Threat Intelligence

No SPF. No DKIM. No DMARC. No Problem (For the Attacker).

Written by Audian Paxson | Apr 1, 2026 10:59:59 AM
TL;DR: Attackers spoofed a SharePoint drive notification using a display name crafted to look like an internal system alert, then routed the message from a FireVPS-RDP server through a Polish Exim relay with no SPF, DKIM, or DMARC in place. The body contained malformed financial figures and a QR code instructing the recipient to 'Scan to view document.' All links used Microsoft short URLs (aka[.]ms, krs[.]microsoft[.]com) but displayed the text 'Outlook for iOS,' a mismatch that has nothing to do with a financial document. Themis classified the email as Credential Theft targeting a VIP Recipient at 89% confidence. Auto-resolved as phishing, quarantined.

Severity: High | Tags: Credential Theft, Brand Impersonation, QR Code Phishing | MITRE ATT&CK: T1566.002 (Phishing: Spearphishing Link); T1036.005 (Masquerading: Match Legitimate Name or Location); T1204.001 (User Execution: Malicious Link)

The email had no SPF record. No DKIM signature. No DMARC policy. Zero email authentication of any kind.

And yet it landed in the inbox of an employee in the finance department at a regional financial institution, passed the organization's security gateway, and asked them to scan a QR code to view a consolidated financial document.

The attacker didn't need authentication. They needed the display name to look right, the QR code to redirect through Microsoft-branded short URLs, and the financial subject line to convince one person in accounting to pull out their phone. That's it.

A Display Name Engineered to Look Like Internal Infrastructure

The "from" field is the first thing most recipients read, and it is the most easily forged. In this attack, the sender display name was "mySharePointDrive-id:JSENUL8JVCKET0E," a format designed to mimic the kind of auto-generated notification IDs that SharePoint and Microsoft 365 routinely include in system alerts and file-sharing emails.

The actual sending address was info@nautical[.]pl, a domain registered in Poland in December 2017 with nameservers pointing to ns1.masternet[.]pl and ns2.masternet[.]pl. No DMARC record. No SPF record. No DKIM signature on the outbound mail. There is no technical assertion of any kind that this email came from Microsoft or from any system the recipient's organization operates.

MITRE ATT&CK T1036.005 (Masquerading: Match Legitimate Name or Location) describes exactly this technique: using display names, formatting conventions, and identifier strings that pattern-match against what recipients expect from internal systems. The goal is to trigger familiarity before the recipient looks past the surface.

For most recipients, it works. The subject line read "February 2026 Consolidated Financials," which is exactly the kind of document that belongs in a finance department inbox during the first quarter. The combination of a plausible internal-looking sender ID and a contextually relevant subject line is designed to compress the mental review process from "should I trust this?" to "this is probably fine."

The Infrastructure Behind the Delivery

The message didn't originate from a legitimate mail server. It came from 198[.]7[.]56[.]52, a FireVPS-RDP endpoint. FireVPS is an unmanaged VPS hosting provider often used by threat actors because it offers cheap, anonymous infrastructure with minimal abuse controls. A VPS leased for a single campaign costs less than a decent lunch.

From there, the email was routed through mx.s5.masternet[.]pl, a Polish relay running Exim version 4.92.1. Exim 4.92.1 was released in 2019, and multiple known vulnerabilities affecting that version line have been documented since, though the relay is used here as a forwarding mechanism rather than the initial compromise point. The delivery chain then passed through a Votiro relay before reaching Office 365.

This two-hop relay structure (VPS origin, then a commercial Polish mail relay) is a deliberate obfuscation choice. It makes the true origin harder to identify at a glance, and it takes advantage of the relay's established delivery history to reduce initial filtering scrutiny. The Verizon 2025 Data Breach Investigations Report noted that attackers are increasingly using multi-hop delivery chains specifically to separate the phishing payload from its actual source infrastructure.

None of this would matter if basic authentication records existed. A published SPF policy that listed no sending servers for nautical.pl would immediately flag this email as unauthorized. A DMARC policy of reject would block it outright.

The attacker's lack of authentication isn't an oversight. It's the strategy. Domains with no authentication records don't fail authentication checks; they simply produce no verdict, and many gateways treat no verdict as a pass.
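To make the difference between "no record" and "a record that rejects" concrete, the script below (an added example, not code from IRONSCALES or the original post) evaluates the TXT records a domain publishes and reports what SPF and DMARC would yield for an unsigned message sent from a server the domain never listed. The two zones, `no-auth.example` and `hardened.example`, and their records are constructed assumptions, not lookups against the real sending domain; the first reproduces the zero-authentication situation described above, the second publishes the `v=spf1 -all` and `p=reject` records that the text says would have stopped the message.

```python
import re

# Constructed TXT records for two hypothetical zones: one that publishes nothing
# (the situation described for the sending domain above) and one that publishes
# the records the text says would have stopped the message. Both zones and
# their records are assumptions for illustration, not real DNS lookups.
TXT_RECORDS = {
    "no-auth.example": {
        "no-auth.example": [],
        "_dmarc.no-auth.example": [],
    },
    "hardened.example": {
        "hardened.example": ["v=spf1 -all"],
        "_dmarc.hardened.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example"],
    },
}


def spf_record(txts):
    """Return the zone's SPF record, or None when it publishes none
    (RFC 7208 treats more than one v=spf1 record as an error, so that counts as none here)."""
    spf = [t for t in txts if t.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def spf_verdict_for_unlisted_host(record):
    """SPF result for a sending host the record does not list: the 'all' qualifier decides."""
    if record is None:
        return "none"          # no policy exists, so the check produces no verdict at all
    m = re.search(r"(?:^|\s)([-~?+]?)all\b", record)
    if not m:
        return "neutral"       # no 'all' mechanism: RFC 7208 default result
    return {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass", "": "pass"}[m.group(1)]


def dmarc_policy(txts):
    """Return the DMARC p= tag, or None when the _dmarc name has no DMARC record."""
    for t in txts:
        if t.lower().startswith("v=dmarc1"):
            m = re.search(r"\bp=(none|quarantine|reject)\b", t, re.I)
            return m.group(1).lower() if m else None
    return None


def expected_disposition(domain, zone_txt):
    """What a receiver should do with an unsigned message from an unlisted host
    claiming to be from `domain`, given the TXT records `zone_txt` publishes."""
    spf = spf_verdict_for_unlisted_host(spf_record(zone_txt.get(domain, [])))
    policy = dmarc_policy(zone_txt.get("_dmarc." + domain, []))
    if policy is None:
        # No DMARC record: nothing instructs the receiver, and SPF 'none' is not a failure.
        return {"spf": spf, "dmarc": "none", "disposition": "receiver default"}
    # With no aligned DKIM signature, DMARC passes only if aligned SPF passes.
    dmarc = "pass" if spf == "pass" else "fail"
    return {"spf": spf, "dmarc": dmarc, "disposition": "deliver" if dmarc == "pass" else policy}


if __name__ == "__main__":
    for name, zone in TXT_RECORDS.items():
        print(name, expected_disposition(name, zone))
```

Running it prints `receiver default` for the zone with no records and `reject` for the hardened zone. The first case is the gap the post describes: with nothing published, neither mechanism ever reaches a fail, so whatever the gateway does with "no verdict" decides delivery. A domain that sends no mail at all can close that gap with exactly the two records `hardened.example` publishes.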

QR Codes and Microsoft Short Links: Two Evasion Layers in One Email

The email body contained malformed financial figures (the kind of garbled output that appears when mass-phishing templates fail to populate placeholder variables correctly) alongside a single primary CTA: "Scan to view document," above a QR code image.

QR code phishing has grown steadily because it exploits a specific gap in enterprise security architecture. Email security gateways that scan hyperlinks in message bodies cannot read a URL embedded inside a raster image. The CISA advisory on QR code phishing (quishing) published in 2023 called this out directly: malicious QR codes bypass gateway scanning entirely because the malicious URL only resolves after the image is read by a camera, on a device that is almost certainly not protected by corporate EDR or email security controls.

The email also included hyperlinked text. Those links used Microsoft's own short URL infrastructure: krs[.]microsoft[.]com/redirect?id=-crYd9Lj and aka[.]ms/krs?id=-crYd9Lj, along with a second aka[.]ms link. Both aka.ms and krs.microsoft.com are legitimate Microsoft URL shorteners. Their reputation scores in virtually every URL-filtering database reflect that. An email containing only aka.ms links looks, from a URL-reputation perspective, like it's pointing to Microsoft content.

The display text on those links was "Outlook for iOS." In an email about February 2026 Consolidated Financials. That mismatch is a clear signal of a mass-phishing template where the link targets were set in one pass and the display text was never updated. The IBM X-Force Threat Intelligence Index 2025 identified phishing-as-a-service platforms as a primary driver of exactly this kind of sloppy-but-functional template deployment: the kits are cheap, the templates are imperfect, and the campaigns still produce results because volume compensates for error rates.

Why Zero Authentication Is Not a Detection Signal for Most Gateways

Here is the part that matters for security teams doing a post-mortem: the absence of SPF, DKIM, and DMARC is not the same as a failed authentication check, and most Secure Email Gateways (SEGs) treat the two very differently.

A failed SPF check means the sending server is not authorized by the domain's SPF record. That is a clear negative signal and gateways act on it. An absent SPF record means no authorization policy exists at all. Many gateways apply a permissive default to domains with no authentication configuration, because a substantial amount of legitimate email still comes from small domains that have never published authentication records. The attacker relies on that permissiveness.

IRONSCALES analysis across 1,921 organizations found that SEGs miss an average of 67.5 phishing emails per 100 mailboxes per month. A significant portion of that gap consists of emails from domains with no authentication records, where the absence of a definitive "fail" verdict becomes de facto clearance.

MITRE ATT&CK T1566.002 (Spearphishing Link) covers this delivery pattern: a link-bearing email designed to direct user action toward an attacker-controlled destination. The QR code variant adds T1204.001 (User Execution: Malicious Link) to the chain, because the attack only completes when a user scans the code on a mobile device.

Themis, the IRONSCALES Adaptive AI virtual SOC analyst, classified this email as Credential Theft targeting a VIP Recipient at 89% confidence, then automatically quarantined it. The detection relied on signals that authentication records cannot provide: sender-recipient relationship history (first-time sender, no prior communication), display name format inconsistency with the actual sending domain, link display text that has no relationship to the email's stated purpose, and community threat intelligence from IRONSCALES' network of over 35,000 security professionals who had already flagged similar FireVPS-originating campaigns in preceding weeks.

The Microsoft Digital Defense Report 2024 noted that attackers are specifically targeting credential theft against finance function employees because access to financial systems, wire-transfer workflows, and accounts payable queues provides a direct monetization path. A compromised finance employee is one approved transaction away from a significant loss event.

What to Do About QR Code Phishing Before the Next One Lands

Four specific, actionable steps:

  1. Block or sandbox QR code images in email. Several email security platforms offer QR code extraction and URL detonation as an add-on capability. If your gateway doesn't inspect QR codes, that is a named gap in your coverage. Document it and escalate accordingly.

  2. Flag emails with zero authentication as a distinct risk tier. Absent SPF/DKIM/DMARC is not the same as a pass. Segment your gateway's verdict logic so that emails from domains with no published authentication policy receive additional behavioral scrutiny, not blanket permissive routing.

  3. Train your finance team to verify document requests through a second channel. "Scan to view your February financials" is an unusual delivery mechanism for internal financial documents. A 30-second Slack message to the supposed sender before scanning is a practical countermeasure. Security awareness training should address QR code phishing specifically, not just generic link-click scenarios.

  4. Check link display text against link destinations. An "Outlook for iOS" hyperlink in a financial document email is a contradiction that should trigger immediate scrutiny. If your gateway can surface display text/destination mismatches as a detection signal, enable it.
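The following triage script is an added example, not code from IRONSCALES or Themis, that implements three of the signals discussed on this page in one pass: it reads the receiver's Authentication-Results header and keeps "no verdict" (spf/dkim/dmarc all `none`) in its own tier instead of folding it into pass (the point of the gateway discussion above and of step 2), flags a display name that claims a Microsoft product while the address domain is not Microsoft's (the masquerading section), and reports anchors whose visible text names a different host than the `href` or whose destination is a URL shortener (step 4). The sample message is constructed from the indicators in this post; its receiver name, header layout, Authentication-Results line, brand lists and scoring weights are assumptions for illustration.

```python
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the post's indicators. The receiver name, the
# header layout and the Authentication-Results line are assumptions for
# illustration, not the captured message.
SAMPLE_EMAIL = b"""From: "mySharePointDrive-id:JSENUL8JVCKET0E" <info@nautical.pl>
To: ap-clerk@bank.example
Subject: February 2026 Consolidated Financials
Authentication-Results: mx.bank.example; spf=none smtp.mailfrom=nautical.pl; dkim=none; dmarc=none header.from=nautical.pl
Content-Type: text/html; charset=utf-8

<html><body><p>Scan to view document</p>
<a href="https://aka.ms/krs?id=-crYd9Lj">Outlook for iOS</a>
<a href="https://krs.microsoft.com/redirect?id=-crYd9Lj">Outlook for iOS</a>
</body></html>
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)
BRAND_TERMS = ("sharepoint", "onedrive", "microsoft", "office 365", "outlook")   # assumed list
BRAND_DOMAINS = ("microsoft.com", "sharepointonline.com", "office.com")          # assumed list
# Hosts whose final destination is unknown until the redirect is followed.
SHORTENERS = {"aka.ms", "krs.microsoft.com", "bit.ly", "t.co", "tinyurl.com"}
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def parse_auth_results(header_value):
    """Pull spf/dkim/dmarc verdicts out of an Authentication-Results header.
    A mechanism the receiver never evaluated is reported as 'absent'."""
    results = {"spf": "absent", "dkim": "absent", "dmarc": "absent"}
    for mech, verdict in AUTH_RE.findall(header_value or ""):
        results[mech.lower()] = verdict.lower()
    return results


def auth_tier(results):
    """Map verdicts to a handling tier. 'none' is kept apart from 'pass': a domain
    with no published policy produced no verdict, so it gets extra scrutiny."""
    verdicts = set(results.values())
    if verdicts & {"fail", "softfail", "permerror"}:
        return "fail"
    if results["dmarc"] == "pass":
        return "pass"
    if verdicts <= {"none", "absent"}:
        return "unauthenticated"
    return "partial"


def display_name_mismatch(from_header):
    """True when the display name claims a Microsoft product but the address domain is not Microsoft's."""
    name, addr = parseaddr(from_header or "")
    domain = addr.rsplit("@", 1)[-1].lower()
    claims_brand = any(term in name.lower() for term in BRAND_TERMS)
    is_brand_domain = any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS)
    return claims_brand and not is_brand_domain


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._current = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]
    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.anchors.append((self._current[0], self._current[1].strip()))
            self._current = None


def link_findings(html):
    """Flag shortener destinations and anchor text that names a host other than the href host."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        host = (urlparse(href).hostname or "").lower()
        if host in SHORTENERS:
            findings.append(("shortener", href, text))
        named = HOST_RE.search(text)
        if named and named.group(0).lower() != host:
            findings.append(("text_host_mismatch", href, text))
    return findings


def triage(raw_bytes):
    """Combine the signals into a score; the weights are this example's assumption."""
    msg = email.message_from_bytes(raw_bytes)
    body = msg.get_payload(decode=True).decode("utf-8", "replace") if msg.get_content_type() == "text/html" else ""
    links = link_findings(body)
    tier = auth_tier(parse_auth_results(msg.get("Authentication-Results")))
    signals = {
        "auth_tier": tier,
        "display_name_mismatch": display_name_mismatch(msg.get("From")),
        "shortener_links": sum(1 for kind, _, _ in links if kind == "shortener"),
        "text_host_mismatches": sum(1 for kind, _, _ in links if kind == "text_host_mismatch"),
    }
    # Unauthenticated mail is not a verdict on its own; it only adds weight to behavioural signals.
    score = {"fail": 3, "unauthenticated": 1, "partial": 0, "pass": 0}[tier]
    score += 2 * signals["display_name_mismatch"] + signals["shortener_links"] + 2 * signals["text_host_mismatches"]
    signals["score"] = score
    signals["verdict"] = "quarantine" if score >= 4 else "review" if score >= 2 else "deliver"
    return signals


if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

On the sample the authentication tier is `unauthenticated`, the display name check fires, both links resolve to shorteners, and the message scores into quarantine even though no single check produced a "fail". The shortener list deliberately includes Microsoft's own aka.ms and krs.microsoft.com: the finding is not a reputation judgment on those hosts but a statement that the real destination is unknown until the redirect is followed, which is exactly why a reputation-only filter saw nothing wrong here.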

Indicators of Compromise

| Type | Indicator | Context |
| --- | --- | --- |
| Sender address | info@nautical[.]pl | Sending address; display name spoofed to mimic internal SharePoint notification |
| Domain | nautical[.]pl | Registered 2017-12-27; nameservers ns1/ns2.masternet[.]pl; zero authentication records |
| IP | 198[.]7[.]56[.]52 | FireVPS-RDP origin server; unmanaged VPS infrastructure |
| Mail relay | mx.s5.masternet[.]pl | Polish relay (Exim 4.92.1); forwarding hop between VPS origin and Office 365 |
| Domain | masternet[.]pl | Relay infrastructure; also hosts nautical.pl nameservers |
| URL | krs[.]microsoft[.]com/redirect?id=-crYd9Lj | Microsoft short link (legitimate infrastructure abused); displayed as "Outlook for iOS" |
| URL | aka[.]ms/krs?id=-crYd9Lj | Microsoft short link (legitimate infrastructure abused); displayed as "Outlook for iOS" |
| URL | aka[.]ms/o0ukef | Microsoft short link (legitimate infrastructure abused) |
| Display name | mySharePointDrive-id:JSENUL8JVCKET0E | Crafted to mimic internal SharePoint notification identifier |

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 30,000+ security professionals. Each post breaks down one attack — what it looked like, why it worked, and what you can do about it.