The sender address read "contracts" at first glance. It was not. The local-part mixed Cyrillic characters with Latin ones and embedded zero-width joiners between letter pairs, producing a string that renders identically to "contracts" in every mail client but matches no blocklist entry, regex, or string rule written for the Latin spelling. The domain, yesmax[.]fr, was registered in April 2023 through IONOS SE with privacy-protected WHOIS. The message passed SPF, DKIM, and DMARC cleanly through Brevo marketing infrastructure.
Three evasion layers. One email. Zero scannable links.
The From header displayed "Melody Marsh | Contracts" with an obfuscated address at yesmax[.]fr. Five characters in the local-part were Cyrillic substitutions, and three zero-width joiners (U+200D) were inserted between letter boundaries. That combination defeats any matcher that compares the raw string: regex filters, domain-pair rules, display-name blocklists, and substring searches written for the Latin spelling never see "contracts". The characters render identically in Outlook, Gmail, Apple Mail, and every mobile client, so a human reviewer sees nothing either. Only a Unicode code-point inspection reveals the manipulation: stripping zero-width characters, flagging a local-part that mixes Latin and Cyrillic letters, or folding confusable characters to a skeleton and comparing that skeleton to the expected spelling.
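What that code-point inspection looks like in practice, as an added example (not the page's or any vendor's code): the local-part below is constructed to match the description, five Cyrillic letters and three U+200D joiners standing in for "contracts", and the confusable table is a hand-picked subset of the Unicode UTS #39 confusables data, an assumption rather than the full list.

```python
import unicodedata

# Invisible format characters: they render as nothing but break exact matching.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00ad"}

# Partial Cyrillic-to-Latin confusable map. Assumption: a hand-picked subset of
# the UTS #39 confusables table, enough for this demonstration.
CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0445": "x", "\u0443": "y", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u051d": "w",
}

# Constructed local-part: c o n t r a c t s with Cyrillic es, o, a, es, dze at
# positions 0, 1, 5, 6, 8 and three zero-width joiners between letter pairs.
SAMPLE_LOCAL = "\u0441\u043e\u200dnt\u200dr\u0430\u0441\u200dt\u0455"


def script_of(ch):
    """Coarse script from the Unicode character name, e.g. 'LATIN' or 'CYRILLIC'."""
    if ch in ZERO_WIDTH or not ch.isalpha():
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def skeleton(text):
    """Strip invisibles, apply NFKC, then fold confusables to their Latin look-alikes."""
    visible = "".join(ch for ch in text if ch not in ZERO_WIDTH)
    folded = unicodedata.normalize("NFKC", visible)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def analyze_local_part(local):
    """Return the signals a filter should log: invisibles, script mix, skeleton, code points."""
    scripts = {script_of(ch) for ch in local} - {"COMMON"}
    return {
        "zero_width": sum(ch in ZERO_WIDTH for ch in local),
        "cyrillic": sum(script_of(ch) == "CYRILLIC" for ch in local),
        "scripts": scripts,
        "mixed_script": len(scripts) > 1,
        "skeleton": skeleton(local),
        "codepoints": [f"U+{ord(ch):04X}" for ch in local if ord(ch) > 0x7F],
    }


def is_lookalike(local, target):
    """True when the local-part renders like `target` but is not byte-identical to it."""
    return local != target and skeleton(local) == target.lower()


if __name__ == "__main__":
    for key, value in analyze_local_part(SAMPLE_LOCAL).items():
        print(f"{key:>13}: {value}")
    print("lookalike of 'contracts':", is_lookalike(SAMPLE_LOCAL, "contracts"))
```

The skeleton comparison is what turns a homoglyph address back into something an exact-match rule can catch; a production filter would load the full UTS #39 confusables table instead of the short map above, and would treat a mixed-script local-part as a signal on its own, since legitimate mailbox names are almost never written in two alphabets.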
The email was relayed through smtp-relay[.]sendinblue[.]com and tracking infrastructure at hb[.]d[.]sender-sib[.]com (IP 77[.]32[.]148[.]28). DKIM was signed with selector brevo2 under yesmax[.]fr. Because Brevo is a legitimate marketing platform and the signing key was published under yesmax[.]fr itself, every check passed and DMARC aligned with the From domain, so the authentication stack treated this as an authorized commercial send. That is all these checks can say: SPF, DKIM, and DMARC establish that the domain owner authorized the message, not that the domain owner is honest or that the display name is real.
The message contained no clickable links in the body. The sole call to action was a QR code image, which concealed the destination URL from any gateway or email security tool that inspects hyperlinks in HTML source but does not decode embedded images; until something renders the image and decodes the code, the URL exists only as pixels. A 1x1 tracking pixel loaded from a sendibt2[.]com redirector subdomain confirmed to the sender that the mailbox was active and the message had been rendered.
The subject line stated "Review and Sign: Service Agreement," but the body referenced "reporting files available for internal review." This content mismatch is consistent with a recycled phishing kit whose subject-line template was not updated to match the body payload. Microsoft's own scoring flagged the message at SCL=5 (SFV:SPM), a spam verdict; under the default Exchange Online Protection anti-spam policy that routes the message to the Junk Email folder rather than to quarantine, so it was not quarantined by default.
Every static check passed. The authentication was legitimate for the domain that sent it. The sender address looked correct. The QR code could not be evaluated without image decoding. The signals that separated this message from a real contract notification were behavioral: a first-time sender with no prior relationship, a subject-body content mismatch, and a QR code as the only call to action with no inline links. These are the patterns that Adaptive AI evaluates when authentication and content scanning see nothing wrong. Themis flagged the message and it was quarantined from the mailbox automatically.
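The behavioral signals above can be scored from the raw message without a vendor product. The following is an added example, not the page's or any vendor's code: it parses a constructed .eml whose headers and body follow the shape described (illustrative values, with example.com standing in for the real domain), reads Authentication-Results and the Microsoft antispam verdict, and scores first-time sender, QR-only call to action, subject/body mismatch, and a non-ASCII sender address. The known-sender set, the weights, and the threshold are assumptions.

```python
import re
from email import message_from_string

# Assumption: domains this organization has exchanged mail with before.
KNOWN_SENDERS = {"partner.example", "vendor.example"}

# Constructed sample, not the captured message: header and body shape follow the
# write-up, values are illustrative, example.com stands in for the sending domain.
SAMPLE_EML = """\
From: "Melody Marsh | Contracts" <c\u043entracts@example.com>
Subject: Review and Sign: Service Agreement
Authentication-Results: spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=example.com; dkim=pass (signature was verified) header.d=example.com; dmarc=pass action=none header.from=example.com
X-Forefront-Antispam-Report: CIP:192.0.2.10;CTRY:FR;LANG:en;SCL:5;SRV:;IPV:NLI;SFV:SPM;CAT:SPM
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Reporting files are available for internal review.</p>
<p>Scan the code below to access them.</p>
<img src="cid:qr@example.com" width="200" height="200">
<img src="http://track.example/px.gif" width="1" height="1">
</body></html>
--b1
Content-Type: image/png; name="qr.png"
Content-ID: <qr@example.com>
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""

STOPWORDS = {"and", "the", "a", "an", "of", "for", "to", "your", "our", "is", "are"}


def auth_results(msg):
    """Map spf/dkim/dmarc to their verdicts from the Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    return {m.lower(): v.lower() for m, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def antispam_verdict(msg):
    """Return (SCL, SFV) from X-Forefront-Antispam-Report, or (None, None) if absent."""
    report = msg.get("X-Forefront-Antispam-Report", "")
    scl = re.search(r"SCL:(\d+)", report)
    sfv = re.search(r"SFV:(\w+)", report)
    return (int(scl.group(1)) if scl else None, sfv.group(1) if sfv else None)


def text_and_image_parts(msg):
    """Concatenate text parts and count image/* MIME parts (an inline QR code lives there)."""
    text, images = "", 0
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            raw = part.get_payload(decode=True) or b""
            text += raw.decode(part.get_content_charset() or "utf-8", "replace")
        elif part.get_content_maintype() == "image":
            images += 1
    return text, images


def subject_body_gap(subject, body):
    """Fraction of subject keywords that never appear in the body (1.0 = none of them do)."""
    body_words = set(re.findall(r"[a-z]+", re.sub(r"<[^>]+>", " ", body).lower()))
    keywords = [w for w in re.findall(r"[a-z]+", subject.lower()) if w not in STOPWORDS]
    if not keywords:
        return 0.0
    return sum(w not in body_words for w in keywords) / len(keywords)


def triage(raw_eml, known_senders=KNOWN_SENDERS):
    """Score the behavioral signals; authentication passing deliberately adds nothing."""
    msg = message_from_string(raw_eml)
    from_header = msg.get("From", "")
    bracketed = re.search(r"<([^>]+)>", from_header)
    addr = bracketed.group(1) if bracketed else from_header.strip()
    domain = addr.rpartition("@")[2].lower()
    body, images = text_and_image_parts(msg)
    links = len(re.findall(r"<a\s[^>]*href=", body, re.I))
    auth = auth_results(msg)
    scl, sfv = antispam_verdict(msg)
    signals = {
        "auth_pass": all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")),
        "first_time_sender": domain not in known_senders,
        "non_ascii_sender": any(ord(ch) > 0x7F for ch in addr),
        "qr_only_cta": links == 0 and images > 0,
        "subject_body_gap": subject_body_gap(msg.get("Subject", ""), body),
        "scl": scl,
        "sfv": sfv,
    }
    # Weights and threshold are assumptions for the example.
    score = (2 * signals["first_time_sender"] + 2 * signals["qr_only_cta"]
             + 2 * signals["non_ascii_sender"] + (signals["subject_body_gap"] >= 0.5)
             + ((scl or 0) >= 5))
    signals["score"] = int(score)
    signals["verdict"] = "quarantine" if score >= 5 else "deliver"
    return signals
```

Run `triage(SAMPLE_EML)` and the constructed message scores 8 and lands on "quarantine" even though `auth_pass` is true; a known sender with an ordinary hyperlink and a subject that matches its body scores 0. The point of leaving authentication out of the weights is the one the write-up makes: a clean SPF/DKIM/DMARC result from a marketing relay is exactly what this message was designed to produce.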
| Type | Indicator | Context |
|---|---|---|
| Sending Domain | yesmax[.]fr | Registered 2023-04-04, IONOS SE, privacy-protected WHOIS |
| Sending Relay | smtp-relay[.]sendinblue[.]com | Brevo marketing gateway |
| Tracking Host | hb[.]d[.]sender-sib[.]com | Brevo tracking infrastructure |
| Sending IP | 77[.]32[.]148[.]28 | Brevo relay IP |
| Image Host | sendibt2[.]com | 1x1 tracking pixel redirector subdomain |
| DKIM Selector | brevo2 | Signing domain: yesmax[.]fr |
| Auth Results | SPF: pass, DKIM: pass, DMARC: pass | Full authentication via marketing gateway |
| SCL/SFV | SCL=5 / SFV:SPM | Microsoft flagged as spam, not quarantined |
| Payload | QR code image (no inline links) | Destination URL concealed from URL scanners |

| Technique | ID | Relevance |
|---|---|---|
| Masquerading: Match Legitimate Name or Location | T1036.005 | Cyrillic homoglyphs in sender address mimic "contracts" |
| Phishing: Spearphishing Link | T1566.002 | QR code delivers concealed phishing URL |
| Obfuscated Files or Information | T1027 | Zero-width characters and Unicode substitution defeat string matching |