The email arrived at the finance department of a global industrial distributor and landed in the CFO's inbox. On the surface, it looked like a standard business intelligence newsletter: formatted HTML, corporate branding, recognizable logos, calls-to-action pointing to product pages. The sending domain passed authentication. The display name read as a known vendor.
One detail was off. The sending domain was entrpriseinsights[.]com, missing the second "e" in "enterprise."
That single omitted letter was the entire attack.
The Typosquat Infrastructure
The message was sent through a legitimate email marketing platform from the anteriad@email[.]entrpriseinsights[.]com address. Anteriad is a real B2B data and media company. The email was formatted to impersonate a newsletter from a recognizable vendor brand.
WHOIS data on entrpriseinsights[.]com shows the domain was registered in January 2018, with a registrant update in November 2025. The registrant data is privacy-protected. There is no public-facing website associated with the domain. The January 2018 registration date makes this a long-standing piece of infrastructure, not a freshly minted one-use domain. Long registration age reduces the chance of age-based blocking while the 2025 update suggests the attacker reactivated or reconfigured the domain for a new campaign.
Because the sending domain was properly configured with the email marketing platform's SPF and DKIM records, both checks passed cleanly. The only impersonation signal was visible to analysis that compared the sending domain character-by-character against the brand name it claimed to represent.
A CFO as the Intended Audience
The recipient was the CFO of a finance function within the distributor's organization. Finance executives are standard high-value targets in spear-phishing campaigns. Even where the initial email carries no immediate credential harvesting component, reaching a CFO inbox with a convincing impersonation serves several purposes for an attacker.
First, it validates the mailbox as active. The email marketing platform's tracking pixels (routed through px[.]anteriad[.]com) would record an open event, confirming the address is live and the recipient engaged. Second, it establishes a communication pattern. A CFO who receives and occasionally reads vendor newsletters from this "brand" may be more receptive to a follow-on message with a more aggressive payload. Third, if the CFO or a finance team member clicks through and submits a contact or inquiry form on the linked product pages, the attacker captures a confirmed identity.
In this case, the linked URLs resolved to what appeared to be legitimate product pages. No credential harvesting form was directly embedded in the email body. The domain and display name impersonation were the primary risk signals, consistent with a reconnaissance or trust-building phase rather than an immediate credential theft attempt.
The One-Letter Distance Between Legitimate and Attacker-Controlled
The distance between enterpriseinsights[.]com (a real domain) and entrpriseinsights[.]com (the attacker's domain) is a single character omission. In a display-name-forward email client view, where the full sending address is collapsed or truncated, that distinction disappears entirely. Most recipients see the display name. The sending address is secondary information that requires deliberate attention to verify.
This is not a novel technique. Typosquatting is well-documented and widely used. The specificity here is the combination: a domain registered years in advance (reducing age-based detection), a real B2B marketing platform used for delivery (ensuring authentication passes), and a high-value executive as the specific target. The attack was patient, methodical, and designed to look exactly like the ambient noise of business marketing communications that finance teams receive every week.
Themis, the IRONSCALES Adaptive AI engine, flagged this message through the combination of display name impersonation against a known vendor brand and the character-distance mismatch between the sending domain and the referenced brand identity. The impersonation flag (is_impersonation=true) was set based on that domain proximity analysis, even though no individual authentication check raised an alarm.
Defensive Notes for Finance Teams
Defenders should add fuzzy domain matching to their inbound email analysis, specifically looking for domains that differ by one or two characters from known vendor names. WHOIS age alone is insufficient, because long-registered domains can be reactivated. The combination of a privacy-protected registrant, no public web presence, and a domain within an edit distance of one from a known brand is a meaningful risk cluster.
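The fuzzy domain check described here, and the domain-proximity plus display-name logic that flagged the message in the sections above, as an added example (not IRONSCALES code). It assumes a small constructed list of known vendor domains and accepts the defanged `[.]` notation used in this write-up.

```python
from typing import Optional

# Constructed vendor list for this example; a deployment would use the
# organization's own list of known vendor domains.
KNOWN_VENDOR_DOMAINS = {"enterpriseinsights.com", "anteriad.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(address: str) -> str:
    """Last two labels of the sender host: email.entrpriseinsights.com -> entrpriseinsights.com.
    Defanged '[.]' is accepted. Assumes no multi-label suffixes (co.uk) among the vendors."""
    host = address.rsplit("@", 1)[-1].replace("[.]", ".").lower()
    return ".".join(host.split(".")[-2:])


def nearest_vendor(domain: str, max_distance: int = 2) -> Optional[tuple]:
    """Closest known vendor within max_distance edits as (vendor, distance), else None."""
    hits = [(v, levenshtein(domain, v)) for v in KNOWN_VENDOR_DOMAINS]
    hits = [h for h in hits if h[1] <= max_distance]
    return min(hits, key=lambda h: h[1]) if hits else None


def brand_in_display_name(display_name: str) -> Optional[str]:
    """Vendor whose brand label (first label of its domain) appears in the display name."""
    name = display_name.lower()
    for vendor in KNOWN_VENDOR_DOMAINS:
        if vendor.split(".")[0] in name:
            return vendor
    return None


def assess(display_name: str, sender: str, spf_pass: bool, dkim_pass: bool) -> dict:
    """Flag impersonation from domain proximity and display-name/brand mismatch,
    independently of whether SPF and DKIM passed for the sending domain."""
    domain = registrable_domain(sender)
    near = nearest_vendor(domain)
    claimed = brand_in_display_name(display_name)
    lookalike = near is not None and near[1] > 0               # near a vendor, but not it
    name_mismatch = claimed is not None and claimed != domain  # brand in name, other domain
    return {
        "domain": domain,
        "nearest_vendor": near,
        "auth_passed": spf_pass and dkim_pass,
        "is_impersonation": lookalike or name_mismatch,
    }
```

Run against the sender from this case, `assess("Anteriad", "anteriad@email[.]entrpriseinsights[.]com", True, True)` reports `auth_passed` True and `is_impersonation` True, with `enterpriseinsights.com` at distance 1.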
Finance leaders should also be aware that a vendor newsletter that appears low-risk may function as the first stage of a targeted campaign. Confirming that a CFO mailbox is reachable and the executive opens this category of email is actionable intelligence for the next step.
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Sending Domain | entrpriseinsights[.]com | Typosquat of "enterpriseinsights" (missing second "e") |
| Sender Address | anteriad@email[.]entrpriseinsights[.]com | Impersonates Anteriad B2B marketing brand |
| Tracking Domain | px[.]anteriad[.]com | Legitimate Anteriad tracking pixel (not attacker-controlled) |
| WHOIS: Registered | 2018-01-02 | Long-aged domain; registrant data privacy-protected |
| WHOIS: Updated | 2025-11-03 | Reactivation or reconfiguration before campaign |
MITRE ATT&CK Mapping
| Technique | ID | Relevance |
|---|---|---|
| Acquire Infrastructure: Domains | T1583.001 | Typosquat domain registered 7+ years in advance, reactivated |
| Impersonation | T1656 | Display name and domain impersonate known B2B vendor brand |
| Phishing: Spearphishing Link | T1566.002 | CFO targeted via ESP-delivered newsletter with tracking infrastructure |