A finance team member at a mid-size equipment finance company opened an email about unclaimed Verizon reward points. The subject line read "Points update regarding your account." The sender appeared as "Verizon Updates." The body was branded with a "VERIZON CUSTOMER PORTAL" heading and claimed 2,840 unclaimed award points tied to Member ID VZ-8482-93L. A blue "Validate & Claim Now" button sat below a 72-hour deadline warning.
Halfway through the message, between the urgency language and the call to action, there was a paragraph about how to fix a stuck kitchen drawer.
The Drawer That Gave It Away
The kitchen drawer text is the kind of mistake that tells you exactly how this email was built. Attackers running high-volume campaigns use template systems that stitch together modular blocks: header branding, urgency language, CTA buttons, footer disclaimers. When a block gets misplaced or a placeholder never gets swapped out, artifacts from other templates bleed through. In this case, home improvement content landed in a Verizon rewards lure.
It is a sloppy error. But it did not stop the email from reaching the inbox.
The rest of the social engineering was competent enough. Fabricated specificity (a member ID, a precise point balance, a deadline of "Tomorrow at 11:59 PM") creates a sense of legitimacy that nudges recipients past surface-level skepticism. The FBI IC3 2024 Annual Report documented $2.77 billion in BEC losses, and reward-point credential harvesting feeds the same pipeline. Stolen credentials become account takeover vectors. Account takeover becomes wire fraud.
Three Layers, Three Partial Answers, Zero Blocks
The real story of this attack is not the phishing lure. It is how many security controls touched the email and how none of them stopped it.
The attacker sent from verizonpath@twinklystonexg[.]blog, a domain registered on Namecheap the same day the email was sent. Privacy-protected WHOIS. Cloudflare nameservers. DNSSEC unsigned. The domain's DMARC policy was set to p=quarantine, but the action taken was none. The Reply-To address diverged from the From address: verizonpath50@twinklystonexg[.]blog, a classic indicator of infrastructure that routes replies to a different handler than the one that sent the bait.
The email originated from IP 5[.]255[.]100[.]51 in the Netherlands (no reverse DNS) and routed through AppRiver's SecureTide gateway before reaching Microsoft 365. Here is where the authentication story splits.
At the AppRiver layer, SPF and DKIM were evaluated against the originating IP (5[.]255[.]100[.]51) and passed. AppRiver's ML model scored the message at 0.676 (67.6% suspicious), classified it as VALID, and forwarded it.
At the Microsoft protection layer, authentication was re-evaluated against the AppRiver relay IP (8[.]31[.]233[.]206). That IP is not authorized for twinklystonexg[.]blog. SPF failed. DKIM failed (body hash mismatch). DMARC failed. The composite authentication result returned compauth=none, reason=405.
Despite the triple failure, the email was delivered to the inbox with SCL=-1, the spam confidence level Microsoft assigns when a message bypasses spam filtering entirely rather than being scored.
A relay gateway and a receiving gateway each made locally correct decisions that produced a globally wrong outcome. CISA's phishing guidance emphasizes defense in depth, but depth only works when each layer shares context with the next. AppRiver passed the message. Microsoft saw the failures but did not act on them. The recipient saw a branded Verizon email in their inbox.
AppRiver's EdgePilot link protection added a third layer of almost-detection. The "Validate & Claim Now" link was rewritten through link[.]edgepilot[.]com for click-time scanning. But wrapping a URL is not the same as blocking it. The destination (hxxp://www[.]twinklystonexg[.]blog/akub8) was still accessible. The wrapping added a proxy without a verdict.
Same-Day Infrastructure, Zero Reputation History
The attacker's domain choice maps to T1583.001 (Acquire Infrastructure: Domains). Registering twinklystonexg[.]blog the same day as the attack means zero reputation history. No abuse reports. No blocklist entries. No historical DNS data for threat feeds to correlate against.
The Microsoft Digital Defense Report 2024 highlighted that newly registered domains remain a persistent evasion technique because reputation-based systems need historical data to function. Combined with privacy-protected WHOIS and Cloudflare's anycast DNS, the attacker created an identity that was technically valid but entirely disposable.
The IBM Cost of a Data Breach Report 2024 found that the average cost of a phishing-originated breach reached $4.88 million. Attacks like this one, where the credential harvesting page sits behind a same-day domain with no detection history, represent the first link in that chain.
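The following Python is an added, defender-side illustration and is not code from the original write-up or from any of the products it names. It pulls the signals described in the two sections above out of a message's headers: the From/Reply-To divergence, the per-hop Authentication-Results that show SPF passing at the relay and failing at the receiver, the compauth=none result, the SCL=-1 bypass, and the age of the sending domain. The headers, the dates and the relay authserv-id relay.example are constructed to mirror the values on the page, and registration dates are supplied as a lookup table; a real deployment would query RDAP or WHOIS for them.

```python
"""Cross-layer phishing signals from message headers (added example, constructed data)."""
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr

# Constructed headers that mirror the values in the write-up. "relay.example" is a
# placeholder authserv-id for the upstream gateway; the real one is not on the page.
# Each hop prepends its own Authentication-Results header, so the first header is
# the final receiver (Microsoft 365) and the last one is the upstream relay.
SAMPLE_HEADERS = """\
From: "Verizon Updates" <verizonpath@twinklystonexg.blog>
Reply-To: <verizonpath50@twinklystonexg.blog>
Subject: Points update regarding your account
Authentication-Results: spf=fail (sender IP is 8.31.233.206) smtp.mailfrom=twinklystonexg.blog; dkim=fail (body hash did not verify) header.d=twinklystonexg.blog; dmarc=fail action=none header.from=twinklystonexg.blog; compauth=none reason=405
Authentication-Results: relay.example; spf=pass (sender IP is 5.255.100.51) smtp.mailfrom=twinklystonexg.blog; dkim=pass header.d=twinklystonexg.blog
X-MS-Exchange-Organization-SCL: -1

"""

# Constructed dates: the page says the domain was registered the day of the attack.
SAMPLE_TODAY = date(2025, 1, 15)
SAMPLE_REGISTRATIONS = {"twinklystonexg.blog": date(2025, 1, 15)}

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=(\w+)")


def parse_auth_hops(msg):
    """Return one {method: result} dict per Authentication-Results header, final hop first."""
    return [dict(AUTH_RE.findall(v)) for v in msg.get_all("Authentication-Results", [])]


def sender_domain(addr_header):
    """Lowercase domain part of an address header value ('' if absent)."""
    return parseaddr(addr_header or "")[1].rpartition("@")[2].lower()


def assess(raw_headers, today=SAMPLE_TODAY, registrations=SAMPLE_REGISTRATIONS):
    """Collect the signals each layer saw in isolation and return them as one list."""
    msg = message_from_string(raw_headers)
    findings = []

    # Replies routed to a different mailbox than the one that sent the bait.
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_addr and reply_addr != from_addr:
        findings.append("reply-to-divergence")

    hops = parse_auth_hops(msg)
    final = hops[0] if hops else {}
    if all(final.get(m) == "fail" for m in ("spf", "dkim", "dmarc")):
        findings.append("triple-auth-failure")
    if final.get("compauth") == "none":
        findings.append("compauth-none")
    # The split: the relay evaluated SPF against the origin IP and passed it; the
    # receiver re-evaluated against the relay's IP, which the domain never authorized.
    if len(hops) > 1 and hops[-1].get("spf") == "pass" and final.get("spf") == "fail":
        findings.append("auth-split-across-relay")

    # SCL -1 means the receiver skipped spam filtering instead of scoring the message.
    scl = msg.get("X-MS-Exchange-Organization-SCL")
    if scl is not None and int(scl.strip()) == -1:
        findings.append("spam-filter-bypassed")

    # Same-day or week-old registrations have no reputation history to correlate.
    registered = registrations.get(sender_domain(msg.get("From")))
    if registered is not None and (today - registered).days <= 7:
        findings.append("newly-registered-sender-domain")
    return findings


def verdict(findings):
    """Quarantine on a full authentication failure at the receiver or on three or more signals."""
    if "triple-auth-failure" in findings or len(findings) >= 3:
        return "quarantine"
    return "deliver" if not findings else "flag"


if __name__ == "__main__":
    signals = assess(SAMPLE_HEADERS)
    print(signals, "->", verdict(signals))
```

The point of `verdict` is that no single signal decides: a Reply-To that differs from From is routine for newsletters and ticketing systems, and a new domain alone is not malicious, but the receiver's own triple failure, or several weak signals together, is what each gateway in the write-up had in hand and did not act on.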
What Caught It
IRONSCALES Adaptive AI classified this email as phishing at 83% confidence. Themis flagged two labels: Credential Theft and VIP Recipient.
The detection did not depend on authentication results or URL scanning. It depended on signals that exist outside the email itself.
Sender risk was high. The domain was new, the sender had no established communication pattern with the recipient organization, and the From/Reply-To divergence matched known phishing infrastructure patterns. Community intelligence from 35,000+ security professionals across the IRONSCALES network confirmed that similar Verizon reward-point campaigns had been reported and classified as phishing by other organizations. That cross-organizational evidence is something no single-tenant gateway can replicate.
The email was quarantined. The credential harvesting page behind twinklystonexg[.]blog/akub8 never received a click from this organization.
When Every Layer Sees Part of the Problem
This case is a study in partial detection across a security stack. AppRiver's ML model scored the email at 67.6% suspicious but classified it as valid. Microsoft's authentication layer failed SPF, DKIM, and DMARC but delivered the message anyway. EdgePilot wrapped the malicious link but did not block it. Each system identified a signal. None acted decisively on it.
The NIST definition of phishing frames these attacks as techniques that "lure victims into revealing sensitive information." The lure here was crude. The infrastructure was disposable. The authentication was damning. And still, without behavioral detection operating on sender relationships and community intelligence, this email sits in an inbox until someone clicks.
Security teams evaluating their stack against attacks like this should ask three questions. Does your gateway act on triple authentication failure, or defer to content scoring? Does your link protection render a verdict at delivery time, or only at click time? Does your detection model incorporate cross-organizational intelligence, or does it operate on single-tenant data alone?
The attacker spent a few dollars on a Namecheap domain, stitched together a template badly enough to include kitchen drawer instructions, and still reached the inbox through three security layers. The gap is not any one product. The gap is the space between them.
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Domain | twinklystonexg[.]blog | Attacker sending domain, registered same day as attack via Namecheap, Cloudflare NS, privacy-protected |
| Email | verizonpath@twinklystonexg[.]blog | From address, Verizon impersonation |
| Email | verizonpath50@twinklystonexg[.]blog | Reply-To address, divergent handler |
| URL | hxxp://www[.]twinklystonexg[.]blog/akub8 | Credential harvesting destination |
| URL | hxxps://link[.]edgepilot[.]com/x/0L8tSBcbjkUQ6g6ePsqy4Fo | EdgePilot-wrapped phishing link |
| IP | 5[.]255[.]100[.]51 | Origin sending IP, Netherlands, no rDNS |
| IP | 8[.]31[.]233[.]206 | AppRiver relay IP, SPF failure at Microsoft layer |
MITRE ATT&CK Mapping
| Technique | ID | Application |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | Credential harvesting link disguised as Verizon reward portal |
| Acquire Infrastructure: Domains | T1583.001 | Same-day domain registration on Namecheap with privacy protection |
| Masquerading | T1036 | Verizon brand impersonation with fabricated member ID and point balance |