The sender name said Ottimate. The footer said Qubiqle Inc. Every link pointed to vendors.plateiq[.]com. Three different brand identities in a single payment notification, every authentication check clean, and a PDF attachment whose MIME type lied about what it was.
The email presented itself as a payment notification for $2,061.82 from "Polo Bar," formatted in a vendor-portal table with a payment initiation date set to a recent date. The call-to-action read "Visit the Vendor Portal." The template included duplicated content blocks, suggesting either a rendering error or a template assembled without cleanup.
The visible sender said "Ottimate," a name in the accounts-payable automation space. The footer credited "Qubiqle Inc." Every link resolved to vendors.plateiq[.]com through a Mandrill click-tracking wrapper at mandrillapp[.]com/track/click/30497155/vendors.plateiq[.]com. Three brand identities. One email. None of them aligned.
The FBI's 2024 Internet Crime Report documented over $2.9 billion in BEC losses, with payment notification and invoice diversion schemes representing a significant share. Attacks that impersonate vendor portals and payment platforms are a well-established vector for redirecting legitimate payment flows.
The email was sent through Mandrill, the transactional email platform operated by Mailchimp. The authentication results: SPF pass, DKIM pass (signed by mandrillapp[.]com and plateiq[.]com), and DMARC pass.
This is the core problem with authentication-only defenses. SPF, DKIM, and DMARC confirm that an email came from authorized infrastructure. When the sending platform is a legitimate ESP, the answer is always yes, regardless of what the email contains. A SEG evaluating this message would see passing authentication, a trusted platform with a clean reputation, and a PDF that scanned clean. Nothing in the signal chain would trigger a block.
Every link in the email routed through Mandrill's click-tracking infrastructure. The "Visit the Vendor Portal" button pointed to mandrillapp[.]com/track/click/30497155/vendors.plateiq[.]com?p=..., not directly to the vendor portal.
The recipient sees a Mandrill URL, not the actual destination. Whether vendors.plateiq[.]com leads to a legitimate portal or a credential harvesting page is invisible at click time. URL scanners see mandrillapp[.]com, a trusted domain. Some follow the redirect to the final destination. Many stop at the first hop and classify the link as safe. This is MITRE ATT&CK T1608.005 (Stage Capabilities: Link Target): the click-tracking wrapper stages the actual payload URL behind trusted infrastructure.
An open-tracking pixel was also embedded, confirming delivery and open events back to the sender's Mandrill account.
The email carried a PDF attachment with a SHA256-hash filename. The actual content was PDF 1.4: no JavaScript, no AcroForm fields, no embedded files, no URLs. Static analysis came back clean.
But the MIME metadata declared the file as text/plain, not application/pdf. Email clients use MIME types to decide how to render attachments. Security scanners use them to route files to the correct analysis pipeline. A file labeled text/plain may bypass PDF-specific inspection entirely, skipping checks for embedded JavaScript, form fields, and URI actions.
Whether the mismatch was intentional evasion or a misconfigured template is ambiguous. The effect is the same: tools that trusted the MIME declaration over actual file content did not evaluate this as a PDF. This aligns with MITRE ATT&CK T1036.005 (Masquerading: Match Legitimate Name or Location).
Ottimate, PlateIQ, and Qubiqle are names in the accounts-payable automation space. It is plausible that Ottimate is a product name for the platform formerly known as PlateIQ, and that Qubiqle Inc. is the parent legal entity. Corporate rebrands routinely leave orphaned brand references in email templates and footers.
That hypothesis explains two of the three brands. It does not explain why all three appear in a single email with no bridging language connecting them. A legitimate rebrand would typically acknowledge the name change.
The alternative: an attacker assembled this template from multiple sources and failed to clean up the branding. Phishing kits frequently reuse templates from real services. When the sender configuration comes from one source, the footer from another, and the link structure from a third, this kind of multi-brand inconsistency is the result.
This maps to MITRE ATT&CK T1566.002 (Phishing: Spearphishing Link): a link-based payload delivered through a trusted platform, using brand identity confusion to reduce the recipient's ability to verify the message against a single authoritative source.
The PDF was clean. The links pointed to a trusted ESP wrapper. Authentication passed. Nothing in the message body contained known phishing keywords.
Themis, the IRONSCALES Adaptive AI, evaluated the behavioral signal cluster: three inconsistent brand identities in one message, a MIME type mismatch between declared and actual content, and link destinations obscured behind a click-tracking wrapper. The convergence of these signals flagged the message for review.

| Type | Indicator | Context |
|---|---|---|
| Sending Platform | mandrillapp[.]com | Mandrill (Mailchimp) transactional email, legitimate ESP |
| Sending IP | 205.201.131.1 | Mandrill outbound, SPF pass |
| Visible Sender Brand | Ottimate | Display name on the payment notification |
| Footer Entity | Qubiqle Inc. | Legal entity credited in the email footer |
| Link Domain | vendors.plateiq[.]com | Destination behind all Mandrill click wrappers |
| Click Wrapper URL | mandrillapp[.]com/track/click/30497155/vendors.plateiq[.]com?p=... | Obscures final destination from recipient and scanners |
| Attachment | PDF 1.4 (SHA256 hash filename) | MIME declared as text/plain, actual content is PDF |
| MIME Mismatch | text/plain declared for PDF content | May bypass PDF-specific scanner analysis |
| Authentication | SPF=pass, DKIM=pass (mandrillapp[.]com + plateiq[.]com), DMARC=pass | Full authentication via legitimate ESP infrastructure |
| Payment Amount | $2,061.82 | "Polo Bar" vendor payment in template |

| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | "Visit the Vendor Portal" CTA routed through Mandrill click wrapper to vendors.plateiq[.]com |
| Masquerading: Match Legitimate Name or Location | T1036.005 | PDF mislabeled as text/plain; three legitimate brand identities used interchangeably |
| Stage Capabilities: Link Target | T1608.005 | Mandrill click-tracking wrapper staging the actual destination URL behind trusted infrastructure |
Treat multi-brand inconsistency as a high-priority signal. When the sender name, footer entity, and link domains reference three different organizations with no explanation, the message warrants manual review regardless of authentication results.
Do not trust MIME declarations without content-type verification. A PDF labeled text/plain should trigger additional inspection, not less. Content-type sniffing (inspecting the file's magic bytes) catches the mismatch that MIME headers do not.
Follow click-tracking wrappers to the final destination. A clean verdict on a Mandrill or SendGrid wrapper URL means the wrapper domain is trusted, not that the destination is safe. Ensure your scanning pipeline follows the full redirect chain.
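The two checks recommended above (sniffing attachment bytes instead of trusting the MIME header, and resolving click-tracking wrappers to their real destination) as a small added triage script; this is example code written for this write-up, not IRONSCALES tooling. The message is constructed to mirror the case described here, and the sender address, filename and tracking token are placeholders.

```python
import email, re
from email import policy
from urllib.parse import urlparse, unquote

# Constructed sample modelled on the case above; the attachment is base64 of "%PDF-1.4\n%%EOF\n".
RAW = b"""From: Ottimate <payments@sender.example>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=utf-8

<p>Payment of $2,061.82 from Polo Bar.</p><a href="https://mandrillapp.com/track/click/30497155/vendors.plateiq.com?p=abc">Visit the Vendor Portal</a><p>Qubiqle Inc.</p>
--b1
Content-Type: text/plain
Content-Disposition: attachment; filename="a1b2c3.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQKJSVFT0YK
--b1--
"""
MAGIC = {b"%PDF-": "application/pdf", b"PK\x03\x04": "application/zip", b"MZ": "application/x-dosexec"}
TRACKER_RE = re.compile(r"^/track/click/\d+/([^/?#]+)")  # Mandrill click-wrapper path layout

def sniff(data: bytes) -> str:
    # Content type from magic bytes; anything unrecognised is treated as plain text.
    return next((t for m, t in MAGIC.items() if data.startswith(m)), "text/plain")

def attachment_mismatches(msg):
    # (filename, declared type, sniffed type) wherever the MIME header disagrees with the bytes.
    out = []
    for part in msg.iter_attachments():
        declared, actual = part.get_content_type(), sniff(part.get_payload(decode=True) or b"")
        if declared != actual:
            out.append((part.get_filename(), declared, actual))
    return out

def unwrap(url: str) -> str:
    # Final host: for a Mandrill wrapper it sits in the path, otherwise it is the URL's own host.
    u = urlparse(url)
    m = TRACKER_RE.match(u.path) if u.hostname == "mandrillapp.com" else None
    return (unquote(m.group(1)) if m else u.hostname or "").lower()

def link_destinations(msg):
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    return [(h, unwrap(h)) for h in re.findall(r'href="([^"]+)"', html)]

def triage(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {"mime_mismatches": attachment_mismatches(msg), "links": link_destinations(msg)}
```

Anything reported under `mime_mismatches`, and any wrapped link whose final host differs from the brand shown to the recipient, is what should be queued for manual review.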
Evaluate ESP-authenticated email on content, not just authentication. Full SPF, DKIM, and DMARC pass on a Mandrill-delivered message confirms that Mandrill sent it. It does not confirm the message is legitimate. The authentication result is a statement about infrastructure, not intent.

| Attack | What happened |
|---|---|
| The Datadog Alert That Came From the Wrong Domain: Authenticated Brand Impersonation With All Links Pointing to Real Infrastructure | A fully authenticated Datadog monitor alert arrived from dtdg.co, not datadoghq.com. |
| The Subdomain That Fused Two Trusted Brands Into One Convincing Lie | Attackers fused two real brand names into a single subdomain and routed the message through Zix infrastructure to inherit enterprise authentication. |
| The PayPal Invoice That Passed Every Check Because PayPal Actually Sent It | A canceled PayPal invoice for $50 arrived with perfect SPF, DKIM, and DMARC authentication because PayPal's own infrastructure sent it. |
| The Graduation Sash Invoice That Every Security Check Approved | A $3,645 invoice for 55 custom graduation sashes arrived at a school district, sent through Shopify's legitimate email infrastructure. |
| Every Link Said U.S. Bank. Every Link Went Through Brevo. | A U.S. |