Threat Intelligence

The Vendor Compliance Email Where Every Link Was Real and Every Authentication Check Passed

Written by Audian Paxson | Dec 16, 2025 11:00:00 AM
TL;DR A bilingual English-French vendor compliance onboarding email was delivered through Salesforce infrastructure with perfect authentication (SPF pass, DKIM pass, DMARC pass, compauth=pass reason=100). Every link in the message resolved to vendorpm.com and app.vendorpm.com, both legitimate vendor management platform domains. The attached PDF scanned clean. The urgency language referenced real compliance documentation workflows. Detection required noticing that the signature displayed one email address while the HTML mailto hyperlink targeted a different person at the same domain, that the org-specific onboarding slug pointed to targeted delivery rather than spray-and-pray, and that the Morguard-VendorPM partnership referenced in the email could not be verified through public records. Four mailboxes were quarantined based on behavioral signals including first-time sender status and VIP recipient targeting.
Severity: High | Credential Harvesting | Impersonation | Vendor Impersonation | MITRE ATT&CK: T1566.001 Phishing: Spearphishing Attachment; T1566.002 Phishing: Spearphishing Link; T1036.005 Masquerading: Match Legitimate Name or Location

The email passed every check that a security gateway is built to run. SPF passed. DKIM passed. DMARC passed. Composite authentication came back compauth=pass with reason=100, the code Microsoft attaches to a message that passed authentication outright. The sending infrastructure was Salesforce, one of the most widely trusted email relay platforms in enterprise environments. Every link in the message body resolved to vendorpm[.]com or app.vendorpm[.]com, both legitimate domains belonging to a real vendor management platform. The attached PDF scanned clean.

There was nothing for a traditional gateway to flag. No malicious URL. No suspicious attachment. No authentication failure. No newly registered domain. The message looked, authenticated, and linked exactly like a real vendor onboarding request.

The problem was that it probably was not one.

The Compliance Onboarding Template

The subject line was bilingual: "Ensure Work with Morguard via VendorPM || Continuez a travailler avec Morguard via VendorPM." The body followed the same pattern, with English content mirrored in French. The language hit every compliance pressure point that vendor management teams respond to instinctively:

  • "This is a time sensitive request"
  • "Complete the required subscription"
  • "Claim your VendorPM account"
  • "Login to view and submit the compliance documentation requirements"

This is the vocabulary of legitimate vendor onboarding. Property management companies, facilities operators, and large enterprises use platforms like VendorPM to manage vendor compliance documentation, insurance certificates, and safety credentials. The phrasing in this email mirrors what a real onboarding invitation looks like, because the platform itself was real.

The attached PDF, titled "Morguard_VendorPM Compliance Letter EN (1).pdf" at 327 KB, scanned clean in sandbox analysis. The sandbox could not inspect the document's full content, but no malicious macros, scripts, or embedded objects were detected.

The Mismatch Hidden in the HTML

The sender presented as "Amy Gray" with the email address agray@vendorpm[.]com. The signature block at the bottom of the email displayed the same name and address. Everything appeared consistent on the surface.

The HTML source told a different story. The mailto hyperlink embedded in the signature did not target agray@vendorpm[.]com. It targeted jjung@vendorpm[.]com, a completely different person at the same domain.

This kind of mismatch is a hallmark of templated or assembled messages. When a human writes an email and adds their signature, the display text and the mailto link point to the same address because the signature was created by the sender. When a message is generated from a template, automated from a CRM workflow, or assembled by someone other than the displayed sender, the visible text and the underlying HTML can diverge.

In isolation, a display-to-mailto mismatch is a weak signal. Legitimate automated emails sometimes have similar inconsistencies due to shared mailbox configurations or CRM template errors. Combined with other behavioral signals in this case, it became a meaningful indicator.
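The check described in this section is mechanical enough to script. The following Python example is added here; it is not code from the original post or from IRONSCALES. It walks the HTML part of a message and reports every mailto link whose visible anchor text is itself an email address that differs from the href target, while ignoring links whose anchor text is a phrase like "Email me". The sample message is constructed for the example: it reuses the two addresses from the case, but the headers and body around them are placeholders.

```python
"""Find signature mailto links whose visible text shows a different address.

Added example, not from the original post. The sample .eml below is
constructed; only the two vendorpm.com addresses come from the case.
"""
import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed sample message modelled on the signature described above.
SAMPLE_EML = """\
From: Amy Gray <agray@vendorpm.com>
To: ap@example-recipient.com
Subject: Ensure Work with Morguard via VendorPM
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>This is a time sensitive request.</p>
<p><a href="https://app.vendorpm.com/claim">Claim your VendorPM account</a></p>
<p>Amy Gray<br>
<a href="mailto:jjung@vendorpm.com">agray@vendorpm.com</a></p>
</body></html>
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


class MailtoCollector(HTMLParser):
    """Collect (href target, visible text) for every <a href="mailto:..."> element."""

    def __init__(self):
        super().__init__()
        self.pairs = []
        self._target = None  # address from the href while inside a mailto <a>
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href", "") or ""
        if href.lower().startswith("mailto:"):
            # Drop any ?subject=... query string and normalise case.
            self._target = href[7:].split("?", 1)[0].strip().lower()
            self._text = []

    def handle_data(self, data):
        if self._target is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._target is not None:
            self.pairs.append((self._target, "".join(self._text).strip()))
            self._target = None


def mailto_mismatches(raw_eml):
    """Return [(visible_address, href_address), ...] where the two differ.

    The visible text only counts when it looks like an email address itself;
    an anchor reading 'Contact me' is not a mismatch.
    """
    msg = email.message_from_string(raw_eml, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return []
    collector = MailtoCollector()
    collector.feed(html_part.get_content())
    found = []
    for target, text in collector.pairs:
        shown = EMAIL_RE.search(text)
        if shown and shown.group(0).lower() != target:
            found.append((shown.group(0).lower(), target))
    return found


if __name__ == "__main__":
    for shown, target in mailto_mismatches(SAMPLE_EML):
        print(f"signature shows {shown} but mailto targets {target}")
```

On the sample above the script reports one mismatch, agray@vendorpm.com shown versus jjung@vendorpm.com targeted. Treat the output as a trigger for verification, not as a verdict: as the section says, CRM templates and shared mailboxes produce the same pattern legitimately.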


Salesforce as the Delivery Vehicle

The email was sent through Salesforce's transactional email infrastructure. The originating server was smtp-02a32ec7df4bef18b.core1.sfdc-58ktaz.mta.salesforce[.]com at IP 3[.]98[.]44[.]244. The Return-Path followed Salesforce's standard bounce address format: agray=vendorpm.com__...@...bnc.salesforce[.]com.

This is not attacker infrastructure. This is Salesforce: the same mail transfer agents that deliver legitimate CRM notifications, marketing emails, and transactional messages for hundreds of thousands of organizations worldwide. SPF passed because the Return-Path (the envelope sender) sits in Salesforce's own bnc.salesforce[.]com bounce domain, whose SPF record authorizes that MTA; the SPF result therefore vouches for Salesforce, not for vendorpm[.]com. DKIM passed with d=vendorpm[.]com because VendorPM has configured DKIM signing through Salesforce. DMARC passed on the strength of that DKIM signature, since its d= domain aligns with the From domain; the SPF-authenticated domain (bnc.salesforce[.]com) does not align, so DKIM alone carried the DMARC verdict.

When attackers use legitimate SaaS platforms as delivery infrastructure, the entire authentication layer becomes irrelevant for detection purposes. The email is genuinely sent from the platform it claims to be from. The authentication is not spoofed or forged. It is real. The question shifts from "is this email authentic?" to "is the person or process that triggered this email legitimate?"

Traditional gateways are not built to answer the second question.

The Targeting Signal

The email body contained an org-specific onboarding slug: [org-name]-98784-454-ex-[invite-id]. This is not a generic blast. This slug references a specific organization and what appears to be a specific account or invitation identifier within VendorPM's platform.

Targeted delivery through a legitimate vendor platform changes the threat calculus. A mass-blast phishing campaign using Salesforce infrastructure would use generic templates and random recipient lists. An email with an org-specific slug, a named compliance relationship (Morguard), and a specific attachment referencing that relationship has the structure of a targeted operation.

The bilingual formatting adds another data point. English-French bilingual compliance documents are standard in Canadian business environments, which is consistent with Morguard's operations (a Canadian real estate company). The templating itself, with content duplicated rather than natively translated, suggests automated generation rather than manual composition. Legitimate bilingual communications from Canadian companies typically flow from the same compliance platform that manages their vendor relationships. The question is whether the person who triggered this specific invitation was authorized to do so.

The Detection Surface That Remained

When every technical indicator comes back clean, the detection surface shrinks to behavioral analysis and relationship context. The signals that flagged this email for quarantine were not authentication results or URL reputation scores. They were patterns that only emerge when you evaluate the message against the recipient's communication history and organizational context.

First-time sender. The sender had no prior communication history with the recipient or the recipient's organization. Vendor compliance onboarding requests from unknown entities, particularly ones flagged as high risk by sender reputation models, warrant additional scrutiny.

VIP recipient targeting. Themis applied a VIP Recipient label, indicating the targeted mailbox belongs to a high-value individual within the organization. Compliance onboarding emails targeting VIP accounts from first-time senders represent a higher-risk combination than the same email targeting a general inbox.

Unverifiable business relationship. The email referenced a compliance relationship between Morguard and the recipient organization through VendorPM. This relationship could not be independently verified through public records or prior communication history. Legitimate vendor onboarding typically follows an established procurement or contracting process that produces discoverable context.

SCL 1. Despite perfect authentication, Microsoft's own filtering assigned SCL 1. Both SCL 0 and SCL 1 mean "not spam" and deliver to the inbox, so the number itself is not a detection, but it does show the message was not skipped by filtering (SCL -1, the treatment allow-listed and safe-listed senders receive). A clean authentication pass does not by itself earn that trusted-delivery treatment; something in Microsoft's evaluation, most plausibly the first-time sender signal, kept the message in the ordinary filtering path.

Four mailboxes were quarantined based on the behavioral signal combination, not on any single technical indicator.
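The Salesforce section and this one make the same argument from two sides: the authentication headers are worth parsing, but only to confirm the platform really sent the message, after which the decision has to come from context. The following Python example is added here and is not IRONSCALES or Themis code. It reads the Authentication-Results and X-Forefront-Antispam-Report headers the way a gateway does, records the clean pass without scoring it, and then weighs the behavioral signals this section lists: first-time sender against an organizational sender history, VIP recipient, whether Microsoft skipped filtering, and urgency language. The headers, the sender history, the VIP list, the weights and the quarantine threshold are all constructed assumptions for the example; the IP and the Salesforce bounce identifiers are placeholders, not the values from the real message.

```python
"""Behavioral triage for a message whose authentication is clean.

Added example, not the IRONSCALES/Themis model. Weights, threshold, sender
history, VIP list and the sample headers are all constructed assumptions.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed headers modelled on the case above; 192.0.2.10 and the
# bnc.salesforce.com identifiers are placeholders, not the real values.
SAMPLE_MESSAGE = """\
From: Amy Gray <agray@vendorpm.com>
To: cfo@example-recipient.com
Subject: Ensure Work with Morguard via VendorPM
Return-Path: <agray=vendorpm.com__0-0000@0000.bnc.salesforce.com>
Authentication-Results: spf=pass (sender IP is 192.0.2.10)
 smtp.mailfrom=0000.bnc.salesforce.com; dkim=pass (signature was verified)
 header.d=vendorpm.com; dmarc=pass action=none header.from=vendorpm.com;
 compauth=pass reason=100
X-Forefront-Antispam-Report: CIP:192.0.2.10;SCL:1;SRV:;IPV:NLI;SFV:NSPM;
Content-Type: text/plain; charset="utf-8"

This is a time sensitive request. Login to view and submit the
compliance documentation requirements.
"""

# Constructed organizational context (assumed, not from the article).
KNOWN_SENDERS = {"invoices@known-supplier.example", "alerts@salesforce.com"}
VIP_RECIPIENTS = {"cfo@example-recipient.com"}
URGENCY = ("time sensitive", "immediately", "urgent", "claim your")
QUARANTINE_THRESHOLD = 5  # assumed weight cut-off


def parse_auth_results(value):
    """Extract spf/dkim/dmarc/compauth verdicts and the compauth reason code
    from a (possibly folded) Authentication-Results header."""
    value = value or ""
    results = dict(re.findall(r"\b(spf|dkim|dmarc|compauth)=(\w+)", value))
    reason = re.search(r"\breason=(\d+)", value)
    results["reason"] = reason.group(1) if reason else None
    return results


def parse_scl(value):
    """Return the SCL from X-Forefront-Antispam-Report, or None if absent."""
    m = re.search(r"\bSCL:(-?\d+)", value or "")
    return int(m.group(1)) if m else None


def assess(raw, known_senders=KNOWN_SENDERS, vips=VIP_RECIPIENTS):
    """Return (verdict, score, reasons).

    Authentication is recorded but carries no weight: a clean pass only
    tells us the platform really sent the message.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    auth = parse_auth_results(msg["Authentication-Results"])
    scl = parse_scl(msg["X-Forefront-Antispam-Report"])
    sender = parseaddr(msg["From"])[1].lower()
    recipient = parseaddr(msg["To"])[1].lower()
    sender_domain = sender.rsplit("@", 1)[-1]
    text = ((msg["Subject"] or "") + " " + msg.get_content()).lower()
    score, reasons = 0, []

    if all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")):
        reasons.append(f"auth clean (compauth reason {auth['reason']}); not weighted")

    # First-time sender, graded by whether the org has seen the domain before.
    if sender in known_senders:
        pass
    elif any(s.endswith("@" + sender_domain) for s in known_senders):
        score += 1
        reasons.append("new address at a known domain")
    else:
        score += 3
        reasons.append("first-time sender, no organizational history")

    if recipient in vips:
        score += 2
        reasons.append("VIP recipient")

    # SCL -1 means filtering was skipped (allow list / safe sender);
    # anything else means the message took the ordinary filtering path.
    if scl is not None and scl != -1:
        score += 1
        reasons.append(f"SCL {scl}: not allow-listed, filtering not skipped")

    if any(p in text for p in URGENCY):
        score += 1
        reasons.append("urgency language")

    verdict = "quarantine" if score >= QUARANTINE_THRESHOLD else "deliver"
    return verdict, score, reasons


if __name__ == "__main__":
    verdict, score, reasons = assess(SAMPLE_MESSAGE)
    print(verdict, score)
    for r in reasons:
        print(" -", r)
```

Run against the sample, the message scores 7 and is quarantined on first-time sender, VIP recipient, ordinary filtering path and urgency language, with the authentication pass listed but unweighted. Adding agray@vendorpm.com to the sender history and dropping the VIP label drops the same headers to a deliver verdict, which is the point: nothing in the message changed, only the relationship context did.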

Recommendations

Vendor compliance and onboarding emails represent a growing attack surface because they carry inherent urgency, reference real business processes, and increasingly transit legitimate SaaS infrastructure.

  1. Verify vendor onboarding requests out-of-band. When a compliance invitation arrives from a platform you do not have an existing relationship with, contact the purported requesting organization through independently obtained contact information. Do not use contact details from the email or its attachments.
  2. Inspect HTML source on compliance emails from first-time senders. A display-to-mailto mismatch in the signature is a low-cost check that most recipients can perform. When the visible email address differs from the hyperlink target, the message warrants verification before any action. Organizations running account takeover protection should ensure that first-time sender signals from legitimate platforms still trigger behavioral review.
  3. Treat bilingual templated content as a signal, not a guarantee. Bilingual formatting is standard in Canadian compliance communications, but automated duplication (identical structure in both languages, same placeholder patterns) can indicate template-driven generation by an unauthorized party using a legitimate platform.
  4. Evaluate the business relationship before evaluating the email. If your organization does not have an active contracting or procurement process with the named parties, an unsolicited compliance onboarding request is suspicious regardless of how cleanly it authenticates.

The detection challenge in this case was not technical complexity. It was the absence of any traditional detection signal. When the infrastructure is real, the links are real, the attachment is clean, and the authentication is perfect, the only remaining question is whether the relationship is real. That question requires context that no gateway has access to by default.

Indicators of Compromise

Type       | Indicator                                                                    | Context
Email      | agray@vendorpm[.]com                                                         | Displayed sender; signature mailto targets a different address
Email      | jjung@vendorpm[.]com                                                         | Actual mailto hyperlink target in the HTML signature
IP         | 3[.]98[.]44[.]244                                                            | Salesforce MTA (smtp-02a32ec7df4bef18b.core1.sfdc-58ktaz.mta.salesforce[.]com)
Domain     | vendorpm[.]com / app.vendorpm[.]com                                          | Legitimate vendor platform; all links in the email resolve here
Attachment | Morguard_VendorPM Compliance Letter EN (1).pdf (327 KB)                      | Clean scan; sandbox could not inspect full content
Slug       | [org-name]-98784-454-ex-[invite-id]                                          | Org-specific onboarding identifier; indicates targeted delivery
Auth       | SPF pass, DKIM pass (d=vendorpm.com), DMARC pass, compauth=pass reason=100   | Full authentication via Salesforce infrastructure
Delivery   | SCL=1                                                                        | Not spam, but not given skip-filtering (SCL -1) treatment either; first-time sender signal

MITRE ATT&CK: T1566.001 Spearphishing Attachment, T1566.002 Spearphishing Link, T1036.005 Masquerading: Match Legitimate Name or Location

Sources: IRONSCALES platform analysis; Verizon 2024 DBIR (68% of breaches involve human element; phishing remains primary initial access vector); FBI IC3 2024 Internet Crime Report (BEC losses exceeding $2.9 billion); Microsoft Digital Defense Report 2024 (trusted infrastructure abuse increasing); CISA Phishing Guidance

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 30,000+ security professionals. Each post breaks down one attack — what it looked like, why it worked, and what you can do about it.