Closing Settlement for Ironscales: A Trello Template Weaponized with Stolen Brand Identity

TL;DR: A phishing email used a pixel-perfect Trello/Atlassian notification template delivered through SendGrid infrastructure from a Brazilian real estate management domain (gerenciadordeimobiliarias[.]com[.]br). Full SPF, DKIM, and DMARC authentication passed with compauth=100. The body falsely attributed the document invite to a cybersecurity vendor and referenced a 'Closing Settlement,' pairing SaaS platform credibility with organizational trust. The 'View Document' CTA routed through SendGrid click-tracking to a multi-hop redirect chain terminating at a URL sandbox interstitial. Themis flagged it at 90% confidence across 4 mailboxes, all quarantined automatically.
Severity: High | Tags: Credential-Harvesting, Brand-Impersonation | MITRE ATT&CK: T1566.002, T1586.002, T1036.005

A Trello notification landed in four mailboxes at an email security company. The header read "TEAMS MEMO." Below it, a clean Atlassian-branded card stated that the recipient's own employer had sent an invite to review a "Closing Settlement." The "View Document" button sat centered beneath the card, exactly where Trello always puts it. App Store badges, a privacy policy link, and the standard "This email was sent by Trello" footer completed the illusion.

SPF passed. DKIM passed. DMARC passed with a compauth score of 100. The sending domain was a legitimate Brazilian real estate management platform. SendGrid delivered the message. Microsoft assigned an SCL of 1 and categorized the threat as NONE.

The email was a credential theft operation built on cross-brand impersonation, and it bypassed every authentication gate in the delivery chain.

Two Brands, One Lie

The attacker constructed trust from two directions simultaneously. The visual layer replicated a genuine Trello/Atlassian notification, complete with the collaboration platform's card layout, avatar initials ("CG"), date formatting (13/04/2026), and a full Trello footer with mobile app download badges and settings management links. Recipients who use Trello would recognize the template instantly.

The content layer injected a different brand entirely. The card body stated the recipient's own organization "sent you an invite to review completed revised document" with the title "Closing Settlement for [Company Name]." This cross-brand pairing is deliberate. The Trello template signals routine, trusted workflow. The organizational name signals internal authority and urgency. Neither brand sent the email.

This technique maps to MITRE ATT&CK T1036.005 (Masquerading: Match Legitimate Name or Location) and T1586.002 (Compromise Accounts: Email Accounts), with the initial delivery vector fitting T1566.002 (Phishing: Spearphishing Link). The 2024 Microsoft Digital Defense Report documented a 146% year-over-year increase in phishing campaigns abusing trusted SaaS notification templates, precisely because these templates inherit the visual trust of platforms recipients already interact with daily.

The Authentication Paradox

The sending domain, gerenciadordeimobiliarias[.]com[.]br, is registered to a Brazilian internet services company (Trafego Acesso a Internet Ltda) and has been active for years. The attacker configured SendGrid as the authorized sending platform under the subdomain em1550.gerenciadordeimobiliarias[.]com[.]br. The full authentication chain:

  • SPF: Pass. IP 50[.]31[.]49[.]42 is authorized for em1550.gerenciadordeimobiliarias[.]com[.]br
  • DKIM: Pass. Valid signature on d=gerenciadordeimobiliarias[.]com[.]br, selector s1
  • DMARC: Pass, action=none
  • compauth: 100 (Microsoft Composite Authentication, perfect score)
  • SCL: 1 (lowest non-zero spam confidence level)

The Return-Path contained a SendGrid VERP-encoded bounce address: bounces+38748638-0e1a-[recipient]=[domain]@em1550.gerenciadordeimobiliarias[.]com[.]br. The X-SG-EID header confirmed SendGrid campaign infrastructure. This is not a compromised account forwarding a single message. It is a purpose-built sending pipeline, configured to pass every authentication check that legacy email security gateways rely on.

The 2024 Verizon DBIR found that 89% of organizations encountered at least one phishing email that passed DMARC validation. Authentication infrastructure does not evaluate content. It evaluates authorization. An attacker who controls the sending domain and configures proper DNS records will pass every check, every time.
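The check that authentication cannot make for you, as an added example (not code from the Ironscales write-up): parse the Authentication-Results, Return-Path and X-SG-EID headers, confirm that every mechanism passed, and then compare the domain that actually authenticated with the brands the body claims. The sample headers are constructed for this demo from the indicators quoted above, kept defanged with "[.]" as on the page and refanged before parsing; the recipient address, the X-SG-EID value and the subject text are placeholders, trello.com and atlassian.com stand for the impersonated platform, and example.invalid stands for the recipient's own organization.

```python
"""Audit a message's authentication results against the brand its body claims.

Added example, not from the Ironscales article. SAMPLE_HEADERS is constructed
for this demo from the indicators the article quotes; values marked
CONSTRUCTED or *.invalid are placeholders.
"""
import re
from email import message_from_string
from email.policy import default

SAMPLE_HEADERS = """\
Authentication-Results: spf=pass (sender IP is 50[.]31[.]49[.]42)
 smtp.mailfrom=em1550.gerenciadordeimobiliarias[.]com[.]br; dkim=pass
 (signature was verified) header.d=gerenciadordeimobiliarias[.]com[.]br;
 dmarc=pass action=none header.from=gerenciadordeimobiliarias[.]com[.]br;
 compauth=pass reason=100
From: boletos@gerenciadordeimobiliarias[.]com[.]br
Return-Path: <bounces+38748638-0e1a-user=recipient.invalid@em1550.gerenciadordeimobiliarias[.]com[.]br>
X-SG-EID: CONSTRUCTED-SENDGRID-EVENT-ID
X-MS-Exchange-Organization-SCL: 1
Subject: Closing Settlement RFINrK

"""

# Brands the body claims: the impersonated platform plus the recipient's own
# organization (example.invalid is a placeholder for the latter).
CLAIMED_BRAND_DOMAINS = {"trello.com", "atlassian.com", "example.invalid"}

# Rough stand-in for the public suffix list: enough for .com.br-style TLDs.
SECOND_LEVEL = {"com", "co", "net", "org", "gov", "edu"}


def refang(text: str) -> str:
    """Turn the page's defanged '[.]' notation back into real dots."""
    return text.replace("[.]", ".")


def registrable_domain(host: str) -> str:
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_auth_results(auth_results: str) -> dict:
    """Pull mechanism verdicts and the authenticated domains out of the header."""
    results = dict(re.findall(r"\b(spf|dkim|dmarc|compauth)=([A-Za-z]+)", auth_results))
    for key, pattern in (("dkim_domain", r"header\.d=([\w.\-]+)"),
                         ("from_domain", r"header\.from=([\w.\-]+)"),
                         ("compauth_reason", r"reason=(\d+)")):
        m = re.search(pattern, auth_results)
        results[key] = m.group(1) if m else None
    return results


def assess(raw_headers: str, claimed_brand_domains: set) -> dict:
    msg = message_from_string(refang(raw_headers), policy=default)
    auth = parse_auth_results(str(msg["Authentication-Results"] or ""))
    all_pass = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc", "compauth"))

    # The DKIM d= domain is what actually authenticated; fall back to header.from.
    authenticated = auth["dkim_domain"] or auth["from_domain"] or ""
    auth_org = registrable_domain(authenticated)
    brand_aligned = auth_org in {registrable_domain(d) for d in claimed_brand_domains}

    # SendGrid fingerprints: VERP bounce address plus the X-SG-EID event header.
    return_path = str(msg["Return-Path"] or "").strip("<> ")
    esp_relay = return_path.startswith("bounces+") and msg["X-SG-EID"] is not None

    if not all_pass:
        verdict = "authentication-failed"
    elif brand_aligned:
        verdict = "authenticated-and-brand-aligned"
    else:
        verdict = "authenticated-but-brand-misaligned"

    return {
        "auth": auth,
        "all_pass": all_pass,
        "compauth_reason": auth["compauth_reason"],
        "scl": str(msg["X-MS-Exchange-Organization-SCL"] or ""),
        "authenticated_domain": auth_org,
        "esp_relay": esp_relay,
        "brand_aligned": brand_aligned,
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = assess(SAMPLE_HEADERS, CLAIMED_BRAND_DOMAINS)
    print(report["verdict"], report["authenticated_domain"], "SCL", report["scl"])
```

Every mechanism reports pass and compauth carries reason 100, yet the verdict is still "authenticated-but-brand-misaligned": the domain that signed the mail is not one the body claims to speak for. That comparison, not the pass/fail results, is where a gateway that stops at authentication leaves the gap.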

The Click Chain: From SendGrid to Sandbox Interstitial

Every link in the email was wrapped in SendGrid click-tracking (u38748638[.]ct[.]sendgrid[.]net/ls/click?upn=...), a standard ESP feature that records click engagement before redirecting to the final destination. For the attacker, this tracking wrapper serves a dual purpose: it masks the true destination URL on hover, and it launders the link through SendGrid's domain reputation.

The primary "View Document" CTA resolved through a multi-hop redirect chain:

  1. SendGrid click-tracking (u38748638[.]ct[.]sendgrid[.]net) records the click
  2. Outlook Inky Safe Links (shared[.]outlook[.]inky[.]com) performs secondary URL inspection
  3. Edge Pilot link protection (link[.]edgepilot[.]com) adds another inspection layer
  4. esvalabs[.]com URL sandbox (urlsand[.]esvalabs[.]com) presents a Libraesva-branded interstitial page


The final landing page displayed a "Please confirm you are a human" gate, a common technique for filtering automated URL scanners from the credential harvesting page that follows. The FBI IC3 2024 Annual Report documented $2.77 billion in business email compromise losses, with credential theft via click-tracking obfuscation cited as a growing vector for initial access.

The supporting links (Trello blog, Apple App Store, Google Play, Atlassian privacy policy) all resolved to legitimate destinations. This is standard for SaaS template phishing: surrounding one malicious CTA with dozens of clean, verifiable links reduces the malicious-to-clean URL ratio and suppresses aggregate link scoring.
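Per-link scoring of the body, as an added example (not the article's code): extract every anchor and 1x1 tracking image from a notification-style HTML body, classify each link's host as brand-owned, click-tracking-wrapped or foreign, and escalate when the action button is the one link whose destination cannot be read from its href while everything around it is clean. The HTML is constructed for this demo around the hosts named above; the upn token and pixel path are placeholders, and apps.apple.com and play.google.com are assumed as the badge destinations.

```python
"""Score a notification body's links one at a time, not in aggregate.

Added example, not from the Ironscales article. SAMPLE_HTML is constructed
for this demo around the hosts the article names; the upn token and the
pixel path are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_HTML = """
<p>TEAMS MEMO</p>
<a href="https://u38748638.ct.sendgrid.net/ls/click?upn=CONSTRUCTED-OPAQUE-TOKEN">View Document</a>
<a href="https://blog.trello.com/">Trello blog</a>
<a href="https://apps.apple.com/">App Store</a>
<a href="https://play.google.com/">Google Play</a>
<a href="https://www.atlassian.com/legal/privacy-policy">Privacy Policy</a>
<a href="https://trello.com/">Manage settings</a>
<img src="https://use1-track.atlassian.com/constructed-pixel.gif" width="1" height="1">
"""

# Hosts the impersonated template legitimately links to (assumed for the demo).
BRAND_DOMAINS = {"trello.com", "atlassian.com", "apple.com", "google.com"}
# ESP click-tracking hosts: the href shows the wrapper, never the destination.
CLICK_TRACKING_SUFFIXES = ("ct.sendgrid.net",)


def host_matches(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs and 1x1 tracking images."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.pixels = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and a.get("src") and a.get("width") == "1" and a.get("height") == "1":
            self.pixels.append(a["src"])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def analyse(html):
    collector = LinkCollector()
    collector.feed(html)
    collector.close()

    findings = []
    for href, text in collector.links:
        host = (urlsplit(href).hostname or "").lower()
        if host_matches(host, CLICK_TRACKING_SUFFIXES):
            kind = "tracking-wrapped"   # real destination hidden behind the ESP
        elif host_matches(host, BRAND_DOMAINS):
            kind = "brand-legit"
        else:
            kind = "foreign"
        findings.append({"text": text, "host": host, "kind": kind})

    total = len(findings)
    clean = sum(1 for f in findings if f["kind"] == "brand-legit")
    wrapped_ctas = [f["text"] for f in findings if f["kind"] == "tracking-wrapped" and f["text"]]

    # Aggregate ratio alone looks benign; the verdict keys on the one action
    # link that does not go where the template's brand would send it.
    if total - clean == 0:
        verdict = "clean"
    elif clean and wrapped_ctas:
        verdict = "cta-mismatch"
    else:
        verdict = "review"

    return {
        "total_links": total,
        "clean_links": clean,
        "suspicious_ratio": (total - clean) / total if total else 0.0,
        "wrapped_ctas": wrapped_ctas,
        "tracking_pixels": collector.pixels,
        "findings": findings,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_HTML)
    print(result["verdict"], result["wrapped_ctas"], f"{result['suspicious_ratio']:.2f}")
```

On the sample body five of six links are brand-owned and the suspicious ratio is about 0.17, the figure an aggregate link score would shrug at; the verdict still escalates because the only button in the template is the only link whose host is an ESP wrapper rather than the brand's own.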

Indicators of Compromise

Indicator | Type | Context
boletos@gerenciadordeimobiliarias[.]com[.]br | Sender | From address, Brazilian real estate management domain
em1550.gerenciadordeimobiliarias[.]com[.]br | Domain | SendGrid subdomain, SPF/DKIM alignment
50[.]31[.]49[.]42 | IP | SendGrid sending IP, SPF-authorized
u38748638[.]ct[.]sendgrid[.]net | Domain | Click-tracking wrapper masking destination URLs
urlsand[.]esvalabs[.]com | Domain | Final redirect destination, Libraesva URL sandbox interstitial
use1-track[.]atlassian[.]com | Domain | Tracking pixel embedded in HTML body
s.pnkfpknx[.]outbound-mail[.]sendgrid[.]net | Hostname | SMTP relay hostname
RFINrK | String | Subject line tracking identifier

What Caught It

Across the IRONSCALES network of 1,921 organizations and 35,000+ security professionals, cross-brand SaaS impersonation generates an average of 67.5 incidents per 100 mailboxes per month. This specific attack hit 4 mailboxes and was automatically resolved as phishing within minutes. Themis, the platform's adaptive AI engine, scored the email at 90% phishing confidence and flagged two key labels: Credential Theft and VIP Recipient.

The detection signals were behavioral, not technical. Authentication was perfect. URL scanners returned clean verdicts on every link. The template matched a real SaaS platform. But the combination of a first-time Brazilian sender, a collaboration platform template referencing a "Closing Settlement" from the recipient's own employer, and a single CTA routed through multi-hop click-tracking created a behavioral fingerprint that static rules cannot express and traditional gateway architectures cannot evaluate.

Authentication proves who sent the email. It says nothing about what the email is trying to do. When attackers build their phishing infrastructure to pass every authentication check by design, the only remaining signal is behavior: template choice, sender history, content-to-brand misalignment, CTA destination obfuscation. These are the signals that separate a real Trello notification from a credential theft operation wearing Trello's skin.

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 30,000+ security professionals. Each post breaks down one attack — what it looked like, why it worked, and what you can do about it.
