A line-of-credit approval email arrived at a mid-size industrial company. The subject referenced a specific LOC approval. The sender's display name matched a known sales representative at a commercial lending firm, and the from address looked right at a glance. It was not right. The domain contained one extra letter, an additional "s" buried in the middle of the company name. That single character was the entire attack.
The typosquat domain was registered and configured as a sending identity in Salesforce Marketing Cloud (ExactTarget). The message was transmitted through akz220[.]mta[.]exacttarget[.]com at IP 128[.]245[.]247[.]220. SPF passed. DKIM passed with a signature aligned to the typosquat domain. DMARC passed. CompAuth returned reason=100, the highest confidence score.
Microsoft's own heuristics scored the message SCL=9 with a safety tip of SFTY:9.25, flagging it as high-confidence spam. But authentication told the opposite story. Every protocol designed to verify sender legitimacy confirmed the message was authorized. The contradiction highlights a persistent gap: authentication validates that a domain authorized a message, not that the domain itself is trustworthy.
The email contained Pardot tracking links routed through go[.]pardot[.]com, a Salesforce-owned domain. Those links redirected to the legitimate lender's website at a /quote/ path. The display text in the email showed the real company's domain. A recipient checking the visible link text would see the correct URL. Only inspection of the underlying HTML would reveal the Pardot redirect chain originating from the typosquat domain's marketing instance.
This is a deliberate layering technique. The attacker did not need a fake landing page. The goal was to establish credibility through a real destination while routing the initial engagement (clicks, opens, reply) through infrastructure tied to the typosquat domain. The reply-to address pointed to the same typosquat domain, meaning any response would go directly to the attacker.
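The display-text/href mismatch described above can be caught mechanically. The following Python is an added example, not code from the original post or from the vendor: it walks the anchors in a message's HTML body, derives the host shown in the visible link text and the host the `href` actually points at, and reports the pairs whose registrable domains differ. The sample HTML, including the Pardot path and tracking id, is constructed for the example, and `registrable()` is a deliberately crude two-label heuristic standing in for a public suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body modelled on the case above (not the original message).
SAMPLE_HTML = """
<p>Your line of credit has been approved. Review the terms here:</p>
<a href="https://go.pardot.com/e/000000/quote/EXAMPLE-TRACKING-ID">northshorescapital.com/quote/</a>
<p>Questions? <a href="https://go.pardot.com/e/000000/contact/EXAMPLE-TRACKING-ID">Click here</a>
to reach your representative.</p>
<p><a href="https://www.example-bank.com/login">www.example-bank.com/login</a></p>
"""

# Visible text that a reader would take for a URL: optional scheme, optional www., a dotted host,
# optional path. "Click here" deliberately does not match, so it is never compared.
_DOMAIN_TEXT = re.compile(
    r"^(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/?#].*)?$", re.I
)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def displayed_host(text):
    """Host a recipient would read from the link text, or None if the text is not URL-like."""
    m = _DOMAIN_TEXT.match(text.strip())
    return m.group(1).lower() if m else None


def registrable(host):
    # Crude stand-in for a public suffix lookup: keep the last two labels (assumption).
    return ".".join(host.lower().split(".")[-2:])


def find_mismatched_links(html):
    """Return every anchor whose visible domain differs from the domain the href resolves to."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        actual_host = urlparse(href).hostname
        visible_host = displayed_host(text)
        if not actual_host or not visible_host:
            continue  # nothing to compare: no host in href, or text like "Click here"
        if registrable(actual_host) != registrable(visible_host):
            findings.append({
                "text": text,
                "href": href,
                "visible_host": visible_host,
                "actual_host": actual_host.lower(),
            })
    return findings


if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_HTML):
        print(f"shown as {f['visible_host']!r} but goes to {f['actual_host']!r}: {f['href']}")
```

On the constructed sample this reports only the first anchor: the visible text names the lender's domain while the `href` host is `go.pardot.com`. "Click here" is skipped because there is no displayed domain to contradict, and the third anchor is consistent. A mismatch on its own is not proof of phishing (legitimate marketing mail wraps links the same way), which is why the signal is best combined with the sender-domain checks discussed later.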
Themis flagged the recipient as a VIP and scored the message at 50% confidence. Four mailboxes were quarantined. The signals that triggered detection were not authentication failures (there were none) but behavioral indicators: a first-time sender using a domain visually similar to a known vendor, combined with a financial action request directed at a high-value recipient.
The attacker did everything right from an authentication standpoint. The domain was properly configured. The ESP was legitimate. The DKIM signature was valid. The links pointed to real infrastructure. What the attacker could not fake was the relationship history between the sender and the recipient's organization, the kind of context that only emerges from longitudinal mailbox-level analysis.
When a financial action request arrives from a first-time sender with full authentication pass, inspect the domain character by character. Verify that the sending domain matches your known vendor list and that reply-to addresses resolve to the same domain on file, not a near-identical variant.
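One way to implement that check, as an added example rather than the article's or the detection product's own logic: parse the `Authentication-Results`, `From` and `Reply-To` headers, confirm that the DKIM signing domain aligns with the From domain (here it does, which is exactly why authentication stays silent), then compare the From domain against the vendor domains on file using an edit-distance threshold and confirm the reply-to lands on the domain on file rather than a near-identical variant. The sample headers, the `KNOWN_VENDOR_DOMAINS` set and the threshold of two edits are constructed assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Vendor domains on file (constructed; a real list comes from the vendor master / AP records).
KNOWN_VENDOR_DOMAINS = {"northshorescapital.com"}

# Constructed headers modelled on the case above; not the original message.
SAMPLE_HEADERS = """\
From: "Amy Campbell" <amy.campbell@northsshorescapitals.com>
Reply-To: amy.campbell@northsshorescapitals.com
To: finance@example.com
Subject: LOC approval
Authentication-Results: spf=pass (sender IP is 128.245.247.220) smtp.mailfrom=northsshorescapitals.com; dkim=pass (signature was verified) header.d=northsshorescapitals.com; dmarc=pass action=none header.from=northsshorescapitals.com; compauth=pass reason=100

"""


def levenshtein(a, b):
    """Edit distance: the cost of turning a into b with single-character edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Lower-cased domain part of an address header, or None if there is no address."""
    addr = parseaddr(header_value)[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else None


def parse_auth_results(value):
    """Extract method=result pairs plus the DKIM d= domain and composite-auth reason code."""
    results = {m.group(1): m.group(2) for m in re.finditer(r"\b(spf|dkim|dmarc|compauth)=(\w+)", value)}
    dk = re.search(r"header\.d=([\w.-]+)", value)
    results["dkim_domain"] = dk.group(1).lower() if dk else None
    reason = re.search(r"reason=(\d+)", value)
    results["compauth_reason"] = reason.group(1) if reason else None
    return results


def assess(raw_message, known_vendors=KNOWN_VENDOR_DOMAINS, max_distance=2):
    """Authentication plus lookalike and reply-to checks for a first-time sender."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From", ""))
    # RFC 5322: no Reply-To means replies go to the From address.
    reply_domain = domain_of(msg.get("Reply-To", "")) or from_domain
    auth = parse_auth_results(msg.get("Authentication-Results", ""))

    auth_all_pass = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    dkim_aligned = auth.get("dkim_domain") is not None and auth["dkim_domain"] == from_domain

    # Character-level comparison: a domain within max_distance edits of a vendor on file,
    # but not equal to it, is a lookalike regardless of how authentication scored.
    lookalike_of = None
    if from_domain and from_domain not in known_vendors:
        for vendor in sorted(known_vendors):
            if 0 < levenshtein(from_domain, vendor) <= max_distance:
                lookalike_of = vendor
                break

    if from_domain in known_vendors:
        verdict = "known-vendor"
    elif lookalike_of:
        verdict = "lookalike-vendor-domain"
    else:
        verdict = "unknown-sender"

    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "auth_all_pass": auth_all_pass,
        "dkim_aligned": dkim_aligned,
        "compauth_reason": auth.get("compauth_reason"),
        "lookalike_of": lookalike_of,
        "reply_to_matches_vendor": reply_domain in known_vendors,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_HEADERS).items():
        print(f"{key:24} {value}")
```

Run against the constructed headers, every authentication field passes and DKIM aligns, yet the verdict is `lookalike-vendor-domain` with `reply_to_matches_vendor` false: the two facts the protocols cannot see (distance two from a vendor on file, replies routed off that vendor's domain) are the ones that decide. Keep the threshold small; at three or more edits short vendor names start colliding with unrelated domains.
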
| Type | Indicator | Context |
|---|---|---|
| Typosquat Domain | northsshorescapitals[.]com | One extra "s" in company name |
| Legitimate Domain | northshorescapital[.]com | Real commercial lender |
| Sender Email | amy.campbell@northsshorescapitals[.]com | From address on typosquat domain |
| Reply-To | amy.campbell@northsshorescapitals[.]com | Reply-to on typosquat domain |
| ESP Relay | akz220[.]mta[.]exacttarget[.]com | Salesforce Marketing Cloud MTA |
| Sending IP | 128[.]245[.]247[.]220 | ExactTarget sending IP |
| Tracking Domain | go[.]pardot[.]com | Pardot tracking redirect |
| Redirect Target | northshorescapital[.]com/quote/ | Legitimate lender's quote page |

| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | Pardot tracking links to legitimate site as credibility layer |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Display name impersonation of known sales representative |
| Acquire Infrastructure: Domains | T1583.001 | Purpose-registered typosquat domain with ESP integration |