Every Link Said U.S. Bank. Every Link Went Through Brevo.

The email carried U.S. Bank logos, regulatory footer text ("Equal Housing Lender. Member FDIC."), and links that appeared to point to usbank.com. The CTA invited the recipient to "Open Shared File" for a "secured attachment." It looked like a financial institution notification. It was sent from info@lawyerlegion[.]com.

SPF, DKIM, and DMARC all passed. For lawyerlegion[.]com, not for U.S. Bank. The DMARC policy on the sender domain was p=none, meaning no enforcement action would be taken even if authentication had failed. The message was transmitted through Brevo (formerly Sendinblue) infrastructure at gi[.]d[.]sender-sib[.]com (77[.]32[.]148[.]9).

The Links That Lied

Every link in the email displayed text suggesting usbank.com as the destination. Every link actually routed through baijdege[.]r[.]bh[.]d[.]sendibt3[.]com, a Brevo tracking redirect domain. This is how ESP abuse works at the link level: the platform's click-tracking system rewrites all URLs through its own redirect infrastructure, and the attacker controls both the visible anchor text and the redirect destination.

A recipient who hovered over the link would see the Brevo redirect URL, not usbank.com. But hovering is not default behavior for most users. What they see is anchor text that reads like a legitimate bank URL, embedded in an email with authentic bank branding. The gap between what the email displays and where the link actually goes is the entire attack.

A Template Running on Autopilot

The email body contained duplicated template blocks, sections of identical HTML repeated in the message, suggesting a mass-distribution kit with incomplete variable substitution. Low-quality template text and 1x1 tracking pixels were embedded throughout. No attachments accompanied the message despite the "shared file" pretext. The "secured attachment" existed only as a CTA leading through the redirect chain.

This is not a sophisticated campaign. It is a volume play. The branding is good enough to pass a quick glance. The impersonation relies on U.S. Bank's visual identity (logos, footer, color scheme) rather than technical spoofing of the bank's actual domain. The attacker does not need to compromise usbank.com when a p=none domain and Brevo's infrastructure provide a fully authenticated sending path.

See Your Risk: Calculate how many threats your SEG is missing

The Mismatch That Mattered

Authentication told the truth here, just not the truth the recipient needed. SPF, DKIM, and DMARC confirmed that lawyerlegion[.]com authorized this message through Brevo. They said nothing about whether the content was legitimately from U.S. Bank.

Themis flagged the brand/sender domain mismatch: U.S. Bank branding sent from a legal directory domain, a "shared file" CTA with no actual attachment, and link destinations inconsistent with the impersonated institution. The email was quarantined based on the behavioral pattern, not the authentication result.

Indicators of Compromise

MITRE ATT&CK Mapping