TL;DR A phishing campaign targeting a regional banking institution impersonated a title company through a legitimate Zix secure-email portal subdomain. The email passed SPF, DKIM, and DMARC authentication at the originating hop, used a convincing secure message template with expiration urgency, and directed victims to a credential-harvesting page pre-filled with their email address. Google and Microsoft SSO buttons on the landing page expanded the potential credential capture surface beyond email passwords alone.
Severity: High. Category: Credential Harvesting. MITRE ATT&CK: T1566.002, T1078, T1534.

A Secure Portal That Every Scanner Trusted

The email looked exactly like a Zix encrypted message notification. The sender name matched a real title company employee. The subject line referenced documents the recipient expected to receive. SPF passed. DKIM passed. DMARC passed.

Then the recipient clicked "Open Message" and landed on a credential-harvesting page with their email address already filled in.

This attack targeted the online banking operations team at a regional financial institution, impersonating a title company through a subdomain on legitimate Zix secure-email infrastructure. The attacker didn't spoof a domain, didn't forge authentication headers, and didn't use a freshly registered throwaway. They used the real thing, configured it to serve a fake login page, and let the trust signals do the rest.

How Legitimate Infrastructure Became the Weapon

The delivery chain started at fidelityusa.secureemailportal.com, a subdomain of secureemailportal.com. That parent domain has been registered since September 2017, runs on ZixCorp name servers (NS01/NS02/NS03.ZIXCORP.COM), and is managed through Safenames Ltd, a registrar commonly used by enterprise customers. This is not a disposable phishing domain. It is production infrastructure for encrypted email delivery.

The attacker registered the fidelityusa subdomain on this platform, chose a sender name matching a real employee at a title services company, and configured the Reply-To address on a separate domain: fidelity-usa.com. That domain, registered through Bluehost since 2011 and updated as recently as February 2026, sits on entirely different name servers (IPOWERWEB.COM). The mismatch between the sending domain and the Reply-To domain is the first fracture in an otherwise convincing setup.

The email itself was a pixel-perfect replica of a standard Zix secure message notification. A gray-bordered header announced "New Zix secure email message from The Baker Firm - Fidelity National Title." Below it, a large "Open Message" button. Below that, boilerplate about message expiration (set a few weeks out), instructions not to reply to the notification, and a plaintext fallback link. Every element matched what a real Zix notification looks like.

Because the message originated from actual Zix infrastructure, it carried legitimate authentication. At the first receiving hop (IP 199.30.236.16, which resolves to secureemailportal.com), SPF passed, DKIM signature verified, and DMARC returned a full pass with compauth=pass reason=100. The message was indistinguishable from a real encrypted business communication at the protocol level.

The Credential Harvesting Page Behind the Button

Clicking "Open Message" loaded a branded login page for "The Baker Firm - Fidelity National Title Message Center." The page displayed a company logo, a welcome header, and a credential form with the recipient's email address pre-populated. No additional context, no document preview, no sender verification. Just an email field, a password field, a "Sign In" button, and a "Remember Me" checkbox.

Below the primary login form, the page offered "Sign In With" options for Google and Microsoft. These SSO buttons expanded the attack surface significantly. A victim who chose to authenticate via their Google or Microsoft account would hand over OAuth tokens or credentials for cloud platforms that likely contain far more sensitive data than any single email password.

The page also included "Forgot your password?", "New to secure email?", and "Need more assistance?" sections with Reset, Register, and Help buttons. These details added polish that a rushed phishing kit typically lacks. The page was designed to feel like a real portal, not just look like one.

IRONSCALES credential harvesting detection flagged this message based on behavioral and contextual signals that pure authentication checks missed. The platform identified the mismatch between the sending infrastructure, the Reply-To domain, and the lack of prior communication history between the sender and the targeted mailbox.


The Relay Chain That Complicated Detection

The full relay path tells a story about why traditional security tools struggled with this message:

  1. The original message traversed internal Zix infrastructure (zixworks.com, zixcorp.com, zixmail.net) before reaching secureemailportal.com at IP 199.30.236.16.
  2. At that hop, full authentication passed (T1566.002). The message was cryptographically legitimate.
  3. The message then passed through votiro-relay1.prod.votiro.com (44.206.213.130, an AWS EC2 instance), a content sanitization gateway that disarms and reconstructs attachments.
  4. Votiro's processing modified the message body, breaking the DKIM body hash. At the final receiving hop, authentication results flipped: SPF softfail, DKIM fail, DMARC fail.

This created an unusual paradox. The message was legitimate at origin but appeared suspicious after passing through a security tool designed to make email safer. Organizations that key quarantine decisions on final-hop authentication results would have flagged this message for the wrong reasons. Organizations that weighted the original authentication (as many SEGs do) would have let it through with full trust.

The attacker likely understood this dynamic. By sending through infrastructure that produces clean authentication at origin, they ensured the message would pass initial screening. Any downstream authentication failures caused by intermediary processing would look like a security tool artifact, not a phishing indicator.

What Defenders Should Check Tomorrow Morning

This attack maps to MITRE ATT&CK T1566.002 (Phishing: Spearphishing Link) for initial delivery and T1078 (Valid Accounts) as the intended objective. The attacker's use of a pre-configured legitimate platform to deliver credential harvesting lures represents a growing pattern that the FBI IC3 2024 report specifically highlights in the context of real estate and title fraud.

Three defensive actions apply directly to this case:

Audit your Zix and secure-portal subdomain allow lists. If your mail flow trusts secureemailportal.com as a known secure-email provider, any subdomain on that platform inherits that trust. Validate that each subdomain corresponds to an actual business relationship.

Compare Reply-To domains against sending domains. This message sent from fidelityusa.secureemailportal.com but set Reply-To on fidelity-usa.com. The Verizon DBIR 2024 notes that domain mismatches in sender fields remain one of the most reliable phishing indicators, yet most SEG configurations do not flag them when the sending domain passes authentication.

Treat SSO buttons on external portals as a credential escalation risk. A phishing page that offers Google and Microsoft sign-in options is not just harvesting one password. It is attempting to capture OAuth tokens or federated credentials that unlock entire cloud environments. The Microsoft Digital Defense Report 2024 documents this token-harvesting pattern as an accelerating trend in business email compromise campaigns.
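As an added example (not IRONSCALES code or tooling), the triage script below applies the three checks above, plus the per-hop authentication comparison from the relay-chain section, to a constructed message modelled on this campaign. The allow list of approved portal subdomains and the header values are assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the relay chain described in the post:
# Authentication-Results at the Zix hop pass, at the final hop (after the
# content-sanitising relay) they fail. Illustrative values, not captured mail.
SAMPLE = """\
Authentication-Results: mx.example-bank.test; spf=softfail; dkim=fail; dmarc=fail
Received: from votiro-relay1.prod.votiro.com (44.206.213.130)
Authentication-Results: secureemailportal.com; spf=pass; dkim=pass; dmarc=pass
Received: from secureemailportal.com (199.30.236.16)
From: "E. Cook" <fidelityusa-notification@fidelityusa.secureemailportal.com>
Reply-To: ecook@fidelity-usa.com
To: ops@example-bank.test
Subject: New Zix secure email message

body
"""

# Hypothetical allow list: portal subdomains with a verified business relationship.
APPROVED_PORTAL_SUBDOMAINS = {"knowntitleco.secureemailportal.com"}
PORTAL_PARENT = "secureemailportal.com"


def domain_of(header_value):
    """Lower-cased domain of an address header, or '' when the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def auth_results(msg):
    """One dict per Authentication-Results header; index 0 is the final hop, -1 the origin."""
    return [dict(re.findall(r"(spf|dkim|dmarc)=(\w+)", raw))
            for raw in msg.get_all("Authentication-Results", [])]


def analyze(raw_message):
    """Return a list of findings; an empty list means none of the checks fired."""
    msg = message_from_string(raw_message)
    findings = []
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply_to and reply_to != sender:  # check 2: Reply-To vs sending domain
        findings.append(f"reply-to mismatch: {sender} -> {reply_to}")
    if sender.endswith("." + PORTAL_PARENT) and sender not in APPROVED_PORTAL_SUBDOMAINS:
        findings.append(f"unapproved portal subdomain: {sender}")  # check 1
    hops = auth_results(msg)
    if len(hops) > 1 and hops[-1].get("dmarc") == "pass" and hops[0].get("dmarc") != "pass":
        findings.append("auth diverged: origin dmarc=pass, final dmarc=" + hops[0].get("dmarc", "none"))
    return findings
```

On the sample, all three findings fire; a message whose portal subdomain is on the allow list and whose Reply-To matches the sender produces none.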

Indicators of Compromise

Type | Indicator | Context
Domain | fidelityusa[.]secureemailportal[.]com | Attacker-controlled subdomain on legitimate Zix infrastructure
Domain | secureemailportal[.]com | Parent domain, legitimate Zix platform (NS: ZIXCORP.COM)
Domain | fidelity-usa[.]com | Reply-To domain, Bluehost registration, separate from sending infrastructure
URL | hxxps://fidelityusa[.]secureemailportal[.]com/s/e?m=ABAqJQldBKKwN6vp16AKCIBp | Credential harvesting landing page
Email | fidelityusa-notification@fidelityusa[.]secureemailportal[.]com | Sender address
Email | ecook@fidelity-usa[.]com | Reply-To address
IP | 199[.]30[.]236[.]16 | Sending IP (secureemailportal.com)
IP | 63[.]71[.]12[.]239 | Origin relay (smtp25.com)

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 30,000+ security professionals. Each post breaks down one attack — what it looked like, why it worked, and what you can do about it.