The Curiosity Lure Sent From a Compromised Moroccan Training Account

TL;DR A threat actor compromised a legitimate Microsoft 365 account belonging to a Moroccan vocational training organization and used it to send a phishing email that impersonated a known contact via exact display-name matching. The message contained a single sentence designed to provoke curiosity about shared images, with one URL pointing to a same-day-registered domain (eriegatw[.]com via Namecheap, privacy WHOIS) fronted by an obfuscated subdomain and a long random path string. SPF passed because the message legitimately originated from Microsoft 365 outbound infrastructure. DKIM results were mixed. The link scanner returned a clean verdict because the domain had zero historical reputation data. Three evasion layers worked together: authenticated sending infrastructure from a compromised account, display-name impersonation of a known contact, and a payload URL with no reputation history for scanners to flag. IRONSCALES Adaptive AI detected the behavioral anomaly cluster and quarantined the message before the recipient engaged.
Severity: High. Tags: Phishing, Impersonation, Compromised Account. MITRE ATT&CK: T1566.002 (Phishing: Spearphishing Link), T1586.002 (Compromise Accounts: Email Accounts), T1583.001 (Acquire Infrastructure: Domains), T1656 (Impersonation).

The display name said it was someone the recipient knew. The sending address belonged to a Moroccan vocational training organization. The subject line referenced a personal trip. And the single link in the body pointed to a domain that had existed for less than a day.

Three evasion layers, each designed to defeat a different class of defense, working in concert. Authentication checks saw a legitimate organizational account. The recipient saw a familiar name. Link scanners saw a domain with no history to flag. Nothing in the signal chain raised an alarm on its own.

A Compromised Educational Account as Sending Infrastructure

The email originated from a mailbox at a Moroccan vocational training organization, a legitimate institution with a long-established domain and active Microsoft 365 infrastructure. The attacker did not spoof the domain. They compromised an account on it and sent the phishing email through the organization's own authenticated mail path.

This is the critical distinction. SPF passed because the message genuinely routed through Microsoft 365 outbound protection (IP 2a01:111:f403:c200::1), which is included in the domain's SPF record. The infrastructure was authorized. The person controlling the mailbox was not.

DKIM results were mixed: the message failed DKIM validation for the organization's onmicrosoft[.]com subdomain but passed via ARC (Authenticated Received Chain) for the primary domain. DMARC produced mixed results as well. For any automated system evaluating authentication signals in aggregate, the picture was ambiguous at worst and passing at best.

This maps to MITRE ATT&CK T1586.002 (Compromise Accounts: Email Accounts). The attacker acquired access to a legitimate organizational mailbox specifically to inherit its sending reputation and authentication posture. No attacker-controlled sending infrastructure was needed.

According to the APWG Phishing Activity Trends Report, compromised accounts at legitimate organizations are increasingly used as phishing relay points because they pass authentication checks that purpose-built attacker infrastructure cannot.


Display-Name Impersonation With a Personal Hook

The display name on the email matched a known contact of the recipient. The envelope sender address, a mailbox at a Moroccan educational institution, had no relationship to that person. But most email clients display the friendly name prominently and the actual address in small text or behind a click. The impersonation exploited that UI decision.

The subject line, "Re: Trip in June 2026," reinforced the deception. The "Re:" prefix implied an existing conversation thread. The topic was personal, not professional. Combined with the trusted display name, the message framed itself as a continuation of a private exchange between two people who know each other.

The body was a single sentence: a casual note about shared images and a single URL. No credential request. No payment demand. No urgency language. No corporate branding. No footer. The entire social engineering payload was curiosity: "I saw something that reminded me of you, here are the images."

This is MITRE ATT&CK T1656 (Impersonation) combined with T1566.002 (Phishing: Spearphishing Link). The display-name impersonation provided social context, and the curiosity hook provided motivation to click without any of the urgency triggers that security awareness training teaches users to recognize.

A Same-Day Domain That Scanners Could Not Evaluate

The URL in the email body pointed to hxxps://pdefi.eriegatw[.]com/iaineielehaedirhnrsh. Three layers of obfuscation were stacked into that single link.

The root domain (eriegatw[.]com) was registered the same day the email was sent via Namecheap with privacy protection enabled on the WHOIS record. The domain had zero historical footprint: no prior DNS resolution, no crawl history, no abuse reports, no presence on any blocklist.

The subdomain (pdefi) is an obfuscated string with no semantic meaning. It serves as a campaign or target identifier and adds visual noise that makes the URL harder to parse at a glance.

The path (/iaineielehaedirhnrsh) is a long random string, likely unique per target or per campaign wave. Randomized paths make it harder for threat intelligence platforms to correlate multiple recipients of the same campaign and prevent URL pattern matching.

The link scanner evaluated this URL and returned a clean verdict. That result was a false negative, and it was predictable. Reputation-based scanning depends on historical data. A domain that has existed for hours has no history to evaluate. The scanner had no past abuse, no behavioral baseline, and no blocklist match. Without negative signals, the default classification was clean.

This is MITRE ATT&CK T1583.001 (Acquire Infrastructure: Domains). The domain was a disposable asset, registered for a single campaign and designed to be burned after use.

Three Layers, One Coordinated Evasion

Each evasion layer targeted a different defense:

Layer 1: Compromised account. The legitimate organizational mailbox provided SPF-passing sending infrastructure. Authentication-based filters saw a real organization with a decade-old domain and active Microsoft 365 configuration. No signal to block.

Layer 2: Display-name impersonation. The familiar name made the message look like personal correspondence from a known contact. DMARC does not evaluate display names, and neither do SPF or DKIM. Protocol-level authentication was blind to this layer entirely.

Layer 3: Zero-reputation payload domain. The same-day registration with privacy WHOIS, obfuscated subdomain, and randomized path produced a URL that reputation scanners had no basis to classify. Clean verdict by default.

No single layer was novel. Compromised accounts, display-name impersonation, and fresh domains are all well-documented tactics. The effectiveness came from layering them so that each one covered the detection gap the others left open.

The Signal That Caught It

Content-based analysis had almost nothing to work with. The body was a single sentence with no malicious keywords, no brand impersonation, no urgency, and no credential form. The URL returned clean from the scanner. Authentication was passing.

IRONSCALES Adaptive AI flagged the message on a cluster of behavioral signals:

  • Sender-recipient relationship anomaly. The display name matched a known contact, but the sending address had never communicated with the recipient before. That mismatch between claimed identity and actual sending history is a primary impersonation indicator.
  • Same-day domain in payload. The URL pointed to a domain with zero prior resolution history and privacy-protected registration, a pattern strongly correlated with disposable phishing infrastructure.
  • Social engineering pattern match. A minimal body with a single URL and a curiosity hook, sent from a first-time sender impersonating a known contact, fits the behavioral profile of targeted phishing that avoids content-based detection.

The message was quarantined before the recipient clicked.
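The three signals above as a runnable check over message metadata. This is an added example, not IRONSCALES code: the known-contact directory, the sender history, the send date and the domain creation dates are constructed sample data, and the local part of the compromised sender address is a placeholder. It also exercises the two takeaways later in the post (display-name mismatch against sender history, and treating a same-day domain as a signal rather than trusting a clean scanner verdict).

```python
from datetime import date
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample data (not from the post): the recipient's address book and
# the set of addresses that have previously mailed this recipient.
KNOWN_CONTACTS = {"alex rivera": "alex.rivera@example.org"}
SENDER_HISTORY = {"alex.rivera@example.org", "newsletter@example.org"}
# Constructed send date and WHOIS-style creation dates; the post only says the
# payload domain was registered the same day the email was sent.
SENT_ON = date(2026, 3, 2)
DOMAIN_CREATED = {"eriegatw.com": date(2026, 3, 2), "example.org": date(1995, 8, 14)}

def refang(url):
    """Turn the post's defanged notation (hxxps, [.]) back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")

def root_domain(host):
    """Two-label root of a host (simplification: no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])

def score_message(from_header, subject, urls, sent_on=SENT_ON):
    """Return the behavioral signals a message triggers, strongest first."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    first_time = addr not in SENDER_HISTORY
    signals = []
    # 1. Claimed identity vs. sending history: the display name resolves to a known
    #    contact, but the address is neither that contact nor any past sender.
    expected = KNOWN_CONTACTS.get(display.strip().lower())
    if expected and addr != expected and first_time:
        signals.append("sender-recipient relationship anomaly")
    # 2. Payload domain registered the day the mail was sent: a clean scanner
    #    verdict here means "no data", so the age itself is the signal.
    for url in urls:
        root = root_domain(urlparse(refang(url)).hostname or "")
        created = DOMAIN_CREATED.get(root)
        if created is not None and (sent_on - created).days < 1:
            signals.append(f"same-day domain in payload: {root}")
    # 3. Minimal lure: a "Re:" thread that no prior conversation supports, plus a
    #    single link, from an address that has never written to this recipient.
    if first_time and subject.lower().startswith("re:") and len(urls) == 1:
        signals.append("social engineering pattern match")
    return signals

def analyze_sample():
    """The post's message; the local part at the compromised domain is a placeholder."""
    return score_message('"Alex Rivera" <user@ofppt-edu.ma>', "Re: Trip in June 2026",
                         ["hxxps://pdefi.eriegatw[.]com/iaineielehaedirhnrsh"])
```

A real deployment would replace the constructed dictionaries with the mail platform's contact graph and a WHOIS or RDAP lookup, but the ordering of checks is the point: sender history and domain age are evaluated before any content scoring.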

Indicators of Compromise

| Type | Indicator | Context |
| --- | --- | --- |
| Sender Domain | ofppt-edu[.]ma | Compromised Moroccan vocational training organization (long-established domain) |
| Sending IP | 2a01:111:f403:c200::1 | Microsoft 365 outbound protection (SPF pass) |
| Attacker Domain | eriegatw[.]com | Registered same day as email, Namecheap, privacy WHOIS |
| Malicious URL | hxxps://pdefi.eriegatw[.]com/iaineielehaedirhnrsh | Obfuscated subdomain + randomized path |
| Authentication | SPF=pass, DKIM=mixed, DMARC=mixed | Compromised account inherits legitimate auth posture |
| Subject | Re: Trip in June 2026 | Personal curiosity lure with fabricated thread prefix |

MITRE ATT&CK Mapping

| Technique | ID | Relevance |
| --- | --- | --- |
| Phishing: Spearphishing Link | T1566.002 | Single malicious URL in curiosity-driven email body |
| Compromise Accounts: Email Accounts | T1586.002 | Compromised organizational mailbox used as authenticated sending infrastructure |
| Acquire Infrastructure: Domains | T1583.001 | Same-day registered domain for payload hosting |
| Impersonation | T1656 | Display-name impersonation of known contact |

What Defenders Should Take From This

Treat display-name mismatches as a first-class detection signal. When the display name matches a known contact but the sending address has no prior communication history with the recipient, that divergence is a stronger indicator than any content-based signal in the email body. Behavioral detection that correlates claimed identity against actual sender history catches what authentication protocols cannot.

Do not trust link scanner verdicts on zero-history domains. A clean verdict on a domain registered the same day the email was sent is not evidence of safety. It is evidence that the scanner has no data. Flag same-day registrations with privacy-protected WHOIS as high-risk regardless of scanner output.

Recognize curiosity lures as a distinct social engineering category. Security awareness training focuses heavily on urgency, authority, and fear. Curiosity-based lures, a casual note about shared photos from a familiar name, bypass those trained responses because they feel personal and low-pressure. Train users to verify out-of-band when the message content does not match the sender's known communication patterns, even if the tone feels friendly.

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
