The email came from andrew.musial@thermofisher[.]com. Thermo Fisher Scientific: $45 billion in annual revenue, Fortune 500, one of the most recognized names in life sciences. SPF passed. DKIM passed. DMARC passed. The sending infrastructure was Oracle Cloud, a relay that Thermo Fisher legitimately uses for application-generated email. Every reputation signal pointed to a trusted corporate sender.
The message was a collections notice for "Account 100400." The body asked the recipient to review an attached document. That was the entire payload delivery mechanism.
The email was relayed through smtp2[.]email[.]us-ashburn-1[.]ocs[.]oraclecloud[.]com at IP 147[.]154[.]59[.]193, Oracle Cloud Infrastructure's email delivery service in the Ashburn, Virginia region. The domain thermofisher[.]com has been registered since 2006, managed by MarkMonitor, the registrar used by most Fortune 500 companies for domain protection. SPF authorized Oracle Cloud's sending IPs. DKIM alignment confirmed the message was signed with Thermo Fisher's keys. DMARC passed.
This is the account takeover problem in its purest form. The attacker did not build infrastructure, register a domain, or configure DNS records. They compromised a legitimate account and inherited decades of domain reputation, enterprise-grade authentication, and the implicit trust that security tools extend to known corporate senders. A secure email gateway evaluating sender reputation would score this message favorably before ever examining the content.
The only links in the message pointed to Microsoft support destinations (aka[.]ms URLs), all of which scanned clean. The attachment was the sole vector, and the email body provided no inline invoice details, no payment amounts, no specific dates, and no recipient personalization beyond the generic account number "100400."
The language quality did not match what you would expect from a Fortune 500 finance department. The body contained redundant phrasing, inconsistent punctuation, and spacing errors. These are not decisive individually, but they are the kind of friction that indicates the message was composed by someone other than the account owner. Legitimate collections notices from enterprise ERP systems follow rigid templates with consistent formatting.
See Your Risk: Calculate how many threats your SEG is missing
The email passed every static check. The domain is real. The authentication is valid. The links are clean. The detection surface is entirely behavioral: a first-time external sender with no prior communication history, an attachment-focused CTA with zero contextual detail, and language quality inconsistent with the claimed sender's organizational standards. These are the signals that Adaptive AI weighs when authentication and content scanning find nothing to flag. Themis identified the anomaly pattern and the message was quarantined.
| Type | Indicator | Context |
|---|---|---|
| Sender Address | andrew.musial@thermofisher[.]com | Compromised Fortune 500 corporate account |
| Sending Domain | thermofisher[.]com | Registered since 2006, managed by MarkMonitor |
| Sending Relay | smtp2[.]email[.]us-ashburn-1[.]ocs[.]oraclecloud[.]com | Oracle Cloud Infrastructure email service |
| Sending IP | 147[.]154[.]59[.]193 | Oracle Cloud relay, Ashburn VA region |
| Auth Results | SPF: pass, DKIM: pass, DMARC: pass | Full authentication via corporate infrastructure |
| Subject Line | [External] Collections Notification for Account 100400 | Generic account number, no recipient personalization |
| Links | aka[.]ms destinations only | All links to legitimate Microsoft support pages |
| Payload | Attachment (multipart/mixed) | Attachment-only CTA, no inline payment details |
| Content Anomalies | Redundant phrasing, punctuation/spacing errors | Quality inconsistent with Fortune 500 templates |
| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Attachment | T1566.001 | Attachment as sole payload delivery vector |
| Valid Accounts | T1078 | Compromised Thermo Fisher corporate account used for sending |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Real Fortune 500 identity and Oracle Cloud infrastructure |