One Letter Swap, One Stolen Payment: A Reply-To Typosquat That Beat the Spam Score

TL;DR An invoice payment diversion attack used a typosquatted Reply-To domain, leadsavingsofmissuori[.]com, transposing two adjacent letters in 'Missouri' to create a nearly identical domain. Despite Microsoft assigning an SCL score of 8 and flagging the embedded link as mixed/malicious, the email still delivered. The attack combined social engineering urgency with a 'Contact Us' link pointing to attacker infrastructure. Themis identified the behavioral anomaly between the envelope sender and the Reply-To domain, quarantining the message before any payment action occurred.
Severity: High | Tags: BEC, Invoice Fraud | MITRE: T1566.002, T1036.005

Swap two adjacent letters in a state name and you get a domain that looks right at a glance, passes casual inspection, and routes every reply straight to an attacker's mailbox. That is exactly what happened in April 2026, when IRONSCALES flagged an invoice payment diversion attempt targeting a U.S. financial services firm.

The Reply-To domain was leadsavingsofmissuori[.]com. The legitimate domain was leadsavingsofmissouri[.]com. The difference: the adjacent "o" and "u" in "Missouri" are swapped, producing "Missuori." No letter is added or dropped; the same eight characters appear in a slightly different order, which is exactly why the eye skates over it. That single transposition was the entire technical investment required to intercept a payment conversation.

Typosquatting is not a new technique. But its persistence in Business Email Compromise (BEC) campaigns reflects how effective it remains. The FBI IC3 2024 Annual Report recorded $2.9 billion in BEC losses, and domain impersonation remains the most common delivery mechanism. According to the Verizon 2024 Data Breach Investigations Report, 68% of breaches involved a human element, with pretexting and social engineering driving the majority of financial fraud.

A Spam Score of 8, and It Still Landed

Microsoft assigned this email an SCL (Spam Confidence Level) of 8. On Exchange Online's 0 to 9 scale, 5 or 6 is spam and 7 to 9 is high confidence spam; the default anti-spam policy sends both to the Junk Email folder. An 8 is therefore a confident verdict, not a borderline one. The platform's own content analysis also flagged the embedded "Contact Us" link as mixed/malicious.

And the email still delivered.

This is the gap between scoring and enforcement. SCL is an assessment, not a verdict. A mail flow rule that sets SCL to -1 (bypass spam filtering), a domain on the tenant's allowed senders list, or a user's Safe Senders entry can each override what the filter recommended. In environments where invoice communications flow heavily through email, aggressive filtering risks blocking legitimate payment correspondence, so exactly these exceptions get created for vendor and finance traffic. Attackers know this. They specifically target financial communication workflows because those workflows demand permissive delivery policies.

The Microsoft Digital Defense Report 2024 noted that BEC actors increasingly exploit the operational tension between security controls and business continuity. Organizations that relax filtering rules for financial communications create exactly the delivery window these campaigns need.

The Anatomy of a One-Letter Redirect

The email arrived with a generic invoice payment subject line and minimal body content. No attachments. No credential harvesting links in the traditional sense. The social engineering played out across two vectors.

First, the Reply-To header. Every reply the recipient sent would land in the attacker's inbox at leadsavingsofmissuori[.]com, not the legitimate Missouri-based organization. The attacker's next move would be a politely worded request to update payment details, redirect a wire transfer, or confirm a new bank account. Standard BEC playbook.

Second, a "Contact Us" link embedded in the body. Microsoft's link analysis classified it as mixed/malicious, which means the URL pointed to infrastructure with indicators of compromise. This provided a secondary channel: if the recipient clicked instead of replying, they would reach attacker-controlled infrastructure directly.

The combination is deliberate. Reply-To captures passive responses. The embedded link captures active engagement. Either path leads to the attacker.


Why Traditional Filters Miss the Letter Swap

Reputation-based detection struggles with typosquat domains because they are often newly registered, have no sending history (positive or negative), and are used for a single campaign before being discarded. Authentication does not help either. The attacker owns leadsavingsofmissuori[.]com, so they can publish a valid SPF record, sign with DKIM, and pass DMARC for it; those checks only prove that the mail genuinely came from the domain it claims, which here is precisely what the attacker wants. And none of them examines Reply-To at all: DMARC alignment is evaluated against the From header, so a Reply-To pointing anywhere is invisible to it. The domain is technically clean.

Fuzzy domain matching, where filters compare incoming domains against a list of known-good domains for visual similarity, helps in some cases. But it requires that the legitimate domain is already in the comparison set; for a regional financial services organization, that domain may never have been registered as a protected brand. It also has to be tuned to the right edit type: plain Levenshtein distance scores an adjacent swap as two substitutions, so a matcher with a threshold of one edit misses "missuori" unless it counts a transposition as a single edit.

The MITRE ATT&CK framework classifies the lookalike domain under T1036.005 (Masquerading: Match Legitimate Name or Location); the embedded malicious URL is T1566.002 (Phishing: Spearphishing Link), since T1566.001 covers spearphishing attachments and this message carried none. Both techniques exploit the gap between what automated filters evaluate (authentication, reputation, content patterns) and what they cannot evaluate (intent, context, relationship history).

The Behavioral Signal That Caught It

Themis, the IRONSCALES Adaptive AI, flagged this message based on a cluster of behavioral indicators: a first-time sender to this recipient, a Reply-To domain that differed from the From domain by a single character, and an invoice payment pretext targeting a role with financial authority. None of those signals individually would block a message. Together, they formed a pattern that content-based filtering alone would never assemble.
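The checks described in this section, together with the Reply-To/From mismatch from the anatomy section and the transposition caveat under fuzzy matching, as an added Python example. This is illustrative code written for this post, not IRONSCALES or Themis code. The two domains are the post's indicators; the mailboxes, recipient, client IP, URL, body text, X-Forefront-Antispam-Report value, sender history and pretext vocabulary are constructed, and the quarantine rule is the example's own judgment call.

```python
"""Reply-To typosquat triage over a constructed BEC message.

Added example, not IRONSCALES/Themis code. It combines the signals the post
describes: a Reply-To domain one edit (including an adjacent swap) away from
the From domain, a first-time sender, an invoice pretext, and the SCL that
Microsoft already stamped on the message.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from typing import Dict, Optional, Set

# Constructed message modelled on the post's indicators. Only the two domains
# come from the post; the mailboxes, recipient, IP, URL and body are invented.
RAW_MESSAGE = b"""\
From: Accounts Payable <ap@leadsavingsofmissouri.com>
Reply-To: Accounts Payable <ap@leadsavingsofmissuori.com>
To: controller@example-firm.test
Subject: Invoice payment - action required
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;SCL:8;SRV:;IPV:NLI;SFV:SPM
Content-Type: text/plain; charset=utf-8

Please confirm the attached invoice is scheduled for payment. For any
questions, Contact Us at https://example-attacker.test/contact
"""

# Constructed history: addresses this recipient has corresponded with before.
KNOWN_SENDERS: Set[str] = {"ar@leadsavingsofmissouri.com", "billing@vendor.test"}

# Financial-pretext vocabulary; a real deployment would tune this per tenant.
INVOICE_PRETEXT = re.compile(r"\b(invoice|payment|wire|remit(?:tance)?|bank account)\b", re.I)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment (restricted Damerau-Levenshtein) distance.

    Insertion, deletion, substitution and an adjacent-character swap each cost
    1. Plain Levenshtein scores 'missouri' vs 'missuori' as 2 substitutions;
    counting the swap as one edit is what lets a threshold of 1 catch it.
    """
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,            # deletion
                          d[i][j - 1] + 1,            # insertion
                          d[i - 1][j - 1] + cost)     # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[len(a)][len(b)]


def domain_of(header_value: Optional[str]) -> str:
    """Domain part of the first address in a From/Reply-To header, lowercased."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def scl_of(msg) -> Optional[int]:
    """SCL that Exchange Online recorded in X-Forefront-Antispam-Report, if any."""
    m = re.search(r"\bSCL:(-?\d+)", msg.get("X-Forefront-Antispam-Report", ""))
    return int(m.group(1)) if m else None


def analyze(raw: bytes, known_senders: Set[str]) -> Dict[str, object]:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_addr = parseaddr(msg["From"] or "")[1].lower()
    from_domain = domain_of(msg["From"])
    # A message without Reply-To replies to From, so treat that as a match.
    reply_domain = domain_of(msg["Reply-To"]) or from_domain

    body = msg.get_body(preferencelist=("plain",))
    text = (msg["Subject"] or "") + " " + (body.get_content() if body else "")

    dist = osa_distance(from_domain, reply_domain)
    signals: Dict[str, object] = {
        "scl": scl_of(msg),
        # Near-miss only: an identical domain is normal, and an unrelated one
        # (a ticketing system, say) is a different question from a lookalike.
        "reply_to_lookalike": reply_domain != from_domain and dist <= 1,
        "reply_to_edit_distance": dist,
        "first_time_sender": from_addr not in known_senders,
        "invoice_pretext": bool(INVOICE_PRETEXT.search(text)),
    }
    # Judgment call for this example: a lookalike Reply-To alone is suspicious
    # but not conclusive; combined with a first contact or a payment pretext
    # it is the pattern the post describes, and the message is held.
    hold = signals["reply_to_lookalike"] and (
        signals["first_time_sender"] or signals["invoice_pretext"])
    signals["verdict"] = "quarantine" if hold else "deliver"
    return signals


if __name__ == "__main__":
    for key, value in analyze(RAW_MESSAGE, KNOWN_SENDERS).items():
        print(f"{key:24} {value}")
```

Run against the constructed message, every signal fires and the verdict is quarantine. The same message with Reply-To set equal to From is delivered: a first contact carrying an invoice subject is simply what a new vendor looks like, and the rule only holds mail when the lookalike Reply-To is present.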

The message was quarantined before the recipient could reply or click.

Across the IRONSCALES global community of over 35,000 security professionals, typosquat-based BEC campaigns remain one of the most reported attack types. The IBM Cost of a Data Breach 2024 report found that BEC-initiated breaches carried an average cost of $4.88 million, with organizations that lacked AI-based detection taking 75 days longer to contain the incident.

Indicators of Compromise

Type | Indicator | Context
Reply-To Domain | leadsavingsofmissuori[.]com | Typosquatted domain (adjacent "o" and "u" in Missouri swapped)
Legitimate Domain | leadsavingsofmissouri[.]com | Impersonated organization
Link Classification | Mixed/Malicious | Microsoft classification of embedded "Contact Us" link
SCL Score | 8 | High confidence spam, still delivered
MITRE Technique | T1036.005 | Masquerading: Match Legitimate Name or Location
MITRE Technique | T1566.002 | Phishing: Spearphishing Link

What One Letter Costs

The attacker registered one domain, composed one email, and waited for one reply. The entire operation costs less than $15 and takes under an hour to execute. The potential payout, if a single invoice payment diverts, can reach six figures.

Organizations running DMARC monitoring should add typosquat surveillance for variants of their own domain: DMARC reports cover abuse of the exact domain you publish a policy for and say nothing about a registration one edit away. But the defensive priority is clear: behavioral analysis that evaluates Reply-To mismatches, first-time sender patterns, and financial pretext indicators at the point of delivery. Authentication protocols verify infrastructure. They do not verify intent. And for a one-letter domain swap, intent is the only thing that separates a legitimate email from a stolen payment.
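The typosquat surveillance suggested above, as an added Python example (not IRONSCALES code, and not a substitute for a full permutation tool): it enumerates the single-edit neighbours of a protected domain so they can be diffed against a new-registration or certificate transparency feed. The protected domain is the one from this post; the choice of edit classes and the tab-separated output format are the example's own.

```python
"""Single-edit lookalike variants of a protected domain for registration monitoring.

Added example, not IRONSCALES code. DMARC reports only ever concern the exact
domain you publish a policy for; this generates the neighbours one edit away
that a monitoring feed (new registrations, certificate transparency, passive
DNS) should be checked against. The protected domain below is the one from
the post; the edit classes are the example's own choice.
"""
from typing import Dict, List

PROTECTED_DOMAIN = "leadsavingsofmissouri.com"


def lookalike_variants(domain: str) -> Dict[str, str]:
    """Map each one-edit neighbour of the registrable label to its edit class.

    Three classes a human reader glosses over: adjacent transposition (the
    case in this post), omission, and repetition. Substitutions and homoglyphs
    would widen the set considerably and are deliberately left out here.
    """
    label, _, tld = domain.lower().rpartition(".")
    variants: Dict[str, str] = {}

    def add(candidate: str, kind: str) -> None:
        if candidate != label:                 # swapping "ss" is a no-op; skip it
            variants.setdefault(f"{candidate}.{tld}", kind)

    for i in range(len(label) - 1):            # swap label[i] and label[i+1]
        add(label[:i] + label[i + 1] + label[i] + label[i + 2:], "transposition")
    for i in range(len(label)):                # drop label[i]
        add(label[:i] + label[i + 1:], "omission")
    for i in range(len(label)):                # double label[i]
        add(label[:i] + label[i] + label[i:], "repetition")
    return variants


def watchlist(domain: str) -> List[str]:
    """Sorted 'variant<TAB>class' lines, ready to diff against a registration feed."""
    return [f"{v}\t{k}" for v, k in sorted(lookalike_variants(domain).items())]


if __name__ == "__main__":
    for line in watchlist(PROTECTED_DOMAIN):
        print(line)
```

The attacker's domain from this post falls out of the transposition pass; a domain that actually dropped the "o" would come from the omission pass. Any line of the watchlist that appears in a registration feed is worth a WHOIS lookup and a pre-emptive block on Reply-To and From.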

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 30,000+ security professionals. Each post breaks down one attack — what it looked like, why it worked, and what you can do about it.

