TL;DR Attackers impersonated the CEO of an ed-tech company to redirect payment confirmation to an external contact. The forwarded thread was fabricated: the confirmation domain had been registered weeks after the claimed thread date. Both attacker domains were created the same day through the same registrar. No SEG caught the mismatch. IRONSCALES Phishing SOC Agent analysis flagged the temporal contradiction alongside display name impersonation and DMARC failure.
Severity: High Business Email Compromise Invoice Fraud Payment Diversion Vip Impersonation MITRE: {'id': 'T1656', 'name': 'Impersonation'} MITRE: {'id': 'T1534', 'name': 'Internal Spearphishing'} MITRE: {'id': 'T1566', 'name': 'Phishing'}
The email arrived in the accounting team's inbox looking like a routine escalation from leadership: a forwarded thread, a politely worded note from the company's CEO, a request to send payment confirmation to an external contact. Nothing about the message surface was alarming. It referenced an outstanding invoice, a familiar vendor name in the subject line, and a plausible urgency appeal. The kind of email that gets acted on before anyone thinks to question it.
The thread was entirely fabricated. The payment-confirmation domain it directed accounting toward did not exist on the date the forwarded message claimed to have been sent. A WHOIS lookup made that fact irrefutable.
A Forwarded Thread as Cover Story
The message arrived with a subject line that invoked the CEO's name directly: a forwarded invoice requiring immediate attention. The outer layer was brief, signed with the CEO's name, and asked accounting to send payment confirmation to "Nathan Smith" at an external address. Below it, a forwarded thread set the scene: a message purportedly sent weeks earlier from Nathan Smith to the CEO, describing an invoice that had gone unpaid for more than 60 days and warning that additional charges had been accruing.
The structure is a well-documented Business Email Compromise technique: embed the fraudulent request inside an apparent paper trail. The forwarded history makes the instruction look like a continuation of a conversation the CEO has already approved, not a new and unverified demand. Accounting teams are conditioned to execute on escalations from leadership. The forwarded thread is designed to feel like authorization has already been granted.
The FBI IC3 2024 report identifies BEC as one of the most financially damaging cybercrime categories tracked, with losses exceeding $2.7 billion in reported incidents. The human element is involved in 62% of breaches, per the Verizon 2026 DBIR, precisely because these attacks are built to read like routine business.
The Contradiction Hidden in the Header
The actual sender was not the CEO. The From field displayed the CEO's full name but resolved to an address at an unrelated New Zealand domain, sbltd[.]co[.]nz. That domain has no relationship to the ed-tech company. The message was routed through a commercial email delivery service (SendGrid), which handled the relay at IP 168.245.37.226.
Authentication told a clear story of failure. SPF failed: the sending IP was not an authorized sender for the From domain. DKIM produced a permerror because no valid key existed for the claimed selector. DMARC was set to p=none on the sending domain, meaning it collected failure telemetry but took no enforcement action. The email passed into the inbox despite all three authentication signals pointing to a mismatch.
No attachment. No clickable link. Just a Reply-To header quietly redirecting any response to two external addresses: one at novus-worldwide[.]org (the payment-confirmation contact), and a secondary at executive-foxmails[.]org (a shadow reply address in the CEO's name).
See Your Risk: Calculate how many threats your SEG is missing
The WHOIS Timestamp That Proved the Thread Was Fabricated
The forwarded thread contained an internal date stamp: it claimed to have been sent on a Monday morning in late September. That timestamp was part of the fabrication. The payment-confirmation domain, novus-worldwide[.]org, was registered more than two months after the date the forwarded message claimed to have originated.
WHOIS records for novus-worldwide[.]org show a creation date more than two months after the date stamped in the forwarded message. The claimed thread date predates that registration by over 60 days. A domain cannot receive email, host a contact, or be referenced in a legitimate business communication before it exists. The forwarded thread was either written after the domain was registered and backdated, or constructed entirely as a prop.
The secondary Reply-To domain, executive-foxmails[.]org, was registered the same day, through the same registrar (Internet Domain Service BS Corp), and resolved to the same Icelandic nameservers (dns1.icedns[.]is, dns2.icedns[.]is). The two registrations were completed within approximately 96 minutes of each other. This is coordinated infrastructure, not opportunistic reuse.
Both domains used Titan Email for mail routing, with no public website presence and no DMARC enforcement. Full privacy protection stripped all registrant data. The operational pattern -- same registrar, same nameserver cluster, same-day registration -- is consistent with a purpose-built attack kit deployed for a single campaign.
How IRONSCALES Caught It
IRONSCALES Phishing SOC Agent analysis flagged the attack on several independent signals before any accounting employee could respond. Display name impersonation was detected immediately: IRONSCALES knew the CEO's identity from the organization's domain and recognized that the email originated from an unrelated sender. That mismatch triggered a VIP impersonation alert (MITRE T1656).
The temporal contradiction between the forwarded thread's claimed date and the confirmation domain's WHOIS creation date provided hard forensic confirmation. Community intelligence drawn from similar incidents across IRONSCALES-protected organizations reinforced the classification. The combination of signals produced a phishing verdict with high confidence despite the absence of any malicious link or attachment -- a scenario many signature-based and link-scanning tools are not designed to evaluate.
This class of attack is invisible to tools that look for bad URLs. When the only ask is "reply to this address," there is nothing to sandbox, nothing to dereference, nothing to scan. The threat lives entirely in the social engineering layer, which is exactly where Adaptive AI and behavioral analysis produce signal that conventional filters cannot.
What Defenders Should Watch For
Payment-diversion BEC with fabricated threads is a high-yield, low-infrastructure attack pattern. The attacker needs only two newly registered domains, a SendGrid account, and a publicly known executive name. The entire operation is designed to resolve before anyone checks WHOIS.
Defenders should treat any payment instruction that introduces a new external contact as requiring out-of-band verification -- phone only, using a number already on file, never the one provided in the message. Finance teams should be explicitly trained to recognize that forwarded threads can be constructed wholesale, and that a message appearing to have prior history does not mean that history is real.
At the authentication layer, DMARC enforcement (p=quarantine or p=reject) on the sending domain would have quarantined this message before delivery. The ed-tech sector, like many others, still has significant DMARC enforcement gaps. The CISA phishing guidance consistently lists unenforced email authentication as an avoidable risk.
IRONSCALES BEC Protection catches what authentication gaps leave exposed: behavioral signals, identity context, and the kind of cross-domain temporal reasoning that revealed this fabricated thread before any payment was redirected.
---
Indicators of Compromise
| Indicator | Type | Notes |
|---|
| novus-worldwide[.]org | Domain | Payment-confirmation domain; registered after the claimed thread date |
| nathan[.]smith@novus-worldwide[.]org | Email | Attacker payment-confirmation contact (defanged) |
| executive-foxmails[.]org | Domain | Shadow reply domain for CEO impersonation |
| admin@executive-foxmails[.]org | Email | Secondary Reply-To address (defanged) |
| info@sbltd[.]co[.]nz | Email | Sending address used for CEO display name impersonation (defanged) |
| 168.245.37.226 | IP | SendGrid relay IP used to deliver the message |
| dns1.icedns[.]is / dns2.icedns[.]is | Nameservers | Shared nameservers across both attacker domains |
---
MITRE ATT&CK Techniques
| Technique ID | Name | Application |
|---|
| T1656 | Impersonation | CEO display name impersonation via unrelated sending domain |
| T1534 | Internal Spearphishing | Targeted accounting team with executive-authority social engineering |
| T1566 | Phishing | Fabricated forwarded thread as the social engineering vehicle |
Email Attack of the Day is a daily series from
IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack. What it looked like, why it worked, and what to do about it.
/case_study_thumb_telit.webp?width=1136&height=639&name=case_study_thumb_telit.webp)
/Leadership%20Headshots/Audian%20Paxson%20Headshot%201000x1000%20032026.webp?width=100&height=100&name=Audian%20Paxson%20Headshot%201000x1000%20032026.webp)
/Misc%20Icons/icon-red-teaming-agent-gradient-simple.svg)
/Misc%20Icons/icon-phishing-soc-agent-gradient-simple.webp?width=158&height=167&name=icon-phishing-soc-agent-gradient-simple.webp)
/Misc%20Icons/icon-phishing-simulation-agent-gradient-simple.svg)
/Misc%20Icons/icon-nav-encryption.svg)
