The Mortgage Login Page That Rode Through Two Security Vendors

The recipient saw a professional mortgage company email with a login prompt, a familiar-looking URL, and a signature block with an NMLS number. The visible URL pointed to 9168050941.lombard[.]finance, which looked like a legitimate internal application. It did not resolve in DNS. The actual click path traveled through two security vendor URL rewriting services before landing on a credential harvesting page hosted on entirely different infrastructure.

The Identity That Didn't Match Itself

The message was sent from sch.sisconthosting[.]com via Amazon SES at IP 54[.]240[.]7[.]39. SPF passed. DKIM passed for both sch.sisconthosting[.]com and amazonses.com. The domain was registered in 2020 through PublicDomainRegistry with a Peruvian registrant.

The visible signature displayed hr@lombard[.]finance as the sender's contact. But the underlying HTML mailto: pointed to fortunato@carpenterhomeloans[.]com, a completely different domain. Anyone clicking the email address in the signature would compose a reply to a domain the attacker controlled, not the one displayed. This display-action mismatch extended to the authority claim: the message included "NMLS # 9168050941" to project regulatory credibility, but no linkage existed between that number and lombard[.]finance.

Two Security Vendors in the Redirect Chain

The "Login and complete tasks" button did not point to lombard[.]finance. The click path was:

1. linklock.titanhq[.]com (TitanHQ LinkLock, a URL rewriting gateway)
2. url-shield.securence[.]com (Securence URL Shield, another URL rewriting service)
3. sch.sisconthosting[.]com/docs/index.html (final landing: credential harvesting page)

Both TitanHQ and Securence are legitimate email security products that rewrite URLs to scan them. Their presence in the redirect chain meant the link appeared to have been vetted by not one but two security tools. If either service scanned the destination at rewrite time and found it clean (perhaps because the harvesting page was not yet live, or because it served benign content to known scanner IPs), the rewritten URL would carry their domain in the path, lending false credibility.

The final destination at sch.sisconthosting[.]com/docs/index.html presented a login form with the text "Login and complete tasks." A 1x1 tracking pixel in the email body confirmed the recipient opened the message before they clicked anything.

What Made It Visible

IRONSCALES flagged the non-resolving displayed URL, the credential harvesting landing page classification, and the display-mailto mismatch in the signature block. The security vendor domains in the redirect chain did not suppress the behavioral signals that the final destination was malicious.

See Your Risk: Calculate how many threats your SEG is missing

Indicators of Compromise

MITRE ATT&CK Mapping