Threat Intelligence

One Missing Letter in the Sending Domain, One High-Value CFO in the Crosshairs

Written by Audian Paxson | Aug 11, 2025 11:00:00 AM
TL;DR A marketing newsletter was sent to a CFO via a typosquatted domain that dropped a single letter from 'enterpriseinsights', making it 'entrpriseinsights.com'. The message passed authentication checks, carried real corporate branding, and used a legitimate email marketing platform. The CFO target and display name impersonation were the primary risk signals. No credential harvesting form appeared in the body, but the infrastructure was purpose-built for deception.
Severity: Medium
Tags: Typosquatting, Impersonation, CFO Targeting
MITRE ATT&CK: T1583.001 Acquire Infrastructure: Domains; T1656 Impersonation; T1566.002 Phishing: Spearphishing Link

The email arrived at the finance department of a global industrial distributor and landed in the CFO's inbox. On the surface, it looked like a standard business intelligence newsletter: formatted HTML, corporate branding, recognizable logos, calls-to-action pointing to product pages. The sending domain passed authentication. The display name read as a known vendor.

One detail was off. The sending domain was entrpriseinsights[.]com, missing the second "e" in "enterprise."

That single omitted letter was the entire attack.

The Typosquat Infrastructure

The message was sent through a legitimate email marketing platform from the address anteriad@email[.]entrpriseinsights[.]com. Anteriad is a real B2B data and media company, and the email was formatted to impersonate a newsletter from that recognizable vendor brand.

WHOIS data on entrpriseinsights[.]com shows the domain was registered in January 2018, with a registrant update in November 2025. The registrant data is privacy-protected, and there is no public-facing website associated with the domain. The January 2018 registration date makes this long-standing infrastructure, not a freshly minted single-use domain. Long registration age reduces the chance of age-based blocking, while the 2025 update suggests the attacker reactivated or reconfigured the domain for a new campaign.

Because the sending domain was properly configured with the email marketing platform's SPF and DKIM records, both checks passed cleanly. That is the expected outcome, not a failure of the checks: SPF and DKIM only verify that the message was authorized by the domain named in the envelope and signature, entrpriseinsights[.]com, not that this domain belongs to the brand it resembles. The impersonation signal was visible only to analysis comparing the sending domain character by character against the brand name it claimed to represent.

A CFO as the Intended Audience

The recipient was the CFO, within the distributor's finance function. Finance executives are standard high-value targets in spear-phishing campaigns. Even when the initial email carries no immediate credential-harvesting component, reaching a CFO inbox with a convincing impersonation serves several purposes for an attacker.

First, it validates the mailbox as active. The email marketing platform's tracking pixels (routed through px[.]anteriad[.]com) would record an open event, confirming the address is live and the recipient engaged. Second, it establishes a communication pattern. A CFO who receives and occasionally reads vendor newsletters from this "brand" may be more receptive to a follow-on message with a more aggressive payload. Third, if the CFO or a finance team member clicks through and submits a contact or inquiry form on the linked product pages, the attacker captures a confirmed identity.

In this case, the linked URLs resolved to what appeared to be legitimate product pages. No credential harvesting form was directly embedded in the email body. The domain and display name impersonation were the primary risk signals, consistent with a reconnaissance or trust-building phase rather than an immediate credential theft attempt.

The One-Letter Distance Between Legitimate and Attacker-Controlled

The distance between enterpriseinsights[.]com (a real domain) and entrpriseinsights[.]com (the attacker's domain) is a single character omission. In a display-name-forward email client view, where the full sending address is collapsed or truncated, that distinction disappears entirely. Most recipients see the display name. The sending address is secondary information that requires deliberate attention to verify.

This is not a novel technique. Typosquatting is well-documented and widely used. The specificity here is the combination: a domain registered years in advance (reducing age-based detection), a real B2B marketing platform used for delivery (ensuring authentication passes), and a high-value executive as the specific target. The attack was patient, methodical, and designed to look exactly like the ambient noise of business marketing communications that finance teams receive every week.

Themis, the IRONSCALES Adaptive AI engine, flagged this message through the combination of display name impersonation against a known vendor brand and the character-distance mismatch between the sending domain and the referenced brand identity. The impersonation flag (is_impersonation=true) was set based on that domain proximity analysis, even though no individual authentication check raised an alarm.


Defensive Notes for Finance Teams

Defenders should add fuzzy domain matching to their inbound email analysis, specifically looking for sending domains that differ by one or two characters from known vendor domains. WHOIS age alone is insufficient, because long-registered domains can be reactivated. The combination of a privacy-protected registrant, no public web presence, and a domain that resembles a known brand within an edit distance of one is a meaningful risk cluster.
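As an added example (not code from the IRONSCALES post or from the Themis engine), the following Python script implements the fuzzy domain matching described above, together with the display-name-plus-domain-distance combination that set the impersonation flag earlier in the post. The message headers, the vendor allow-list, and the WHOIS and website inputs are constructed for the example; the registrable_label helper assumes single-label public suffixes, which is an assumption a production deployment should replace with the Public Suffix List.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message. The headers are illustrative; they are not the
# real headers captured in the incident described above.
SAMPLE_EMAIL = """\
From: Anteriad Enterprise Insights <anteriad@email.entrpriseinsights.com>
To: cfo@example-distributor.test
Subject: Enterprise Insights: Industrial Distribution Outlook
Authentication-Results: mx.example-distributor.test;
 spf=pass smtp.mailfrom=email.entrpriseinsights.com;
 dkim=pass header.d=email.entrpriseinsights.com
Content-Type: text/html

<html><body><p>Read the latest report.</p></body></html>
"""

# Vendor brands the organization legitimately receives mail from, keyed by the
# registrable label of each vendor's real domain. Constructed allow-list.
KNOWN_BRANDS = {
    "enterpriseinsights": "Enterprise Insights",
    "anteriad": "Anteriad",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance counting insertions, deletions and substitutions."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label: 'email.entrpriseinsights.com' -> 'entrpriseinsights'.
    Assumption: single-label public suffixes only; use the Public Suffix List
    in production so that names like example.co.uk are handled."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def nearest_brand(label: str, max_distance: int = 2):
    """Closest known brand label within max_distance edits, or None.
    Exact matches are excluded: those are the vendor's own domain."""
    best = None
    for brand_label in KNOWN_BRANDS:
        d = levenshtein(label, brand_label)
        if 0 < d <= max_distance and (best is None or d < best[1]):
            best = (brand_label, d)
    return best


def analyze(raw_message: str, whois_privacy: bool, has_website: bool) -> dict:
    """Score one inbound message. whois_privacy and has_website are supplied by
    the caller (from a WHOIS lookup and a web probe) so the example runs offline."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1]
    label = registrable_label(domain)

    # SPF/DKIM results describe the sending domain only; a pass says nothing
    # about whether that domain is the brand the reader assumes.
    auth = msg.get("Authentication-Results", "")
    auth_passed = "spf=pass" in auth and "dkim=pass" in auth

    near = nearest_brand(label)
    # Display name borrows a known brand while the domain is a near miss.
    display_uses_brand = any(
        name.lower() in display_name.lower() for name in KNOWN_BRANDS.values()
    )
    is_impersonation = near is not None

    # Risk cluster from the text: near-miss domain + privacy-protected
    # registrant + no public web presence.
    if near is None:
        risk = "low"
    elif whois_privacy and not has_website:
        risk = "high"
    else:
        risk = "medium"

    return {
        "sending_domain": domain,
        "sending_label": label,
        "auth_passed": auth_passed,
        "nearest_brand": near,
        "display_uses_brand": display_uses_brand,
        "is_impersonation": is_impersonation,
        "risk": risk,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_EMAIL, whois_privacy=True, has_website=False)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the constructed message, the script reports auth_passed as true and is_impersonation as true at the same time, which is the whole point: authentication and brand resemblance are independent questions. Swapping the typosquat back to enterpriseinsights in the From header makes nearest_brand return None and the risk drop to low, so the allow-list itself never trips the check.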

Finance leaders should also be aware that a vendor newsletter that appears low-risk may function as the first stage of a targeted campaign. Confirming that a CFO mailbox is reachable and that the executive opens this category of email is actionable intelligence for the attacker's next step.

Indicators of Compromise

Type              | Indicator                                    | Context
Sending Domain    | entrpriseinsights[.]com                      | Typosquat of "enterpriseinsights" (missing second "e")
Sender Address    | anteriad@email[.]entrpriseinsights[.]com     | Impersonates Anteriad B2B marketing brand
Tracking Domain   | px[.]anteriad[.]com                          | Legitimate Anteriad tracking pixel (not attacker-controlled)
WHOIS: Registered | 2018-01-02                                   | Long-aged domain; registrant data privacy-protected
WHOIS: Updated    | 2025-11-03                                   | Reactivation or reconfiguration before campaign

MITRE ATT&CK Mapping

Technique                           | ID        | Relevance
Acquire Infrastructure: Domains     | T1583.001 | Typosquat domain registered 7+ years in advance, then reactivated
Impersonation                       | T1656     | Display name and domain impersonate a known B2B vendor brand
Phishing: Spearphishing Link        | T1566.002 | CFO targeted via ESP-delivered newsletter with tracking infrastructure

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
