The subject line read "(Ref INV/2026/00651) Approved." At first glance, perfectly ordinary. But the "N" in "INV" was a Greek capital Nu (U+039D), and both "p" characters in "Approved" were Cyrillic Er (U+0440). Letters from three alphabets, Latin, Greek and Cyrillic, assembled to look like ordinary English. Keyword filters scanning for "invoice" or "approved" would never match, because the code points differ even though the rendered glyphs do not.
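The following is an added detection example, not code from the original analysis or from any vendor it mentions. It rebuilds the subject line with explicit code points, flags tokens whose letters come from more than one script, and shows why a naive keyword match fails while a match after folding known lookalikes succeeds. The confusables table is a small hand-picked subset (an assumption for illustration; a production filter would load Unicode's full confusables.txt), and the script-of-character heuristic derives the script from the Unicode character name because Python's `unicodedata` exposes no Script property.

```python
import re
import unicodedata

# The subject line from the analysis, rebuilt with explicit code points so the
# substitutions are visible: Greek capital Nu (U+039D) replaces the N in "INV",
# Cyrillic small Er (U+0440) replaces both p's in "Approved".
SUBJECT = "(Ref I\u039dV/2026/00651) A\u0440\u0440roved"

# Hand-picked subset of Unicode's confusables list (constructed for this example):
# Greek and Cyrillic letters that render like Latin ones, mapped to the Latin
# letter a reader perceives.
CONFUSABLES = {
    # Greek capitals and small omicron
    "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u0397": "H", "\u0399": "I",
    "\u039a": "K", "\u039c": "M", "\u039d": "N", "\u039f": "O", "\u03a1": "P",
    "\u03a4": "T", "\u03a7": "X", "\u03bf": "o",
    # Cyrillic capitals
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X",
    # Cyrillic small letters
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i",
}


def script_of(ch):
    """Script guessed from the first word of the character's Unicode name
    (LATIN, GREEK, CYRILLIC, ...). unicodedata has no Script property, so the
    name-based heuristic stands in for it; returns None for non-letters."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else None


def mixed_script_tokens(text):
    """Return (token, scripts) for every token whose letters span more than one
    script. Tokens are split on whitespace and the punctuation used in the
    subject line; digits carry no script and are ignored."""
    findings = []
    for token in re.findall(r"[^\s()/:]+", text):
        scripts = {s for s in map(script_of, token) if s}
        if len(scripts) > 1:
            findings.append((token, scripts))
    return findings


def fold_confusables(text):
    """Replace known lookalikes with their Latin counterpart so a keyword
    filter sees what the human reader saw."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def keyword_hit(text, keyword):
    """(naive substring match, match after folding) for a lowercase keyword."""
    return keyword in text.lower(), keyword in fold_confusables(text).lower()


if __name__ == "__main__":
    for token, scripts in mixed_script_tokens(SUBJECT):
        print(f"mixed-script token {token!r}: {sorted(scripts)}")
    print("folded subject:", fold_confusables(SUBJECT))
    print("keyword 'approved' naive/folded:", keyword_hit(SUBJECT, "approved"))
```

Flagging mixed scripts inside a single token is the cheaper and more general check: it needs no confusables table and catches substitutions the table does not list. Folding is what lets an existing keyword rule keep working once the anomaly is known.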
The sender address was URL-encoded and routed through oer-reply@orvx[.]awsapps[.]com, a system-like address on Amazon WorkMail infrastructure. The message was sent via Amazon SES from IP 54[.]240[.]8[.]86, with SPF and DKIM passing cleanly. The body demanded immediate action: "process the full balance by Friday, 26 July 2024."
This is URL rewriting abuse layered on top of Unicode obfuscation, a combination that makes every detection layer work against its own assumptions.
The "REVIEW DOCUMENT" button triggered a redirect chain that passed through three separate legitimate platforms before reaching the attacker's credential harvesting page.
The first hop landed on url-shield[.]securence[.]com, a URL scanning proxy operated by an email security vendor. The second hop redirected through trackcmp[.]net, ActiveCampaign's click-tracking infrastructure. The third hop routed through ct[.]sendgrid[.]net, SendGrid's click-tracking redirect service. Each domain in the chain carries strong reputation. URL scanners evaluating any individual hop would see a trusted service and move on.
This is the structural weakness of reputation-based URL scanning. Each redirect is evaluated in isolation. The security vendor's domain passes. The marketing platform's domain passes. The ESP's domain passes. The final destination, where the credential form actually lives, may never be evaluated at all if the scanner stops at an earlier hop.
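The following is an added example, not code from the original analysis or from any of the vendors named in it. It contrasts the per-hop reputation check described above with a resolver that walks the whole redirect chain and judges the final landing page. The redirect map is constructed to mirror the three hops from the analysis; the final destination is a placeholder on the reserved `.invalid` TLD, the `fetch_location` callable stands in for an HTTP request with automatic redirects disabled, and the `MAX_BENIGN_REDIRECTORS` threshold is an assumed tuning value.

```python
from urllib.parse import urlparse

# Constructed stand-in for the HTTP 3xx Location responses a click-tracking
# redirect returns. Hop domains are the ones from the analysis; the final
# destination is a placeholder on the reserved .invalid TLD, not a real site.
CONSTRUCTED_REDIRECTS = {
    "https://url-shield.securence.com/?u=HOP2": "https://trackcmp.net/click?x=HOP3",
    "https://trackcmp.net/click?x=HOP3": "https://ct.sendgrid.net/ls/click?upn=HOP4",
    "https://ct.sendgrid.net/ls/click?upn=HOP4": "https://account-review.example.invalid/sign-in",
}
START_URL = "https://url-shield.securence.com/?u=HOP2"

# Domains a reputation-only scanner would wave through on sight.
TRUSTED_REDIRECTORS = {"url-shield.securence.com", "trackcmp.net", "ct.sendgrid.net"}

# Assumed threshold: a link that crosses more than this many distinct
# third-party redirectors is unusual for a legitimate campaign link.
MAX_BENIGN_REDIRECTORS = 1


def hostname(url):
    return (urlparse(url).hostname or "").lower()


def resolve_chain(url, fetch_location=CONSTRUCTED_REDIRECTS.get, max_hops=10):
    """Follow Location headers hop by hop. `fetch_location(url)` returns the
    next URL, or None when the response is not a redirect; in production it
    would wrap a HEAD/GET with redirects disabled. Returns (chain, status)
    where status is 'terminal', 'loop' or 'hop_limit'."""
    chain = [url]
    seen = {url}
    while len(chain) <= max_hops:
        nxt = fetch_location(chain[-1])
        if nxt is None:
            return chain, "terminal"
        if nxt in seen:
            return chain, "loop"
        chain.append(nxt)
        seen.add(nxt)
    return chain, "hop_limit"


def verdict_first_hop_only(url):
    """The failure mode described in the analysis: judge the link by the
    reputation of the first domain and stop there."""
    return "allow" if hostname(url) in TRUSTED_REDIRECTORS else "inspect"


def verdict_full_chain(url, fetch_location=CONSTRUCTED_REDIRECTS.get):
    """Resolve to the landing page and judge the chain as a whole."""
    chain, status = resolve_chain(url, fetch_location)
    hosts = [hostname(u) for u in chain]
    final_host = hosts[-1]
    redirectors = sorted({h for h in hosts[:-1] if h in TRUSTED_REDIRECTORS})
    reasons = []
    if status != "terminal":
        reasons.append(f"chain did not terminate cleanly ({status})")
    if final_host not in TRUSTED_REDIRECTORS:
        reasons.append(f"final host {final_host} has no reputation on the allow list")
    if len(redirectors) > MAX_BENIGN_REDIRECTORS:
        reasons.append(f"link passes through {len(redirectors)} distinct trusted redirectors")
    return {
        "final_host": final_host,
        "hops": len(chain),
        "redirectors": redirectors,
        "verdict": "inspect" if reasons else "allow",
        "reasons": reasons,
    }


if __name__ == "__main__":
    print("first hop only:", verdict_first_hop_only(START_URL))
    print("full chain:    ", verdict_full_chain(START_URL))
```

The per-hop check returns "allow" because the first domain is a security vendor's own proxy; the full-chain check lands on an unknown host after three unrelated trusted redirectors and returns "inspect" with both reasons recorded. The loop and hop-limit statuses matter in practice: a redirector that never terminates is itself a signal, not a reason to fall back to the first-hop verdict.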
Below the CTA, the email included a quoted reply thread with a detailed signature block from De Montfort University, complete with a staff member's name, title, department, and contact information. The thread referenced prior correspondence about the invoice, creating the appearance of an ongoing business relationship.
This is ESP abuse at the infrastructure level combined with social engineering at the content level. The fabricated thread makes the email look like a continuation of legitimate communication, while the redirect chain launders the malicious URL through trusted intermediaries.
Adaptive AI flagged the message based on first-time sender signals, the mixed-script subject line anomaly, and the multi-hop redirect pattern that traversed three unrelated service providers. The behavioral convergence of these signals triggered high-risk classification before the recipient could click.
| Type | Indicator | Context |
|---|---|---|
| Sender Address | oer-reply@orvx[.]awsapps[.]com | URL-encoded, system-like sender via Amazon WorkMail |
| Sending IP | 54[.]240[.]8[.]86 | Amazon SES infrastructure |
| Redirect Hop 1 | url-shield[.]securence[.]com | Email security vendor URL scanning proxy |
| Redirect Hop 2 | trackcmp[.]net | ActiveCampaign click-tracking redirect |
| Redirect Hop 3 | ct[.]sendgrid[.]net | SendGrid click-tracking redirect |
| Subject Line | (Ref IΝV/2026/00651) Aррroved | Mixed-script: Greek Nu (Ν), Cyrillic Er (р) |
| Quoted Thread | De Montfort University signature block | Fabricated reply thread for social engineering |
| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | CTA button delivering credential harvesting via redirect chain |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Fabricated university thread and invoice branding |
| Obfuscated Files or Information | T1027 | Mixed-script Unicode substitution in subject line |
| Attack | What happened |
|---|---|
| The Phishing Link Encrypted Itself: OpenSSL Salted Base64 in the URL | A phishing email obfuscated its payload links using OpenSSL salted base64 encryption tokens. |
| How ARC Re-Signing and an IP Allow-List Turned Three Authentication Failures Into SCL -1 | A phishing email claiming to be a OneDrive share from an outlook.com address originated from a county government mail server. |
| When the Safety Wrapper Becomes the Disguise: Brazilian NF-e Phishing via Safe Links Rewrite | A Portuguese-language invoice lure authenticated through a compromised Brazilian domain used is.gd to hide its payload. |
| The Contract Email That Wasn't Spelled the Way You Think: Unicode Homoglyphs, a QR Code, and a Marketing Gateway | A phishing email combined Cyrillic homoglyphs and zero-width characters in the sender address, a QR code as the only CTA. |
| The Subdomain That Fused Two Trusted Brands Into One Convincing Lie | Attackers fused two real brand names into a single subdomain, routed the message through Zix infrastructure to inherit enterprise authentication. |