Threat Intelligence

Forged Healthcare Sender, Two-Hop SaaS Redirect: How a Fake Invoice Opens a Phishing Chain

Written by Audian Paxson | Jun 27, 2026 11:00:00 AM
TL;DR Attackers forged the From address of a healthcare provider that has operated since 1995, breaking DKIM and triggering DMARC quarantine in the process. The email body claimed a shared PDF document and offered a green button labeled 'Open document.' There was no attachment. The button linked to a project-management SaaS, which in turn carried a saferedirect attribute pointing to a second legitimate SaaS product. Neither intermediate service was malicious: the attacker was abusing their open-redirect behaviors to put clean, well-known hostnames in the link chain. Themis flagged the message at 82% confidence based on the combination of authentication failure, a first-contact sender, and a link chain that resolved outside any document service associated with the claimed sender.
Severity: High | Tags: Phishing, Credential Harvesting, Redirect Chain | MITRE ATT&CK: T1566.002, T1598.003

An email arrives claiming to be from a healthcare provider that has been operating since 1995. The subject is "Invoice Payment." There is no attachment. There is a green button that says "Open document." The domain in the From header has been around for three decades. The button goes nowhere near that domain.

This is a forged-sender redirect attack. The goal is to use a trusted name in the From line while routing the actual click through services the attacker does not control and the victim has no reason to distrust.

What Authentication Actually Said

The message displayed a sender affiliated with a healthcare organization whose domain was registered in October 1995. That longevity matters to spam filters: old domains carry accumulated reputation, and that reputation is part of what attackers want to borrow.

But the authentication chain told a different story. DKIM failed: the body hash did not verify under the signature's published selector, meaning either the message was modified after signing or the signature was never valid for the final From domain. The DMARC policy on the sender domain was p=quarantine, and because DKIM alignment failed, DMARC acted on that policy.

The SPF picture was split. An earlier hop through a Barracuda outbound gateway passed SPF for the envelope-from at that point. By the time the message reached the Microsoft 365 front end, the originating IP 139.138.34.191 produced an SPF softfail. ARC chain verification failed at hop two. The net result: compauth=none reason=451, a non-delivery-authorizing compound authentication verdict that left the decision to gateway configuration rather than policy enforcement.

Gateway-level spam scoring assigned the message a Barracuda score of 1.80 against a kill threshold of 5.0. The message cleared the numerical bar while carrying a clearly mismatched link chain. Perimeter defense passed it. Behavioral analysis did not.
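The verdicts above (DKIM fail, SPF softfail, broken ARC, DMARC fail with a quarantine action, compauth=none reason=451) are all things a gateway reads from the Authentication-Results header. The following is an added example, not IRONSCALES code or anything from the original post: it parses a constructed Authentication-Results header modelled on those verdicts (the receiving host and the sender domain clinic-example.test are placeholders; the originating IP is the one the post reports), lists the authentication anomalies, and shows why the same header yields "quarantine" under strict DMARC enforcement but delivery when a gateway allow-list is permitted to override the policy.

```python
"""Parse an Authentication-Results header and derive a gateway disposition."""
import re
from dataclasses import dataclass, field

# Constructed header modelled on the verdicts described in the post. Host and
# sender domain are placeholders; only the originating IP comes from the post.
SAMPLE_AUTH_RESULTS = (
    "mx.example-tenant.test; "
    "spf=softfail (sender IP is 139.138.34.191) smtp.mailfrom=clinic-example.test; "
    "dkim=fail (body hash did not verify) header.d=clinic-example.test; "
    "arc=fail (hop 2 signature invalid); "
    "dmarc=fail action=quarantine header.from=clinic-example.test; "
    "compauth=none reason=451"
)


@dataclass
class MethodResult:
    method: str
    result: str
    props: dict = field(default_factory=dict)


# method=result, an optional "(comment)", then whatever key=value properties follow
_SEGMENT = re.compile(r"^\s*([a-z]+)=(\w+)\s*(?:\([^)]*\))?\s*(.*)$", re.I)
_PROP = re.compile(r"([\w.]+)=(\S+)")


def parse_authentication_results(header: str) -> dict:
    """Return {method: MethodResult} for every method in the header."""
    segments = [s for s in header.split(";") if s.strip()]
    parsed = {}
    for seg in segments[1:]:  # segment 0 is the authserv-id (the evaluating host)
        m = _SEGMENT.match(seg)
        if not m:
            continue
        method, result, rest = m.group(1).lower(), m.group(2).lower(), m.group(3)
        props = {k.lower(): v for k, v in _PROP.findall(rest)}
        parsed[method] = MethodResult(method, result, props)
    return parsed


def anomalies(results: dict) -> list:
    """Human-readable list of every method that did not come back clean."""
    found = []
    dkim = results.get("dkim")
    if dkim and dkim.result != "pass":
        found.append(f"dkim={dkim.result} for {dkim.props.get('header.d', '?')}")
    spf = results.get("spf")
    if spf and spf.result != "pass":
        found.append(f"spf={spf.result} for {spf.props.get('smtp.mailfrom', '?')}")
    arc = results.get("arc")
    if arc and arc.result == "fail":
        found.append("arc chain verification failed")
    comp = results.get("compauth")
    if comp and comp.result == "none":
        found.append(f"compauth=none reason={comp.props.get('reason', '?')}")
    return found


def gateway_disposition(results: dict, enforce_dmarc: bool = True,
                        sender_allowlisted: bool = False) -> str:
    """'quarantine'/'reject' when DMARC policy is honoured, 'deliver-override'
    when an allow-list or disabled enforcement lets the message through."""
    dmarc = results.get("dmarc")
    if dmarc is None or dmarc.result == "pass":
        return "deliver"
    action = dmarc.props.get("action", "none")
    if action in ("quarantine", "reject") and enforce_dmarc and not sender_allowlisted:
        return action
    return "deliver-override"


if __name__ == "__main__":
    r = parse_authentication_results(SAMPLE_AUTH_RESULTS)
    for a in anomalies(r):
        print("anomaly:", a)
    print("strict DMARC:", gateway_disposition(r))
    print("allow-listed sender:", gateway_disposition(r, sender_allowlisted=True))
```

The two calls to gateway_disposition at the bottom are the whole point: the header is identical, and only the gateway's willingness to let an allow-list outrank the domain owner's published policy changes the outcome.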

The Two-Layer SaaS Redirect

The single clickable CTA in the email was an "Open document" button pointing to hxxps://www[.]holabrief[.]com/exercise/c43dfcf5-46ac-463c-9597-0960bdeee9e9/a7fb05bb-987a-4c64-a43e-c9f81f93ae1e.

HolaBrief is a real creative-brief collaboration platform. The attacker exploited a feature that allows external URLs to be embedded in exercise or project objects. The HTML source of the email also contained a saferedirecturl attribute pointing to hxxps://loopedin[.]io, a second legitimate project-management SaaS product, as a fallback redirect path.

The point is not that either SaaS product was malicious or attacker-owned. They were abused as transit infrastructure. A URL scanner following the first hop sees holabrief.com, a registered business with a real product, and scores the link clean. The actual destination, an unaffiliated external site with no relationship to the claimed healthcare sender, only appears after the chain completes. The automated verdict on this link was "Clean" precisely because URL scoring evaluated the intermediate domain, not the final destination.
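The scanner failure described here is a single-evaluation problem: the verdict is computed on the first hostname in the chain and never on where the chain ends. The following is an added example, not code from IRONSCALES or the original post. It extracts the href and saferedirecturl attributes from a constructed copy of the lure's HTML, walks the redirect chain through a simulated, offline hop table (the exercise path segments and the final landing host final-landing.example are placeholders, not the real values), and contrasts a first-hop reputation verdict with a verdict that asks whether the final destination is consistent with the claimed sender.

```python
"""Resolve an email link's redirect chain and score the final hop, not the first."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed body modelled on the lure; the exercise path IDs are placeholders.
SAMPLE_HTML = """
<p>DOC - 19017.pdf is ready to open.</p>
<a href="https://www.holabrief.com/exercise/EXERCISE-ID/ITEM-ID"
   saferedirecturl="https://loopedin.io/" style="background:#2ecc71">Open document</a>
"""

# Simulated hop table standing in for live HTTP redirects so the example runs
# offline. The final landing host is a placeholder, not the post's real one.
SIMULATED_HOPS = {
    "https://www.holabrief.com/exercise/EXERCISE-ID/ITEM-ID":
        "https://loopedin.io/r?u=https://final-landing.example/login",
    "https://loopedin.io/r?u=https://final-landing.example/login":
        "https://final-landing.example/login",
}

# Constructed single-layer reputation list: what a first-hop scanner trusts.
KNOWN_GOOD_HOSTS = {"www.holabrief.com", "loopedin.io"}


class LinkExtractor(HTMLParser):
    """Collect href and saferedirecturl from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self.links.append({k: a[k] for k in ("href", "saferedirecturl") if k in a})


def extract_links(html: str) -> list:
    p = LinkExtractor()
    p.feed(html)
    return p.links


def follow_chain(url: str, resolver: dict, max_hops: int = 10) -> list:
    """Return [first, ..., final]; max_hops bounds redirect loops."""
    chain = [url]
    while url in resolver and len(chain) < max_hops:
        url = resolver[url]
        chain.append(url)
    return chain


def host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def first_hop_verdict(chain: list) -> str:
    """What a scanner that stops at the first hop reports."""
    return "clean" if host(chain[0]) in KNOWN_GOOD_HOSTS else "unknown"


def sender_consistency_verdict(chain: list, claimed_sender_domain: str,
                               document_hosts: set) -> str:
    """Is the final destination one the claimed sender would plausibly use?"""
    final = host(chain[-1])
    if final == claimed_sender_domain or final.endswith("." + claimed_sender_domain):
        return "consistent"
    if final in document_hosts:
        return "consistent"
    return "inconsistent"


def analyse(html: str, claimed_sender_domain: str, document_hosts: set,
            resolver: dict) -> dict:
    """Score every link in the body on both the first hop and the final hop."""
    report = []
    for link in extract_links(html):
        chain = follow_chain(link["href"], resolver)
        report.append({
            "chain": chain,
            "saferedirecturl": link.get("saferedirecturl"),
            "first_hop": first_hop_verdict(chain),
            "final_hop": sender_consistency_verdict(chain, claimed_sender_domain,
                                                   document_hosts),
        })
    return {"links": report,
            "suspicious": any(r["final_hop"] == "inconsistent" for r in report)}


if __name__ == "__main__":
    out = analyse(SAMPLE_HTML, "clinic-example.test",
                  {"docs.clinic-example.test"}, SIMULATED_HOPS)
    for r in out["links"]:
        print(" -> ".join(r["chain"]))
        print("first hop:", r["first_hop"], "| final hop:", r["final_hop"])
    print("suspicious:", out["suspicious"])
```

The document_hosts set is where an organisation records the sharing platforms a given sender actually uses; anything that resolves outside that set and outside the sender's own domain is inconsistent with the stated purpose of the message regardless of how reputable the intermediate hostnames are.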


There was no document anywhere in the message. No PDF. No attachment of any kind. The body claimed "DOC - 19017.pdf" existed and was ready to open, but the file was fictional. The claim served only to give the button a plausible reason to exist.

Why a Forged 1995 Domain Is the Right Choice for This Attack

Domain age contributes to sender reputation scoring. A domain registered in 1995 has decades of sending history, MX records, and often a place in enterprise allow-lists built up through years of legitimate correspondence. Spoofing such a domain is more valuable than registering a fresh lookalike because the borrowed reputation extends to every IP reputation database that has ever seen mail from that organization.

The attacker's approach here was to forge the display name and email address of an unverified sender at the healthcare organization. A public-person search for the named sender returned no authoritative match connecting that name to the organization. The sender is either fabricated entirely or belongs to a non-public user whose name was obtained through a prior data exposure. Either way, the display name should not have been treated as a verified identity.

Email spoofing of established organizational domains works because many gateways apply a graduated trust curve to aged domains. Attackers have mapped this dynamic and specifically seek out large, long-lived organizational domains as spoofing targets.

Behavioral Signals That Broke the Lure

IRONSCALES Adaptive AI flagged this message at 82% confidence under the label "Invoice Phishing." The classification was not driven by authentication failure alone; broken DKIM is a noisy signal that can result from legitimate forwarding configurations. The behavioral layer identified the combination:

The sending account had no prior contact history with any of the four recipient mailboxes in the affected organization. A first-contact message from an external healthcare sender, with an invoice-themed subject and an "Open document" button pointing outside any recognized document-sharing platform, does not match a normal healthcare billing workflow.

Credential harvesting via redirect chains specifically targets organizations that rely on URL allow-listing or single-layer reputation scoring, because those defenses evaluate the first hop and stop. Multi-stage redirect chains exploit that single-evaluation assumption.

Signals to Watch For

When a redirect chain appears in an email lure, the relevant question is not whether the first-hop domain is legitimate but whether the final destination is consistent with the claimed sender's identity and the stated purpose of the email. A healthcare organization sharing an invoice document would not route the recipient through a creative-brief SaaS platform.

The Verizon DBIR 2026 identifies phishing as the initial access vector in the majority of social engineering breaches. The MITRE ATT&CK framework classifies spearphishing links as T1566.002; open-redirect exploitation is a sub-technique that puts legitimate service hostnames in the visible link path. CISA advises that any message requesting document access through an unexpected external link warrants out-of-band verification before clicking.

The authentication failure on this message, specifically the DKIM verification break and the subsequent DMARC quarantine action, was the clearest single signal available at the gateway. Environments that enforce DMARC quarantine without exception would have isolated this message before it reached a mailbox. Environments that override quarantine based on gateway allow-lists absorbed the risk instead.

---

Type | Indicator | Context
URL | hxxps://www[.]holabrief[.]com/exercise/c43dfcf5-46ac-463c-9597-0960bdeee9e9/a7fb05bb-987a-4c64-a43e-c9f81f93ae1e | Primary CTA link; legitimate SaaS abused as redirect stage
Domain | holabrief[.]com | Legitimate project-collaboration SaaS used as first redirect hop
Domain | loopedin[.]io | Legitimate SaaS referenced via saferedirecturl attribute as fallback redirect hop
IP | 139.138.34.191 | Originating IP; SPF softfail at final Microsoft 365 hop
Auth Result | dkim=fail; dmarc=fail action=quarantine | Final authentication verdict on the spoofed healthcare sender domain

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
