The email header displayed a healthcare cybersecurity company's logo. The signature block belonged to a business advisory firm. The sending domain was registered to a Saudi football club. And the link to "View Completed Document(s)" routed through two separate URL protection services before reaching its actual destination.
Three brands. Zero connection between any of them. Every layer was chosen to answer a different question a recipient or a security tool might ask.
This is what credential harvesting looks like when attackers stop trying to perfect a single impersonation and start stacking partial ones. No single brand identity holds up to scrutiny. The attack is not designed to survive scrutiny. It is designed to generate enough momentary trust, from enough different angles, that the recipient clicks before questioning why a Saudi football club is sending DocuSign notifications through a healthcare vendor's letterhead.
Three Brands, Three Trust Signals
The email arrived from mohammed.ahmed@alqadsiah[.]com. Alqadsiah is a professional football club based in Saudi Arabia. The domain was registered in 2019 through Cloudflare with privacy-protected WHOIS. DKIM passed for alqadsiah[.]com. DMARC passed. The domain's authentication was properly configured, giving the message clean technical credibility.
The visual header featured the Censinet logo. Censinet is a healthcare cybersecurity risk management vendor based in the United States. There is no business relationship between a Saudi football club and a healthcare cybersecurity company that would explain this combination.
The email's signature block identified "[Named Contact]" from BWG Global, a business advisory firm. The signature included unsubscribe links pointing to surveys[.]bwgglobal[.]com. BWG Global has no connection to either Censinet or Alqadsiah.
Each brand layer targeted a different trust evaluation. The authenticated sender domain satisfied technical checks. The Censinet header provided visual authority in a cybersecurity context (if the recipient worked in healthcare or security, the logo would register as familiar). The BWG Global signature normalized the communication as a standard business document exchange. The FBI IC3 2024 Report documented over $2.9 billion in BEC losses, with brand impersonation evolving beyond single-brand spoofing into layered identity confusion designed to prevent recipients from forming a clear mental model of who is actually contacting them.
DocuSign Urgency With a Timestamp Anchor
The body language followed the DocuSign template playbook. "A secure document has been sent for your review." The subject line included a precise timestamp down to the second: "4/16/2026 10:43:47 AM." A blue "View Completed Document(s)" button served as the primary CTA.
The timestamp serves a specific psychological function. It anchors the email to a concrete moment, creating the impression that an automated system generated the message at that exact time. Legitimate DocuSign notifications include timestamps. Phishing emails that omit them lose a small but meaningful credibility signal. Including one, especially with second-level precision, borrows that signal.
The CISA phishing guidance advises recipients to be suspicious of urgent document-signing requests from unfamiliar senders. The challenge in this case is that the sender domain is not technically "unfamiliar" to the authentication stack. It passed every check. The unfamiliarity only becomes apparent when a human (or a behavioral model) asks why a Saudi football club is sending DocuSign notifications.
The URL Protection Wrappers That Became the Disguise
The "View Completed Document(s)" CTA did not point directly to the phishing domain. It routed through two legitimate URL protection services before reaching educargames[.]com/mm.
The redirect chain passed through a Cisco secure-web URL rewrite and a TrendMicro URL protection redirect. Both services are legitimate email security tools designed to scan and evaluate links before users reach the destination. In this case, the attacker weaponized both of them as obfuscation layers.
Here is the problem from the recipient's perspective. If the user hovers over the link before clicking, they see a Cisco or TrendMicro domain. Both are recognizable security brands. The visible URL reinforces the impression that the email has already been scanned and cleared. The actual destination, educargames[.]com, is buried inside encoded parameters that no human recipient would decode by inspection.
This maps to MITRE ATT&CK T1036 (Masquerading). The attack masquerades as a scanned, safe communication by inheriting the visual trust of the URL protection layer itself. The Verizon 2024 DBIR found the human element involved in 68% of breaches, and link evaluation (or the lack of it) is one of the most common failure points. When the link appears to point to a security vendor's domain, even trained recipients are less likely to question it.
Authentication Passed. The ARC Chain Did Not.
The message's authentication results tell a split story. DKIM passed for alqadsiah[.]com. DMARC passed. SPF returned a softfail from the originating IP 46[.]225[.]7[.]226, which resolved to a PTR record at static[.]226[.]7[.]225[.]46[.]clients[.]your-server[.]de, a German hosting provider.
The ARC (Authenticated Received Chain) told a different story. At hop i=2, the ARC chain validation returned cv=fail. This means the authentication seal broke during transit, indicating the message was modified after the initial authentication checks. Microsoft assigned a Spam Confidence Level (SCL) of 5, which delivered the message to Junk rather than the inbox.
ARC failures are an underused detection signal. Many organizations do not act on them because ARC is not universally adopted and forwarding scenarios can produce legitimate failures. In this case, the ARC failure aligned with other anomalies: the SPF softfail, the brand mismatch between sender domain and visual content, and the first-time sender status. Individually, each signal is ambiguous. Together, they form a pattern.
What the Behavioral Layer Caught
Microsoft's native filtering caught the SCL signal and routed the message to Junk. IRONSCALES Adaptive AI flagged the email at 74% confidence with a Credential Theft label, applying inline mitigation across two affected mailboxes.
The detection was not based on the phishing domain's reputation (educargames[.]com was behind two redirect layers). It was based on behavioral correlation. The sender had no prior relationship with the recipient organization. The visual branding (Censinet) had no connection to the sender domain (alqadsiah[.]com). The signature identity (BWG Global) matched neither the visual header nor the sender. The CTA used urgency language with a document-signing lure. And across the IRONSCALES community of 35,000+ security professionals, similar triple-brand patterns had already been surfaced by other organizations.
The 74% confidence score reflects the challenge of this attack type. No single signal was definitive. The brand mismatch was unusual but not impossible in legitimate forwarded communications. The URL protection wrappers could have been applied by a recipient's own security stack. The ARC failure could have been a legitimate forwarding artifact. Behavioral AI operates on the aggregate weight of these signals, and in this case, the aggregate was sufficient for automated action before any user clicked.
Defensive Takeaways
This attack exploits a specific gap in how both humans and machines evaluate trust in email. A few adjustments address this pattern:
- Flag multi-brand inconsistencies automatically. When the sender domain, visual branding, and signature identity reference three different organizations, that mismatch should trigger elevated scrutiny regardless of authentication results. This is detectable with header and content analysis that most SEGs do not perform.
- Treat URL protection wrappers as neutral infrastructure, not trust endorsements. A link pointing to cisco[.]com or trendmicro[.]com means the link has been rewritten, not that it has been cleared. Train users and tune detection logic accordingly.
- Act on ARC failures in combination with other signals. ARC failures alone produce too many false positives to block on. ARC failures combined with SPF softfail, first-time sender, and brand mismatch are a different story. Build detection rules that correlate these signals rather than evaluating them independently.
- Scrutinize authenticated football, sports, and entertainment domains. Compromised domains from organizations outside the recipient's industry vertical are increasingly common as sending infrastructure. An email from a sports club domain arriving at a technology or healthcare company should face higher scrutiny by default.
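The redirect-chain unwrapping described under "The URL Protection Wrappers That Became the Disguise" and the signal correlation these takeaways call for, as one added Python example that is not part of the article or of any vendor's product. The sample message is constructed from the article's indicators; the wrapper hostnames (wrapper-a.test, wrapper-b.test) stand in for the two URL protection services and do not reproduce their real URL formats, and the ARC-Seal values are invented.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import unquote, urlparse

# Constructed sample; wrapper-a/b.test stand in for the two URL protection services (real formats not reproduced)
SAMPLE = """\
From: mohammed.ahmed@alqadsiah.com
Authentication-Results: mx.test; spf=softfail smtp.mailfrom=alqadsiah.com; dkim=pass header.d=alqadsiah.com; dmarc=pass
ARC-Seal: i=2; a=rsa-sha256; cv=fail; d=relay.test; s=arc; b=placeholder

<img src="https://cdn.censinet.com/logo.png">
<a href="https://wrapper-a.test/click?url=https%3A%2F%2Fwrapper-b.test%2Fr%3Fu%3Dhttps%253A%252F%252Feducargames.com%252Fmm">View Completed Document(s)</a>
<p>[Named Contact], BWG Global <a href="https://surveys.bwgglobal.com/u">Unsubscribe</a></p>
"""

def org(host):
    return ".".join((host or "").lower().split(".")[-2:])  # crude registrable-domain guess

def unwrap_url(url):
    chain = [url]  # peel percent-encoded URLs out of the wrapper; visible hop first, destination last
    for _ in range(5):  # bounded so a self-referencing wrapper cannot loop forever
        p = urlparse(url)
        m = re.search(r"https?(?:%3A%2F%2F|://)[^\s\"'&]+", p.path + "?" + p.query, re.I)
        if not m:
            break
        url = unquote(m.group(0))
        chain.append(url)
    return chain

def extract_signals(raw, known_senders=frozenset()):
    msg = message_from_string(raw)
    sender = org(parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1])
    auth = msg.get("Authentication-Results", "").lower()
    seals = " ".join(msg.get_all("ARC-Seal", [])).lower()  # cv= lives in ARC-Seal (RFC 8617)
    urls = re.findall(r"""(?:href|src)=["'](https?://[^"']+)""", msg.get_payload(), re.I)
    return {
        "spf_softfail": "spf=softfail" in auth,
        "arc_cv_fail": "cv=fail" in seals,
        "first_time_sender": sender not in known_senders,
        # sender domain, logo host and signature/unsubscribe host name different organisations
        "brand_mismatch": len({sender} | {org(urlparse(u).hostname) for u in urls}) >= 3,
        # the host shown on hover differs from the unwrapped final destination
        "wrapped_destination": any(len(c) > 1 and org(urlparse(c[-1]).hostname)
                                   != org(urlparse(c[0]).hostname) for c in map(unwrap_url, urls)),
    }

def verdict(signals, threshold=3):
    hits = sorted(k for k, v in signals.items() if v)  # no signal blocks alone; act when several co-occur
    return ("quarantine" if len(hits) >= threshold else "deliver"), hits
```

Run against the sample, every signal fires and the verdict is quarantine; the same message with only the ARC failure set stays below the threshold, which is the point of correlating rather than blocking on one signal.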
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Sender Domain | alqadsiah[.]com | Saudi football club, registered 2019, Cloudflare, privacy WHOIS |
| Sender Address | mohammed.ahmed@alqadsiah[.]com | Display name not specified in case data |
| Visual Branding | Censinet | Healthcare cybersecurity vendor logo in email header |
| Signature Identity | BWG Global / "[Named Contact]" | Business advisory firm signature block |
| Unsubscribe Domain | surveys[.]bwgglobal[.]com | BWG Global survey infrastructure |
| Phishing Domain | educargames[.]com/mm | Final credential harvest destination |
| Originating IP | 46[.]225[.]7[.]226 | PTR: static[.]226[.]7[.]225[.]46[.]clients[.]your-server[.]de (Germany) |
| URL Protection Hop | Cisco secure-web | URL rewrite wrapper in redirect chain |
| URL Protection Hop | TrendMicro URL protection | URL rewrite wrapper in redirect chain |
MITRE ATT&CK Mapping
| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | DocuSign-themed credential harvest with redirect chain |
| Masquerading | T1036 | Triple brand identity layering across sender, header, and signature |
| User Execution: Malicious Link | T1204.001 | CTA designed to trigger click-through to credential capture page |