The subject line read: "It's heeeere. Your order has been delivered (early!)." Attached to it was a Sephora logo, a product listing for a tartelette tubing mascara primer, a barcode, a UPS tracking number, and a ship-to address in Georgia. Everything about the email looked right. Everything about it was right, technically. SPF passed. DKIM was signed by sephora[.]com. DMARC returned a clean pass with a compauth score of 100. The sending infrastructure belonged to SparkPost, one of the largest commercial email service providers on the planet. Not a single authentication check failed.
That was the problem.
The email arrived at a manufacturing company with no connection to Sephora, no open orders, and no reason to expect a delivery confirmation for cosmetics. But none of that context exists in an authentication header. SPF validated the sending IP (192.174.89[.]65) against spmailtechno[.]com, the bulk-mail domain operated by MessageBird's SparkPost division. DKIM confirmed a valid cryptographic signature under the scph1025 selector for sephora[.]com. DMARC aligned on the header From domain and returned action=none.
For any gateway that relies on SPF, DKIM, and DMARC as primary trust signals, this email was indistinguishable from a genuine Sephora notification. Microsoft's own antispam stack assigned it an SCL of 1 (not spam) and a BCL of 3. The message sailed through.
The body reinforced the deception. Order number, item SKU, a product image, a scannable barcode, a UPS-format tracking number starting with 1Z, an order date, and a residential ship-to address. The formatting matched Sephora's real delivery notification templates down to the "Free & Easy Returns" banner and the "We Belong to Something Beautiful" footer. Even the Reply-To pointed to customerservice@sephora[.]com.
Every call-to-action in the email routed through Narvar, a legitimate post-purchase experience platform used by hundreds of retailers. The primary CTAs, "SEE ORDER DETAILS" and the tracking number link, resolved to hxxps://cta[.]narvar[.]com/f/a/ followed by a long, opaque Base64 token. These tokenized redirectors are standard in retail email workflows. They enable click tracking, session management, and analytics. They also make it impossible for a recipient (or a scanning engine) to determine the final destination without following the redirect.
The email contained over 15 unique Narvar redirect URLs. Each one carried different session tokens and routing parameters. Mixed in were two direct links to sephora[.]com using plain HTTP rather than HTTPS:
| IOC | Type | Context |
|---|---|---|
| hxxps://cta[.]narvar[.]com/f/a/{token} | Redirect CTA | Primary action buttons, 15+ unique tokens |
| hxxp://www[.]sephora[.]com/customerService/contactUs[.]jsp | HTTP link | Footer "Contact Us" (not HTTPS) |
| hxxp://www[.]sephora[.]com/contentStore/mediaContentTemplateNoNav[.]jsp | HTTP link | Footer "Privacy Policy" (not HTTPS) |
| hxxps://tracking[.]narvar[.]com/sephora/tracking/ups?... | Tracking redirect | Carrier tracking with JWT session token |
| hxxps://corp[.]narvar[.]com/survey?carrier_name=ups&... | Survey redirect | Post-delivery survey with tracking number |
| 192.174.89[.]65 | Sending IP | SparkPost MTA (PTR: mta-89-65[.]sparkpostmail[.]com) |
| spmailtechno[.]com | SPF domain | MessageBird bulk-mail infrastructure |
The HTTP links are a subtle but important signal. Modern commerce platforms enforce HTTPS across all customer-facing pages. Serving privacy policy and contact links over unencrypted HTTP is either a template misconfiguration or an indicator that the link destinations have been swapped. Either way, it breaks the pattern a security-aware recipient would expect from a Fortune 500 retailer.
This attack leverages multiple techniques from the MITRE ATT&CK framework:
This is the pattern that makes retail phishing so effective. Attackers do not need to register lookalike domains or compromise mail servers. They can send through the same ESPs that legitimate brands use, sign with valid DKIM keys, pass every authentication check, and wrap their payloads in redirect chains that belong to trusted third-party platforms. According to the Microsoft Digital Defense Report 2024, phishing remains the most common initial access vector, and attacks leveraging legitimate infrastructure to bypass authentication have surged. The FBI IC3 2024 report recorded over $2.7 billion in business email compromise losses, with retail-themed lures as a growing vector targeting corporate mailboxes. The Verizon DBIR consistently shows that pretexting attacks, where the lure mimics a legitimate business communication, succeed at higher rates than generic phishing.
The two HTTP links buried in the footer represent a real detection signal. But catching that signal requires inspecting link schemes across the entire message body and comparing them to expected brand behavior. That is not something SPF, DKIM, or DMARC were built to do. Those protocols answer one question: "Did this domain authorize this sender?" When the answer is yes, and the sender is a globally trusted ESP, the message passes.
The IRONSCALES community flagged this email. Across 1,921 organizations and more than 35,000 security professionals, the collective intelligence network identified the delivery notification as suspicious and triggered quarantine. The behavioral signals were straightforward: a cosmetics delivery confirmation arriving at a manufacturing company, sent to an employee with no retail purchasing role, from a brand with no business relationship to the organization. None of those signals appear in an authentication header. All of them are visible to a human analyst, and to AI trained on cross-organizational behavioral patterns.
Microsoft's Safe Links rewriting was present in the HTML, but Safe Links inspects at click time within the tenant. It does not evaluate whether the email itself belongs in the mailbox. The CISA phishing guidance emphasizes that technical controls alone are insufficient and that organizational awareness combined with behavioral detection is critical. Osterman Research has documented the growing gap between authentication-based defenses and the social engineering tactics that bypass them entirely.
Authentication is necessary but not sufficient. This email scored compauth=100. SPF, DKIM, DMARC all passed. SCL was 1. Every reputation signal said "trust this message." If your email security strategy begins and ends with authentication, this email lands in every inbox, every time.
Redirect chains obscure intent. Over 15 Narvar redirect URLs with opaque Base64 tokens made it impossible to determine final destinations without following each link. Legitimate retail platforms use the same redirect architecture that attackers exploit. Blocking the redirector means blocking the vendor.
Context beats reputation. The single most useful detection signal was that a Sephora delivery notice arrived at a company that does not buy from Sephora. That requires understanding the relationship between sender and recipient organization, something no authentication protocol measures.
HTTP in an HTTPS world is a red flag. Two footer links served over plain HTTP in a 2026 retail email are an anomaly. Automated systems that check link scheme consistency across message bodies would catch this. Most do not.
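As an added example (not part of the original analysis or any vendor's product), the check described above in Python: parse a constructed message, record whether SPF, DKIM and DMARC passed, then audit every link in the HTML body for brand links served over plain HTTP and for opaque third-party redirectors. The sample message and its `.example` domains are constructed stand-ins for the real ones.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not the original message): every auth check passes, the CTAs
# go through a tokenized redirector, and two footer brand links use plain HTTP.
SAMPLE_EMAIL = """\
From: Sephora <orders@sephora.example>
Authentication-Results: spf=pass; dkim=pass header.d=sephora.example; dmarc=pass action=none
Content-Type: text/html

<html><body>
<a href="https://cta.narvar.example/f/a/dG9rZW4x">SEE ORDER DETAILS</a>
<a href="https://cta.narvar.example/f/a/dG9rZW4y">1Z999AA10123456784</a>
<a href="http://www.sephora.example/customerService/contactUs.jsp">Contact Us</a>
<a href="http://www.sephora.example/contentStore/mediaContentTemplateNoNav.jsp">Privacy Policy</a>
</body></html>
"""

class _LinkExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []  # every href found in an <a> tag of the body
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)

def audit_links(links, brand_domain, redirector_domains):
    # Brand links not served over HTTPS are the anomaly; redirectors are counted, not blocked.
    http_brand, redirectors = [], []
    for link in links:
        u = urlparse(link)
        host = (u.hostname or "").lower()
        if (host == brand_domain or host.endswith("." + brand_domain)) and u.scheme != "https":
            http_brand.append(link)
        elif any(host == d or host.endswith("." + d) for d in redirector_domains):
            redirectors.append(link)
    return {"http_brand_links": http_brand, "redirector_links": redirectors}

def analyze(raw, brand_domain="sephora.example", redirectors=("narvar.example",)):
    msg = message_from_string(raw, policy=default)
    auth = str(msg.get("Authentication-Results", ""))
    parser = _LinkExtractor()
    parser.feed(msg.get_content())
    result = audit_links(parser.links, brand_domain, redirectors)
    result["auth_passed"] = all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc"))
    # Clean authentication does not settle the verdict; a scheme downgrade on brand links does.
    result["verdict"] = "review" if result["http_brand_links"] else "pass"
    return result
```

The redirector count is reported rather than acted on, since the same redirector carries the retailer's legitimate notifications.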