TL;DR The attacker registered a domain one character off from a legitimate commercial lender (extra 's' in the company name), configured it as a sending identity in Salesforce Marketing Cloud (ExactTarget), and sent a personalized line-of-credit approval email. SPF passed for the typosquat domain. DKIM passed with a valid signature aligned to the typosquat domain. DMARC passed. CompAuth returned reason=100. Microsoft scored it SCL=9 with SFTY:9.25, flagging it as high-confidence spam, but authentication alone provided no grounds for rejection. Pardot tracking links (go[.]pardot[.]com) redirected to the real lender's website, and display text in the email showed the legitimate domain. The reply-to address pointed back to the typosquat domain. Themis flagged the recipient as a VIP at 50% confidence.
Severity: High | Tags: Credential Harvesting, Brand Impersonation | MITRE ATT&CK: T1566.002 Phishing: Spearphishing Link; T1036.005 Masquerading: Match Legitimate Name or Location; T1583.001 Acquire Infrastructure: Domains

A line-of-credit approval email arrived at a mid-size industrial company. The subject referenced a specific LOC approval. The sender's display name matched a known sales representative at a commercial lending firm, and the from address looked right at a glance. It was not right. The domain contained one extra letter, an additional "s" buried in the middle of the company name. That single character was the entire attack.

Full Authentication on a Fake Domain

The typosquat domain was registered and configured as a sending identity in Salesforce Marketing Cloud (ExactTarget). The message was transmitted through akz220[.]mta[.]exacttarget[.]com at IP 128[.]245[.]247[.]220. SPF passed. DKIM passed with a signature aligned to the typosquat domain. DMARC passed. CompAuth returned reason=100, the highest confidence score.

Microsoft's own heuristics scored the message SCL=9 with a safety tip of SFTY:9.25, flagging it as high-confidence spam. But authentication told the opposite story. Every protocol designed to verify sender legitimacy confirmed the message was authorized, and that is exactly what those protocols check: the attacker controlled the typosquat domain's DNS, so publishing an SPF record for the ExactTarget relay and a DKIM key was routine, and DMARC alignment is satisfied whenever the From domain matches the domain that SPF and DKIM validated. The contradiction highlights a persistent gap: authentication validates that a domain authorized a message, not that the domain itself is trustworthy or that it is the domain the recipient thinks it is.

Pardot Links That Pointed to the Real Site

The email contained Pardot tracking links routed through go[.]pardot[.]com, a Salesforce-owned domain. Those links redirected to the legitimate lender's website at a /quote/ path. The display text in the email showed the real company's domain. A recipient checking the visible link text would see the correct URL. Only inspection of the underlying HTML would reveal the Pardot redirect chain originating from the typosquat domain's marketing instance.

This is a deliberate layering technique. The attacker did not need a fake landing page. The goal was to establish credibility through a real destination while routing the initial engagement (clicks, opens, reply) through infrastructure tied to the typosquat domain. The reply-to address pointed to the same typosquat domain, meaning any response would go directly to the attacker.
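The display-text trick described above (visible link text shows the real lender's domain while the href goes through go[.]pardot[.]com) can be caught mechanically. The following is an added example, not IRONSCALES code or anything from the post: it parses the anchors in an HTML body and flags any link whose visible text names a different registrable domain than the href host. The HTML sample is constructed for the example, and the Pardot path in it is a placeholder.

```python
"""Flag HTML links whose visible text names a different domain than the href host.

Added example; the SAMPLE_HTML below is constructed, and the go.pardot.com
path in it is a placeholder, not a real tracking link.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Something that looks like a hostname inside visible link text, e.g.
# "northshorescapital.com/quote/" -> group(1) = "northshorescapital.com".
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def registrable(host):
    """Crude eTLD+1 (last two labels). Fine for .com samples; use a public
    suffix list in production so that co.uk-style suffixes are handled."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def find_text_href_mismatches(html):
    """Return links whose visible text shows one domain but whose href
    actually resolves to a different registrable domain."""
    findings = []
    for href, text in extract_links(html):
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https"):
            continue  # mailto:, tel:, etc. carry no host to compare
        shown = DOMAIN_RE.search(text)
        if not shown:
            continue  # "Click here" style text makes no claim about a domain
        shown_domain = shown.group(1).lower()
        actual_host = (parsed.hostname or "").lower()
        if registrable(shown_domain) != registrable(actual_host):
            findings.append({"shown": shown_domain, "actual_host": actual_host, "href": href})
    return findings


# Constructed sample body: one mismatched Pardot-style link, one honest link,
# one link whose text names no domain at all.
SAMPLE_HTML = """
<p>Your line of credit has been approved.</p>
<a href="https://go.pardot.com/l/PLACEHOLDER/redirect">northshorescapital.com/quote/</a>
<a href="https://northshorescapital.com/quote/">www.northshorescapital.com</a>
<a href="https://go.pardot.com/l/PLACEHOLDER/unsub">Click here</a>
"""

if __name__ == "__main__":
    for f in find_text_href_mismatches(SAMPLE_HTML):
        print(f"text shows {f['shown']} but link goes to {f['actual_host']}: {f['href']}")
```

Only the first anchor is reported; the second is consistent and the third makes no domain claim in its text. A mismatch is not proof of phishing (legitimate ESPs wrap links the same way), but combined with a first-time sender it is the kind of signal worth surfacing in a quarantine review.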


What Behavioral Detection Sees

Themis flagged the recipient as a VIP and scored the message at 50% confidence. Four mailboxes were quarantined. The signals that triggered detection were not authentication failures (there were none) but behavioral indicators: a first-time sender using a domain visually similar to a known vendor, combined with a financial action request directed at a high-value recipient.

The attacker did everything right from an authentication standpoint. The domain was properly configured. The ESP was legitimate. The DKIM signature was valid. The links pointed to real infrastructure. What the attacker could not fake was the relationship history between the sender and the recipient's organization, the kind of context that only emerges from longitudinal mailbox-level analysis.

What to Watch For

When a financial action request arrives from a first-time sender with full authentication pass, inspect the domain character by character. Verify that the sending domain matches your known vendor list and that reply-to addresses resolve to the same domain on file, not a near-identical variant.
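The check above, and the earlier point that SPF, DKIM and DMARC passes do not clear a lookalike domain, can be expressed as a small header triage routine. This is an added example, not IRONSCALES or Themis logic: it parses From, Reply-To and Authentication-Results, measures the sender domain's edit distance from a known-vendor list, and holds the message when a near-identical domain comes from a first-time sender. The vendor list, the sender history, the financial keyword list and the raw message are all constructed for the example; the authentication values in the sample mirror what the post reports.

```python
"""Header triage for authenticated lookalike-domain senders.

Added example. KNOWN_VENDOR_DOMAINS, SEEN_SENDERS, FINANCIAL_TERMS and
SAMPLE_MESSAGE are constructed inputs, not data from any real mailbox.
"""
import re
from email import message_from_string
from email.utils import parseaddr

KNOWN_VENDOR_DOMAINS = {"northshorescapital.com"}      # the vendor list on file (assumed)
SEEN_SENDERS = {"rep@northshorescapital.com"}          # constructed mailbox history
FINANCIAL_TERMS = ("line of credit", "loc approval", "wire", "invoice", "payment")


def levenshtein(a, b):
    """Edit distance; one or two edits between two domains is the typosquat zone."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def auth_results(msg):
    """Pull spf=/dkim=/dmarc=/compauth= verdicts out of Authentication-Results."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc|compauth)=(\w+)", hdr, re.I):
            results[method.lower()] = verdict.lower()
    return results


def assess(raw, known=KNOWN_VENDOR_DOMAINS, seen=SEEN_SENDERS):
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", "")) or from_dom
    auth = auth_results(msg)
    findings = []

    # Character-level comparison against every vendor on file.
    lookalike = None
    for vendor in sorted(known):
        d = levenshtein(from_dom, vendor)
        if 0 < d <= 2:
            lookalike = vendor
            findings.append(f"sender domain {from_dom} is {d} edit(s) from known vendor {vendor}")

    if reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    if lookalike and reply_dom not in known:
        findings.append("reply-to resolves to the lookalike, not the vendor domain on file")

    first_time = from_addr not in seen
    if first_time:
        findings.append("first-time sender for this mailbox")

    subject = msg.get("Subject", "").lower()
    if any(term in subject for term in FINANCIAL_TERMS):
        findings.append("financial action request in subject")

    # Full authentication is recorded, but deliberately does not clear the message.
    fully_authenticated = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    verdict = "hold_for_review" if (lookalike and first_time) else "deliver"
    return {
        "from_domain": from_dom,
        "reply_to_domain": reply_dom,
        "fully_authenticated": fully_authenticated,
        "auth": auth,
        "lookalike_of": lookalike,
        "findings": findings,
        "verdict": verdict,
    }


# Constructed message; the authentication results mirror the values the post reports.
SAMPLE_MESSAGE = """\
From: Amy Campbell <amy.campbell@northsshorescapitals.com>
Reply-To: amy.campbell@northsshorescapitals.com
To: cfo@industrial-company.example
Subject: Your line of credit approval
Authentication-Results: spf=pass (sender IP is 128.245.247.220) smtp.mailfrom=northsshorescapitals.com; dkim=pass (signature was verified) header.d=northsshorescapitals.com; dmarc=pass action=none header.from=northsshorescapitals.com; compauth=pass reason=100
Content-Type: text/plain

Your LOC has been approved. Reply to this message to confirm.
"""

if __name__ == "__main__":
    result = assess(SAMPLE_MESSAGE)
    print(result["verdict"], "| authenticated:", result["fully_authenticated"])
    for line in result["findings"]:
        print(" -", line)
```

The sample is held even though every authentication check passed, because the decision keys on what the attacker could not control: the two-character distance from a vendor already on file and the absence of any prior mail from that address. A message from the real vendor domain takes the "deliver" path on the same logic.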

Indicators of Compromise

Type | Indicator | Context
Typosquat Domain | northsshorescapitals[.]com | One extra "s" in company name
Legitimate Domain | northshorescapital[.]com | Real commercial lender
Sender Email | amy.campbell@northsshorescapitals[.]com | From address on typosquat domain
Reply-To | amy.campbell@northsshorescapitals[.]com | Reply-to on typosquat domain
ESP Relay | akz220[.]mta[.]exacttarget[.]com | Salesforce Marketing Cloud MTA
Sending IP | 128[.]245[.]247[.]220 | ExactTarget sending IP
Tracking Domain | go[.]pardot[.]com | Pardot tracking redirect
Redirect Target | northshorescapital[.]com/quote/ | Legitimate lender's quote page

MITRE ATT&CK Mapping

Technique | ID | Relevance
Phishing: Spearphishing Link | T1566.002 | Pardot tracking links to legitimate site as credibility layer
Masquerading: Match Legitimate Name or Location | T1036.005 | Display name impersonation of known sales representative
Acquire Infrastructure: Domains | T1583.001 | Purpose-registered typosquat domain with ESP integration

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
