The email arrived in the accounting team's inbox looking like a routine escalation from leadership: a forwarded thread, a politely worded note from the company's CEO, a request to send payment confirmation to an external contact. Nothing about the message surface was alarming. It referenced an outstanding invoice, a familiar vendor name in the subject line, and a plausible urgency appeal. The kind of email that gets acted on before anyone thinks to question it.
The thread was entirely fabricated. The payment-confirmation domain it directed accounting toward did not exist on the date the forwarded message claimed to have been sent. A WHOIS lookup made that fact irrefutable.
The message arrived with a subject line that invoked the CEO's name directly: a forwarded invoice requiring immediate attention. The outer layer was brief, signed with the CEO's name, and asked accounting to send payment confirmation to "Nathan Smith" at an external address. Below it, a forwarded thread set the scene: a message purportedly sent weeks earlier from Nathan Smith to the CEO, describing an invoice that had gone unpaid for more than 60 days and warning that additional charges had been accruing.
The structure is a well-documented Business Email Compromise technique: embed the fraudulent request inside an apparent paper trail. The forwarded history makes the instruction look like a continuation of a conversation the CEO has already approved, not a new and unverified demand. Accounting teams are conditioned to execute on escalations from leadership. The forwarded thread is designed to feel like authorization has already been granted.
The FBI IC3 2024 report identifies BEC as one of the most financially damaging cybercrime categories tracked, with losses exceeding $2.7 billion in reported incidents. The human element is involved in 62% of breaches, per the Verizon 2026 DBIR, precisely because these attacks are built to read like routine business.
The actual sender was not the CEO. The From field displayed the CEO's full name but resolved to an address at an unrelated New Zealand domain, sbltd[.]co[.]nz. That domain has no relationship to the ed-tech company. The message was routed through a commercial email delivery service (SendGrid), which handled the relay at IP 168.245.37.226.
Authentication told a clear story of failure. SPF failed: the sending IP was not an authorized sender for the From domain. DKIM produced a permerror because no valid key existed for the claimed selector. DMARC was set to p=none on the sending domain, meaning it collected failure telemetry but took no enforcement action. The email passed into the inbox despite all three authentication signals pointing to a mismatch.
No attachment. No clickable link. Just a Reply-To header quietly redirecting any response to two external addresses: one at novus-worldwide[.]org (the payment-confirmation contact), and a secondary at executive-foxmails[.]org (a shadow reply address in the CEO's name).
See Your Risk: Calculate how many threats your SEG is missing
The forwarded thread contained an internal date stamp: it claimed to have been sent on a Monday morning in late September. That timestamp was part of the fabrication. The payment-confirmation domain, novus-worldwide[.]org, was registered more than two months after the date the forwarded message claimed to have originated.
WHOIS records for novus-worldwide[.]org show a creation date more than two months after the date stamped in the forwarded message. The claimed thread date predates that registration by over 60 days. A domain cannot receive email, host a contact, or be referenced in a legitimate business communication before it exists. The forwarded thread was either written after the domain was registered and backdated, or constructed entirely as a prop.
The secondary Reply-To domain, executive-foxmails[.]org, was registered the same day, through the same registrar (Internet Domain Service BS Corp), and resolved to the same Icelandic nameservers (dns1.icedns[.]is, dns2.icedns[.]is). The two registrations were completed within approximately 96 minutes of each other. This is coordinated infrastructure, not opportunistic reuse.
Both domains used Titan Email for mail routing, with no public website presence and no DMARC enforcement. Full privacy protection stripped all registrant data. The operational pattern -- same registrar, same nameserver cluster, same-day registration -- is consistent with a purpose-built attack kit deployed for a single campaign.
IRONSCALES Phishing SOC Agent analysis flagged the attack on several independent signals before any accounting employee could respond. Display name impersonation was detected immediately: IRONSCALES knew the CEO's identity from the organization's domain and recognized that the email originated from an unrelated sender. That mismatch triggered a VIP impersonation alert (MITRE T1656).
The temporal contradiction between the forwarded thread's claimed date and the confirmation domain's WHOIS creation date provided hard forensic confirmation. Community intelligence drawn from similar incidents across IRONSCALES-protected organizations reinforced the classification. The combination of signals produced a phishing verdict with high confidence despite the absence of any malicious link or attachment -- a scenario many signature-based and link-scanning tools are not designed to evaluate.
This class of attack is invisible to tools that look for bad URLs. When the only ask is "reply to this address," there is nothing to sandbox, nothing to dereference, nothing to scan. The threat lives entirely in the social engineering layer, which is exactly where Adaptive AI and behavioral analysis produce signal that conventional filters cannot.
Payment-diversion BEC with fabricated threads is a high-yield, low-infrastructure attack pattern. The attacker needs only two newly registered domains, a SendGrid account, and a publicly known executive name. The entire operation is designed to resolve before anyone checks WHOIS.
Defenders should treat any payment instruction that introduces a new external contact as requiring out-of-band verification -- phone only, using a number already on file, never the one provided in the message. Finance teams should be explicitly trained to recognize that forwarded threads can be constructed wholesale, and that a message appearing to have prior history does not mean that history is real.
At the authentication layer, DMARC enforcement (p=quarantine or p=reject) on the sending domain would have quarantined this message before delivery. The ed-tech sector, like many others, still has significant DMARC enforcement gaps. The CISA phishing guidance consistently lists unenforced email authentication as an avoidable risk.
IRONSCALES BEC Protection catches what authentication gaps leave exposed: behavioral signals, identity context, and the kind of cross-domain temporal reasoning that revealed this fabricated thread before any payment was redirected.
---
| Indicator | Type | Notes |
|---|---|---|
| novus-worldwide[.]org | Domain | Payment-confirmation domain; registered after the claimed thread date |
| nathan[.]smith@novus-worldwide[.]org | Attacker payment-confirmation contact (defanged) | |
| executive-foxmails[.]org | Domain | Shadow reply domain for CEO impersonation |
| admin@executive-foxmails[.]org | Secondary Reply-To address (defanged) | |
| info@sbltd[.]co[.]nz | Sending address used for CEO display name impersonation (defanged) | |
| 168.245.37.226 | IP | SendGrid relay IP used to deliver the message |
| dns1.icedns[.]is / dns2.icedns[.]is | Nameservers | Shared nameservers across both attacker domains |
---
| Technique ID | Name | Application |
|---|---|---|
| T1656 | Impersonation | CEO display name impersonation via unrelated sending domain |
| T1534 | Internal Spearphishing | Targeted accounting team with executive-authority social engineering |
| T1566 | Phishing | Fabricated forwarded thread as the social engineering vehicle |
| Attack | What happened |
|---|---|
| A PDF Invoice Contained Bank Details for a Money-Mule Account | An invoice email delivered through SendGrid attached a PDF with bank routing details pointing to a money-mule account. |
| The $47,320 Invoice That Came With a W-9 and a Personal Bank Account | A payment diversion attack bundled a $47,320 invoice with ACH/wire remittance instructions pointing to a personal bank account. |
| The Reply-To Was One Letter Off: How a Typosquat Domain Turned a Gmail BEC Into a Payment Diversion | A Gmail-authenticated BEC used a typosquat Reply-To domain and a hidden HTML mailto mismatch to impersonate a steel distributor's credit manager. |
| The PayPal Invoice That Passed Every Check Because PayPal Actually Sent It | A canceled PayPal invoice for $50 arrived with perfect SPF, DKIM, and DMARC authentication because PayPal's own infrastructure sent it. |
| SPF PermError Turned a Malformed Domain into an Invoice Fraud Launchpad | An attacker exploited a malformed SPF record that returned PermError instead of pass or fail, paired with a same-day-registered Reply-To domain. |