The email looked like a routine Microsoft 365 password expiry notice. Sender name: "Front Desk-Service." Subject line stamped with yesterday's date. A blue button urging the recipient to stay on their current password before the deadline.
What it actually was: a three-layer evasion stack delivering a Shopify-hosted credential harvesting kit, where every part of the delivery chain was specifically designed to look clean to automated scanners.
The CTA button linked to a legitimate-looking shortener service. That URL contained a redirect_url parameter pointing to a subdomain of a real conservation organization in Argentina. Standard redirect-chain behavior, nothing unusual there.
The destination URL for that redirect, however, was malformed. The scheme and host were present but the path was empty. What followed the # fragment delimiter was a long Base64 string:
`hxxp://6c.vkfws.parquepatagoniaargentina[.]org://#aHR0cHM6Ly9zZXJlbml0eWphZGVi...`
Decoded, that Base64 resolves to:
`hxxps://serenityjadebundles[.]com/wahalawahalawahala/nibojapaomoiyami/Ironscales/[recipient-email]`
The subdomain (6c.vkfws) is NXDOMAIN and effectively disposable. Its only purpose is to carry the Base64 payload in the fragment. The parent domain belongs to a legitimate conservation organization with DMARC enforcement in place. It was never a participant in this attack.
Here is why this matters for scanners: URL fragment identifiers (#...) are processed by the browser, client-side. They are not sent to the server in HTTP requests. Many link-scanning tools evaluate the stated redirect target at the network level and stop there. If the scanner doesn't spin up a browser context and execute the fragment-based redirect, it never reaches serenityjadebundles[.]com. It sees a malformed URL pointing at an NXDOMAIN subdomain of a reputable conservation org. It moves on.
The real landing page stays invisible.
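A scanner only has to look at the URL text to recover what the browser would do with that fragment. The following is an added example, not IRONSCALES tooling or code from the write-up: it refangs a reported URL, Base64-decodes the fragment, and reports the carrier host alongside the hidden destination. The indicators are the ones quoted above, kept defanged; because the report truncates the Base64 string, the sample fragment is regenerated from the decoded destination rather than copied.

```python
import base64
import binascii
import re
from typing import Optional
from urllib.parse import urlsplit


def refang(url: str) -> str:
    """Turn the defanged notation used in threat reports (hxxp, [.]) back into a
    parseable URL. Harmless on URLs that are not defanged."""
    return (url.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


def _decode_base64_loose(s: str) -> Optional[str]:
    """Decode standard or URL-safe Base64, tolerating missing padding. Returns
    None when the text is not Base64 or does not decode to UTF-8."""
    s = s.strip()
    if not s or not re.fullmatch(r"[A-Za-z0-9+/=_-]+", s):
        return None
    s = s.replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def unmask_fragment_redirect(url: str) -> Optional[dict]:
    """If the #fragment of a URL is a Base64-encoded URL, return the carrier
    host and the hidden destination; otherwise return None. The fragment is
    never sent to the server, so this has to run on the URL text itself."""
    head, sep, fragment = refang(url).partition("#")
    if not sep or not fragment:
        return None
    hidden = _decode_base64_loose(fragment)
    if hidden is None:
        return None
    hidden = refang(hidden)  # a payload stored defanged in a report decodes defanged
    if not re.match(r"https?://", hidden, re.IGNORECASE):
        return None
    hidden_parts = urlsplit(hidden)
    return {
        "carrier_host": urlsplit(head).hostname,
        # A second '://' after the authority is the malformed shape seen here.
        "malformed_carrier": head.count("://") > 1,
        "hidden_destination": hidden,
        "hidden_host": hidden_parts.hostname,
        "hidden_path": hidden_parts.path,
    }


# Indicators from the write-up, kept defanged. The report shows the Base64
# fragment truncated, so it is regenerated here from the decoded destination.
HIDDEN_DESTINATION = ("hxxps://serenityjadebundles[.]com/wahalawahalawahala/"
                      "nibojapaomoiyami/Ironscales/[recipient-email]")
CARRIER = "hxxp://6c.vkfws.parquepatagoniaargentina[.]org://"
SAMPLE_CARRIER_URL = (CARRIER + "#"
                      + base64.b64encode(refang(HIDDEN_DESTINATION).encode()).decode())

if __name__ == "__main__":
    print(unmask_fragment_redirect(SAMPLE_CARRIER_URL))
```

Run against the sample, the carrier host resolves to the NXDOMAIN subdomain and the hidden host to the Shopify-hosted domain; an ordinary fragment such as `#section-2` returns None because it does not decode to a URL. The decoded destination, not the carrier, is the value worth passing to reputation and content checks.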
serenityjadebundles[.]com resolves to Shopify hosting. The domain was registered in 2019 and most recently updated in February 2025, and its nameservers are Google Domains. On the surface: an ordinary small business site on a mainstream commerce platform.
That is exactly the point.
Shopify domains inherit the platform's aggregate reputation. Security tools that evaluate URLs against blocklists and reputation scores tend to treat Shopify-hosted pages as low-risk by default. Registering a dedicated phishing domain leaves fingerprints: fresh registration dates, obscure TLDs, privacy-proxy WHOIS, hosting on known bulletproof infrastructure. Abusing an established domain on a trusted platform leaves far fewer.
The path structure embedded the recipient's email address: .../Ironscales/[recipient-email]. This is standard practice for commodity phishing kits. The harvesting page auto-fills the email field on load so the victim sees their own address pre-populated, reinforcing the illusion that this is a legitimate Microsoft 365 portal session. It also enables the attacker to track which specific addresses clicked through.
By the time this campaign was active, Shopify had already become a known vector for credential harvesting. According to the Microsoft Digital Defense Report 2024, legitimate cloud services are increasingly the preferred hosting environment for phishing infrastructure precisely because they benefit from established trust relationships with security tooling.
The Base64 fragment trick was the headline, but the message was constructed with additional filter-bypass logic throughout.
Layer 1: Base64 fragment redirect. Covered above. Link scanners that evaluate redirect chains at the network layer, without executing fragment-based client-side navigation, never see the Shopify destination.
Layer 2: Personalized Shopify path. The recipient email address embedded in the URL path is not just a tracking mechanism. It also means every harvesting URL is unique per target. Blocklist-based detection that compares against known-bad URLs fails when every URL is slightly different.
Layer 3: Zero-width Unicode in button text. The CTA button label included invisible Unicode characters interspersed throughout the visible text. Rendered in a browser, the button reads normally. At the string level, the text is broken into fragments that don't match known-bad signatures. This technique has appeared in other campaigns using Unicode obfuscation (including a DocuSign impersonation with right-to-left override characters we covered recently). It is becoming table stakes in commodity kits.
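The countermeasure for Layer 3 is to match on what the recipient sees, not on the raw string. The block below is an added example (not code from the post or from IRONSCALES) that strips Unicode format-category characters, which cover the zero-width space, joiner and non-joiner as well as the right-to-left override from the DocuSign case, and shows the same phrase list failing against the raw label and matching against the normalized one. The button label and phrase list are constructed for the example.

```python
import unicodedata

# Constructed button label: the visible text "Keep Current Password" with a
# zero-width space, a zero-width non-joiner and a zero-width joiner inserted.
OBFUSCATED_LABEL = "Ke\u200bep Cur\u200crent Pass\u200dword"
PHRASES = ["keep current password", "password"]


def find_invisible(text: str) -> list:
    """List (index, U+XXXX, name) for every format-category (Cf) character.
    Zero-width space/joiner/non-joiner, word joiner, BOM, soft hyphen and the
    bidi overrides (U+202E and friends) all carry category Cf."""
    return [(i, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
            for i, c in enumerate(text)
            if unicodedata.category(c) == "Cf"]


def normalize_for_matching(text: str) -> str:
    """Drop Cf characters and apply NFKC so a phrase list written against
    plain text matches what the recipient actually sees on screen."""
    stripped = "".join(c for c in text if unicodedata.category(c) != "Cf")
    return unicodedata.normalize("NFKC", stripped)


def check_button_label(label: str, phrases: list) -> dict:
    """Compare raw-string matching with matching on the normalized text and
    report how many invisible characters were hiding in the label."""
    invisible = find_invisible(label)
    visible = normalize_for_matching(label)
    return {
        "invisible_chars": invisible,
        "invisible_count": len(invisible),
        "visible_text": visible,
        # What a naive substring signature sees:
        "raw_match": any(p.lower() in label.lower() for p in phrases),
        # What the recipient sees:
        "matched_phrases": [p for p in phrases if p.lower() in visible.lower()],
    }


if __name__ == "__main__":
    result = check_button_label(OBFUSCATED_LABEL, PHRASES)
    for idx, cp, name in result["invisible_chars"]:
        print(f"offset {idx}: {cp} {name}")
    print("raw match:", result["raw_match"], "| normalized match:", result["matched_phrases"])
```

The count of format characters is itself a usable signal: a three-word button label with several Cf code points in it has no legitimate rendering reason to contain them, so the normalization step can both restore signature matching and raise a flag of its own.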
The sending infrastructure rounded out the picture. The email came from a law firm domain via Amazon SES with valid SPF and DKIM. The problem: both authentication records aligned to amazonses.com, not to the law firm's own domain. The law firm domain published no DMARC record. So composite authentication failed, but there was nothing to enforce on. The message delivered cleanly.
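The authentication outcome described above follows directly from the DMARC alignment rules, and it is worth seeing the evaluation spelled out. This is an added example, not the post's or any vendor's code: it takes the From domain, the SPF and DKIM results with the domains they verified, and the sender's DMARC record (or none), and returns alignment and the resulting disposition. Organizational-domain derivation is simplified to the last two labels (a real evaluator uses the Public Suffix List) and `pct`/subdomain policy tags are ignored; the `mail.balaban-law.com` DKIM domain in the third case is constructed to show relaxed versus strict alignment.

```python
from typing import Optional


def organizational_domain(domain: str) -> str:
    """Simplification: last two labels. Production code must consult the
    Public Suffix List so that e.g. example.co.uk is handled correctly."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc_record(record: Optional[str]) -> Optional[dict]:
    """Parse 'v=DMARC1; p=reject; adkim=s' into a tag dict; None if absent."""
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags if tags.get("v") == "dmarc1" else None


def is_aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Relaxed ('r'): organizational domains match. Strict ('s'): exact match."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate_dmarc(from_domain: str, spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str,
                   dmarc_record: Optional[str]) -> dict:
    """SPF and DKIM may both pass and DMARC can still fail: each must also
    align with the RFC5322.From domain. With no record, failure has no policy
    to enforce and the message is delivered."""
    tags = parse_dmarc_record(dmarc_record)
    aspf = (tags or {}).get("aspf", "r")
    adkim = (tags or {}).get("adkim", "r")
    spf_aligned = spf_result == "pass" and is_aligned(spf_domain, from_domain, aspf)
    dkim_aligned = dkim_result == "pass" and is_aligned(dkim_domain, from_domain, adkim)
    dmarc_pass = spf_aligned or dkim_aligned
    if tags is None:
        policy, disposition = "none (no record published)", "deliver"
    else:
        policy = tags.get("p", "none")
        disposition = "deliver" if dmarc_pass or policy == "none" else policy
    return {
        "record_published": tags is not None,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_result": "pass" if dmarc_pass else "fail",
        "policy": policy,
        "disposition": disposition,
    }


if __name__ == "__main__":
    # The campaign as described: SES signed and passed SPF for amazonses.com,
    # the From domain is the law firm, and no DMARC record exists.
    print(evaluate_dmarc("balaban-law.com", "pass", "amazonses.com",
                         "pass", "amazonses.com", None))
    # Same message if the law firm had published p=reject.
    print(evaluate_dmarc("balaban-law.com", "pass", "amazonses.com",
                         "pass", "amazonses.com", "v=DMARC1; p=reject"))
```

The first call reproduces the case in the post: both checks pass, neither aligns, DMARC fails, and the disposition is still "deliver" because nothing was published. The second call shows the same message being rejected once a policy exists, which is the takeaway about enforcing DMARC on your own domain.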
Verizon's 2024 Data Breach Investigations Report found that phishing remains the most common initial access technique in confirmed breaches, present in 68% of social engineering incidents. The FBI's 2024 IC3 Internet Crime Report put credential theft-related losses at multi-billion dollar scale annually. Attacks like this one illustrate why those numbers don't move: the evasion investment is low, the tooling is commoditized, and each individual layer looks harmless in isolation.
Each evasion layer on its own is manageable. Together, they create a compound problem for tools that evaluate signals in isolation.
The redirect URL scores clean because the destination is NXDOMAIN. The Shopify domain scores clean because of platform reputation. The button text passes string matching because the tokens are fragmented by invisible characters. The sender authentication passes SPF and DKIM checks because SES signed it legitimately, even though DMARC alignment failed.
IRONSCALES Themis flagged this within seconds of delivery, with 90% confidence on Credential Theft, before any user interaction. The detection wasn't built on any single signal. It correlated the authentication failure pattern (compauth=fail on a DMARC-none domain), the first-time sender with no business relationship to the recipient, the obfuscated link structure, and the urgency header stack (Priority: urgent, X-Priority: 1, Importance: high) as a compound fingerprint of credential-theft behavior. The message was quarantined automatically.
The IRONSCALES Adaptive AI approach to this class of attack is behavioral, not signature-based. Fragment-based redirect chains don't have known-bad signatures at the point of delivery. What they do have is a pattern: obfuscation, authentication misalignment, urgency signals, first-time sender, and a harvesting kit on a platform with high ambient reputation. That pattern is detectable even when every individual component looks clean.
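To make the "compound fingerprint" idea concrete, here is an added example that is not IRONSCALES code and does not reproduce Themis: it parses the headers of a constructed message modelled on the one described (the urgency triple, and an Authentication-Results header in the `method=result key=value; ...` form receiving platforms write, with the compauth and dmarc outcomes from the post) and counts the header-level signals that co-occur: composite authentication failure on a domain with no DMARC record, the triple urgency stack, and a sender absent from a known-sender set. The known-sender set and the message body are constructed; link obfuscation is left out here because it needs URL handling rather than header parsing.

```python
import email
import re
from email import policy, utils

# Constructed message mirroring the headers described in the write-up. The
# Authentication-Results value follows the usual method=result key=value form.
SAMPLE_RAW = """\
From: "Front Desk-Service" <mbalaban@balaban-law.com>
To: employee@example.invalid
Subject: Password expiry notice
Priority: urgent
X-Priority: 1
Importance: high
Authentication-Results: spf=pass smtp.mailfrom=amazonses.com; dkim=pass header.d=amazonses.com; dmarc=none action=none header.from=balaban-law.com; compauth=fail
Content-Type: text/plain

Your password expires today. Keep your current password before the deadline.
"""

URGENCY_HEADERS = {"Priority": "urgent", "X-Priority": "1", "Importance": "high"}


def parse_authentication_results(value: str) -> dict:
    """Parse 'spf=pass smtp.mailfrom=x; dkim=pass header.d=y; ...' into
    {method: {"result": ..., extra properties...}}. Parenthesised comments
    that some platforms add are stripped first."""
    value = re.sub(r"\([^)]*\)", "", value)
    parsed = {}
    for clause in value.split(";"):
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        parsed[method.lower()] = {"result": result.lower(), **props}
    return parsed


def score_message(raw: str, known_senders: set) -> dict:
    """Count header-level signals that, taken together, characterise this
    delivery pattern. No single one is a verdict on its own."""
    msg = email.message_from_string(raw, policy=policy.default)
    signals = []

    auth = parse_authentication_results(msg.get("Authentication-Results", "") or "")
    compauth = auth.get("compauth", {}).get("result")
    dmarc = auth.get("dmarc", {}).get("result")
    if compauth == "fail" and dmarc == "none":
        signals.append("composite authentication failed on a domain with no DMARC record")

    present = [h for h, expected in URGENCY_HEADERS.items()
               if (msg.get(h) or "").strip().lower().startswith(expected)]
    if len(present) == len(URGENCY_HEADERS):
        signals.append("triple urgency header stack")

    sender = utils.parseaddr(msg.get("From", "") or "")[1].lower()
    if sender and sender not in known_senders:
        signals.append("first-time sender")

    return {"sender": sender, "auth": auth, "signals": signals, "score": len(signals)}


if __name__ == "__main__":
    verdict = score_message(SAMPLE_RAW, known_senders={"partner@example.invalid"})
    print(verdict["score"], verdict["signals"])
```

Against the sample all three signals fire; adding the sender to the known-sender set drops it to two, which is the point of correlating rather than thresholding on any single check.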
For teams using credential harvesting protection, this case is a useful calibration point on what to expect from the current generation of commodity kits.
Three direct takeaways from this campaign:
Verify that your URL scanning executes redirects. Static analysis of redirect URLs is increasingly insufficient. If your scanning infrastructure doesn't spin up a browser context and follow fragment-based redirects, an entire class of evasion techniques is invisible to it. Ask your vendor explicitly: does link scanning execute JavaScript and follow client-side navigation?
Don't treat platform reputation as a safety signal. Shopify, Google Sites, OneDrive, Dropbox: attackers use all of them. A URL pointing at a reputable platform hostname is not inherently safer than one pointing at a fresh attacker domain. Content analysis and behavioral signals matter more than hostname reputation alone.
Enforce DMARC on your own domain. The sending domain in this campaign published no DMARC record, which meant composite authentication failure had no consequence. If your organization's domain is in the same position, it's available as spoofing infrastructure. IRONSCALES DMARC management gives security teams visibility into domain posture and enforcement gaps. Per CISA's phishing guidance, DMARC enforcement at reject or quarantine is a baseline control recommendation.
The Verizon DBIR consistently shows that credential theft attacks succeed not because defenders lack awareness, but because the detection chain has gaps that attackers have already mapped. The fragment redirect trick isn't new. Neither is Shopify abuse. What's notable here is seeing all three evasion layers deployed together in a commodity campaign, suggesting these techniques have moved from targeted to routine.
| Type | Indicator | Context |
|---|---|---|
| URL | hxxp://qtd[.]io/r?a=click&c=lk5j-bf-email05&l=social-share-linkedin&redirect_url=... | Initial redirector with encoded destination |
| Domain | 6c.vkfws.parquepatagoniaargentina[.]org | Decoy/carrier host; NXDOMAIN subdomain carrying Base64 fragment |
| Domain | serenityjadebundles[.]com | Shopify-hosted credential harvesting kit |
| URL | hxxps://serenityjadebundles[.]com/wahalawahalawahala/nibojapaomoiyami/ | Harvesting path (recipient email appended as final path segment) |
| Email | mbalaban@balaban-law[.]com | Sender address; law firm domain with no DMARC record |
| IP | 69[.]169[.]224[.]17 | Amazon SES EU-Central relay (b224-17.smtp-out.eu-central-1.amazonses[.]com) |
| Header pattern | Priority: urgent + X-Priority: 1 + Importance: high | Triple urgency stack; common credential-theft delivery fingerprint |