The email displayed the U.S. Bank logo, the Equal Housing Lender seal, and the address of their Minneapolis headquarters. It referenced a "secured attachment" and asked the recipient to click "Open Shared File." SPF passed. DKIM passed. DMARC passed. Microsoft returned compauth=100, a perfect authentication score.
The sending domain was lawyerlegion[.]com. A lawyer directory. Not a bank.
Microsoft even surfaced a first-time sender warning at the top of the message: "You don't often get email from info@lawyerlegion[.]com." But the authentication stack had already given the message a clean bill of health, and the warning did nothing to stop delivery. This is what cross-brand impersonation looks like when it is built on legitimate infrastructure.
A Law Firm Directory Wearing a Bank's Uniform
The From header read "Ronald Marquez" with the address info@lawyerlegion[.]com. The message was dispatched through Brevo (formerly Sendinblue), a legitimate email marketing platform, via the sending host gi[.]d[.]sender-sib[.]com (IP 77[.]32[.]148[.]9). Because Brevo was authorized to send on behalf of the lawyerlegion[.]com domain, the SPF record validated. The DKIM signature verified with d=lawyerlegion[.]com. DMARC returned a pass.
This is the core limitation of email authentication. SPF, DKIM, and DMARC verify that the sending infrastructure is authorized for a given domain. They say nothing about whether the content of the email matches the brand it claims to represent. According to the FBI IC3 2024 Internet Crime Report, phishing and spoofing were the most reported cybercrime category with over 298,000 complaints filed in 2024. Attacks like this one exploit the gap between authenticating the sending domain and verifying the brand the content claims to represent.
The email itself was a mass campaign. The HTML contained duplicated template blocks, rendering the entire message twice in the same email body (a tell for reused phishing kits). Multiple 1x1 tracking pixels were embedded throughout. The language was vague and generic: "Thanks for choosing our service. A secured attachment has been made available for reference." No account numbers. No transaction details. No specifics that a real bank notification would contain.
Three Defensive Layers, Zero Blocks
The "Open Shared File" button is where the real attack hides. What appeared to be a link to a bank document was actually the first hop in a multi-layer redirect chain designed to exploit the trust that security tools place in each other.
Hop 1: Brevo tracking redirect. The CTA linked to baijdege[.]r[.]bh[.]d[.]sendibt3[.]com, a Brevo click-tracking subdomain (CNAME to r[.]mailin[.]fr). This is standard email marketing infrastructure. The recipient's email client sees a redirect host associated with a known, legitimate marketing platform.
Hop 2: Cisco Secure Web. The Brevo redirect passed through a Cisco Secure Web URL wrapper. Cisco's service is designed to inspect links at click time and block malicious destinations. In this case, the link was not blocked.
Hop 3: esvalabs sandbox. After Cisco, the chain continued through an esvalabs sandbox wrapper, another security scanning layer that evaluated the destination without flagging it.
Final destination: 3dsoiutions[.]com. At the end of the chain sat the credential harvesting page. The domain name is a visual typosquat: the lowercase L in "solutions" has been replaced with an uppercase I, making 3dsoiutions nearly indistinguishable from 3dsolutions at a glance. According to MITRE ATT&CK T1583.001 (Acquire Infrastructure: Domains), registering typosquatted domains is a well-documented technique for hosting credential harvesting and phishing infrastructure.
The redirect chain created a trust stack. Each legitimate service in the path validated the link as it passed through, and each wrapped URL became harder for both humans and scanners to evaluate. The Verizon 2024 Data Breach Investigations Report found that credentials were involved in 31% of all breaches over the past decade, making credential harvesting one of the most persistent and effective attack categories.
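To make the trust-stack point concrete, here is a small added example (not code from the original article or from IRONSCALES) that walks a redirect chain hop by hop, records every host it passes through, and then tests the final host against a brand watch list using a confusable-character skeleton, the check that catches an l-for-i swap like the one in 3dsoiutions. The redirect map, the wrapper hostnames `wrapper-a.example` and `wrapper-b.example`, the `url`/`u`/`target`/`redirect` parameter names, the loop entries and the watch list are all constructed for the demonstration; none of them reproduce a real vendor's wrapper format. A live version would replace `SIMULATED_REDIRECTS` with HEAD requests that do not auto-follow redirects.

```python
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for live 30x responses (URL -> Location header).
# The hosts mirror the chain described above; paths and wrapper hosts are illustrative.
SIMULATED_REDIRECTS = {
    "https://baijdege.r.bh.d.sendibt3.com/tr/cl/abc":
        "https://wrapper-a.example/inspect?url=https%3A%2F%2Fwrapper-b.example%2Fscan"
        "%3Fu%3Dhttps%253A%252F%252F3dsoiutions.com%252Fshared%252Flogin",
    # constructed loop to exercise the loop guard
    "https://loop.example/a": "https://loop.example/b",
    "https://loop.example/b": "https://loop.example/a",
}

# Query parameters that link-wrapping services commonly use to carry the real target
# (hypothetical list; extend it for the wrappers seen in your own mail flow).
WRAPPER_PARAMS = ("url", "u", "target", "redirect")


def unwrap_once(url):
    """Return the next hop for url, or None when url is a terminal destination."""
    if url in SIMULATED_REDIRECTS:          # would be a 30x Location header in live use
        return SIMULATED_REDIRECTS[url]
    qs = parse_qs(urlparse(url).query)      # parse_qs percent-decodes exactly one layer
    for param in WRAPPER_PARAMS:
        for value in qs.get(param, []):
            if value.startswith(("http://", "https://")):
                return value
    return None


def walk_chain(url, max_hops=10):
    """Follow redirects and unwrap wrapper parameters; return the full list of hops.

    Raises ValueError on a redirect loop or when max_hops is exceeded, so a
    chain built to stall scanners fails loudly instead of spinning.
    """
    hops, seen = [url], {url}
    while True:
        nxt = unwrap_once(hops[-1])
        if nxt is None:
            return hops
        if nxt in seen:
            raise ValueError(f"redirect loop at {nxt}")
        if len(hops) >= max_hops:
            raise ValueError(f"more than {max_hops} hops from {url}")
        hops.append(nxt)
        seen.add(nxt)


# Characters that look alike in common fonts, collapsed to one representative.
CONFUSABLES = {"1": "l", "i": "l", "|": "l", "0": "o", "5": "s", "rn": "m", "vv": "w"}


def skeleton(label):
    """Collapse visually confusable characters so look-alike labels compare equal."""
    s = label.lower()
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s


# Constructed watch list built from the names on the page.
WATCHLIST = {"3dsolutions.com", "usbank.com"}


def registrable(host):
    """Crude eTLD+1 (last two labels); sufficient for the sample domains here."""
    return ".".join(host.lower().split(".")[-2:])


def lookalike_of(host):
    """Return the watch-listed domain that host visually imitates, or None."""
    reg = registrable(host)
    if reg in WATCHLIST:                    # the genuine domain is not a look-alike
        return None
    for brand in WATCHLIST:
        if skeleton(reg) == skeleton(brand):
            return brand
    return None


def assess_link(url):
    """Resolve the chain behind a CTA link and flag a typosquatted final host."""
    hops = walk_chain(url)
    final_host = urlparse(hops[-1]).hostname or ""
    return {
        "hops": [urlparse(h).hostname for h in hops],
        "final": hops[-1],
        "lookalike_of": lookalike_of(final_host),
    }


if __name__ == "__main__":
    print(assess_link("https://baijdege.r.bh.d.sendibt3.com/tr/cl/abc"))
```

The point the walker makes is that each wrapper in the chain only has to be transparent once; a scanner that stops at the first recognised security vendor never reaches the host that the skeleton comparison flags.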
The Campaign Fingerprints Hiding in the HTML
Beyond the redirect chain, the email carried several markers of a mass phishing operation. The recipient's name and email address appeared in an "Email intended for:" footer line, a personalization technique pulled from ESP merge fields. The footer also included real U.S. Bank disclaimers ("Equal Housing Lender. Member FDIC."), the bank's physical address (200 South 6th Street, Minneapolis, MN 55402), and links to "Privacy pledge," "Fraud help," and "Contact us," all routed through the same baijdege[.]r[.]bh[.]d[.]sendibt3[.]com tracking host rather than resolving to actual usbank[.]com pages.
A few real usbank[.]com URLs were mixed in, likely scraped from a genuine U.S. Bank email template. This blending of legitimate and attacker-controlled links is a deliberate tactic. Security tools that sample a subset of links in a message may test only the clean ones and give the email a pass. The Microsoft Digital Defense Report 2024 documents how attackers increasingly embed legitimate URLs alongside malicious ones to manipulate link reputation scoring.
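As an added example (not the article's code and not IRONSCALES' engine), here is a Python detector that does the work the authentication stack does not: it parses the Authentication-Results header, extracts every link in the body rather than a sample, and compares the brand named in the content with the sending domain and with the link destinations, while counting 1x1 tracking pixels as a campaign marker. The message is constructed to mirror the headers and body described above and is not the original email; the brand-to-domain table and the pixel heuristic are constructed for the demonstration.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the campaign described above (not the original message).
SAMPLE_EML = """\
From: Ronald Marquez <info@lawyerlegion.com>
To: recipient@example.com
Subject: A secured attachment has been made available
Authentication-Results: spf=pass (sender IP is 77.32.148.9) smtp.mailfrom=lawyerlegion.com; dkim=pass (signature was verified) header.d=lawyerlegion.com; dmarc=pass action=none header.from=lawyerlegion.com
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="https://baijdege.r.bh.d.sendibt3.com/tr/op/1" width="1" height="1">
<p>U.S. Bank - Thanks for choosing our service. A secured attachment has been made available for reference.</p>
<a href="https://baijdege.r.bh.d.sendibt3.com/tr/cl/abc">Open Shared File</a>
<a href="https://www.usbank.com/privacy">Privacy pledge</a>
<p>Equal Housing Lender. Member FDIC. 200 South 6th Street, Minneapolis, MN 55402</p>
</body></html>
"""

# Constructed lookup of brand phrases to the domains that legitimately send for them.
# A real deployment would use a maintained brand catalogue.
BRAND_DOMAINS = {"u.s. bank": {"usbank.com"}}


class _Collector(HTMLParser):
    """Collect every href, count 1x1 images, and gather visible text."""

    def __init__(self):
        super().__init__()
        self.links, self.pixels, self.text = [], 0, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        if tag == "img" and a.get("width") == "1" and a.get("height") == "1":
            self.pixels += 1

    def handle_data(self, data):
        self.text.append(data)


def auth_results(msg):
    """Parse spf/dkim/dmarc verdicts out of the Authentication-Results header."""
    hdr = msg.get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr))


def registrable(host):
    """Crude eTLD+1 (last two labels); sufficient for the sample domains here."""
    return ".".join(host.lower().split(".")[-2:])


def analyze(raw):
    """Return the signals a content-aware check would raise for this message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = msg["From"].addresses[0].addr_spec.split("@")[1].lower()
    auth = auth_results(msg)

    collector = _Collector()
    collector.feed(msg.get_body(preferencelist=("html",)).get_content())
    text = " ".join(collector.text).lower()

    brands = {b for b in BRAND_DOMAINS if b in text}
    expected = set().union(*(BRAND_DOMAINS[b] for b in brands)) if brands else set()
    link_domains = {registrable(urlparse(u).hostname or "") for u in collector.links}

    return {
        "from_domain": from_domain,
        "auth_all_pass": all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")),
        "brands_claimed": sorted(brands),
        # brand named in the body but the authenticated sender is not one of its domains
        "brand_domain_mismatch": bool(brands) and from_domain not in expected,
        # every link domain, so a clean usbank.com link cannot mask the tracking host
        "link_domains": sorted(link_domains),
        "off_brand_link_domains": sorted(
            d for d in link_domains if d not in expected | {from_domain}
        ),
        "tracking_pixels": collector.pixels,
    }


if __name__ == "__main__":
    for k, v in analyze(SAMPLE_EML).items():
        print(f"{k}: {v}")
```

Run against the sample, the message authenticates cleanly and still trips two content checks: the body claims U.S. Bank while the authenticated domain is lawyerlegion.com, and the only actionable link resolves to an ESP tracking host rather than to the brand. Enumerating all links is what defeats the mixing tactic: one genuine usbank.com URL does not clear the message when the CTA points elsewhere.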
The CISA phishing guidance advises organizations to train employees to verify unexpected requests through separate channels. That advice is sound but insufficient when the email passes every technical check, displays trusted branding, and wraps its payload inside three layers of security vendor infrastructure.
Why Authentication Alone Could Not Stop This
Themis, the IRONSCALES Adaptive AI engine, scored this message at 84% confidence for credential theft and flagged the recipient as a VIP target. The detection was not based on a failed authentication check or a known-bad URL. It was based on behavioral signals: the mismatch between the sending domain (a lawyer directory) and the visual brand (a major U.S. bank), the first-time sender relationship, the generic "shared file" lure directed at a high-value recipient, and the presence of redirect-wrapped CTAs that obscured the final destination.
Across the IRONSCALES global community of 35,000+ security professionals, cross-brand impersonation campaigns abusing ESPs like Brevo had already been flagged by other organizations, feeding threat intelligence that accelerated the classification.
This attack maps to MITRE ATT&CK T1656 (Impersonation) for the cross-brand deception and T1566.002 (Spearphishing Link) for the redirect-wrapped credential harvesting CTA. The combination of a legitimate ESP, a fully passing authentication stack, and a multi-hop redirect chain through actual security tools represents a technique set that authentication-dependent defenses cannot address. Detecting this attack requires analyzing what the email looks like, not just where it came from.
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Sending Domain | lawyerlegion[.]com | Legitimate lawyer directory domain abused via Brevo ESP |
| Sender Address | info@lawyerlegion[.]com | From address displaying "Ronald Marquez" |
| Sending IP | 77[.]32[.]148[.]9 | Brevo sending infrastructure (gi[.]d[.]sender-sib[.]com) |
| Tracking Host | baijdege[.]r[.]bh[.]d[.]sendibt3[.]com | Brevo click/open tracking subdomain (CNAME to r[.]mailin[.]fr) |
| Sandbox Wrapper | esvalabs[.]com | Security sandbox used as redirect hop |
| Credential Harvest Domain | 3dsoiutions[.]com | Typosquatted domain (L replaced with I) hosting credential harvesting page |
| DKIM Signing Domain | d=lawyerlegion[.]com | DKIM signing domain via Brevo |
MITRE ATT&CK Mapping
| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | Redirect-wrapped credential harvesting CTA targeting VIP recipient |
| Impersonation | T1656 | Cross-brand impersonation: lawyerlegion[.]com content branded as U.S. Bank |
| Acquire Infrastructure: Domains | T1583.001 | Typosquatted domain (3dsoiutions[.]com) for credential harvesting |