One Poisoned Link Among 30
A public school district employee received a Telecharge newsletter on April 14, 2026. The subject line promoted Broadway shows. The email carried full SPF, DKIM, and DMARC authentication with a p=REJECT enforcement policy. The sender domain reply.telecharge.com was legitimate. The mailing infrastructure matched Telecharge's known ESP. Twenty-nine links inside the email pointed to real destinations: telecharge.com show pages, YouTube trailers, GQ profiles, Variety podcast links.
One link did not.
Embedded as a banner image, a single URL directed to first-looks[.]pages[.]dev/huzzah, a Cloudflare Pages subdomain hosting a live form that harvested email addresses, first and last names, zip codes, and phone numbers. No corporate branding. No verifiable owner. No privacy policy. Just a clean, HTTPS-secured form on a reputable cloud platform, tucked inside an email that every authentication check on the planet would pass.
This is the anatomy of trusted-sender abuse: when the email is real, the sender is real, and the infrastructure is real, but a single poisoned link turns a legitimate newsletter into a phishing delivery vehicle.
Why Authentication Alone Could Not Stop This
The email's authentication headers tell a story of perfect compliance. DKIM passed with a valid signature from reply.telecharge.com. SPF passed for the envelope sender at lists.n-email4.net, confirming the originating IP 141[.]193[.]209[.]79 was authorized. DMARC passed with a p=REJECT policy, the strictest enforcement level available.
These results are not spoofed. The email genuinely originated from Telecharge's mailing infrastructure, relayed through dv9-79.n-email[.]net. ARC headers were intact. The Return-Path used a standard bounce address format consistent with the Delivra ESP platform. By every measure of sender authentication, this message was legitimate.
And that is precisely the problem. SPF validates the sending server. DKIM validates message integrity. DMARC ties them together. None of these protocols inspect what a link inside the email body actually does when someone clicks it. The Microsoft Digital Defense Report 2024 documented the growing trend of attackers leveraging trusted sender infrastructure to bypass authentication-dependent filters. This attack is a textbook example.
According to CISA's phishing guidance, email authentication is a necessary but insufficient layer of defense. When the sending domain is not spoofed but genuinely compromised or weaponized at the content level, authentication provides a false sense of security.
The Cloudflare Pages Payload
The malicious URL used Cloudflare Pages (pages.dev), a free static site hosting service that provides instant deployment, valid TLS certificates, and the halo effect of Cloudflare's domain reputation. The subdomain first-looks was registered with privacy-protected WHOIS, standard for the platform but exploited here to prevent attribution.
The landing page at /huzzah presented a form requesting four PII fields: email address, first name, last name, zip code, and phone number. No login credentials. No password fields. This was not a credential harvesting page in the traditional sense. It was a PII collection operation designed to feed downstream attack chains.
Harvested PII at this level of detail enables highly targeted spearphishing. An attacker who knows a target's full name, email, phone number, and geographic location can craft follow-up attacks referencing local institutions, nearby businesses, or regional events. The FBI IC3 2024 Annual Report highlighted PII harvesting as a precursor to business email compromise, with losses exceeding $2.9 billion in 2024 alone. The Verizon DBIR 2024 confirmed that stolen PII is the most common data type in social engineering breaches.
The use of pages.dev is deliberate. The IBM Cost of a Data Breach Report 2024 noted that cloud-hosted phishing infrastructure reduces attacker overhead to near zero while inheriting the platform's reputation score. Many legacy email security tools whitelist or deprioritize scanning for links hosted on major cloud platforms, treating pages.dev, *.azurewebsites.net, and *.netlify.app as low-risk by default. Attackers know this.
The MITRE ATT&CK framework maps this infrastructure choice to T1583.006: Acquire Infrastructure, Web Services, where adversaries establish resources on legitimate platforms to stage operations. The link delivery itself maps to T1566.002: Phishing, Spearphishing Link and the PII collection goal aligns with T1598.003: Phishing for Information.
The Needle-in-a-Haystack Problem
What makes this attack especially dangerous is the signal-to-noise ratio. The email contained over 30 links. All but one were clean. The newsletter layout, branding, and editorial content were consistent with legitimate Telecharge communications. Links pointed to real Broadway show pages, real YouTube videos, real Audience Rewards promotions.
A human reviewing this email would need to inspect every single link to find the malicious one. A legacy SEG scanning for known-bad domains or obvious phishing indicators would pass it. The sender reputation was clean. The domain was authenticated. The body contained no urgent language, no credential prompts, no suspicious attachments.
IRONSCALES Themis flagged this message because the detection model does not stop at authentication. It evaluates every link destination, scoring ephemeral cloud-hosted subdomains against behavioral patterns. The first-looks[.]pages[.]dev subdomain triggered on multiple signals: new subdomain with no prior sending history, privacy-shielded registration, a live form requesting PII with no corporate verification, and the mismatch between a Broadway newsletter's expected link profile and a generic cloud-hosted landing page. Community threat intelligence from 35,000+ security professionals corroborated the verdict with high confidence.
Defanged IOC Table
| Indicator | Type | Context |
|---|---|---|
| first-looks[.]pages[.]dev | Domain | Malicious landing page host (Cloudflare Pages) |
| hxxps://first-looks[.]pages[.]dev/huzzah | URL | PII harvesting form (email, name, zip, phone) |
| email@reply[.]telecharge[.]com | Email address | Legitimate sender (newsletter weaponized with malicious link) |
| lists[.]n-email4[.]net | Domain | Envelope sender / bounce domain (Delivra ESP) |
| dv9-79[.]n-email[.]net | Domain | Originating mail relay |
| 141[.]193[.]209[.]79 | IP | Sending server IP (SPF-authorized) |
What This Means for Your Inbox
If your email security strategy ends at authentication, this attack will land. SPF, DKIM, and DMARC are table stakes. They verify the envelope. They do not verify intent.
Security teams protecting organizations (especially in education, where newsletter subscriptions are common and staff are accustomed to promotional emails) need to layer real-time link analysis on top of authentication. That means following every URL to its final destination at click time, evaluating landing page behavior (form fields, registration data, domain age), and correlating link reputation against the sender's expected link profile.
The pattern here will repeat. Legitimate newsletters offer attackers a high-trust, high-volume delivery mechanism with built-in camouflage. The single malicious link hides among dozens of real ones. Detection depends on inspecting every link, every time, not just the ones that look suspicious.
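The link-profile check described above, and the signals listed in the detection section (cloud-hosted subdomain, PII form with no corporate verification, mismatch with the sender's expected link profile), written out as an added example. This is not IRONSCALES code; the hosting-platform list, the PII keyword list, the scoring weights, and the newsletter and landing-page HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Free hosting platforms whose subdomains inherit the platform's reputation
# (constructed list; pages.dev is the one used in the campaign described above).
EPHEMERAL_HOSTS = (".pages.dev", ".netlify.app", ".azurewebsites.net", ".workers.dev")
PII_KEYWORDS = ("email", "first", "last", "zip", "postal", "phone", "tel")

class TagCollector(HTMLParser):
    """Collects every href (including links wrapped around banner images)
    and every visible form input on a page."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.inputs = [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        elif tag == "input" and a.get("type", "text") not in ("hidden", "submit"):
            self.inputs.append((a.get("name") or a.get("id") or "").lower())

def registered_domain(host):
    # "last two labels" is enough for this example; use the Public Suffix List in production.
    return ".".join(host.lower().split(".")[-2:])

def triage(newsletter_html, expected_domains, landing_pages):
    """Report links outside the sender's expected link profile, scored
    +2 for a free cloud host and +1 per PII field on the landing form (max 3)."""
    page = TagCollector(); page.feed(newsletter_html)
    report = []
    for href in page.hrefs:
        host = urlparse(href).hostname or ""
        if not host or registered_domain(host) in expected_domains:
            continue                        # on-profile link, e.g. telecharge.com
        landing = TagCollector(); landing.feed(landing_pages.get(href, ""))
        fields = [f for f in landing.inputs if any(k in f for k in PII_KEYWORDS)]
        report.append({"url": href, "ephemeral_host": host.endswith(EPHEMERAL_HOSTS),
                       "pii_fields": fields,
                       "score": 2 * host.endswith(EPHEMERAL_HOSTS) + min(len(fields), 3)})
    return report

# Constructed newsletter fragment and landing page modelled on the description above.
NEWSLETTER = """<a href="https://www.telecharge.com/broadway/example-show">Tickets</a>
<a href="https://www.youtube.com/watch?v=EXAMPLE">Trailer</a>
<a href="https://first-looks.pages.dev/huzzah"><img src="banner.png" alt="banner"></a>
<a href="https://variety.com/podcasts/example">Podcast</a>"""
LANDING = """<form method="post"><input name="email"><input name="first_name">
<input name="last_name"><input name="zip"><input name="phone"><input type="submit"></form>"""
EXPECTED = {"telecharge.com", "youtube.com", "gq.com", "variety.com"}
```

Calling `triage(NEWSLETTER, EXPECTED, {"https://first-looks.pages.dev/huzzah": LANDING})` returns only the pages.dev link, scored 5, while the on-profile links are skipped; in a real deployment the landing page would be fetched at click time rather than passed in.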