The email header displayed a healthcare cybersecurity company's logo. The signature block belonged to a business advisory firm. The sending domain was registered to a Saudi football club. And the link to "View Completed Document(s)" routed through two separate URL protection services before reaching its actual destination.
Three brands. Zero connection between any of them. Every layer was chosen to answer a different question a recipient or a security tool might ask.
This is what credential harvesting looks like when attackers stop trying to perfect a single impersonation and start stacking partial ones. No single brand identity holds up to scrutiny. The attack is not designed to survive scrutiny. It is designed to generate enough momentary trust, from enough different angles, that the recipient clicks before questioning why a Saudi football club is sending DocuSign notifications through a healthcare vendor's letterhead.
The email arrived from mohammed.ahmed@alqadsiah[.]com. Alqadsiah is a professional football club based in Saudi Arabia. The domain was registered in 2019 through Cloudflare with privacy-protected WHOIS. DKIM passed for alqadsiah[.]com. DMARC passed. The domain's authentication was properly configured, giving the message clean technical credibility.
The visual header featured the Censinet logo. Censinet is a healthcare cybersecurity risk management vendor based in the United States. There is no business relationship between a Saudi football club and a healthcare cybersecurity company that would explain this combination.
The email's signature block identified "[Named Contact]" from BWG Global, a business advisory firm. The signature included unsubscribe links pointing to surveys[.]bwgglobal[.]com. BWG Global has no connection to either Censinet or Alqadsiah.
Each brand layer targeted a different trust evaluation. The authenticated sender domain satisfied technical checks. The Censinet header provided visual authority in a cybersecurity context (if the recipient worked in healthcare or security, the logo would register as familiar). The BWG Global signature normalized the communication as a standard business document exchange. The FBI IC3 2024 Report documented over $2.9 billion in BEC losses, with brand impersonation evolving beyond single-brand spoofing into layered identity confusion designed to prevent recipients from forming a clear mental model of who is actually contacting them.
The message body followed the DocuSign template playbook. "A secure document has been sent for your review." The subject line included a precise timestamp down to the second: "4/16/2026 10:43:47 AM." A blue "View Completed Document(s)" button served as the primary call to action (CTA).
The timestamp serves a specific psychological function. It anchors the email to a concrete moment, creating the impression that an automated system generated the message at that exact time. Legitimate DocuSign notifications include timestamps. Phishing emails that omit them lose a small but meaningful credibility signal. Including one, especially with second-level precision, borrows that signal.
The CISA phishing guidance advises recipients to be suspicious of urgent document-signing requests from unfamiliar senders. The challenge in this case is that the sender domain is not technically "unfamiliar" to the authentication stack. It passed every check. The unfamiliarity only becomes apparent when a human (or a behavioral model) asks why a Saudi football club is sending DocuSign notifications.
The "View Completed Document(s)" CTA did not point directly to the phishing domain. It routed through two legitimate URL protection services before reaching educargames[.]com/mm.
The redirect chain passed through a Cisco secure-web URL rewrite and a TrendMicro URL protection redirect. Both services are legitimate email security tools designed to scan and evaluate links before users reach the destination. In this case, the attacker weaponized both of them as obfuscation layers.
Here is the problem from the recipient's perspective. If the user hovers over the link before clicking, they see a Cisco or TrendMicro domain. Both are recognizable security brands. The visible URL reinforces the impression that the email has already been scanned and cleared. The actual destination, educargames[.]com, is buried inside encoded parameters that no human recipient would decode by inspection.
This maps to MITRE ATT&CK T1036 (Masquerading). The attack masquerades as a scanned, safe communication by inheriting the visual trust of the URL protection layer itself. The Verizon 2024 DBIR found the human element involved in 68% of breaches, and link evaluation (or the lack of it) is one of the most common failure points. When the link appears to point to a security vendor's domain, even trained recipients are less likely to question it.
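As an added illustration (not code from the original analysis), the resolver below peels nested URL-protection wrappers offline to show the gap between the hostname a recipient sees on hover and where the click actually lands. The two rewriter hosts and the wrapper layouts (`?url=<encoded>` and `/<token>/<encoded>`) are assumed stand-ins, not the vendors' real formats, and the harvest domain is replaced by a placeholder.

```python
# Added example (not from the original analysis): peel nested URL-protection
# wrappers offline to recover the real destination of a "rewritten" link.
# The wrapper shapes below (?url=<encoded> and /<token>/<encoded>) are assumed
# stand-ins; they are not the exact formats of Cisco's or Trend Micro's rewriters.
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, quote, unquote, urlparse

# Matches a URL prefix whether plain (https://) or percent-encoded (https%3A%2F%2F).
URL_RE = re.compile(r"https?(?::|%3A)(?:/|%2F){2}", re.IGNORECASE)

def unwrap_once(url: str) -> Optional[str]:
    """Return the URL embedded in one wrapper layer, or None if there is none."""
    parsed = urlparse(url)
    # Query-string style wrapper: ...?url=<encoded target>
    for values in parse_qs(parsed.query).values():
        for value in values:
            if URL_RE.match(value):
                return unquote(value)   # also handles a doubly-encoded inner URL
    # Path style wrapper: /<token>/https%3A%2F%2Ftarget
    path = unquote(parsed.path)
    match = URL_RE.search(path)
    return path[match.start():] if match else None

def resolve_chain(url: str, max_hops: int = 5) -> List[str]:
    """Follow wrapper layers without touching the network; return every hop."""
    hops = [url]
    while len(hops) <= max_hops:
        nxt = unwrap_once(hops[-1])
        if nxt is None or nxt == hops[-1]:
            break
        hops.append(nxt)
    return hops

def hover_vs_destination(url: str) -> Tuple[str, str]:
    """What the recipient sees on hover versus where the click actually lands."""
    chain = resolve_chain(url)
    return urlparse(chain[0]).hostname or "", urlparse(chain[-1]).hostname or ""

# Constructed sample: two rewriter hosts (placeholders for the two vendors on the
# page) wrapped around a placeholder for the credential-harvest page.
INNER = "https://phish.example/mm"
HOP2 = "https://clicktime.vendor-b.example/query?url=" + quote(INNER, safe="")
SAMPLE = "https://securelink.vendor-a.example/1a2b3c/" + quote(HOP2, safe="")

if __name__ == "__main__":
    for i, hop in enumerate(resolve_chain(SAMPLE)):
        print(f"hop {i}: {hop}")
    print("hover shows %s, click lands on %s" % hover_vs_destination(SAMPLE))
```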
The message's authentication results tell a split story. DKIM passed for alqadsiah[.]com. DMARC passed. SPF returned a softfail from the originating IP 46[.]225[.]7[.]226, which resolved to a PTR record at static[.]226[.]7[.]225[.]46[.]clients[.]your-server[.]de, a German hosting provider.
The ARC (Authenticated Received Chain) told a different story. At hop i=2, the ARC chain validation returned cv=fail. This means the authentication seal broke during transit, indicating the message was modified after the initial authentication checks. Microsoft assigned a Spam Confidence Level (SCL) of 5, which delivered the message to Junk rather than the inbox.
ARC failures are an underused detection signal. Many organizations do not act on them because ARC is not universally adopted and forwarding scenarios can produce legitimate failures. In this case, the ARC failure aligned with other anomalies: the SPF softfail, the brand mismatch between sender domain and visual content, and the first-time sender status. Individually, each signal is ambiguous. Together, they form a pattern.
Microsoft's native filtering caught the SCL signal and routed the message to Junk. IRONSCALES Adaptive AI flagged the email at 74% confidence with a Credential Theft label, applying inline mitigation across two affected mailboxes.
The detection was not based on the phishing domain's reputation (educargames[.]com was behind two redirect layers). It was based on behavioral correlation. The sender had no prior relationship with the recipient organization. The visual branding (Censinet) had no connection to the sender domain (alqadsiah[.]com). The signature identity (BWG Global) matched neither the visual header nor the sender. The CTA used urgency language with a document-signing lure. And across the IRONSCALES community of 35,000+ security professionals, similar triple-brand patterns had already been surfaced by other organizations.
The 74% confidence score reflects the challenge of this attack type. No single signal was definitive. The brand mismatch was unusual but not impossible in legitimate forwarded communications. The URL protection wrappers could have been applied by a recipient's own security stack. The ARC failure could have been a legitimate forwarding artifact. Behavioral AI operates on the aggregate weight of these signals, and in this case, the aggregate was sufficient for automated action before any user clicked.
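An added example (not IRONSCALES' detection code) of the aggregate-weight idea above: it parses constructed headers modelled on this message's results, flags the SPF softfail, the ARC cv=fail at i=2 and the mismatch between the sender domain and the brands shown in the header and signature, and scores them together. The weights, thresholds and placeholder domains are assumptions; DKIM and DMARC passes earn no credit because here they were genuine and still meaningless.

```python
# Added example (not IRONSCALES' code): correlate the individually weak signals
# the analysis lists into one verdict. Weights/thresholds are illustrative.
import re
from typing import Dict, List, Set, Tuple

# Constructed headers modelled on the page's results; domains are placeholders, seals elided.
RAW_HEADERS = (
    "From: Mohammed Ahmed <mohammed.ahmed@sender.example>\n"
    "Authentication-Results: spf=softfail smtp.mailfrom=sender.example;"
    " dkim=pass header.d=sender.example; dmarc=pass header.from=sender.example\n"
    "ARC-Seal: i=1; a=rsa-sha256; cv=none; d=relay1.example; s=s1; b=...\n"
    "ARC-Seal: i=2; a=rsa-sha256; cv=fail; d=relay2.example; s=s1; b=...\n"
)
WEIGHTS = {"spf_softfail": 15, "arc_fail": 20, "brand_mismatch": 30,
           "first_time_sender": 15, "docsign_lure": 20}

def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Lowercased name -> list of values, so repeated ARC-Seal lines survive."""
    out: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        name, _, value = line.partition(":")
        out.setdefault(name.strip().lower(), []).append(value.strip())
    return out

def auth_results(h: Dict[str, List[str]]) -> Dict[str, str]:
    """spf/dkim/dmarc verdicts pulled from Authentication-Results."""
    return {m.group(1): m.group(2) for ar in h.get("authentication-results", [])
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", ar)}

def arc_failed_hops(h: Dict[str, List[str]]) -> List[int]:
    """ARC instances (i=N) whose seal reports cv=fail."""
    return [int(m.group(1)) for seal in h.get("arc-seal", [])
            for m in [re.search(r"\bi=(\d+)", seal)]
            if m and re.search(r"\bcv=fail\b", seal)]

def assess(raw: str, brand_domains: Set[str], first_time: bool, docsign_lure: bool) -> Tuple[int, str, List[str]]:
    """Aggregate the signals; returns (score, verdict, names of fired signals)."""
    h = parse_headers(raw)
    # Brands shown in the header/signature should belong to the sending domain.
    m = re.search(r"@([\w.-]+)", h.get("from", [""])[0])
    sd = m.group(1).lower() if m else ""
    checks = (("spf_softfail", auth_results(h).get("spf") == "softfail"),
              ("arc_fail", bool(arc_failed_hops(h))),
              ("brand_mismatch", bool(sd) and not any(
                  b == sd or b.endswith("." + sd) for b in brand_domains)),
              ("first_time_sender", first_time), ("docsign_lure", docsign_lure))
    signals = [name for name, fired in checks if fired]
    score = sum(WEIGHTS[s] for s in signals)
    verdict = "credential_theft" if score >= 60 else "review" if score >= 30 else "clean"
    return score, verdict, signals
```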
This attack exploits a specific gap in how both humans and machines evaluate trust in email. A few adjustments address this pattern:
A hover preview showing cisco[.]com or trendmicro[.]com means the link has been rewritten, not that it has been cleared. Train users and tune detection logic accordingly.

| Type | Indicator | Context |
|---|---|---|
| Sender Domain | alqadsiah[.]com | Saudi football club, registered 2019, Cloudflare, privacy WHOIS |
| Sender Address | mohammed.ahmed@alqadsiah[.]com | Display name not specified in case data |
| Visual Branding | Censinet | Healthcare cybersecurity vendor logo in email header |
| Signature Identity | BWG Global / "[Named Contact]" | Business advisory firm signature block |
| Unsubscribe Domain | surveys[.]bwgglobal[.]com | BWG Global survey infrastructure |
| Phishing Domain | educargames[.]com/mm | Final credential harvest destination |
| Originating IP | 46[.]225[.]7[.]226 | PTR: static[.]226[.]7[.]225[.]46[.]clients[.]your-server[.]de (Germany) |
| URL Protection Hop | Cisco secure-web | URL rewrite wrapper in redirect chain |
| URL Protection Hop | TrendMicro URL protection | URL rewrite wrapper in redirect chain |

| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | DocuSign-themed credential harvest with redirect chain |
| Masquerading | T1036 | Triple brand identity layering across sender, header, and signature |
| User Execution: Malicious Link | T1204.001 | CTA designed to trigger click-through to credential capture page |