The email arrived from "Karim Abdullah (Procurement)" with a straightforward CTA: download a contract agreement. The display name carried a title. The subject line referenced a document. The button said "Download Agreement." Everything about the message was designed to look like a routine procurement workflow.
The sending address was ernest@chezlando[.]com, routed through SendGrid infrastructure at IP 149[.]72[.]123[.]24. SPF and DKIM both passed for SendGrid. But DMARC composite authentication failed for chezlando[.]com because SendGrid was not authorized to send on behalf of that domain. Microsoft flagged the message with a Spam Confidence Level of 6, classifying it as phishing.
The domain chezlando[.]com was registered in 2007 through a registrar in Kigali, Rwanda, with an admin contact email of kapibo24@gmail[.]com. This is the kind of ESP abuse pattern that splits authentication results: the infrastructure passes, but the domain alignment fails.
The email body referenced a file named "174291464_Contract_Quote_2025.doc" and instructed the recipient to download it. But there was no attachment. The only action available was the "Download Agreement" button, which pointed to a Vercel-hosted page: psychic-sipoman[.]vercel[.]app/?ref=[recipient-email].
The recipient's email address was embedded directly in the URL query parameter. When the target clicked, the phishing page received their identity before they entered a single keystroke. This personalization allows the credential harvesting form to pre-populate the email field, making the fake login page feel like a natural continuation of the document download process.
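The detection side of this personalization trick, as an added example that is not part of the original writeup: a small Python triage helper that pulls every query-string and fragment parameter out of a link, checks whether any of them carries an email address (plain, percent-encoded, or base64-encoded, since kits vary), and reports whether that address is the recipient's own. The hostname `phishing-page.example`, the recipient `alice@example.com` and the base64 variant are constructed inputs; the function names are mine.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, unquote, urlparse

# Loose RFC 5322-ish address shape; good enough for spotting identities in URLs.
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")


def _decode_candidates(value):
    """Yield the parameter as-is and, where it decodes cleanly, as base64.

    Some kits pass the address in clear text (the case above), others encode it
    to dodge simple pattern matches. Both standard and URL-safe alphabets are tried.
    """
    text = unquote(value).strip()
    yield text
    padded = text + "=" * (-len(text) % 4)
    for alphabet in (padded, padded.replace("-", "+").replace("_", "/")):
        try:
            yield base64.b64decode(alphabet, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue


def _first_email(token):
    """Return the first decoding of token that looks like an email, else None."""
    for candidate in _decode_candidates(token):
        candidate = candidate.strip().lower()
        if EMAIL_RE.match(candidate):
            return candidate
    return None


def find_embedded_identities(url, recipient):
    """List every email address carried in the URL's query or fragment.

    Each finding records where it sat, the parameter name, the decoded address
    and whether it is the message recipient (the strong 'pre-filled lure' signal).
    """
    recipient = recipient.lower()
    parsed = urlparse(url)
    findings = []
    # Fragments matter too: JavaScript-driven pages can read the address from '#'
    # without the server ever seeing it in logs.
    for where, blob in (("query", parsed.query), ("fragment", parsed.fragment)):
        for key, value in parse_qsl(blob, keep_blank_values=True):
            for token in (key, value):
                email = _first_email(token)
                if email:
                    findings.append({
                        "where": where,
                        "param": key,
                        "email": email,
                        "matches_recipient": email == recipient,
                    })
    return findings


def triage_link(url, recipient):
    """Collapse the findings into a single verdict string for a mail filter."""
    findings = find_embedded_identities(url, recipient)
    if any(f["matches_recipient"] for f in findings):
        return "personalized-credential-lure"
    if findings:
        return "embedded-email-other"
    return "no-embedded-identity"


if __name__ == "__main__":
    # Constructed sample modelled on the ?ref=[recipient-email] pattern above.
    sample_url = "https://phishing-page.example/?ref=alice@example.com"
    print(triage_link(sample_url, "alice@example.com"))
```

The `matches_recipient` flag is the signal worth scoring: a link that already knows who is clicking it is far more likely to be a pre-filled credential form than a generic document portal.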
Vercel is a legitimate cloud platform used by millions of developers. Phishing pages hosted on vercel[.]app subdomains inherit the platform's domain reputation, which means URL scanners evaluating the link see a trusted hosting provider rather than attacker infrastructure.
This attack exploits a gap that many organizations do not monitor: the difference between ESP authentication and domain authentication. SendGrid's DKIM signature verified because SendGrid signed the message. SPF passed because the sending IP belonged to SendGrid's authorized range. But DMARC evaluates whether the authenticated domain aligns with the From header domain, and chezlando[.]com had no relationship with SendGrid's infrastructure.
The result was compauth=fail, a signal that the visible sender could not be verified. Microsoft's filters caught this and assigned SCL=6. But in environments where DMARC failures are logged rather than enforced, this message would have reached the inbox with clean SPF and DKIM results masking the alignment failure.
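To make the alignment gap concrete, here is an added Python example (not from the original writeup) that recomputes the DMARC verdict from the identifiers in an Authentication-Results header, the way a mail gateway does: SPF and DKIM each get a pass/fail, but DMARC only passes when a passing mechanism is also aligned with the From header domain. The header text, the SendGrid envelope domain `em9999.sendgrid.net` and the function names are constructed assumptions modelled on the case above; only the sending IP and the From address come from the page.

```python
import re
from email.utils import parseaddr

# Constructed sample modelled on the message described above. Real Exchange
# Online headers carry more fields; this keeps the ones DMARC evaluation needs.
SAMPLE_MESSAGE = {
    "From": "Karim Abdullah (Procurement) <ernest@chezlando.com>",
    "Authentication-Results": (
        "spf=pass (sender IP is 149.72.123.24) smtp.mailfrom=em9999.sendgrid.net; "
        "dkim=pass (signature was verified) header.d=sendgrid.net; "
        "dmarc=fail action=none header.from=chezlando.com"
    ),
}


def org_domain(domain):
    """Approximate the organizational domain by keeping the last two labels.

    Adequate for .com/.net; a production check should use the Public Suffix
    List so that names like example.co.uk are handled correctly.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode="relaxed"):
    """RFC 7489 identifier alignment.

    strict: the authenticated domain must equal the From domain exactly.
    relaxed: the two need only share an organizational domain.
    """
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == "strict":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(header_value):
    """Extract the SPF result + MAIL FROM domain and every DKIM result + d= domain."""
    spf = re.search(r"\bspf=(\w+)[^;]*?smtp\.mailfrom=([\w.-]+)", header_value)
    dkims = re.findall(r"\bdkim=(\w+)[^;]*?header\.d=([\w.-]+)", header_value)
    return {
        "spf": (spf.group(1), spf.group(2)) if spf else None,
        "dkim": dkims,
    }


def evaluate_dmarc(message, mode="relaxed"):
    """Recompute the DMARC verdict from the raw identifiers.

    DMARC passes only when at least one mechanism both passed and is aligned
    with the RFC5322.From domain. SPF and DKIM passing for some other domain
    (here, SendGrid's own) contribute nothing to the visible sender's verdict.
    """
    _, from_addr = parseaddr(message["From"])
    from_domain = from_addr.rsplit("@", 1)[-1]
    results = parse_auth_results(message["Authentication-Results"])

    spf_pass = bool(results["spf"]) and results["spf"][0] == "pass"
    spf_aligned = spf_pass and aligned(results["spf"][1], from_domain, mode)
    dkim_pass = any(res == "pass" for res, _ in results["dkim"])
    dkim_aligned = any(
        res == "pass" and aligned(d, from_domain, mode) for res, d in results["dkim"]
    )

    return {
        "from_domain": from_domain,
        "spf_pass": spf_pass,
        "spf_domain": results["spf"][1] if results["spf"] else None,
        "spf_aligned": spf_aligned,
        "dkim_pass": dkim_pass,
        "dkim_domains": [d for _, d in results["dkim"]],
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,
    }


if __name__ == "__main__":
    for key, value in evaluate_dmarc(SAMPLE_MESSAGE).items():
        print(f"{key:>13}: {value}")
```

Running it on the sample shows `spf_pass` and `dkim_pass` both true while `dmarc_pass` is false, which is exactly the split the text describes: a dashboard that surfaces only the first two columns hides the failure that matters.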
Adaptive AI flagged the behavioral convergence: a first-time sender with a procurement display name, a phantom attachment reference, a Vercel-hosted credential harvesting link personalized with the recipient's email, and a DMARC failure that contradicted the otherwise clean ESP authentication.
| Type | Indicator | Context |
|---|---|---|
| Sender Email | ernest@chezlando[.]com | Claimed procurement sender |
| Sender Domain | chezlando[.]com | Registered 2007, Kigali, Rwanda (admin: kapibo24@gmail[.]com) |
| Sending IP | 149[.]72[.]123[.]24 | SendGrid infrastructure |
| Phishing URL | hxxps://psychic-sipoman[.]vercel[.]app/?ref=[recipient] | Vercel-hosted credential harvesting page |
| Referenced File | 174291464_Contract_Quote_2025.doc | Phantom attachment (not actually attached) |
| DMARC Result | compauth=fail | Domain alignment failure for chezlando[.]com |
| SCL | 6 | Microsoft phishing classification |

| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | CTA button directing to credential harvesting page |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Procurement display name impersonation |
| Phishing for Information: Spearphishing Link | T1598.003 | Personalized URL to collect credentials |