The email passed every authentication check. SPF passed. DKIM passed. DMARC passed. The sending domain was 25 days old.
Authentication says the email came from an authorized sender for that domain. It says nothing about whether the domain is a real business, whether the claimed transaction occurred, or whether any of the business identity information is verifiable. In this case, none of it was.
The 25-Day-Old Vendor Domain Timeline
miaminternationalyachtsales[.]com was registered on February 8, 2026. The privacy protection on the registration was complete: registrant name, address, phone, and email were all masked behind a proxy. No business presence associated with the domain name was discoverable at any verifiable address. The phone number provided in the email body resolved to Utah, not to Miami, Florida, where the business name claimed to be headquartered.
The email reached an information-services company on March 5, 2026. The interval between domain registration and attack execution was 25 days. This is a known BEC infrastructure pattern: attackers register fake-vendor domains weeks before use, let the domain age past the most aggressive newly-registered-domain windows (commonly a few days to a few weeks) so that age-based blocking alone does not stop it, then execute the campaign before the domain has accumulated any negative reputation or appeared in threat intelligence feeds.
The email was delivered through SendGrid. SendGrid is a legitimate email delivery platform used by thousands of businesses. When an attacker registers a new domain and configures it as an authenticated sender in SendGrid, they inherit SendGrid's established infrastructure reputation for the delivery path. SendGrid's domain authentication publishes SendGrid-generated DKIM keys under the attacker's domain via CNAME records and provides an aligned return-path subdomain, so the DKIM signature carries the attacker's own domain in d=, SPF passes on SendGrid's sending ranges, and DMARC aligns. Every check that a reputable ESP would pass, the attacker passes too, in their own domain's name.
What the ACH Lure Claimed
The subject was "ACH Payment Completed." This framing is specifically designed to trigger action before the recipient verifies. An ACH confirmation implies the payment has already cleared, so the recipient's accounts payable team must immediately work out whether it was authorized. That creates urgency without an explicit demand, which is why it draws less suspicion than a request for payment.
The email carried a PDF attachment containing the supposed payment details. The PDF was clean by automated analysis: no malicious links, no embedded scripts, no macro content. The threat was entirely in the social engineering layer. The PDF served to add apparent legitimacy to the notification. A PDF confirmation looks more like a real payment record than a plain-text message.
The attacker persona "Robert Lama" was used as the sender name and signing contact. The domain claimed a Miami, Florida business identity. The phone number that appeared in the email resolved to Utah. This geographic mismatch is exactly the kind of inconsistency that does not survive a 30-second verification call, provided the number is obtained independently of the email (calling the number printed in the message only reaches the attacker). That verification step does not happen when the recipient believes they are looking at a completed transaction confirmation.
The Authentication-Confidence Gap
IRONSCALES Adaptive AI scored this message at 51% confidence, the lowest of the five cases in this batch. The authentication pass created a genuinely ambiguous signal environment for behavior-based analysis. A domain with full SPF/DKIM/DMARC alignment via a reputable ESP looks, from a headers-only perspective, indistinguishable from a legitimate business sending through the same provider.
Microsoft's anti-spam engine reached a different conclusion independently. The message received CAT:HPHISH, Microsoft's high-confidence phishing classification. This classification is driven by content analysis and campaign pattern recognition rather than authentication verification. The HPHISH label applied despite the clean authentication stack, indicating that the content profile (ACH payment confirmation, new domain, financial urgency) matched patterns Microsoft's models associate with fraud campaigns.
The divergence between IRONSCALES Themis at 51% and Microsoft at HPHISH illustrates a real detection challenge: no single system covers all attack vectors equally. A 51% confidence score warrants human review, but it does not represent certainty. HPHISH at the gateway level represents a strong independent signal that should override a borderline behavioral score.
Newly-Registered Financial-Theme Domains as a Blocking Category
Business email compromise via fake-vendor invoice fraud is among the most financially damaging email threat categories. The FBI IC3 annual report consistently places BEC among the costliest cybercrime categories by total dollar value. The pattern here, a newly-registered domain, full authentication via a reputable ESP, and a financial lure with an urgency trigger, matches the infrastructure fingerprint of thousands of documented BEC campaigns.
DKIM authentication passing through a third-party ESP like SendGrid means the ESP's infrastructure is authenticated, not the domain owner's identity. Any organization can create a SendGrid account for a new domain and send fully authenticated mail within hours of domain registration. The gap between "this domain is authenticated" and "this domain belongs to a real business with a real business relationship with the recipient" is where fake-vendor BEC campaigns live.
For security teams, domain age should be a hard gating signal for financial-theme emails. A domain registered within the past 90 days sending an ACH confirmation, invoice, or payment request warrants a mandatory out-of-band verification step, regardless of authentication result.
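The triage logic described in this section, as an added example that is not code from the original post or from IRONSCALES. It parses the headers a mail gateway would see (Authentication-Results, Microsoft's X-Forefront-Antispam-Report, From, Subject, Date), computes domain age from a registration date, and applies the gate: a gateway high-confidence phishing verdict quarantines outright, and a financial-theme message from a domain younger than 90 days (or of unknown age) is held for out-of-band verification regardless of the SPF/DKIM/DMARC result. The raw message, the IP addresses (documentation range) and the registration-date dictionary are constructed to mirror the case above; in production the dictionary would be replaced by an RDAP or WHOIS lookup.

```python
"""Added example (not the original post's or IRONSCALES' code).

Gate financial-theme mail on domain age and gateway verdict, independent of
whether SPF/DKIM/DMARC passed.  All inputs below are constructed.
"""
import re
from datetime import date
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

NRD_WINDOW_DAYS = 90  # the post's "registered within the past 90 days" gate
FINANCIAL_TERMS = ("ach", "wire", "invoice", "payment", "remittance")

# Constructed sample message mirroring the case in the post.
RAW_MESSAGE = """\
From: Robert Lama <robert.lama@miaminternationalyachtsales.com>
To: accounts.payable@recipient.example
Subject: ACH Payment Completed
Date: Thu, 05 Mar 2026 09:12:00 -0500
Authentication-Results: spf=pass (sender IP is 198.51.100.10)
 smtp.mailfrom=em1234.miaminternationalyachtsales.com;
 dkim=pass (signature was verified) header.d=miaminternationalyachtsales.com;
 dmarc=pass action=none header.from=miaminternationalyachtsales.com
X-Forefront-Antispam-Report: CIP:198.51.100.10;CTRY:US;CAT:HPHISH;SFV:SPM;

Your ACH payment has been completed. Details are in the attached PDF.
"""

# Constructed registration data (hypothetical stand-in for an RDAP/WHOIS query).
REGISTRATION_DATES = {"miaminternationalyachtsales.com": date(2026, 2, 8)}


def parse_auth_results(value):
    """Pull the spf=/dkim=/dmarc= verdicts out of an Authentication-Results header."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", value or ""))


def microsoft_category(value):
    """Extract CAT: from X-Forefront-Antispam-Report (HPHISH, PHSH, SPM, NONE, ...)."""
    m = re.search(r"CAT:([A-Z]+)", value or "")
    return m.group(1) if m else None


def from_domain(msg):
    """Domain of the visible From address (what DMARC aligns against)."""
    _, addr = parseaddr(msg["From"])
    return addr.rpartition("@")[2].lower()


def domain_age_days(domain, sent_on, registry):
    """Days between registration and the send date; None if the domain is unknown."""
    registered = registry.get(domain)
    return (sent_on - registered).days if registered else None


def is_financial_theme(subject):
    """Whole-word match on payment vocabulary in the subject line."""
    words = set(re.findall(r"[a-z]+", (subject or "").lower()))
    return any(term in words for term in FINANCIAL_TERMS)


def triage(raw, registry=REGISTRATION_DATES):
    """Verdict for one message; authentication is reported but never load-bearing."""
    msg = message_from_string(raw, policy=policy.default)
    domain = from_domain(msg)
    sent_on = parsedate_to_datetime(msg["Date"]).date()
    auth = parse_auth_results(msg["Authentication-Results"])
    age = domain_age_days(domain, sent_on, registry)
    cat = microsoft_category(msg["X-Forefront-Antispam-Report"])
    financial = is_financial_theme(msg["Subject"])
    reasons = []

    if cat == "HPHISH":
        # Gateway high-confidence phishing is an independent content signal;
        # it overrides both a borderline behavioral score and clean authentication.
        verdict = "quarantine"
        reasons.append("Microsoft CAT:HPHISH")
    elif financial and (age is None or age < NRD_WINDOW_DAYS):
        # Passing SPF/DKIM/DMARC only proves control of the domain, not that a
        # real business or relationship exists, so domain age gates delivery.
        verdict = "hold_for_verification"
        reasons.append(f"financial lure from domain aged {age} days (< {NRD_WINDOW_DAYS})"
                       if age is not None else "financial lure from domain of unknown age")
    else:
        verdict = "deliver"

    return {"domain": domain, "auth": auth, "domain_age_days": age,
            "microsoft_category": cat, "financial_theme": financial,
            "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    print(triage(RAW_MESSAGE))
```

Running it on the constructed message yields spf/dkim/dmarc all `pass`, a domain age of 25 days, CAT:HPHISH and a `quarantine` verdict. Remove the HPHISH flag and the same message is still held for verification on domain age alone; it is only delivered when the subject carries no financial vocabulary or the domain is older than the window.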
External Reference Points
The Verizon DBIR 2026 identifies BEC and pretexting as the fastest-growing financial fraud vectors in the enterprise. The MITRE ATT&CK framework classifies attachment-based spearphishing delivery as T1566.001. CISA specifically advises finance teams to implement callback verification procedures for any ACH or wire transfer instruction received via email, including apparent confirmations of transactions the recipient did not initiate.
---
| Type | Indicator | Context |
|---|---|---|
| Domain | miaminternationalyachtsales[.]com | Fake vendor domain registered Feb 8, 2026; privacy-protected; 25 days before send |
| Email | robert.lama@miaminternationalyachtsales[.]com | Attacker sender address on fictitious domain |
| Auth Result | spf=pass; dkim=pass; dmarc=pass | Full auth pass via SendGrid; does not indicate legitimate business identity |
| Spam Flag | CAT:HPHISH | Microsoft high-confidence phishing classification despite clean authentication |
| Phone | Utah-geolocated number | Listed in email body; geographic mismatch with Miami claim |
Related attacks
| Attack | What happened |
|---|---|
| The Reply-To Was One Letter Off: How a Typosquat Domain Turned a Gmail BEC Into a Payment Diversion | A Gmail-authenticated BEC used a typosquat Reply-To domain and a hidden HTML mailto mismatch to impersonate a steel distributor's credit manager. |
| Past Due Invoice, Future Wire Fraud: How a BEC Campaign Passed Every Authentication Check | A BEC invoice diversion attack impersonated a known vendor contact through SendGrid, passed SPF/DKIM/DMARC. |
| One Missing Letter, One Stolen Payment: A Reply-To Typosquat That Beat the Spam Score | A typosquatted Reply-To domain misspelled 'Missouri' as 'Missuori' to intercept invoice payments. |
| The Graduation Sash Invoice That Every Security Check Approved | A $3,645 invoice for 55 custom graduation sashes arrived at a school district, sent through Shopify's legitimate email infrastructure. |
| The $19,500 Invoice From a Domain That Didn't Exist Last Week | An invoice fraud campaign delivered a $19,500 bill payment reminder through SendGrid from a domain registered days earlier. |