The email arrived at 7:51 PM on a Wednesday evening, addressed to the HR inbox of an email security company. The subject line was polite, the request routine: "Request to Update Bank Details for Salary Payment." The sender's display name matched the CEO exactly. Not a close approximation. Not a variation. An exact, character-for-character match.
"Good afternoon," it began. "I have recently changed banks and need to update my salary payment details. Please advise when I may submit my new bank information to ensure it is processed before the next payroll run."
Signed with the CEO's full name. No title, no phone number, no corporate signature block. Just a name and a request that, if fulfilled, would have rerouted the chief executive's salary to a bank account controlled by a stranger.
The Perfect Authentication Paradox
Here is the part that should unsettle every security team relying on email authentication as a primary defense: this email passed SPF. It passed DKIM. DMARC returned bestguesspass, the verdict Microsoft 365 reports when the From domain publishes no DMARC record at all but the message would have passed one had it existed; the attacker did not even need to publish a policy. Every protocol designed to verify sender legitimacy gave this message a green light.
How? Because the attacker did the homework.
The From address pointed to contact@mycomparateur[.]fr, a French domain originally registered in 2015 as a shopping comparison site. WHOIS records show the domain's expiration date was March 10, 2026, three weeks before this email was sent on April 1. The attacker either hijacked a lapsed domain or exploited a registration gap. Either way, they configured it properly: SPF records authorized Mailjet as a permitted sender, and DKIM signatures were valid for the domain.
That is the uncomfortable truth about modern business email compromise. SPF, DKIM and DMARC bind a message to the domain in its From address: they verify that whoever controls that domain authorized the sending infrastructure and signed the content. They say nothing about the display name, which is free text chosen by the sender, and nothing about whether the person named is who they claim to be. The FBI IC3 2024 Internet Crime Report documents $2.9 billion in BEC losses, and that gap is a large part of why. Attackers are not breaking authentication. They are building their own authenticated infrastructure from scratch.
A Domain Built for One Purpose
The Reply-To header told the real story. While the From address used the hijacked French domain, replies would have gone to mail@exceeo[.]com, a domain registered on February 17, 2026 through Dynadot. That is 43 days before the attack. Purpose-built, disposable, designed for exactly one thing: catching the HR team's response.
This is textbook phishing infrastructure, mapped to MITRE ATT&CK T1566 (Phishing) and, loosely, T1534 (Internal Spearphishing), which strictly requires a compromised internal account; here the mapping is by effect only. The attacker created a two-domain architecture: one domain to send the email through a legitimate ESP with proper authentication, and a separate domain to receive the reply. The separation serves a purpose. If the sending domain gets flagged or burned, the reply channel stays clean.
The choice of Mailjet was deliberate. Mailjet is a legitimate email service provider used by thousands of businesses. Messages routed through its infrastructure carry the reputation of a trusted sender network, complete with click-tracking redirects and a 1x1 tracking pixel to confirm whether the target opened the message. The Verizon 2024 Data Breach Investigations Report lists social engineering among the leading patterns in breaches, and abuse of legitimate ESPs is one of its growing enablers.
What the Email Didn't Have
The social engineering was competent but not perfect. A few things were missing, and those absences mattered.
No corporate email signature. No internal phone extension. No mention of the company's HR portal or payroll system. No reference to a previous conversation or a ticket number. For someone claiming to be the CEO of the organization, the email read more like a first contact than a routine internal request.
The body also contained Mailjet tracking infrastructure: click-tracking redirect links hosted on xrv3t[.]mjt[.]lu and a 1x1 tracking pixel. Legitimate internal email from a CEO does not route through a third-party ESP's tracking system.
These are behavioral signals that authentication cannot evaluate. SPF confirms the sending server was authorized by the envelope-sender domain. DKIM confirms that the signed headers and body were not altered after being signed with a key published under the signing domain. Neither protocol has any opinion about whether the email makes sense.
Seven Seconds
Themis, the IRONSCALES Adaptive AI, flagged the email at 90% confidence before the HR team could act on it. Three classification labels fired simultaneously: VIP Impersonation, Business Email Compromise, and Fraudulent Request.
The detection was not based on authentication failure, because there was none. It was based on behavioral pattern matching. Themis recognized that the display name "Eyal Benishti" matched a known VIP in the organization's directory but the sending address, contact@mycomparateur[.]fr, was external. The Reply-To pointed to yet another external domain. The message lacked any of the structural signatures (email footer, direct line, internal references) associated with legitimate executive communication. The IRONSCALES community of 35,000+ security professionals had already resolved similar VIP impersonation patterns as phishing, adding community-level confidence to the classification.
Four mailboxes were quarantined within seconds. The email never reached a human decision-maker.
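To make the header-level mechanics concrete, here is an added example (not IRONSCALES' or Themis' code) that parses a constructed message modelled on the headers described above and runs two sets of checks: relaxed DMARC identifier alignment, which passes through the DKIM d= domain exactly as the text describes, and the behavioural checks from the previous sections (display name in a VIP list but external From domain, Reply-To on a different domain, third-party ESP tracking hosts in a message claiming to come from an executive). The DKIM selector and signature value, the Authentication-Results line, the recipient domain ironscales.example, the VIP list and the benign comparison message are all assumptions; the finding labels are mine, not Themis' classifications.

```python
"""Header-level BEC triage on a constructed copy of the message described above.

Shows (1) why DMARC-style alignment passes for an attacker-configured domain and
(2) the behavioural checks that still fire. Example code, not IRONSCALES' detection logic.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample modelled on the headers the write-up describes. The DKIM
# selector, signature value and Authentication-Results line are illustrative.
PHISH = b"""Return-Path: <bounce@a1499685.bnc3.mailjet.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=a1499685.bnc3.mailjet.com;
 dkim=pass header.d=mycomparateur.fr; dmarc=bestguesspass header.from=mycomparateur.fr
DKIM-Signature: v=1; a=rsa-sha256; d=mycomparateur.fr; s=mailjet; h=from:to:subject; b=QUJD
From: Eyal Benishti <contact@mycomparateur.fr>
Reply-To: mail@exceeo.com
To: hr@ironscales.example
Subject: Request to Update Bank Details for Salary Payment
Content-Type: text/html

<p>Good afternoon, I have recently changed banks ...</p>
<a href="https://xrv3t.mjt.lu/lnk/abc">Reply</a>
<img src="https://xrv3t.mjt.lu/oo/abc" width="1" height="1">
"""

# Constructed benign counterpart: same name, corporate domain, no tracking, no Reply-To.
LEGIT = b"""Return-Path: <eyal@ironscales.example>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=ironscales.example;
 dkim=pass header.d=ironscales.example; dmarc=pass header.from=ironscales.example
DKIM-Signature: v=1; a=rsa-sha256; d=ironscales.example; s=corp; h=from:to:subject; b=QUJD
From: Eyal Benishti <eyal@ironscales.example>
To: hr@ironscales.example
Subject: Re: [HR-1234] Q2 headcount
Content-Type: text/plain

Thanks, approved. Call my extension if anything is unclear.
"""

VIP_DIRECTORY = {"eyal benishti"}          # assumed VIP list from the org directory
INTERNAL_DOMAINS = {"ironscales.example"}  # hypothetical corporate domain(s)
ESP_TRACKING_SUFFIXES = (".mjt.lu", ".mailjet.com")  # Mailjet hosts named in the IOC table


def org_domain(domain):
    """Last two labels as a stand-in for the organisational domain (real code uses the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def addr_domain(value):
    return parseaddr(str(value or ""))[1].rpartition("@")[2].lower()


def auth_results(msg):
    """Pull the spf=/dkim=/dmarc= verdicts out of Authentication-Results."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(msg.get("Authentication-Results", ""))))


def dmarc_alignment(msg):
    """Relaxed DMARC identifier alignment: does an authenticated identifier share the
    From: domain's organisational domain? Passes here via DKIM d=, as the text says."""
    from_dom = addr_domain(msg["From"])
    m = re.search(r"\bd=([^;\s]+)", str(msg.get("DKIM-Signature", "")))
    dkim_aligned = bool(m) and org_domain(m.group(1)) == org_domain(from_dom)
    spf_aligned = org_domain(addr_domain(msg.get("Return-Path"))) == org_domain(from_dom)
    return {"from_domain": from_dom, "dkim_aligned": dkim_aligned,
            "spf_aligned": spf_aligned, "pass": dkim_aligned or spf_aligned}


def behavioural_findings(msg, vips=VIP_DIRECTORY, internal=INTERNAL_DOMAINS):
    """The signals authentication cannot see: who the display name claims to be,
    where replies actually go, and whose infrastructure the message touched."""
    findings = []
    name, addr = parseaddr(str(msg["From"] or ""))
    from_dom = addr.rpartition("@")[2].lower()
    claimed_vip = " ".join(name.lower().split()) in vips
    if claimed_vip and org_domain(from_dom) not in internal:
        findings.append("VIP Impersonation")
    reply_dom = addr_domain(msg.get("Reply-To"))
    if reply_dom and org_domain(reply_dom) != org_domain(from_dom):
        findings.append("Reply-To Mismatch")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    hosts = {h.lower() for h in re.findall(r'https?://([^/"\s>]+)', text)}
    hosts.add(addr_domain(msg.get("Return-Path")))  # bounce domain counts as ESP infrastructure
    if claimed_vip and any(h.endswith(ESP_TRACKING_SUFFIXES) for h in hosts):
        findings.append("Third-Party ESP Tracking")
    return findings


def triage(raw):
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return {"auth": auth_results(msg), "alignment": dmarc_alignment(msg),
            "findings": behavioural_findings(msg)}


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage(raw))
```

Run it and the phishing sample reports a passing alignment (DKIM-aligned, SPF not aligned because the Return-Path is Mailjet's bounce domain) alongside all three behavioural findings, while the benign message aligns and produces none. The alignment code is the point: nothing in it consults the display name, which is why a correctly configured attacker domain sails through.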
The Irony Writes Itself
An attacker impersonated the CEO of a company that builds AI to catch exactly this kind of attack. They targeted the HR department at an organization whose entire product exists because payroll diversion phishing works.
The IBM 2024 Cost of a Data Breach Report puts the average cost of a BEC incident at $4.88 million. The Microsoft Digital Defense Report 2024 notes that BEC attempts have increased in sophistication, with attackers increasingly leveraging legitimate cloud services and ESPs to bypass traditional filters. This attack fits that pattern exactly.
And yet the outcome here was different. Not because the email was poorly crafted (it was plausible) or because authentication failed (it passed). The outcome was different because behavioral analysis asked a question that SPF and DKIM cannot: does this email make sense given everything we know about how this person communicates?
The answer was no. And four inboxes were clean before anyone had to make that call.
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Domain | mycomparateur[.]fr | Attacker-controlled sender domain (OVH, created 2015, expired ~Mar 2026) |
| Domain | exceeo[.]com | Reply-To domain (Dynadot, created Feb 17, 2026, 43 days before attack) |
| Email | contact@mycomparateur[.]fr | Mailjet sender address (SPF/DKIM pass) |
| Email | mail@exceeo[.]com | Reply-To address for capturing HR response |
| IP | 185[.]250[.]237[.]20 | Mailjet sending IP (UK, o20.p38.mailjet.com) |
| Domain | xrv3t[.]mjt[.]lu | Mailjet tracking/redirect subdomain |
| Domain | a1499685[.]bnc3[.]mailjet[.]com | Mailjet bounce/return-path domain |
What This Means for Your Payroll Process
CISA's phishing guidance emphasizes verifying requests through independent channels before taking action on sensitive financial changes. This case reinforces why that matters: the email looked right, authenticated correctly, and used a plausible pretext. The only thing that stopped it was AI that understood behavior, not just headers.
If your BEC protection strategy begins and ends with DMARC enforcement on your own domain, this attack would have landed in your HR team's inbox with a green checkmark: the From domain was the attacker's, not yours, and it authenticated cleanly for itself. Payroll diversion does not require malware, does not require a link click, and does not require an attachment. It requires one employee to believe the CEO changed banks.
That is the simplest and most expensive attack in email security. And it will keep working everywhere behavioral analysis is not watching.