An email with the subject "Annual Salary wages and Employer Provided Benefits" arrived at a nonprofit organization. The sender address used the organization's name with a .com TLD. The organization operates on .org. The email body was completely empty. The only content was a 9 KB ODT attachment named after the organization. Everything about this attack depended on the recipient not noticing that one TLD was wrong.
The legitimate domain is gridalternatives[.]org. The sender used gridalternatives[.]com, a domain registered through GoDaddy in December 2006. This is not a fresh squat. The .com variant has existed for nearly 20 years, which means it carries none of the newly registered domain signals that scanners use to flag suspicious senders.
The attacker provisioned a Microsoft 365 tenant, gridalt[.]onmicrosoft[.]com, and used it to sign the message. DKIM passed for that tenant. But SPF returned NONE for gridalternatives[.]com, meaning the .com domain itself published no SPF record authorizing any sending host. DMARC could not evaluate cleanly because neither authenticated identifier aligned with the From domain: the passing DKIM signature belonged to the onmicrosoft[.]com tenant, and the .com domain had no SPF record to pass. ARC validation passed at the Google hop (i=2), adding one more layer of apparent legitimacy to the delivery chain.
The relay IP, 192[.]3[.]7[.]3, belongs to ColoCrossing infrastructure in Buffalo, NY. Not a cloud email provider. Not a known ESP. Just a commodity hosting relay sitting between the M365 tenant and the recipient's mail server.
For secure email gateways that rely on authentication results and domain reputation, this message presented a mixed but non-blocking signal: a passing DKIM signature, no SPF enforcement, and a 20-year-old domain. Most would deliver it.
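The authentication picture above is easiest to reason about as an alignment question: DMARC can only pass when a passing DKIM signature or a passing SPF check uses a domain that aligns with the From domain. The following Python is an added example, not code from the original writeup; it parses a constructed Authentication-Results header shaped after the results described (the authserv-id `mx.recipient.example`, the header text and the relaxed-alignment helper are assumptions) and reports why a gateway that only looks at "DKIM pass" would be misled.

```python
import re
from typing import Dict, List

# Constructed Authentication-Results value shaped after the writeup's results:
# DKIM pass for the onmicrosoft tenant, SPF none for the .com domain, ARC pass at i=2.
SAMPLE_AUTH_RESULTS = (
    "mx.recipient.example; "
    "dkim=pass header.d=gridalt.onmicrosoft.com header.i=@gridalt.onmicrosoft.com; "
    "spf=none smtp.mailfrom=gridalternatives.com; "
    "arc=pass (i=2 spf=none dkim=pass dmarc=none)"
)
SAMPLE_FROM_DOMAIN = "gridalternatives.com"


def parse_auth_results(value: str) -> Dict[str, Dict[str, str]]:
    """Parse an Authentication-Results value (RFC 8601 shape) into
    {method: {"result": ..., "<ptype.property>": ...}}.
    Parenthesised comments are dropped, except that an ARC instance "i=N" is kept."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    methods: Dict[str, Dict[str, str]] = {}
    for part in parts[1:]:  # parts[0] is the authserv-id
        arc_inst = re.search(r"\bi=(\d+)", part)
        part = re.sub(r"\([^)]*\)", "", part).strip()
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = {"result": result.lower()}
        for tok in tokens[1:]:
            if "=" in tok:
                key, val = tok.split("=", 1)
                props[key.lower()] = val.lstrip("@").lower()
        if arc_inst:
            props["i"] = arc_inst.group(1)
        methods[method.lower()] = props
    return methods


def registrable_domain(domain: str) -> str:
    """Crude organizational domain (last two labels) for relaxed alignment.
    Adequate for .com/.org; a production check should use the Public Suffix List."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def dmarc_alignment(auth_results: str, from_domain: str) -> Dict[str, object]:
    """Report which authenticated identifiers align with the From domain.
    DMARC can only pass if at least one does, so an empty list means the message
    is unauthenticated from the recipient's point of view even though DKIM verified."""
    ar = parse_auth_results(auth_results)
    from_org = registrable_domain(from_domain)
    aligned: List[str] = []
    notes: List[str] = []

    dkim = ar.get("dkim", {})
    dkim_d = dkim.get("header.d", "")
    if dkim.get("result") == "pass":
        if registrable_domain(dkim_d) == from_org:
            aligned.append("dkim")
        else:
            notes.append(f"DKIM pass for {dkim_d} does not align with From {from_domain}")
    else:
        notes.append(f"DKIM result: {dkim.get('result', 'absent')}")

    spf = ar.get("spf", {})
    spf_dom = spf.get("smtp.mailfrom", "")
    if spf.get("result") == "pass":
        if registrable_domain(spf_dom) == from_org:
            aligned.append("spf")
        else:
            notes.append(f"SPF pass for {spf_dom} does not align with From {from_domain}")
    else:
        notes.append(f"SPF result: {spf.get('result', 'absent')} for {spf_dom or from_domain}")

    arc = ar.get("arc", {})
    if arc.get("result") == "pass":
        notes.append(f"ARC pass at i={arc.get('i', '?')} vouches for the forwarding chain, not the sender")

    return {"aligned": aligned, "dmarc_can_pass": bool(aligned), "notes": notes}


if __name__ == "__main__":
    for line in dmarc_alignment(SAMPLE_AUTH_RESULTS, SAMPLE_FROM_DOMAIN)["notes"]:
        print(line)
```

The point the output makes is that "DKIM pass" on its own is a statement about the signing tenant, not about the From domain the recipient sees; a gateway policy should key on `dmarc_can_pass` (or the real DMARC verdict) rather than on any single passing method.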
The email body contained nothing. No text. No links. No images. The entire message was the subject line and the attachment.
The attachment, an ODT file generated by Pandoc 3.8 on April 28, 2026, was clean by every static analysis measure. No macros. No external links. No embedded forms. No scripting. Standard ODF namespace URIs only. The single embedded object was an image (Pictures/0.png). A sandbox would detonate it and find nothing actionable.
That combination, empty body plus clean attachment, is the tell. The subject line creates the urgency (payroll, salary, benefits). The empty body forces the recipient to open the file for context. The file itself may be a trust-building first touch in a multi-stage campaign, a reconnaissance probe to confirm the mailbox is active and the recipient engages with payroll content, or a template for a future weaponized version once the sender establishes familiarity.
The ODT format is itself a choice. Most phishing attachments arrive as PDF, DOCX, or HTML. ODT is unusual enough to receive less scanner attention while still opening natively in Microsoft Word and LibreOffice. The Pandoc generator string suggests scripted, not manual, document creation.
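The static checks listed above (macros, external links, forms, scripting, namespace URIs, embedded objects, generator string) can all be done without opening the document in an office suite, because an ODT is a ZIP archive of XML parts. The following Python is an added example rather than anything from the original post: it builds a minimal constructed ODT in memory with the same shape the writeup describes (a single `Pictures/0.png` and a `Pandoc/3.8` generator string; the PNG bytes and XML text are placeholders, not the real attachment) and runs a triage pass over it, including a variant with a `Basic/` macro module and one with an external hyperlink to show what a non-clean result looks like.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

OFFICE = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"
META = "urn:oasis:names:tc:opendocument:xmlns:meta:1.0"
TEXT = "urn:oasis:names:tc:opendocument:xmlns:text:1.0"
DRAW = "urn:oasis:names:tc:opendocument:xmlns:drawing:1.0"
FORM = "urn:oasis:names:tc:opendocument:xmlns:form:1.0"
SCRIPT = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
XLINK = "http://www.w3.org/1999/xlink"
# Namespace URIs a plain ODF text document legitimately uses; anything else is worth a look.
KNOWN_NS_PREFIXES = ("urn:oasis:names:tc:opendocument:xmlns:", XLINK,
                     "http://purl.org/dc/elements/1.1/", "http://www.w3.org/1998/Math/MathML")


def build_sample_odt(with_macro: bool = False, external_link: str = "") -> bytes:
    """Construct a minimal ODT in memory (sample data, not the real attachment)."""
    link = f'<text:a xlink:href="{external_link}">update</text:a>' if external_link else ""
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<office:document-content xmlns:office="{OFFICE}" xmlns:text="{TEXT}" '
        f'xmlns:draw="{DRAW}" xmlns:xlink="{XLINK}" office:version="1.2">'
        "<office:body><office:text>"
        f"<text:p>Annual salary and benefits statement {link}</text:p>"
        '<draw:frame><draw:image xlink:href="Pictures/0.png"/></draw:frame>'
        "</office:text></office:body></office:document-content>"
    )
    meta = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<office:document-meta xmlns:office="{OFFICE}" xmlns:meta="{META}" office:version="1.2">'
        "<office:meta><meta:generator>Pandoc/3.8</meta:generator>"
        "<meta:creation-date>2026-04-28T00:00:00</meta:creation-date>"
        "</office:meta></office:document-meta>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        # ODF requires 'mimetype' to be the first entry and stored uncompressed.
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                   compress_type=zipfile.ZIP_STORED)
        z.writestr("content.xml", content)
        z.writestr("meta.xml", meta)
        z.writestr("Pictures/0.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)  # placeholder bytes
        if with_macro:
            z.writestr("Basic/Standard/Module1.xml", "<module/>")  # where ODF Basic macros live
    return buf.getvalue()


def triage_odt(data: bytes) -> Dict[str, object]:
    """Static triage of an ODT: macros, scripts, forms, external links, namespaces, metadata."""
    report: Dict[str, object] = {
        "entries": [], "macros": False, "scripts": False, "forms": False,
        "external_links": [], "embedded_objects": [], "unknown_namespaces": [],
        "generator": None, "creation_date": None,
    }
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        report["entries"] = names
        report["macros"] = any(n.startswith("Basic/") for n in names)
        report["scripts"] = any(n.startswith("Scripts/") for n in names)
        report["embedded_objects"] = [n for n in names
                                      if n.startswith(("Pictures/", "Object", "ObjectReplacements/"))]
        if "meta.xml" in names:
            meta_root = ET.fromstring(z.read("meta.xml"))
            gen = meta_root.find(f".//{{{META}}}generator")
            created = meta_root.find(f".//{{{META}}}creation-date")
            report["generator"] = gen.text if gen is not None else None
            report["creation_date"] = created.text if created is not None else None
        if "content.xml" in names:
            raw = z.read("content.xml")
            # Collect every namespace declared in content.xml and flag unfamiliar ones.
            ns_uris = {uri for _, (_, uri) in ET.iterparse(io.BytesIO(raw), events=("start-ns",))}
            report["unknown_namespaces"] = sorted(u for u in ns_uris if not u.startswith(KNOWN_NS_PREFIXES))
            for el in ET.fromstring(raw).iter():
                if el.tag.startswith(f"{{{FORM}}}"):
                    report["forms"] = True
                if el.tag.startswith(f"{{{SCRIPT}}}"):
                    report["scripts"] = True
                href = el.get(f"{{{XLINK}}}href")
                # A scheme prefix (http:, https:, file:, ...) marks a link outside the archive.
                if href and re.match(r"^[A-Za-z][A-Za-z0-9+.-]*:", href):
                    report["external_links"].append(href)
    return report


def static_verdict(report: Dict[str, object]) -> str:
    flags: List[str] = [k for k in ("macros", "scripts", "forms") if report[k]]
    if report["external_links"]:
        flags.append("external_links")
    if report["unknown_namespaces"]:
        flags.append("unknown_namespaces")
    return "clean" if not flags else "review: " + ", ".join(flags)


if __name__ == "__main__":
    rep = triage_odt(build_sample_odt())
    print(static_verdict(rep), rep["generator"], rep["creation_date"], rep["embedded_objects"])
```

A "clean" verdict here reproduces the writeup's conclusion: static analysis has nothing to act on, so the decision has to come from the delivery context (lookalike sender, empty body, payroll lure) rather than from the file.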
TLD confusion succeeds because humans read organization names, not domain suffixes. When gridalternatives[.]com appears in a header alongside a payroll subject line, the recipient's brain registers "Grid Alternatives" and stops parsing. The .com versus .org distinction disappears into the background, especially in mobile email clients that truncate sender addresses.
Adaptive AI and community-driven threat intelligence catch this pattern by correlating behavioral signals that authentication cannot evaluate: a first-time sender from a domain that resembles but does not match the recipient's own organization, an empty message body paired with an attachment, and a payroll subject line targeting a sector (nonprofit) where staff are less likely to have dedicated security teams reviewing inbound mail.
The attack surface here was not technical. It was perceptual. The entire threat lived in the gap between .com and .org.
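The behavioral correlation described above (a sender domain that resembles but does not match the organization's own, an empty body with an attachment, a payroll-themed subject, a first-time sender) is straightforward to express as a rule. The following Python is an added example and not the writeup's or any vendor's detection logic; the sample message fields are constructed from the indicators on this page, and the rule generalizes slightly beyond the page by also catching a second-level label that is one edit away from the organization's (the `quarantine`/`flag`/`deliver` verdict names are assumptions).

```python
from typing import Dict, List, Optional, Tuple

# Subject words that signal a payroll/compensation lure (constructed list).
PAYROLL_TERMS = ("salary", "wages", "payroll", "benefits", "w-2", "direct deposit", "pay stub")


def split_domain(domain: str) -> Tuple[str, str]:
    """Return (second-level label, TLD). Crude, but sufficient for .com/.org lookalikes."""
    labels = domain.lower().strip(".").split(".")
    return (labels[-2] if len(labels) >= 2 else labels[0]), labels[-1]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character label variants."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(sender_domain: str, org_domain: str) -> Optional[str]:
    """Classify how the sender's registrable domain relates to the organization's."""
    s_label, s_tld = split_domain(sender_domain)
    o_label, o_tld = split_domain(org_domain)
    if (s_label, s_tld) == (o_label, o_tld):
        return None  # same registrable domain (any subdomain of it counts as internal)
    if s_label == o_label and s_tld != o_tld:
        return "tld_lookalike"  # the case in this writeup: .com vs .org
    if edit_distance(s_label, o_label) <= 1:
        return "label_lookalike"  # e.g. a dropped or swapped character
    return None


def assess_message(sender_domain: str, org_domain: str, subject: str, body: str,
                   attachments: List[str], first_time_sender: bool) -> Dict[str, object]:
    """Correlate the signals authentication cannot see and return a verdict with reasons."""
    findings: List[str] = []
    kind = lookalike(sender_domain, org_domain)
    if kind:
        findings.append(f"{kind}: {sender_domain} vs {org_domain}")
    if first_time_sender:
        findings.append("first_time_sender")
    if not body.strip() and attachments:
        findings.append("empty_body_with_attachment")
    hits = [t for t in PAYROLL_TERMS if t in subject.lower()]
    if hits:
        findings.append("payroll_lure: " + ", ".join(hits))
    # A lookalike domain plus any one corroborating signal is enough to hold for review;
    # isolated signals are only flagged so legitimate payroll mail is not blocked.
    if kind and len(findings) >= 2:
        verdict = "quarantine"
    elif findings:
        verdict = "flag"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "findings": findings}


# Constructed message fields taken from the indicators in this writeup.
SAMPLE = dict(
    sender_domain="gridalternatives.com",
    org_domain="gridalternatives.org",
    subject="Gridalternatives Annual Salary wages and Employer Provided Benefits",
    body="",
    attachments=["Gridalternatives.odt"],
    first_time_sender=True,
)

if __name__ == "__main__":
    result = assess_message(**SAMPLE)
    print(result["verdict"])
    for f in result["findings"]:
        print(" -", f)
```

The verdict thresholds are deliberately conservative: a single hit such as a payroll subject from a known sender only flags, while the combination the writeup describes reaches quarantine on the sender/organization mismatch alone plus one corroborating signal.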
| Type | Indicator | Context |
|---|---|---|
| Sender Domain | gridalternatives[.]com | TLD lookalike of legitimate .org domain, registered 2006-12-13 via GoDaddy |
| Legitimate Domain | gridalternatives[.]org | The real nonprofit organization's domain (for contrast) |
| M365 Tenant | gridalt[.]onmicrosoft[.]com | DKIM signing domain, purpose-provisioned tenant |
| Relay IP | 192[.]3[.]7[.]3 | ColoCrossing infrastructure, Buffalo, NY |
| Attachment | Gridalternatives.odt | 9,444 bytes, ODT format, generated by Pandoc/3.8 |
| Attachment Created | 2026-04-28 | Document creation date from file metadata |
| Embedded Image | Pictures/0.png | Single image object inside ODT archive |
| SPF Result | NONE | gridalternatives[.]com published no SPF record for sending hosts |
| ARC | Pass (i=2) | Google hop validated the chain |
| Subject | "Gridalternatives Annual Salary wages and Employer Provided Benefits" | Payroll-themed social engineering lure |