The email landed in the IRONSCALES billing inbox on a Monday afternoon. A Trello notification, clean and professional. "Esigns Document Notice." A card titled "Closing Settlement for Ironscales," dated that day, with a single blue button: View Document.
The template was pixel-perfect. App Store and Google Play badges in the footer. Atlassian privacy policy links. "This email was sent by Trello." Every visual detail matched what a real Trello notification looks like. And the message was addressed by name to billing@ironscales.com, explicitly calling out "Closing Settlement for Ironscales" as the document requiring review.
Someone was phishing the phishing company. And they were doing it well.
The sender address, boletos@gerenciadordeimobiliarias[.]com[.]br, belongs to a Brazilian real estate management platform registered since 2006. It is not a throwaway domain. It carried twenty years of reputation. And the attacker had full control of its SendGrid configuration.
The email passed every authentication check. SPF: pass. DKIM: pass (signature verified against the domain's published key). DMARC: pass. Microsoft's composite authentication score: 100 out of 100. The sending IP, 159[.]183[.]224[.]102, resolved to SendGrid's outbound infrastructure (s.wfbtzhss.outbound-mail.sendgrid[.]net), and the domain's SPF record explicitly authorized it.
According to the FBI IC3 2024 Internet Crime Report, business email compromise and credential theft accounted for over $2.9 billion in reported losses. The attacks that drive those numbers look exactly like this: fully authenticated, contextually targeted, and routed through infrastructure that reputation engines trust.
The subject line, "Final Follow-Up for billing: Please Review When Available," combined urgency with role-specific targeting. This was not a spray-and-pray campaign. The attacker knew the billing address, the company name, and the kind of document language that would prompt a click from someone in a finance role.
The "View Document" button is where this attack gets interesting.
The first hop passed through SendGrid's click-tracking service at u38748638[.]ct[.]sendgrid[.]net. Click tracking is standard for email service providers. It rewrites every link to route through a tracking domain before forwarding the recipient to the intended destination. Attackers love this because the visible URL in the email points to a recognized, high-reputation domain rather than their own infrastructure.
The second hop landed on urlsand[.]esvalabs[.]com. Esvalabs is the domain for Libraesva, an Italian email security vendor. Their "urlsand" service is a URL sandboxing product designed to scan and rewrite links for safe delivery. The attacker threaded the phishing URL through Libraesva's own security sandbox as a redirect waypoint.
The third hop routed through shared[.]outlook[.]inky[.]com and link[.]edgepilot[.]com. Inky is another email security platform. EdgePilot is their link protection product. The attacker's credential harvesting destination was wrapped inside Inky's safe-link rewriting infrastructure.
To summarize the redirect chain:
`SendGrid click tracker > Libraesva URL sandbox > Inky safe-link rewriter > credential harvester`
Each hop serves a purpose. SendGrid provides initial reputation cover. Libraesva's sandbox domain passes URL reputation checks because security vendor infrastructure is almost never blocklisted. Inky's safe-link domain adds another trusted layer. By the time the victim's browser reaches the final destination, the URL has passed through three layers of infrastructure that most security tools treat as inherently trustworthy.
The Verizon 2024 Data Breach Investigations Report found that credential theft remains the top action variety in breaches. The Microsoft Digital Defense Report 2024 specifically calls out abuse of legitimate services as a growing phishing delivery vector.
When the final redirect resolved, the destination presented a Libraesva-branded interstitial page. "Please confirm you are a human." A CAPTCHA gate, hosted on Libraesva's own domain, designed to prevent automated analysis tools from reaching the payload behind it. This is a well-known anti-analysis technique (T1036.005) that forces a human interaction before exposing the credential harvesting form.
The attacker built a chain where every observable artifact (the sender domain, the email authentication, the URL domains in the redirect path, the interstitial page branding) belongs to a legitimate organization. Nothing in the link chain pointed to a domain the attacker registered.
| Technique | ID | Application |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | Trello notification template with malicious "View Document" CTA |
| Stage Capabilities: Link Target | T1608.005 | Multi-hop redirect chain staged through SendGrid, Libraesva, and Inky infrastructure |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Pixel-perfect Trello notification template with Atlassian branding elements |
| Valid Accounts | T1078 | Compromised Brazilian domain with full SendGrid ESP authorization |
| Type | Value | Context |
|---|---|---|
| Sender Address | boletos@gerenciadordeimobiliarias[.]com[.]br | Compromised Brazilian domain, first-time sender |
| Sender Domain | gerenciadordeimobiliarias[.]com[.]br | Registered 2006, Brazilian real estate platform |
| Sending IP | 159[.]183[.]224[.]102 | SendGrid outbound infrastructure |
| SendGrid Subdomain | em1550[.]gerenciadordeimobiliarias[.]com[.]br | ESP envelope domain (Return-Path) |
| Click Tracker | u38748638[.]ct[.]sendgrid[.]net | SendGrid click-tracking, obscures final destination |
| Redirect Hop 1 | urlsand[.]esvalabs[.]com | Libraesva URL sandbox, abused as redirect waypoint |
| Redirect Hop 2 | shared[.]outlook[.]inky[.]com | Inky safe-link rewriter, abused as redirect waypoint |
| Redirect Hop 3 | link[.]edgepilot[.]com | Inky EdgePilot link protection infrastructure |
| Subject Line | Final Follow-Up for billing: Please Review When Available - RFIMt0 | Role-targeted urgency with random string suffix |
Every traditional email authentication check gave this message a perfect score. SPF, DKIM, DMARC, composite authentication. All passed. A SEG relying on authentication signals would have delivered this email without hesitation.
Themis flagged it at 90% confidence as credential theft. The detection was built on behavioral signals that authentication cannot evaluate: first-time sender to this mailbox, high-risk sender classification based on community intelligence from 35,000+ security professionals, anomalous link patterns where the displayed brand (Trello/Atlassian) did not match the sending domain (a Brazilian real estate company), and redirect chain complexity that indicated deliberate obfuscation.
The email was automatically quarantined across all four affected mailboxes within seconds of delivery.
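The behavioral signals described above (redirect chain complexity through trusted rewriters, displayed brand versus sending domain, first-time sender) can be expressed as simple checks. The following is an added illustration, not IRONSCALES or Themis code; the rewriter list is an assumption built from the hops named in this write-up, and the chain paths, query strings and final host are constructed placeholders.

```python
from urllib.parse import urlparse
# Constructed sample chain, one URL per hop: intermediate hosts are those named
# in the article; paths, query strings and the final host are placeholders.
SAMPLE_CHAIN = [
    "https://u38748638.ct.sendgrid.net/ls/click?upn=PLACEHOLDER",
    "https://urlsand.esvalabs.com/?u=PLACEHOLDER",
    "https://shared.outlook.inky.com/link?domain=PLACEHOLDER",
    "https://link.edgepilot.com/s/PLACEHOLDER",
    "https://credential-harvester.example/login",
]
SAMPLE_BODY = "Closing Settlement for Ironscales. This email was sent by Trello."
SAMPLE_SENDER_DOMAIN = "gerenciadordeimobiliarias.com.br"

# Assumed tracker/rewriter list built from the hops the article describes.
REWRITER_DOMAINS = ("ct.sendgrid.net", "urlsand.esvalabs.com",
                    "shared.outlook.inky.com", "link.edgepilot.com")
# Brands a template may impersonate, mapped to the domain that sends for them.
BRAND_DOMAINS = {"trello": "trello.com", "atlassian": "atlassian.com"}

def is_rewriter(host):
    """True when host is, or is a subdomain of, a known tracker/rewriter."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in REWRITER_DOMAINS)

def redirect_chain_signals(chain):
    """Count hops and trusted-looking rewriter hops. One rewriter is normal
    mail flow; several chained is not. Non-rewriter hosts are the real targets."""
    hosts = [urlparse(u).hostname or "" for u in chain]
    rewriters = sum(is_rewriter(h) for h in hosts)
    return {"hops": len(hosts), "rewriter_hops": rewriters,
            "chained_rewriters": rewriters >= 2,
            "unknown_hosts": [h for h in hosts if not is_rewriter(h)]}

def brand_mismatches(body_text, sender_domain):
    """Brands named in the body whose domain is not the sending domain."""
    text, sender = body_text.lower(), sender_domain.lower()
    return sorted(b for b, d in BRAND_DOMAINS.items()
                  if b in text and sender != d and not sender.endswith("." + d))

def verdict(chain, body_text, sender_domain, first_time_sender):
    """Combine the behavioural signals (not authentication) into a verdict."""
    reasons = []
    if first_time_sender:
        reasons.append("first-time sender to this mailbox")
    if brand_mismatches(body_text, sender_domain):
        reasons.append("displayed brand does not match sending domain")
    if redirect_chain_signals(chain)["chained_rewriters"]:
        reasons.append("multiple tracker/rewriter hops chained in the link")
    return ("credential-theft-suspect" if len(reasons) >= 2 else "review", reasons)
```

Run against the sample, `verdict` returns `credential-theft-suspect` with all three reasons, while a genuine Trello notification from `trello.com` with a single hop produces no reasons at all.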
Authentication is not intent. A compauth score of 100 means the infrastructure is correctly configured. It says nothing about whether the person controlling it is sending legitimate mail. Twenty years of domain age and valid DKIM signatures do not make a message safe.
Security vendor infrastructure is not immune to abuse. This attack routed through the URL scanning and link rewriting products of two competing email security companies. Treating those domains as inherently safe creates blind spots that attackers actively exploit.
Role-based targeting demands role-aware detection. "Closing Settlement" sent to a billing address is not random. Detection systems need to weigh content against recipient role and sender history, not just evaluate links and headers in isolation.
Multi-hop redirects defeat single-layer URL inspection. Each redirect in this chain passed through a domain with clean reputation. Static URL blocklists cannot keep up with chains that weaponize trusted infrastructure.
The attacker who targeted IRONSCALES billing did not make a mistake. They picked a company that would recognize the attack. What protected our team was not authentication, not URL reputation, and not the two security vendor platforms the attacker routed through. It was behavioral AI that understood the difference between what the email claimed to be and what it actually was.