The Invoice That Spelled 'Approved' in Three Different Alphabets

The subject line read "(Ref INV/2026/00651) Approved." At first glance, perfectly ordinary. But the "N" in "INV" was a Greek capital Nu, and both "p" characters in "Approved" were Cyrillic Er. Three characters from three alphabets, assembled to look like a single English word. Keyword filters scanning for "invoice" or "approved" would never match.

The sender address was URL-encoded and routed through oer-reply@orvx[.]awsapps[.]com, a system-like address on Amazon WorkMail infrastructure. The message was sent via Amazon SES from IP 54[.]240[.]8[.]86, with SPF and DKIM passing cleanly. The body demanded immediate action: "process the full balance by Friday, 26 July 2024."

This is URL rewriting abuse layered on top of Unicode obfuscation, a combination that makes every detection layer work against its own assumptions.

Three Hops, Three Trusted Domains, One Harvesting Page

The "REVIEW DOCUMENT" button triggered a redirect chain that passed through three separate legitimate platforms before reaching the attacker's credential harvesting page.

The first hop landed on url-shield[.]securence[.]com, a URL scanning proxy operated by an email security vendor. The second hop redirected through trackcmp[.]net, ActiveCampaign's click-tracking infrastructure. The third hop routed through ct[.]sendgrid[.]net, SendGrid's click-tracking redirect service. Each domain in the chain carries strong reputation. URL scanners evaluating any individual hop would see a trusted service and move on.

This is the structural weakness of reputation-based URL scanning. Each redirect is evaluated in isolation. The security vendor's domain passes. The marketing platform's domain passes. The ESP's domain passes. The final destination, where the credential form actually lives, may never be evaluated at all if the scanner stops at an earlier hop.

The Quoted Thread That Built Trust

Below the CTA, the email included a quoted reply thread with a detailed signature block from De Montfort University, complete with a staff member's name, title, department, and contact information. The thread referenced prior correspondence about the invoice, creating the appearance of an ongoing business relationship.

This is ESP abuse at the infrastructure level combined with social engineering at the content level. The fabricated thread makes the email look like a continuation of legitimate communication, while the redirect chain launders the malicious URL through trusted intermediaries.

Adaptive AI flagged the message based on first-time sender signals, the mixed-script subject line anomaly, and the multi-hop redirect pattern that traversed three unrelated service providers. The behavioral convergence of these signals triggered high-risk classification before the recipient could click.

See Your Risk: Calculate how many threats your SEG is missing

Indicators of Compromise

MITRE ATT&CK Mapping