When a polished vendor pitch lands in an executive inbox, the first instinct is to evaluate the offer, not question the sender. That is exactly what makes trust-building vendor scams so effective. This case involved a freshly registered domain, legitimate marketing infrastructure, and a message that contained zero malicious payloads. The entire attack was designed to do one thing: start a conversation.
The email arrived at a VIP mailbox inside an email security vendor. It addressed the recipient by first name, pitched website design services, and asked for a brief call. SPF passed for bounce.s13.mc.pd25[.]com (the marketing bounce domain), DKIM passed for maxifie[.]com, and DMARC passed. On paper, the authentication was clean. In practice, the sender domain had existed for less than a week.
Microsoft's spam confidence scoring caught it: SCL=5 with multiple antispam signature matches, and the message was quarantined before it reached the recipient.
The infrastructure behind this message tells the story. The sender domain maxifie[.]com was registered through COSMOTOWN, INC. with Cloudflare nameservers and privacy-protected WHOIS contacts. The sending IP 128.245.249[.]20 resolved to amg20.mta.exacttarget[.]com, a mail transfer agent within Salesforce Marketing Cloud (ExactTarget). The return-path used bounce.s13.mc.pd25[.]com, a standard marketing bounce domain for the platform.
This is not a novel technique, but it remains effective. By configuring a new domain within a major marketing platform, the attacker inherited the deliverability reputation of that platform. The only embedded link was a Pardot unsubscribe confirmation URL (go.pardot[.]com), which scanned clean. No credential-harvesting pages, no file downloads, no tracking redirects beyond standard marketing pixels.
The DMARC policy for maxifie[.]com was set to p=none, meaning even if alignment had failed, no enforcement action would have been taken. For a domain that existed solely to send this campaign, a permissive DMARC policy is expected. The attacker had no legitimate mail flow to protect.
The message itself was brief and professional. High writing quality, no urgency language, no fear-based tactics. It mimicked the exact tone of a legitimate SaaS cold outreach email. The personalization (first name, implied knowledge of the company's website) suggested prior reconnaissance or data enrichment.
This is the setup phase of a multi-touch vendor scam. If the recipient had replied, the follow-up messages would likely have escalated to invoice requests, credential-harvesting links, or document-based payloads. The harmless first contact is the entire point.
The VIP targeting adds another dimension. Executives have authority to approve invoices, initiate wire transfers, and grant system access. A vendor relationship established through what appears to be legitimate business outreach creates a foundation of trust that makes subsequent malicious requests more likely to succeed.
maxifie[.]com was registered shortly before the campaign, a disposable domain for a single-use operation.

MITRE Reference

Traditional secure email gateways evaluate the message at the moment of delivery: authentication, payload scanning, URL reputation. When all three are clean, the message passes. This is exactly why vendor scams work. There is nothing malicious to detect in the initial message.
Themis, the IRONSCALES Adaptive AI, evaluates behavioral context that static filters miss. Domain age, first-time sender status, VIP recipient targeting, and communication pattern anomalies all factor into the risk assessment. In this case, the combination of a brand-new domain, marketing-platform delivery, and a VIP recipient was sufficient to flag the message.
The IRONSCALES community-driven threat intelligence network adds another layer. When similar vendor-scam patterns appear across multiple organizations, the collective signal accelerates detection for everyone. Research shows that 67.5 phishing emails per 100 mailboxes per month bypass traditional secure email gateways. Many of those are trust-building first contacts like this one.
A p=none policy on a newly registered domain is a reliable risk indicator when combined with first-time sender status.

| Indicator | Type | Context |
|---|---|---|
| maxifie[.]com | Domain | Sender domain, registered recently, privacy-protected WHOIS |
| 128.245.249[.]20 | IP | Sending IP, resolves to amg20.mta.exacttarget[.]com |
| bounce.s13.mc.pd25[.]com | Domain | Marketing bounce return-path domain |
| go.pardot[.]com | Domain | Unsubscribe link domain (Salesforce Pardot) |
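As an added example (not IRONSCALES' code or Themis's actual model), a minimal behavioral scorer over the signals this case turns on: it parses a constructed Authentication-Results header modelled on the message, then combines domain age, first-time sender status, VIP targeting, the published DMARC policy and marketing-platform delivery into a verdict. The weights, the 60/30 thresholds and the 30-day "new domain" cutoff are assumptions.

```python
import re
from dataclasses import dataclass, replace

@dataclass
class MessageContext:
    auth_results: str        # raw Authentication-Results header value
    dmarc_policy: str        # published DMARC policy for the From: domain
    domain_age_days: int     # delivery date minus WHOIS creation date
    first_time_sender: bool  # no prior mail from this domain to the org
    vip_recipient: bool
    marketing_platform: bool # delivered via a shared ESP such as ExactTarget

# Hypothetical weights and 60/30 thresholds (not IRONSCALES' model): a new
# domain alone does not reach the quarantine line; the combination does.
WEIGHTS = {"auth_fail": 40, "new_domain": 25, "first_time_sender": 15,
           "vip_target": 15, "new_domain_p_none": 10, "platform_reputation": 10}
def parse_auth(header: str) -> dict:  # spf/dkim/dmarc verdicts from the header
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))
def risk_signals(ctx: MessageContext) -> list:
    auth = parse_auth(ctx.auth_results)
    new_domain = ctx.domain_age_days < 30   # assumed "newly registered" cutoff
    signals = []
    if any(auth.get(m) != "pass" for m in ("spf", "dkim", "dmarc")):
        signals.append("auth_fail")
    if new_domain:
        signals.append("new_domain")
        if ctx.dmarc_policy == "none":      # no enforcement; nothing to protect
            signals.append("new_domain_p_none")
        if ctx.marketing_platform:          # deliverability reputation is the ESP's
            signals.append("platform_reputation")
    if ctx.first_time_sender:
        signals.append("first_time_sender")
    if ctx.vip_recipient:
        signals.append("vip_target")
    return signals
def risk_score(ctx: MessageContext) -> int:
    return sum(WEIGHTS[s] for s in risk_signals(ctx))
def verdict(ctx: MessageContext) -> str:
    score = risk_score(ctx)
    return "quarantine" if score >= 60 else "flag" if score >= 30 else "deliver"

# Constructed header modelled on the case: all three mechanisms pass.
CASE = MessageContext(
    auth_results="spf=pass smtp.mailfrom=bounce.s13.mc.pd25.com; dkim=pass "
                 "header.d=maxifie.com; dmarc=pass header.from=maxifie.com",
    dmarc_policy="none", domain_age_days=5, first_time_sender=True,
    vip_recipient=True, marketing_platform=True)
# Same clean authentication from an established vendor the org already mails.
KNOWN_VENDOR = replace(CASE, domain_age_days=3650, dmarc_policy="reject", first_time_sender=False)
```

Authentication contributes nothing to the score when it passes; only the context around the sender separates the two messages.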