Dairy Brand, IRS PDF, Stolen Credentials: How ESP Abuse Launders Phishing Trust

TL;DR A packaging manufacturer's Director of Finance received a 'Document Completion' renewal email sent via a compromised dairy brand's SendGrid account. The lure passed full SPF/DKIM/DMARC authentication. Its 'Review Document' link routed through a Mailchimp tracker and an unrelated domain before landing on a legitimate IRS PDF, a trust anchor that launders the redirect chain's reputation. The attacker's explicit credential prompt ('log in with your email and password') and cross-brand sender mismatch were the tell. Themis flagged it at 90% confidence before any recipient clicked.
Severity: High | Tags: Credential Harvesting, ESP Abuse, Redirect Chain, VIP Targeting | MITRE ATT&CK: T1566 (Phishing), T1566.002 (Phishing: Spearphishing Link), T1598 (Phishing for Information), T1078 (Valid Accounts), T1110 (Brute Force / Credential Access)

The email looked routine. A document-completion notice, an accounts-payable reference number, a polite instruction: "Please login with your email and password at the link below." The sender passed every authentication check the gateway ran. And the link, when scanned, resolved to an official IRS PDF.

None of that was real.

What security tooling saw was a triple-laundered message: a dairy brand's compromised SendGrid account carrying a fake document portal, routing through a Mailchimp tracker and an unrelated logistics domain, landing on a legitimate government form as a trust anchor. What the attacker wanted was the email and password of a Director of Finance at a packaging manufacturer: a VIP recipient targeted by role, not by accident.

Themis, IRONSCALES' Adaptive AI, flagged the campaign at 90% confidence and auto-resolved it before any affected mailbox interacted. Here is how the attack was built and why conventional filters missed it.

The Sender Mismatch That Authentication Can't See

The message arrived from "eFiler", a consumer dairy brand. Its authentication record was clean:

  • SPF: pass (SendGrid IP 159.183.231[.]27 authorized by summitstationdairy[.]com)
  • DKIM: pass (d=summitstationdairy[.]com; s=sg)
  • DMARC: pass (p=quarantine, strict alignment)

Every gateway check that operates on authentication headers would score this message as legitimate. The domain was registered in 2020, Cloudflare-hosted, with a real DMARC policy and a properly configured SendGrid bounce subdomain (em3787.summitstationdairy[.]com).

The problem is that authentication only certifies the mail infrastructure. It says nothing about whether the person controlling that SendGrid account is the dairy brand's marketing team or an attacker who compromised or created an account in their name. DMARC passes when the header.from domain matches an authorized sender. It does not validate intent, content, or the relationship between the sender and the recipient.

The email's content made the mismatch explicit: the body claimed to be from a packaging company, referenced an accounts-payable document (AR/AP_CI30346), addressed a recipient at a packaging company's domain, and was signed by a dairy brand. No legitimate secure-document workflow produces this combination.


The Redirect Chain and the IRS Trust Anchor

The primary call to action, a "Review Document" button, did not lead to a credential-harvest page directly. It routed through a multi-hop chain designed to exhaust automated scanners before revealing intent.

Chain reconstruction:

  1. hxxps://fbcgonzales[.]us9[.]list-manage[.]com/track/click?e=8ea55e5240&id=24d58590b6&u=5577d0a4dd4b63ae22eab60d8 (Mailchimp click tracker)
  2. hxxp://stransportesgodoy[.]com (unrelated transport/logistics domain, 302 redirect)
  3. hxxps://www[.]irs[.]gov/pub/irs-pdf/f1040v.pdf (IRS Form 1040-V, a legitimate government PDF)

The final destination is benign by any measure. When a URL scanner follows redirects and reaches irs.gov, it returns a clean verdict and moves on. That is the architecture's purpose: the trust anchor at the end of the chain launders the reputation of the chain itself.

The Mailchimp tracker in the first hop provides two additional benefits for the attacker. First, it masks the intermediate domain (stransportesgodoy[.]com) from any static link inspection that reads the raw URL without following it. Second, it provides the attacker with click telemetry: who clicked and when. If the campaign's endpoint needs to be swapped (from the IRS PDF to the actual harvest page), the tracker gives them the mechanism: update the redirect without changing the email.

A parallel set of click-tracking URLs used the SendGrid tracker domain (url4158.summitstationdairy[.]com) directly, pointing to the same IRS destination. This redundancy suggests operational awareness: if one tracking domain is blocked, the other carries the load.
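To make the chain-versus-endpoint distinction concrete, here is an added example (not IRONSCALES tooling) that walks a link hop by hop through a pluggable fetcher and scores the whole chain rather than its last URL. Live HTTP is replaced by a constructed response table mirroring the post's three hops, with the defanged [.] expanded; the tracker list and the trusted-destination allowlist are assumptions.

```python
from urllib.parse import urlparse

# Constructed stand-in for live HTTP responses, mirroring the post's chain
# with the defanged [.] expanded: url -> (status, Location header or None).
MAILCHIMP_URL = ("https://fbcgonzales.us9.list-manage.com/track/click"
                 "?e=8ea55e5240&id=24d58590b6&u=5577d0a4dd4b63ae22eab60d8")
FAKE_RESPONSES = {
    MAILCHIMP_URL: (302, "http://stransportesgodoy.com/"),
    "http://stransportesgodoy.com/": (302, "https://www.irs.gov/pub/irs-pdf/f1040v.pdf"),
    "https://www.irs.gov/pub/irs-pdf/f1040v.pdf": (200, None),
}
TRACKER_SUFFIXES = ("list-manage.com", "sendgrid.net")   # assumed tracker list
TRUSTED_SUFFIXES = ("irs.gov",)                          # assumed allowlist

def under(host, suffixes):
    """True if host equals one of the suffixes or is a subdomain of it."""
    return any(host == s or host.endswith("." + s) for s in suffixes)

def follow_chain(url, fetch, max_hops=10):
    """Walk redirects with fetch(url) -> (status, location), recording every
    hop. Stops on a non-redirect response, a loop, or max_hops."""
    hops, seen = [url], {url}
    while len(hops) <= max_hops:
        status, location = fetch(hops[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        hops.append(location)
        if location in seen:            # loop: keep the repeat for the record, stop
            break
        seen.add(location)
    return hops

def score_chain(hops):
    """Judge the chain, not just its end: a trusted final destination reached
    through an unrelated pivot host is the laundering pattern in the post."""
    hosts = [urlparse(h).hostname or "" for h in hops]
    final_trusted = under(hosts[-1], TRUSTED_SUFFIXES)
    # Pivots are intermediate hosts that are neither known trackers nor trusted.
    pivots = [h for h in hosts[1:-1]
              if not under(h, TRACKER_SUFFIXES) and not under(h, TRUSTED_SUFFIXES)]
    return {
        "hops": len(hops),
        "final_trusted": final_trusted,
        "pivot_hosts": pivots,
        "suspicious": final_trusted and bool(pivots),
    }

if __name__ == "__main__":
    chain = follow_chain(MAILCHIMP_URL, FAKE_RESPONSES.__getitem__)
    print(chain, score_chain(chain))
```

A scanner that only looks at `hops[-1]` sees irs.gov and returns clean; `score_chain` keeps the pivot host and flags the chain.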

The Credential Prompt: Hiding in Plain Sight

The subject line read: "Please Accept: Renewal Terms_528832 EVE8643." The body, rendered in clean minimal HTML, presented as a "Document Completion" notice from an entity called "Everpack." The fields were specific enough to suggest a real document workflow:

  • Document type: AR/AP_CI30346
  • Recipient: a packaging company's domain
  • Date: the message date

Below the document metadata, the instruction was explicit: "Please login with your email and password at the link below."

No legitimate e-signature platform, document portal, or secure file service asks users to enter their mailbox password to access a shared document. Platforms like DocuSign, Adobe Sign, and SharePoint authenticate via SSO or a one-time access link, not a raw email-and-password prompt. The request itself is the tell, regardless of how polished the surrounding HTML is.

The "Manage preferences" footer link pointed to a Kajabi-branded preference center (email.kjbm.kandccreative[.]com), a different marketing platform with no connection to the dairy brand, the document pretext, or the packaging industry. Its presence signals that the message template was assembled from components of multiple marketing toolkits, not produced by any coherent business system.

Why Conventional Filters Missed It

Three properties of this attack combine to defeat gateway-layer filtering:

Authentication pass. The message was genuinely sent through a SendGrid account authorized for summitstationdairy[.]com. There was nothing to block at the SPF/DKIM/DMARC layer. According to the Verizon 2026 DBIR, 39% of breaches involve stolen credentials, and a significant portion of credential-theft delivery infrastructure now rides on legitimate ESPs precisely because authentication checks create a false sense of safety.

Clean link verdict. The redirect chain ends on irs.gov. Any scanner that follows the full chain returns a clean verdict. Attackers understand that URL reputation systems score the final destination, not the chain that leads to it. The CISA guidance on phishing emphasizes hovering over links and verifying destinations, but that advice assumes the destination visible to a scanner is the destination the user sees, which redirect-chain abuse specifically breaks.

First-time sender, no prior relationship. The dairy brand had never sent to this organization before. No sender-recipient history, no industry relationship, no plausible business context. Signature-based systems have nothing to match against. This is the gap behavioral analysis must fill.

IRONSCALES' Adaptive AI correlated the signals no single filter addresses: cross-brand sender mismatch, first-time sender status, explicit in-body credential request, redirect-chain anomaly, and community signal from similar incidents across the IRONSCALES network. The result was a 90% phishing confidence score, a Credential Theft label, and automatic resolution across all five targeted mailboxes. The FBI IC3 2024 report identifies credential theft and BEC as the most financially damaging cybercrime categories; attacks like this one are the delivery mechanism.

Defensive Takeaways

Behavioral context over authentication headers. SPF/DKIM/DMARC passing means the infrastructure is authorized. It does not mean the campaign is legitimate. Defenses that stop at authentication will pass every ESP-abuse attack that uses a real authorized account.

Flag in-body credential requests. Any email that asks a recipient to enter their email address and password, regardless of sender reputation, warrants immediate review. Legitimate document platforms do not ask for raw mailbox passwords.

Model sender-recipient relationships. A first-time sender whose domain has no industry relationship to the recipient, whose content references a third company, and who requests credentials is highly suspicious. The combination of signals is what matters, not any single factor.
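The three takeaways above reduce to signals that can be extracted mechanically. The following added example (not IRONSCALES code) parses a constructed message modelled on this lure and scores it on in-body credential request, first-time sender, display-name/domain mismatch and links that all leave the sender's domain, while recording the DMARC pass without letting it lower the score. The weights, the known-sender history, and the recipient address are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the post's lure (not the captured message).
RAW = """\
From: eFiler <noreply91940@summitstationdairy.com>
To: finance.director@packaging-example.com
Subject: Please Accept: Renewal Terms_528832 EVE8643
Authentication-Results: mx.example; spf=pass; dkim=pass header.d=summitstationdairy.com; dmarc=pass
Content-Type: text/plain

Document Completion - Everpack
Please login with your email and password at the link below.
Review Document: https://fbcgonzales.us9.list-manage.com/track/click?e=8ea55e5240
Manage preferences: https://email.kjbm.kandccreative.com/prefs
"""

CRED_REQUEST = re.compile(r"\b(log ?in|sign ?in|enter)\b[^.\n]{0,60}\bpassword\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"]+")
WEIGHTS = {"credential_request": 40, "first_time_sender": 20,      # assumed weights
           "display_name_mismatch": 20, "links_off_sender_domain": 20}

def extract_signals(raw, known_senders):
    """known_senders: domains this mailbox has exchanged mail with (assumed history)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg["From"])
    sender = addr.rpartition("@")[2].lower()
    body = msg.get_payload()
    auth = (msg.get("Authentication-Results") or "").lower()
    link_hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(body)}
    name_tokens = re.findall(r"[a-z0-9]+", display.lower())
    return {
        "authenticated": "dmarc=pass" in auth,   # recorded for the analyst; never a discount
        "credential_request": bool(CRED_REQUEST.search(body)),
        "first_time_sender": sender not in known_senders,
        "display_name_mismatch": bool(name_tokens) and not any(t in sender for t in name_tokens),
        "links_off_sender_domain": bool(link_hosts) and not any(
            h == sender or h.endswith("." + sender) for h in link_hosts),
    }

def score(signals):
    """0-100 from the risky signals only: an authentication pass earns nothing back."""
    total = sum(w for k, w in WEIGHTS.items() if signals.get(k))
    hit = total >= 60 and signals.get("credential_request")
    return total, "credential_theft" if hit else ("review" if total >= 40 else "clean")
```

Run `score(extract_signals(RAW, {"trusted-supplier.com"}))` to see the sample lure reach the credential-theft verdict with every risky signal set.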

Redirect-chain depth analysis. Tooling that evaluates only the final URL in a redirect chain is blind to intermediate infrastructure. The pivot hop (stransportesgodoy[.]com) is where the attacker's control lives. Stopping at the IRS PDF misses it entirely.

VIP targeting signals. Finance leadership are disproportionately targeted because their access is high-value: accounts-payable, banking portals, ERP systems. The specificity of this lure reflects profiling, not spray-and-pray. Role-aware threat monitoring surfaces these campaigns earlier.

---

Indicators of Compromise

| Indicator | Type | Notes |
| --- | --- | --- |
| noreply91940@summitstationdairy[.]com | Sender email | Abused SendGrid account; authenticated |
| summitstationdairy[.]com | Sender domain | Consumer dairy brand; SendGrid-authorized; not malicious operator |
| em3787.summitstationdairy[.]com | Bounce/ESP subdomain | SendGrid bounce path |
| 159.183.231[.]27 | Sending IP | SendGrid outbound (s.wfbtztkb.outbound-mail.sendgrid[.]net) |
| fbcgonzales[.]us9[.]list-manage[.]com | Redirect hop 1 | Mailchimp click tracker; masks intermediate domain |
| stransportesgodoy[.]com | Redirect hop 2 | Unrelated logistics domain; 302 to IRS PDF |
| www[.]irs[.]gov/pub/irs-pdf/f1040v.pdf | Redirect endpoint | Legitimate IRS Form 1040-V; used as trust anchor |
| url4158.summitstationdairy[.]com | Click tracker | SendGrid tracker; alternate path to same IRS destination |
| email.kjbm.kandccreative[.]com | Footer link | Kajabi preference center; unrelated to pretext |
| Please Accept: Renewal Terms_528832 EVE8643 | Subject line | Urgency/reference-number pattern; variant subjects observed |

---

MITRE ATT&CK Techniques

| ID | Name | How It Applies |
| --- | --- | --- |
| T1566 | Phishing | Core delivery mechanism via email |
| T1566.002 | Phishing: Spearphishing Link | Malicious "Review Document" link with redirect chain |
| T1598 | Phishing for Information | Explicit in-body credential request |
| T1078 | Valid Accounts | Target: finance leadership credentials for downstream access |
| T1110 | Brute Force / Credential Access | Intended outcome: harvested email + password enabling account access |

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
