtained real subscription information through a prior compromise.
The email closed with "Regards, Mist Renewal Team." No direct credential harvesting link appeared in the visible body text, but images were served from the CRM subdomain, and the urgency framing ("expires today") was designed to push the recipient toward engaging with the sender directly.
The most damning evidence was invisible to the recipient but visible in the HTML source. Embedded inside the subscription table's first cell was a full JavaScript script block containing a UserContext.initialize() call from the Salesforce platform. This block leaked:
- Salesforce Org ID: 00D61000000Jnov
- Salesforce User ID: 0054N000003v1cw
- Sending username: adewein@juniper[.]net[.]mist
- CRM subdomain: junipermist[.]my[.]salesforce[.]com
- Visualforce domain pattern: junipermist--(?:[^.]+)[.]vf[.]force[.]com
- Lightning domain: junipermist[.]lightning[.]force[.]com

Legitimate vendor renewal emails do not contain raw Salesforce script blocks. This leakage indicates the email was generated from a Visualforce email template inside the CRM instance, and the template was either misconfigured or intentionally left unstripped. Either way, the CRM artifacts expose the entire Salesforce org structure to any analyst who views the raw HTML.
The image tracking pixel at the bottom of the email also pointed to the CRM subdomain: hxxps://junipermist[.]my[.]salesforce[.]com/servlet/servlet.ImageServer?oid=00D61000000Jnov&esid=018VO00000j6frN&from=ext.
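One way to automate the HTML-source inspection described above, as an added example (not code from the original write-up or from any vendor): it scans the raw body for the artifact classes named here, namely UserContext.initialize() blocks, Salesforce org and user IDs, my.salesforce.com / force.com hosts, and the ImageServer tracking pixel. The sample HTML, IDs and hostnames are constructed placeholders.

```python
import re
from html import unescape
# Constructed sample modelled on the structure the write-up describes: a
# subscription table whose first cell carries a raw Salesforce script block,
# plus an ImageServer tracking pixel. All IDs and hostnames are placeholders.
SAMPLE_HTML = """
<table><tr><td><script type="text/javascript">
UserContext.initialize({"orgId":"00DAA000000ABCD","userId":"005AA000000EFGH",
 "uriHost":"examplecorp.my.salesforce.com",
 "lightningDomain":"examplecorp.lightning.force.com"});
</script>SUB-0000001</td><td>Example Appliance, 1 year</td></tr></table>
<p>Regards, Renewal Team</p>
<img src="https://examplecorp.my.salesforce.com/servlet/servlet.ImageServer?oid=00DAA000000ABCD&amp;esid=018AA000000IJKL&amp;from=ext" width="1" height="1">
"""

# Salesforce record IDs are 15 or 18 alphanumerics whose 3-char prefix gives
# the object type: 00D = organisation, 005 = user.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
USERCONTEXT_RE = re.compile(r"UserContext\.initialize\s*\(")
ORG_ID_RE = re.compile(r"\b00D[A-Za-z0-9]{12}(?:[A-Za-z0-9]{3})?\b")
USER_ID_RE = re.compile(r"\b005[A-Za-z0-9]{12}(?:[A-Za-z0-9]{3})?\b")
SF_HOST_RE = re.compile(r"\b[a-z0-9-]+\.(?:my\.salesforce\.com|lightning\.force\.com|vf\.force\.com)\b", re.I)
PIXEL_RE = re.compile(r"servlet/servlet\.ImageServer\?[^\"'\s>]*\boid=(00D[A-Za-z0-9]{12})", re.I)

def scan_crm_artifacts(html: str) -> dict:
    """Collect CRM template artifacts from an email's raw HTML source."""
    text = unescape(html)                      # &amp; -> & so URL params parse
    scripts = SCRIPT_RE.findall(text)
    pixel = PIXEL_RE.search(text)
    return {
        "usercontext": any(USERCONTEXT_RE.search(s) for s in scripts),
        "org_ids": sorted(set(ORG_ID_RE.findall(text))),
        "user_ids": sorted(set(USER_ID_RE.findall(text))),
        "salesforce_hosts": sorted({h.lower() for h in SF_HOST_RE.findall(text)}),
        "tracking_pixel_org": pixel.group(1) if pixel else None,
    }

def crm_template_indicators(findings: dict) -> list:
    """Reasons the message looks generated inside a CRM org rather than by a vendor's notification system."""
    reasons = []
    if findings["usercontext"]:
        reasons.append("raw Salesforce UserContext.initialize() block in body")
    if findings["org_ids"]:
        reasons.append("Salesforce org ID exposed: " + ", ".join(findings["org_ids"]))
    if findings["tracking_pixel_org"]:
        reasons.append("ImageServer tracking pixel tied to org " + findings["tracking_pixel_org"])
    if findings["salesforce_hosts"]:
        reasons.append("Salesforce hosts referenced: " + ", ".join(findings["salesforce_hosts"]))
    return reasons
```

Run it over the decoded HTML part of a suspicious message; an empty indicator list on a clean vendor notification is the expected baseline.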
This attack maps to several techniques documented in the MITRE ATT&CK framework:
| Type | Indicator | Context |
|---|---|---|
| Domain | junipermist[.]my[.]salesforce[.]com | Salesforce CRM subdomain hosting email assets and tracking pixel |
| Domain | junipermist[.]lightning[.]force[.]com | Aura/Lightning domain leaked in CRM script block |
| Domain | junipermist--(?:[^.]+)[.]vf[.]force[.]com | Visualforce domain pattern leaked in UserContext config |
| IP | 54[.]201[.]196[.]236 | Salesforce MTA relay IP |
| Email address | lan-anh[.]nguyen-dewein@hpe[.]com | Sender address (From and Return-Path) |
| URL | hxxps://junipermist[.]my[.]salesforce[.]com/servlet/servlet.ImageServer?oid=00D61000000Jnov&esid=018VO00000j6frN&from=ext | Tracking pixel hosted on CRM subdomain |
| Salesforce Org ID | 00D61000000Jnov | Leaked CRM org identifier |
| Salesforce User ID | 0054N000003v1cw | Leaked sending user identifier |
| DKIM Selector | mistsfdc | DKIM selector tying parent domain to subsidiary CRM org |
This email passed every technical check that traditional email security relies on. SPF passed because Salesforce's MTA is an authorized sender for the domain. DKIM passed because the domain's DNS includes a selector specifically for this Salesforce org. DMARC passed because both SPF and DKIM aligned with the header From domain. Microsoft's Composite Authentication returned compauth=pass reason=100, the highest confidence score.
According to the Verizon 2024 Data Breach Investigations Report, phishing remains the initial access vector in over 36% of breaches. The FBI IC3 2024 Annual Report documented $2.9 billion in BEC losses, with vendor impersonation as a growing subcategory. The Microsoft Digital Defense Report 2024 specifically called out the abuse of legitimate cloud services as a top phishing trend, noting that "attackers increasingly use trusted cloud services to host malicious content."
CISA's phishing guidance recommends verifying renewal notices through known vendor portals rather than responding to email prompts. That advice is sound, but it assumes the recipient recognizes the email as suspicious in the first place.
IRONSCALES Adaptive AI flagged this message at 85% confidence as a credential theft attempt. The detection was not based on domain reputation or authentication results (both were clean). It was based on behavioral and linguistic signals: the cross-brand inconsistency between subject and body, the urgency framing around a same-day deadline, the grammatical errors ("loose" instead of "lose"), and the first-time sender context. These are the signals that survive when attackers co-opt legitimate infrastructure.
Verify subscription renewals through your vendor's official portal, not through links or contacts provided in the email itself. If a renewal notice references a contract expiring today, that urgency is designed to bypass your verification process.
Inspect the HTML source of suspicious vendor emails. CRM template artifacts (Salesforce UserContext blocks, Visualforce template IDs, org configuration data) indicate the email was generated inside a CRM instance rather than through a vendor's standard notification system.
Monitor for DKIM selectors that reference third-party platforms. A selector like mistsfdc on a parent company's domain reveals that subsidiary CRM systems are authorized to send authenticated email under that domain. This is a legitimate configuration, but it expands the trust surface significantly.
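As an added example (not the post's own code or any vendor's) serving the authentication discussion above and this selector-monitoring recommendation, here is how Authentication-Results and the relay chain can be turned into a trust-surface check rather than a verdict: it parses the header, pulls the DKIM selector and alignment, and flags a full pass that rests on a third-party platform selector or an EaaS relay hop. The headers, domains, IP and selector are constructed placeholders, and PLATFORM_SELECTOR_HINTS is an assumed starter list.

```python
import re
from email import message_from_string
# Constructed headers modelled on the relay chain and Authentication-Results
# the write-up describes; hosts, IP, domains and the selector are placeholders.
SAMPLE_HEADERS = """\
Authentication-Results: spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=parent.example;
 dkim=pass (signature was verified) header.d=parent.example header.s=brandsfdc;
 dmarc=pass action=none header.from=parent.example;compauth=pass reason=100
Received: from eaas-36.mta.crm.example (203.0.113.10) by mx.target.example with ESMTPS
From: "Renewal Team" <renewals@parent.example>
Subject: Target Corp : 14 days contract expiration notification

"""
# Assumed starter list of selector substrings naming a third-party sending
# platform ("sfdc" is the usual Salesforce.com abbreviation); extend per tenant.
PLATFORM_SELECTOR_HINTS = ("sfdc", "salesforce", "pardot", "sendgrid", "mailchimp", "hubspot")

def parse_auth_results(value: str) -> dict:
    """Parse Authentication-Results into {method: {"result": ..., prop: value}}."""
    value = re.sub(r"\([^)]*\)", "", value)   # drop parenthesised comments
    value = re.sub(r"\s+", " ", value)        # unfold continuation lines
    results = {}
    for clause in value.split(";"):
        tokens = re.findall(r"([\w.]+)=(\S+)", clause)
        if tokens:
            method, result = tokens[0]
            results[method] = {"result": result, **dict(tokens[1:])}
    return results

def trust_surface_report(raw_headers: str) -> dict:
    """Summarise what 'every check passed' actually rests on for this message."""
    msg = message_from_string(raw_headers)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    match = re.search(r"@([\w.-]+)", msg.get("From", ""))
    from_domain = match.group(1).lower() if match else ""
    dkim = auth.get("dkim", {})
    selector = dkim.get("header.s", "").lower()
    hops = msg.get_all("Received") or []
    return {
        "all_auth_pass": all(auth.get(m, {}).get("result") == "pass" for m in ("spf", "dkim", "dmarc")),
        "compauth_reason": auth.get("compauth", {}).get("reason"),
        "dkim_selector": selector,
        "dkim_aligned": bool(from_domain) and dkim.get("header.d", "").lower() == from_domain,
        "platform_selector": any(hint in selector for hint in PLATFORM_SELECTOR_HINTS),
        "relayed_via_eaas": any("eaas-" in hop.lower() for hop in hops),
    }

def needs_content_review(report: dict) -> bool:
    """A pass that rests on a third-party platform is a trust-surface fact, not a verdict."""
    return report["all_auth_pass"] and (report["platform_selector"] or report["relayed_via_eaas"])
```

The report is meant to route a message to content and behavioral analysis, not to block it: the same signals appear on legitimate CRM-generated mail from the same org.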
Deploy behavioral email analysis that evaluates content consistency, sender patterns, and urgency signals independently of authentication results. When every technical check says "legitimate" and the content says "act now before you lose access," that gap between authentication and intent is where modern phishing lives.