The email carried U.S. Bank logos, regulatory footer text ("Equal Housing Lender. Member FDIC."), and links that appeared to point to usbank.com. The CTA invited the recipient to "Open Shared File" for a "secured attachment." It looked like a financial institution notification. It was sent from info@lawyerlegion[.]com.
SPF, DKIM, and DMARC all passed. For lawyerlegion[.]com, not for U.S. Bank. The DMARC policy on the sender domain was p=none, meaning no enforcement action would be taken even if authentication had failed. The message was transmitted through Brevo (formerly Sendinblue) infrastructure at gi[.]d[.]sender-sib[.]com (77[.]32[.]148[.]9).
Every link in the email displayed text suggesting usbank.com as the destination. Every link actually routed through baijdege[.]r[.]bh[.]d[.]sendibt3[.]com, a Brevo tracking redirect domain. This is how ESP abuse works at the link level: the platform's click-tracking system rewrites all URLs through its own redirect infrastructure, and the attacker controls both the visible anchor text and the redirect destination.
A recipient who hovered over the link would see the Brevo redirect URL, not usbank.com. But hovering is not default behavior for most users. What they see is anchor text that reads like a legitimate bank URL, embedded in an email with authentic bank branding. The gap between what the email displays and where the link actually goes is the entire attack.
The email body contained duplicated template blocks, sections of identical HTML repeated in the message, suggesting a mass-distribution kit with incomplete variable substitution. Low-quality template text and 1x1 tracking pixels were embedded throughout. No attachments accompanied the message despite the "shared file" pretext. The "secured attachment" existed only as a CTA leading through the redirect chain.
This is not a sophisticated campaign. It is a volume play. The branding is good enough to pass a quick glance. The impersonation relies on U.S. Bank's visual identity (logos, footer, color scheme) rather than technical spoofing of the bank's actual domain. The attacker does not need to compromise usbank.com when a p=none domain and Brevo's infrastructure provide a fully authenticated sending path.
Authentication told the truth here, just not the truth the recipient needed. SPF, DKIM, and DMARC confirmed that lawyerlegion[.]com authorized this message through Brevo. They said nothing about whether the content was legitimately from U.S. Bank.
Themis flagged the brand/sender domain mismatch: U.S. Bank branding sent from a legal directory domain, a "shared file" CTA with no actual attachment, and link destinations inconsistent with the impersonated institution. The email was quarantined based on the behavioral pattern, not the authentication result.
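The distinction the analysis draws, who authenticated the message, who it claims to be, and where its links go, can be turned into a simple check. The code below is an added example, not IRONSCALES or Themis code; it runs over a constructed Authentication-Results header and HTML body modelled on this message's indicators, and the brand domain, the crude two-label domain extraction and the sample values are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the indicators in this write-up (not the real message).
SAMPLE_HEADERS = {"Authentication-Results": (
    "mx.example.net; spf=pass smtp.mailfrom=lawyerlegion.com; "
    "dkim=pass header.d=lawyerlegion.com; dmarc=pass header.from=lawyerlegion.com")}
SAMPLE_HTML = """<p>A secured attachment is waiting for you.</p>
<a href="https://baijdege.r.bh.d.sendibt3.com/tr/cl/abc123">https://www.usbank.com/secure/share</a>
<a href="https://baijdege.r.bh.d.sendibt3.com/tr/cl/def456">Open Shared File</a>"""

class LinkCollector(HTMLParser):  # collects (visible anchor text, href) pairs
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def registered_domain(host):
    # Crude eTLD+1 (last two labels); enough for the .com hosts used here
    return ".".join(host.lower().split(".")[-2:]) if host else ""

def analyze(headers, html, brand_domain):
    """Separate who authenticated the mail from who it claims to be and where its links go."""
    ar = headers.get("Authentication-Results", "")
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar))
    m = re.search(r"header\.from=([\w.-]+)", ar)
    from_domain = m.group(1).lower() if m else ""
    collector = LinkCollector()
    collector.feed(html)
    mismatches = []
    for text, href in collector.links:
        dest = registered_domain(urlparse(href).hostname)
        shown = re.search(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", text.lower())
        # Flag links whose visible text names a domain other than the real destination
        if shown and registered_domain(shown.group(1)) != dest:
            mismatches.append((text, dest))
    return {"auth": auth, "authenticated_domain": from_domain,
            "brand_sender_mismatch": registered_domain(from_domain) != brand_domain,
            "link_mismatches": mismatches}
```

For the sample, all three authentication results are "pass" for lawyerlegion.com while the brand check and the first link's display-versus-destination check both fail, which is the pattern the message shows.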

| Type | Indicator | Context |
|---|---|---|
| Sender | info@lawyerlegion[.]com | Display name impersonated a banking contact |
| Sending IP | 77[.]32[.]148[.]9 | Brevo/Sendinblue infrastructure (gi[.]d[.]sender-sib[.]com) |
| Redirect Domain | baijdege[.]r[.]bh[.]d[.]sendibt3[.]com | Brevo click-tracking redirect (all links routed here) |
| Brand Impersonated | U.S. Bank | Logos, regulatory footer text, link anchor text |
| DMARC Policy | p=none | lawyerlegion[.]com, no enforcement |

| Technique | ID | Context |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | "Open Shared File" CTA routing through Brevo redirect chain |
| Establish Accounts: Web Services | T1583.006 | Brevo/Sendinblue account used as authenticated sending and redirect platform |
| Masquerading: Match Legitimate Name or Location | T1036.005 | U.S. Bank logos, regulatory footer, and link text impersonating usbank.com |

| Attack | What happened |
|---|---|
| The Aeroplan Bonus That Came From a Consumer ISP in Melbourne and Landed on a Staging Platform | A spoofed Air Canada Aeroplan email failed SPF, had no DKIM, and was sent from a consumer ISP in Melbourne. |
| The IRONSCALES Agreement Email That Came From Brazil and Left Canva's Fingerprints Everywhere | An email impersonating IRONSCALES referenced a shared agreement file and used IRONSCALES logos, but was sent from a Brazilian domain via Amazon SES. |
| Three Domains, Two Brands, One Frankenphish: The DocuSign Lure That Led to Mailchimp | A DocuSign-themed email stitched together Lloyds Banking Group Qualtrics survey blocks and resolved its CTA to Mailchimp. |
| The DocuSign That Lived on an S3 Bucket (and Couldn't Decide Who Sent It) | A DocuSign phishing email passed SPF, DKIM, and DMARC for a real K-12 school district domain. |
| The Subdomain That Fused Two Trusted Brands Into One Convincing Lie | Attackers fused two real brand names into a single subdomain and routed the message through Zix infrastructure to inherit enterprise authentication. |