A Catering Confirmation Nobody Ordered
The email looked like a routine business notification. A regional smokehouse restaurant confirmed a catering request for 60 guests at a corporate office. SpotHopper branding, professional layout, a smiley-face icon, event details neatly formatted in a table. The kind of automated message that lands in corporate inboxes a hundred times a week.
SPF passed. DKIM passed (twice, with valid signatures from both Mandrill and the booking platform). DMARC passed. Microsoft's composite authentication returned a clean result. Every technical gate said this email was legitimate.
It was legitimate. That's the problem.
The message contained zero malicious links. No credential harvesting form. No weaponized attachment. The only links pointed to Microsoft support pages explaining sender identification. But buried at the bottom of the HTML, invisible to the recipient, sat a 1x1 pixel image tag pointing to mail-mandrill.spothopperapp.com/track/open.php. The moment the email rendered in the preview pane, that pixel fired. The attacker now knew the inbox was live, monitored, and ready for phase two.
How a Booking Platform Becomes Phishing Infrastructure
SpotHopper is a legitimate SaaS platform used by thousands of restaurants for online ordering, marketing, and event booking. The platform sends transactional emails through Mandrill (Mailchimp's transactional email API), which means every message inherits enterprise-grade email authentication. An attacker who creates a merchant account on SpotHopper (or compromises an existing one) gets all of that for free.
Here's how this attack chain works:
Step 1: Platform Account Setup. The attacker registers (or compromises) a restaurant merchant account on SpotHopper. This gives them access to the platform's catering inquiry system, which automatically generates confirmation emails to any address submitted through the form. (MITRE ATT&CK T1585.001: Establish Accounts)
Step 2: Target Submission. The attacker submits a fake catering inquiry through the restaurant's booking form, entering the target's email address as the "customer." SpotHopper's system generates an automated confirmation and sends it to the target. (MITRE ATT&CK T1598: Phishing for Information)
Step 3: Authenticated Delivery. The email travels through Mandrill's infrastructure (IP 198.2.177.16, resolving to mail177-16.suw61.mandrillapp.com). SPF validates against mail-mandrill.spothopperapp.com. Dual DKIM signatures validate for both mandrillapp.com and booking.spothopperapp.com. DMARC passes with header.from=booking.spothopperapp.com. The message arrives with a clean bill of health.
Step 4: Silent Reconnaissance. An HTTP tracking pixel (mail-mandrill.spothopperapp.com/track/open.php) fires when the email is opened. This confirms the email address is active, the inbox is monitored, and the recipient's mail client renders external images. No click required. (MITRE ATT&CK T1566.001: Spearphishing Attachment/Link)
Step 5: Targeted Follow-up. Armed with a verified active address, the attacker launches the real payload: a targeted credential harvesting email, a BEC wire transfer request, or a callback phishing lure. Only confirmed-live inboxes receive the second stage, dramatically improving the attacker's conversion rate.
This is reconnaissance phishing. The first email is not the attack. It's the target validation.
Why Every Scanner Said "Clean" (and Was Technically Correct)
The email body is a pixel-perfect replica of SpotHopper's actual catering confirmation template because it is the actual template. The attacker didn't forge anything. They used the platform as intended, just for unintended purposes.
This creates a detection paradox. Legacy SEGs rely heavily on three signals: sender authentication, URL reputation, and attachment scanning. This email passes all three cleanly:
- Authentication: SPF, DKIM, DMARC all pass. The sending infrastructure is Mandrill, one of the most widely trusted transactional email services on the internet.
- URLs: The only clickable links point to support.microsoft.com and aka.ms, both Microsoft safety pages. Clean verdicts across the board.
- Attachments: None.
The Microsoft Digital Defense Report 2024 documents the growing trend of attackers leveraging legitimate services to bypass authentication-based defenses. The Verizon DBIR 2024 confirms that phishing remains the primary initial access vector, with increasingly sophisticated evasion techniques.
What tripped the detection here was behavioral, not technical. IRONSCALES community threat intelligence flagged the message based on cross-organization reporting patterns. The platform's adaptive AI identified the anomaly: a first-time sender, from a restaurant booking platform, to a corporate mailbox at a healthcare services company, with no prior business relationship. Authentication was perfect. Context was wrong.
The Sender Address Tells the Story
Look at the From address: inquiry.request-legacysmokehouse.com-86982-11850537-2353@booking.spothopperapp.com. That local part (everything before the @) packs the merchant domain, a merchant ID, and what appear to be internal tracking identifiers into a single string. This is standard behavior for platforms that send on behalf of merchants, but it also means the "from" identity is programmatically generated and trivially repeatable across targets.
The X-Mandrill-User header (md_30361966) identifies the Mandrill sub-account. The Feedback-ID ties back to the same account and send date. These are forensic breadcrumbs that help incident responders trace the campaign back to a specific platform account, but they're invisible to the recipient and to most automated scanners.
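To see how much of that attribution can be pulled from the headers alone, here is an added Python example (not code from the article or from IRONSCALES) that parses the Authentication-Results verdicts, splits the platform-generated local part into merchant domain and identifiers, and surfaces the X-Mandrill-User value. The header sample is constructed: the From address, X-Mandrill-User value, sending IP and authentication domains are the ones quoted above, while the exact layout of the Authentication-Results line and the Feedback-ID value are assumptions, as is reading the first number in the local part as the merchant ID.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers. The From address, X-Mandrill-User value, sending IP
# and authentication domains are those quoted in the article; the exact layout of
# the Authentication-Results line and the Feedback-ID value are assumptions.
RAW_HEADERS = """\
From: inquiry.request-legacysmokehouse.com-86982-11850537-2353@booking.spothopperapp.com
To: finance@corp.invalid
Subject: Catering Request Confirmation
Authentication-Results: mx.corp.invalid; spf=pass (sender IP is 198.2.177.16) smtp.mailfrom=mail-mandrill.spothopperapp.com; dkim=pass (signature was verified) header.d=mandrillapp.com; dkim=pass (signature was verified) header.d=booking.spothopperapp.com; dmarc=pass action=none header.from=booking.spothopperapp.com; compauth=pass reason=100
X-Mandrill-User: md_30361966
Feedback-ID: 30361966:20240603:constructed

"""

# Platform-generated local parts look like <kind>-<merchant domain>-<number>-<number>...
# Treating the first number as the merchant ID and the rest as tracking IDs is an assumption.
LOCAL_PART_RE = re.compile(r"(?P<kind>[a-z.]+)-(?P<merchant_domain>[a-z0-9.-]+\.[a-z]{2,})-(?P<ids>\d+(?:-\d+)*)")

def parse_auth_results(value):
    """Turn an Authentication-Results header into {method: {result, props...}}; dkim may repeat."""
    results = {"dkim": []}
    for segment in value.split(";"):
        segment = re.sub(r"\([^)]*\)", "", segment).strip()  # drop "(comments)" such as the sender IP
        if not segment:
            continue
        tokens = segment.split()
        if "=" not in tokens[0]:
            results["authserv_id"] = tokens[0]  # the verifying host leads the header
            continue
        method, _, verdict = tokens[0].partition("=")
        entry = {"result": verdict}
        entry.update(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        if method == "dkim":
            results["dkim"].append(entry)
        else:
            results[method] = entry
    return results

def parse_platform_local_part(address):
    """Split a platform-generated From address into merchant and identifier fields; None if it is not one."""
    local, _, _domain = parseaddr(address)[1].partition("@")
    m = LOCAL_PART_RE.fullmatch(local.lower())
    if not m:
        return None
    ids = m.group("ids").split("-")
    return {"kind": m.group("kind"), "merchant_domain": m.group("merchant_domain"),
            "merchant_id": ids[0], "tracking_ids": ids[1:]}

def triage(raw_headers):
    """Forensic summary: authentication verdicts plus the platform-account breadcrumbs to pivot on."""
    msg = message_from_string(raw_headers)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    dkim = auth["dkim"]
    all_pass = (auth.get("spf", {}).get("result") == "pass"
                and auth.get("dmarc", {}).get("result") == "pass"
                and bool(dkim) and all(d["result"] == "pass" for d in dkim))
    return {
        "authentication": auth,
        "all_pass": all_pass,
        "sender": parse_platform_local_part(msg.get("From", "")),
        "platform_account": msg.get("X-Mandrill-User"),
        "feedback_id": msg.get("Feedback-ID"),
    }

if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(RAW_HEADERS))
```

The output makes the paradox concrete: `all_pass` is true, and the only handles an analyst has are the merchant domain, the merchant ID and the `md_` sub-account, which is what a report to the platform's abuse contact or a mail-flow rule should key on rather than the sending domain.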
What Practitioners Should Look For
Tracking-pixel reconnaissance is a pre-attack signal. Catching it early means disrupting the campaign before the real payload arrives.
- Audit image-loading policies. Disable automatic external image loading in Outlook and Gmail for high-value mailboxes. This neutralizes open-tracking pixels entirely.
- Flag first-time senders from transactional platforms. Emails from booking.spothopperapp.com, notifications@squarespace.com, or similar SaaS senders should trigger additional scrutiny when the recipient has no history with that platform.
- Correlate across mailboxes. A single catering confirmation is noise. The same template hitting five unrelated employees at the same organization in the same week is a campaign. Cross-mailbox correlation (a core capability of the IRONSCALES platform) turns individual anomalies into actionable intelligence.
- Monitor for two-stage patterns. When a benign-looking first email from a new sender is followed days later by a credential request or payment lure, the two messages are likely part of the same operation.
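As an added example (not code from the article or from IRONSCALES), the Python below runs the checks in this list over a constructed set of mailbox records: detection of the render-time tracking pixel described at the top of the article, a first-time sender from a watch-listed transactional platform, cross-mailbox correlation of one template, and the benign-first-then-lure pairing. The platform watch-list, the lure phrase list, the threshold of five recipients in a week (taken from the bullet above) and the 14-day follow-up window are assumptions; the sample messages, addresses and dates are constructed, with only the pixel URL shape and sender format following the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from html.parser import HTMLParser

# Assumed watch-list of transactional SaaS sender domains; extend it for your environment.
TRANSACTIONAL_PLATFORMS = {"booking.spothopperapp.com", "squarespace.com"}
# Assumed second-stage lure phrases (credential requests and payment redirection).
LURE_PATTERN = re.compile(r"wire (?:transfer|instructions)|verify your (?:account|password)|invoice attached", re.I)

class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.images = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})

def find_tracking_pixels(html):
    """External images that are 1x1/0x0 or hidden: open-tracking beacons that fire on render."""
    parser = _ImgCollector()
    parser.feed(html)
    hits = []
    for img in parser.images:
        src = img.get("src", "")
        if not src.startswith(("http://", "https://")):
            continue  # cid:/data: images are embedded and do not phone home
        tiny = img.get("width") in ("0", "1") and img.get("height") in ("0", "1")
        hidden = "display:none" in img.get("style", "").replace(" ", "").lower()
        if tiny or hidden:
            hits.append(src)
    return hits

def sender_domain(address):
    return address.rsplit("@", 1)[-1].lower()

def is_first_time_platform_sender(msg, history):
    """A watch-listed platform writing to a mailbox that has never heard from it before."""
    dom = sender_domain(msg["sender"])
    return dom in TRANSACTIONAL_PLATFORMS and dom not in history.get(msg["recipient"], set())

def correlate_campaigns(messages, window_days=7, threshold=5):
    """One template reaching >= threshold distinct mailboxes within window_days is a campaign."""
    by_template = defaultdict(list)
    for m in messages:  # merchant IDs, guest counts and dates vary per message; the subject's shape does not
        by_template[(sender_domain(m["sender"]), re.sub(r"\d+", "#", m["subject"]).lower())].append(m)
    campaigns = []
    for fp, group in by_template.items():
        group.sort(key=lambda m: m["received"])
        for i, first in enumerate(group):
            cutoff = first["received"] + timedelta(days=window_days)
            recipients = {m["recipient"] for m in group[i:] if m["received"] <= cutoff}
            if len(recipients) >= threshold:
                campaigns.append({"fingerprint": fp, "recipients": sorted(recipients)})
                break
    return campaigns

def two_stage_pairs(messages, recon_ids, max_gap_days=14):
    """Pair each recon message with a later lure to the same mailbox within max_gap_days."""
    by_id = {m["id"]: m for m in messages}
    pairs = []
    for rid in recon_ids:
        recon = by_id[rid]
        for m in messages:
            if (m["recipient"] == recon["recipient"]
                    and recon["received"] < m["received"] <= recon["received"] + timedelta(days=max_gap_days)
                    and LURE_PATTERN.search(m["subject"] + " " + m["text"])):
                pairs.append((rid, m["id"]))
    return pairs

def triage(messages, history):
    """Recon = tracking pixel + first-time platform sender; then correlate and look for stage two."""
    recon = [m["id"] for m in messages
             if find_tracking_pixels(m["html"]) and is_first_time_platform_sender(m, history)]
    return {"recon": recon, "campaigns": correlate_campaigns(messages),
            "two_stage": two_stage_pairs(messages, recon)}

# Constructed sample mailbox data (addresses, dates and the billing lure are invented;
# the pixel URL shape and the platform sender format follow the article).
PIXEL = '<img src="http://mail-mandrill.spothopperapp.com/track/open.php?u=30361966&id=EXAMPLE" width="1" height="1">'

def _confirmation(i, name):
    guests = 40 + 10 * i
    return {"id": f"m{i}", "recipient": f"{name}@corp.invalid", "received": datetime(2024, 6, 3 + i, 9, 0),
            "sender": f"inquiry.request-legacysmokehouse.com-86982-{11850537 + i}-2353@booking.spothopperapp.com",
            "subject": f"Catering Request Confirmation for {guests} guests", "text": f"{guests} guests confirmed.",
            "html": f"<p>{guests} guests confirmed.</p>{PIXEL}"}

SAMPLE_MESSAGES = [_confirmation(i, n) for i, n in enumerate(["alice", "bob", "carol", "dave", "erin"])] + [
    {"id": "m9", "sender": "hr@corp.invalid", "recipient": "alice@corp.invalid", "received": datetime(2024, 6, 4, 12, 0),
     "subject": "Team lunch photos", "text": "Photos attached.",
     "html": '<img src="https://photos.corp.invalid/lunch.jpg" width="600" height="400">'},
    {"id": "m10", "sender": "accounts@legacy-smokehouse-billing.invalid", "recipient": "alice@corp.invalid",
     "received": datetime(2024, 6, 12, 8, 30), "subject": "Updated wire instructions for catering deposit",
     "html": "<p>See the wire instructions below.</p>", "text": "See the wire instructions below."},
]
SAMPLE_HISTORY = {"alice@corp.invalid": {"corp.invalid"}}  # alice's only prior correspondent is internal HR
```

Running `triage(SAMPLE_MESSAGES, SAMPLE_HISTORY)` flags the five confirmations as reconnaissance, groups them into one campaign because the template reached five mailboxes inside a week, and pairs the first one with the wire-instructions lure that reaches the same mailbox nine days later; the internal HR message, whose image is a normal photo from a known sender, is never flagged. The recon verdict deliberately requires both signals, since a tracking pixel alone is present in most legitimate marketing mail.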
The FBI IC3 2024 report documents $2.9 billion in BEC losses, many of which begin with exactly this kind of low-and-slow reconnaissance. CISA's phishing guidance emphasizes that organizations should not rely solely on email authentication to determine message legitimacy.
The email that should worry you most is not the one with the malicious link. It's the one that simply confirms you exist.
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Domain | booking[.]spothopperapp[.]com | Sending domain (legitimate SaaS platform abused for recon) |
| Domain | mail-mandrill[.]spothopperapp[.]com | Tracking pixel and SPF envelope domain |
| URL | hxxp://mail-mandrill[.]spothopperapp[.]com/track/open[.]php?u=30361966&id=4bc263e51c9b492a95ae1108476bdec2 | 1x1 tracking pixel (open-on-render reconnaissance) |
| IP | 198[.]2[.]177[.]16 | Mandrill sending IP (mail177-16.suw61.mandrillapp.com) |
| Email | inquiry[.]request-legacysmokehouse[.]com-86982-11850537-2353@booking[.]spothopperapp[.]com | From address (programmatically generated) |
| Domain | static[.]spotapps[.]co | Image asset hosting for SpotHopper templates |
| Domain | spothopper-static[.]s3[.]amazonaws[.]com | Secondary image asset hosting |
| Header | X-Mandrill-User: md_30361966 | Mandrill sub-account identifier |