SharePoint Phishing Campaign Exposes Its Own Template Placeholders

Written by Audian Paxson | Sep 2, 2025 11:00:00 AM
TL;DR: An attacker used SendGrid to deliver a Microsoft SharePoint impersonation email containing a 'View page' call-to-action. The message passed SPF, DKIM, and DMARC for the sending domain sixcentpress.com, but the body still contained unreplaced template placeholders ({CURRENT_DATE}, {RECIPIENT_DOMAIN_NAME}), revealing the mass-campaign infrastructure behind the attack. Click-tracking URLs redirected through SendGrid to a third-party landing page at hightechconstructinc.com. The sending domain has no affiliation with Microsoft.

Severity: High | Credential-Harvesting | Brand-Impersonation | MITRE: T1566.002 | MITRE: T1656

Most phishing campaigns work hard to appear legitimate. This one forgot to finish building itself. A SharePoint impersonation email delivered via SendGrid arrived with its template merge variables still visible in the rendered body: {CURRENT_DATE} and {RECIPIENT_DOMAIN_NAME} displayed as literal text where personalized content should have been. Despite this obvious construction error, the message passed SPF, DKIM, and DMARC checks cleanly.

The email was sent from noreply@sixcentpress[.]com using SendGrid infrastructure (IP 149.72.120[.]62, PTR s.wrqvtvpz.outbound-mail.sendgrid[.]net). It impersonated a Microsoft SharePoint notification with a "View page" call-to-action button. The CTA linked to a SendGrid click-tracking URL under url9106.sixcentpress[.]com, which redirected to a third-party landing page at hightechconstructinc[.]com.

This is a first-time sender to the target organization, and the sending domain has zero affiliation with Microsoft.

Inside the Broken Template

The technical execution reveals a phishing kit that automates campaign deployment across multiple targets. Template placeholders like {CURRENT_DATE} and {RECIPIENT_DOMAIN_NAME} are standard merge fields in mass-mailing frameworks. When the merge engine populates them correctly, each recipient sees a personalized date and their own organization's name, which makes the SharePoint notification look authentic. When it fails, the raw variable names appear, exposing the machinery.

The sending domain sixcentpress[.]com was registered at DreamHost in 2004 with a recent WHOIS update. Registrant details are privacy-protected. The domain was configured to authorize SendGrid for delivery: SPF passed for the sending IP, DKIM was signed with d=sixcentpress[.]com, and DMARC passed with composite authentication confirmed.

The return-path (bounces+3963409-6ce3-[recipient-encoded]@em3237.sixcentpress[.]com) follows SendGrid's standard bounce-handling format, encoding the recipient address in the local part. This is how SendGrid tracks delivery per-recipient, but it also means the return-path leaks information about the target.

The message loaded images from mixed third-party domains (social media icons for platforms like Facebook and Twitter), which is common in bulk marketing templates repurposed for phishing. The visual design mimicked Microsoft SharePoint notifications, complete with the "View page" button styled to match Microsoft's UI patterns.

The unreplaced placeholders are a forensic gift. They confirm this is a template-driven mass campaign, not a targeted spearphishing operation. They also reveal the intended personalization strategy: the kit was designed to insert the current date and the target organization's domain into the email body, which would have made the SharePoint notification appear specific to the recipient's company. The merge failure turned a potentially convincing impersonation into an obvious fake.

The click-tracking URLs are the primary attack vector. The url9106.sixcentpress[.]com/ls/click?... redirect chain ultimately lands on hightechconstructinc[.]com, where automated page analysis returned a "partial" verdict. This intermediate redirect is the reason URL scanners that only evaluate the initial domain often miss the threat: sixcentpress[.]com is not on most blocklists, and the final destination only resolves after following the redirect.
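To make the redirect-tracing point concrete, here is an added example (not IRONSCALES code) that walks a click-tracking chain one hop at a time with auto-following disabled, so every intermediate domain is recorded rather than only the first one. The `hop` callable is pluggable: the default issues HEAD requests with urllib, while the constructed `DEMO_HOPS` map reproduces the chain described above offline (the tracking token and landing-page path are made up; only the domains come from the write-up).

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so each hop is observed individually."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_hop(url: str, timeout: float = 5.0):
    """One HEAD request; returns (status, Location) without following it."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:  # 3xx surfaces here once redirects are disabled
        return e.code, e.headers.get("Location")

def trace_redirects(url: str, hop=http_hop, max_hops: int = 10) -> dict:
    """Follow the chain hop by hop and report every domain touched."""
    chain = [url]
    while len(chain) <= max_hops:
        status, location = hop(chain[-1])
        if status not in REDIRECT_CODES or not location:
            break
        chain.append(urljoin(chain[-1], location))  # Location may be relative
    domains = [urlparse(u).hostname for u in chain]
    return {"chain": chain, "domains": domains, "final_domain": domains[-1],
            "domain_changed": domains[0] != domains[-1],
            "truncated": len(chain) > max_hops}  # redirect loop or very long chain

# Constructed offline stand-in for the chain described in the post; the token and
# landing-page path are made up, only the domains come from the write-up.
DEMO_HOPS = {
    "https://url9106.sixcentpress.com/ls/click?upn=CONSTRUCTED":
        (302, "https://hightechconstructinc.com/CONSTRUCTED-PATH"),
    "https://hightechconstructinc.com/CONSTRUCTED-PATH": (200, None),
}

def demo_hop(url: str):
    """Offline hop function for the constructed chain above."""
    return DEMO_HOPS.get(url, (404, None))
```

Call `trace_redirects(url)` with the default `hop` to trace a live URL from an isolated analysis host; `domain_changed` is the signal that the first domain alone tells you nothing about where the victim ends up.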

MITRE ATT&CK Mapping

  • Phishing: Spearphishing Link (T1566.002): The email contains a "View page" CTA that redirects through click-tracking infrastructure to a credential-harvesting landing page.
  • Impersonation (T1656): The message impersonates Microsoft SharePoint notifications using branded visual elements while originating from an unaffiliated domain.

How Adaptive AI Catches Broken Campaigns

A traditional SEG sees valid SPF, DKIM, and DMARC results and makes a binary pass/fail decision. The template placeholders, the domain-brand mismatch, and the redirect chain all require contextual analysis that goes beyond authentication.

Themis, the IRONSCALES Adaptive AI, evaluates the relationship between the sending domain and the impersonated brand, detects template artifacts in message bodies, and traces redirect chains through intermediary domains. When the sending domain has no historical association with Microsoft but the visual content mimics SharePoint, the mismatch becomes a high-confidence signal.

The IRONSCALES community-driven threat intelligence network compounds this signal. When multiple organizations report similar SharePoint impersonation patterns from the same sending infrastructure, the collective data accelerates blocking for all protected mailboxes. Research shows that 67.5 phishing emails per 100 mailboxes per month bypass traditional secure email gateways, and brand-impersonation campaigns like this one account for a significant share.

Hardening Recommendations

  1. Inspect template artifacts. Unreplaced merge variables in an email body are a definitive indicator of a mass phishing campaign. Train SOC analysts to recognize common placeholder patterns.
  2. Trace redirect chains. Do not evaluate URLs at face value. Follow click-tracking redirects to their final destination before making a verdict.
  3. Correlate sending domain to claimed brand. Any email impersonating Microsoft that originates from a non-Microsoft domain warrants immediate escalation, regardless of authentication results.
  4. Block or flag SendGrid click-tracking from unknown senders. If your organization does not have a business relationship with the sending domain, SendGrid tracking URLs from that domain should be treated as suspicious.
  5. Report and share. Submitting these campaigns to community-driven threat intelligence platforms ensures that other organizations benefit from early detection.
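The triage checks behind recommendations 1, 3 and 4, as an added example (not IRONSCALES code): it pulls unreplaced merge fields out of a message body, compares the brand the lure names against the sending domain using an assumed brand-to-domain table, and flags SendGrid-style click-tracking links whose registrable domain is not in your known-sender list. The SAMPLE message is constructed to reproduce the artifacts described above; it is not the original email.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Merge-field syntaxes common in mass-mailing kits: {NAME}, {{NAME}}, %NAME%, *|NAME|*
PLACEHOLDER_RE = re.compile(r"\{\{?[A-Z_]{3,}\}\}?|%[A-Z_]{3,}%|\*\|[A-Z_]{3,}\|\*")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Assumed brand-to-legitimate-domain table for the example, not an authoritative list.
BRAND_DOMAINS = {"sharepoint": {"microsoft.com", "sharepointonline.com"},
                 "microsoft": {"microsoft.com"}}

def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough for this example."""
    return ".".join(host.lower().split(".")[-2:])

def is_click_tracking(url: str) -> bool:
    """SendGrid-style click tracking looks like urlNNNN.<domain>/ls/click?..."""
    p = urlparse(url)
    return bool(p.hostname) and re.match(r"url\d+\.", p.hostname) is not None \
        and p.path.startswith("/ls/click")

def triage(raw_message: str, known_senders: set) -> dict:
    """Signals an analyst wants before trusting a 'View page' notification."""
    msg = message_from_string(raw_message)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = msg.get_payload()
    text = "\n".join([msg.get("From", ""), msg.get("Subject", ""), body]).lower()
    placeholders = sorted(set(PLACEHOLDER_RE.findall(body)))
    claimed = [b for b in BRAND_DOMAINS if b in text]
    # Brand mismatch: the lure names a brand but the sender is none of its domains
    brand_mismatch = bool(claimed) and not any(
        sender_domain == d or sender_domain.endswith("." + d)
        for b in claimed for d in BRAND_DOMAINS[b])
    suspicious_tracking = [u for u in URL_RE.findall(body) if is_click_tracking(u)
                           and registrable(urlparse(u).hostname) not in known_senders]
    verdict = "high" if (placeholders or brand_mismatch or suspicious_tracking) else "low"
    return {"sender_domain": sender_domain, "placeholders": placeholders,
            "claimed_brands": claimed, "brand_mismatch": brand_mismatch,
            "suspicious_tracking": suspicious_tracking, "verdict": verdict}

# Constructed sample reproducing the artifacts described in the post (not the real message).
SAMPLE = """From: "SharePoint Online" <noreply@sixcentpress.com>
Subject: A page was shared with you
Content-Type: text/plain

On {CURRENT_DATE}, a colleague at {RECIPIENT_DOMAIN_NAME} shared a page with you.
View page: https://url9106.sixcentpress.com/ls/click?upn=CONSTRUCTED-TOKEN
"""
```

Run `triage(SAMPLE, known_senders=set())` to see all three signals fire at once; in production the body would come from the decoded MIME part and `known_senders` from your vendor allow-list.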

Indicators of Compromise

Indicator                    Type    Context
sixcentpress[.]com           Domain  Sending domain, DreamHost registration, privacy-protected
149.72.120[.]62              IP      SendGrid sending IP
url9106.sixcentpress[.]com   Domain  SendGrid click-tracking redirect domain
hightechconstructinc[.]com   Domain  Final landing page destination
em3237.sixcentpress[.]com    Domain  SendGrid bounce-handling subdomain
noreply@sixcentpress[.]com   Email   Sender address


Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
