The email passed every authentication check. DKIM: pass. SPF: pass. DMARC: pass. From the gateway's perspective, it was a clean message from a verified sender at a real company.
The problem is that the company sending the email had nothing to do with what was in it.
Inside the message: image-only content rendered as official correspondence from a Fortune 500 hospitality company, complete with a senior director's name and title in the signature. The actual sender was a mid-size engineering firm with no connection to hospitality at all. And the links inside led to a credential harvesting page hosted on Microsoft Sway, a service most URL filters treat as fully trusted because it lives on sway[.]office[.]com.
This is vendor email compromise (VEC), and it is one of the cleaner execution examples we have seen recently.
The authentication picture here is textbook VEC. The attacker gained access to a legitimate email account at the engineering firm, most likely via a cloud-based account compromise given the originating IP (more on that below). Once inside, they used the real account to send outbound phishing. The Return-Path and From headers align cleanly. The domain passes SPF for the sending IP. DKIM signs correctly for the sender's domain.
This is the core VEC problem. SPF, DKIM and DMARC verify that a message was sent by infrastructure authorized for, and aligned with, the From domain; they say nothing about whether the person behind that account is who the content implies. A compromised account exploits trust that was legitimately earned. DMARC management and monitoring catches domain spoofing. It does not catch a bad actor using a real account.
According to the FBI Internet Crime Complaint Center's 2023 Internet Crime Report, Business Email Compromise (BEC), which includes account compromise scenarios like this one, generated over $2.9 billion in reported losses in 2023, second only to investment fraud among the report's crime categories. The same report notes that BEC increasingly involves compromised third-party vendor accounts rather than direct executive impersonation, a shift that makes authentication-based defenses less reliable as the primary line of detection.
The originating IP, 20[.]83[.]171[.]190, falls in a Microsoft Azure range. That detail matters. X-Originating-IP records the client that submitted the message to the tenant, so an Azure address there means the attacker's mail client itself ran on cloud-hosted infrastructure rather than on a residential or corporate connection. That is consistent with an account takeover via a stolen session token, a password spray, or credential stuffing against the cloud email portal. There is no on-premises mail server in the picture. The attacker authenticated to the cloud tenant and sent mail directly.
This maps to MITRE ATT&CK T1586.002 (Compromise Accounts: Email Accounts), the technique describing adversary pre-positioning through legitimate account compromise before launching phishing operations. The follow-on delivery is T1566.002 (Phishing: Spearphishing Link). T1534 (Internal Spearphishing) strictly covers phishing sent from an account inside the victim organization, but because the compromised account belongs to a vendor with an existing business relationship, the attack pulls the same lever: a trusted relationship lends the lure credibility.
The actual phishing destination was Microsoft Sway. Two URLs were embedded in the message:
hxxps://sway[.]office[.]com/fFelVTHmyd85cGRi

hxxps://sway[.]cloud[.]microsoft/fFelVTHmyd85cGRi

Sway is a Microsoft publishing service. It hosts presentations, documents, and pages on Microsoft-owned infrastructure. Most URL reputation systems do not flag sway[.]office[.]com as malicious because it is not. Microsoft itself has acknowledged Sway's abuse as a phishing delivery platform, noting in threat intelligence reporting that attackers frequently abuse trusted productivity services precisely because they are on allowlists. Hosting credential collection on legitimate infrastructure is a well-documented technique for bypassing gateway URL scanning.
Several design choices in this attack compounded the detection difficulty beyond the authentication bypass.
Image-only content. The email body contained almost no plaintext. The visible content, including the hospitality company branding, the senior director's name and title, and the call-to-action directing recipients to the Sway link, was rendered via embedded images (cid:image001.png and cid:image002.png). This defeats content-based filtering that relies on scanning text for phishing language patterns. According to Verizon's 2024 Data Breach Investigations Report, techniques that evade text-based analysis have become increasingly common in targeted phishing campaigns, contributing to a continued high phishing-as-initial-access rate across data breach cases.
BCC delivery. The To and CC headers on the message showed the engineering firm's own address, not the actual recipients at the regional services organization being targeted. Real delivery went via BCC. This hides the target list from anyone reviewing the message headers and obscures the campaign's scope. It also means a recipient scanning the visible headers would see an email ostensibly addressed to the sender, not to them, an odd detail that can go unnoticed in a busy inbox.
Brand identity mismatch. The sender's domain belongs to an engineering firm. The email content impersonates a Fortune 500 hospitality company. These two things cannot both be true, but without a system that checks for this kind of cross-identity inconsistency, the mismatch is easy to miss. Gateway-level filtering checks whether the sending domain is on a blocklist and whether it passes authentication. It does not check whether the email's branding matches the sender's known identity.
Repeated and malformed signature blocks. The formatting showed multiple signature iterations with structural anomalies typical of phishing kit templates. A human reviewer looking closely would notice. Most inboxes do not get that kind of scrutiny.
Themis flagged the message at 59% confidence, labeling it for Credential Theft and VIP Recipient review. The confidence score reflects the absence of a definitive single signal in favor of a cluster of weaker indicators: first-time sender from a domain with no prior relationship to the recipient organization, image-heavy construction, header recipient discrepancy, and brand identity inconsistency. IRONSCALES' Adaptive AI weighs these behavioral signals together, which is how the detection held even without a URL reputation hit on the Sway links themselves.
| Type | Indicator | Context |
|---|---|---|
| IP | 4[.]36[.]33[.]107 | Sending IP, SPF pass |
| IP | 20[.]83[.]171[.]190 | X-Originating-IP, Azure infrastructure, likely attacker cloud access point |
| URL | hxxps://sway[.]office[.]com/fFelVTHmyd85cGRi | Microsoft Sway credential harvesting page |
| URL | hxxps://sway[.]cloud[.]microsoft/fFelVTHmyd85cGRi | Alternate Sway URL, same destination |
The authentication picture in this attack is clean by design. Trying to catch it with SPF, DKIM, and DMARC alone is not a realistic strategy because the attacker did not need to break any of those controls.
The signal that matters here is behavioral. A message where the sending domain's known identity does not match the branding in the email content, arriving from an account with no prior contact history, with image-only construction and a BCC delivery pattern, is suspicious regardless of what DMARC says. These are the signals that behavioral AI-based email security is designed to surface.
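A worked triage of the signal cluster described above and of the behavioral signals this section argues for, written as an added example rather than IRONSCALES or Themis code: the two messages, the prior-contact and brand lookup tables, the cloud prefix and the weights are all constructed placeholders, and only the X-Originating-IP and the Sway URL are taken from the case. It parses the Authentication-Results, From, To/Cc, X-Originating-IP and body of a message, records the SPF/DKIM/DMARC verdicts without letting them lower the score, then checks for first contact, image-only construction, BCC delivery (the SMTP recipient absent from To/Cc), sender-domain versus brand mismatch, a cloud-hosted submitting client, and links to legitimate but abusable hosts.

```python
"""Behavioral triage for mail whose SPF, DKIM and DMARC all pass. Added example, not IRONSCALES/Themis
code: the messages, lookup tables and weights are constructed; only the IP and Sway URL are from the article."""
import ipaddress
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-ins for real directories and threat-intel feeds.
CLOUD_PREFIXES = [ipaddress.ip_network("20.83.0.0/16")]  # placeholder; use Microsoft's published ranges
PRIOR_CONTACT_DOMAINS = {"long-time-vendor.example"}     # domains with mail history to this org
KNOWN_SENDER_ORGS = {"engineering-firm.example": "acme engineering"}  # org a sending domain represents
BRAND_LEXICON = {"grand hospitality", "acme engineering"}  # brands to cross-check against the sender
ABUSED_TRUSTED_HOSTS = {"sway.office.com", "sway.cloud.microsoft"}  # legitimate hosts often abused
WEIGHTS = {"first_contact": 0.10, "image_only": 0.15, "bcc_delivery": 0.15,
           "brand_mismatch": 0.25, "cloud_origin": 0.10, "trusted_host_link": 0.15}

# Constructed message mirroring the article: clean auth, image-only body, To pointing at the sender.
PHISH = b"""\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=engineering-firm.example;
 dkim=pass header.d=engineering-firm.example; dmarc=pass header.from=engineering-firm.example
From: "Senior Director" <accounts@engineering-firm.example>
To: accounts@engineering-firm.example
Subject: Grand Hospitality - partnership agreement for signature
X-Originating-IP: [20.83.171.190]
Content-Type: text/html; charset="utf-8"

<html><body><img src="cid:image001.png" alt="">
<a href="https://sway.office.com/fFelVTHmyd85cGRi"><img src="cid:image002.png"></a></body></html>
"""
# Constructed control: known vendor, plain text, addressed directly to the recipient.
BENIGN = b"""\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=long-time-vendor.example;
 dkim=pass header.d=long-time-vendor.example; dmarc=pass header.from=long-time-vendor.example
From: "Dana" <dana@long-time-vendor.example>
To: cfo@regional-services.example
Subject: Q3 invoice as discussed
Content-Type: text/plain; charset="utf-8"

Hi, the Q3 invoice from our call is attached. Let me know if the PO number needs updating. Thanks, Dana
"""

class _HtmlScan(HTMLParser):
    """Collects visible text (including alt text), link targets and the <img> count."""
    def __init__(self):
        super().__init__()
        self.text, self.links, self.images = [], [], 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            self.images += 1
            self.text.append(a.get("alt") or "")
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_data(self, data):
        self.text.append(data)

def scan_body(msg):
    """Visible word count, inline image count and link targets across all text parts."""
    scan = _HtmlScan()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            scan.feed(part.get_content())
        elif part.get_content_type() == "text/plain":
            scan.text.append(part.get_content())
    words = " ".join(scan.text).split()
    return {"words": len(words), "text": " ".join(words), "images": scan.images, "links": scan.links}

def triage(raw, delivered_to):
    """Score one message for SMTP recipient `delivered_to`; auth verdicts are reported, never scored."""
    msg = message_from_bytes(raw, policy=policy.default)
    auth = {k.lower(): v.lower() for k, v in re.findall(
        r"\b(spf|dkim|dmarc)=(\w+)", " ".join(map(str, msg.get_all("Authentication-Results", []))), re.I)}
    display, from_addr = parseaddr(str(msg.get("From", "")))
    sender_domain = from_addr.rpartition("@")[2].lower()
    body, signals = scan_body(msg), {}
    if sender_domain not in PRIOR_CONTACT_DOMAINS:
        signals["first_contact"] = f"no prior mail history with {sender_domain}"
    if body["images"] and body["words"] < 20:
        signals["image_only"] = f"{body['images']} image(s) but only {body['words']} visible words"
    visible = {a.addr_spec.lower() for h in msg.get_all("To", []) + msg.get_all("Cc", []) for a in h.addresses}
    if delivered_to.lower() not in visible:
        signals["bcc_delivery"] = f"{delivered_to} is not in To/Cc {sorted(visible)}"
    branded = " ".join([display, str(msg.get("Subject", "")), body["text"]]).lower()
    foreign = sorted(b for b in BRAND_LEXICON if b in branded and b != KNOWN_SENDER_ORGS.get(sender_domain))
    if foreign:
        signals["brand_mismatch"] = f"content brands {foreign} but sender domain {sender_domain} is not one of them"
    ip = re.search(r"\d{1,3}(?:\.\d{1,3}){3}", str(msg.get("X-Originating-IP", "")))
    if ip and any(ipaddress.ip_address(ip.group()) in net for net in CLOUD_PREFIXES):
        signals["cloud_origin"] = f"submitted from cloud-hosted client {ip.group()}"
    abused = sorted({urlparse(u).hostname for u in body["links"]} & ABUSED_TRUSTED_HOSTS)
    if abused:
        signals["trusted_host_link"] = f"links to abusable trusted host(s) {abused}; render at click time"
    score = round(sum(WEIGHTS[s] for s in signals), 2)
    return {"auth": auth, "signals": signals, "score": score, "verdict": "hold_for_review" if score >= 0.5 else "deliver"}
```

The weights are not a model; the shape of the logic is the point. Passing authentication is recorded but contributes nothing, so a compromised account cannot buy its way past the behavioral checks, while the control message from a known vendor scores zero under the same rules. The BCC check needs the SMTP recipient, which a gateway has from RCPT TO and a mailbox-side tool has from the delivery record, never from the visible headers alone.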
Specific recommendations for your security operations:
If your URL filtering treats sway[.]office[.]com as inherently trusted, you have a gap. Sandboxing or rendering Sway URLs at click time, not just at delivery, closes that gap.

The IBM Cost of a Data Breach 2024 report puts the average cost of a breach initiated with stolen or compromised credentials at $4.81 million globally, with the identification and containment timeline for attacks involving valid credentials running significantly longer than for those involving malware. The adversaries in this attack used a legitimate account, a legitimate Microsoft service, and a legitimate brand to move undetected. The leverage is entirely in the behavioral signals, and catching it requires a detection model that prioritizes those signals over infrastructure checks.
IRONSCALES' account takeover protection and business email compromise protection address exactly the gap this attack exploits: the space between passing authentication and actually being what it claims to be.