The email arrived as a voicemail notification. A blue "Listen to Voicemail" button sat centered in the body, the kind of prompt that looks identical to dozens of legitimate unified-communications alerts that land in enterprise inboxes every day. The greeting line read "Dear [username]," pulling the recipient's local-part directly from the email address, a formatting shortcut that no real voicemail system uses.
Three domains appeared across the sender fields, and none of them agreed. The visible From header showed [user][@]atcl[.]net. The Return-Path pointed to hansabusad[.]com. The incident metadata recorded the reported sender as voicemessage[@]advancedch[.]com. SPF returned none for the envelope domain, DKIM was entirely absent, and DMARC failed for the header-from domain. Every authentication check either came back empty or negative, yet the message still reached its target.
Below the voicemail button, the email took an unexpected turn. Paragraphs of French corporate correspondence appeared, complete with attorney confidentiality disclaimers and references to a European banking institution. The content had no connection to the voicemail lure. It had been stitched in from an unrelated thread.
The voicemail button pointed to hxxps://public-usa[.]mkt[.]dynamics[.]com/api/orgs/e4241026-9a56-f111-b7ac-000d3a5b3138/r/-R-sm3YQJkC5DNBg0JkBAAMAAAA, a URL hosted on Microsoft Dynamics Marketing infrastructure. This is a legitimate Microsoft platform used by thousands of organizations for marketing automation, and that legitimacy is exactly why attackers target it.
The landing page did not redirect immediately. Instead, it presented a "Verify you are human" CAPTCHA challenge. This is a deliberate anti-analysis technique. Automated URL scanners that follow links during email inspection hit the CAPTCHA wall and report the page as benign or unreachable. Human victims complete the check and proceed to whatever credential-harvesting form or redirect chain waits behind it.
The Dynamics CRM platform has been documented as an abuse vector in credential-harvesting campaigns since at least 2024. Attackers gain access through compromised tenant accounts or free trial signups, host their phishing pages, and benefit from the domain reputation that mkt.dynamics.com carries with URL filtering services.
The message also included an ICS calendar attachment (invite.ics, 588 bytes). The file scanned clean with no embedded HTTP links, but its description field read "Please review the attached document," a social-engineering nudge pointing victims back to the email body and the voicemail button. The ICS file referenced no actual document.
An X-Relaying-Domain header value of kovosrot-cz[.]eu appeared in the transport chain, an unexpected Czech domain with no obvious connection to any of the three sender identities. The sending IP 209[.]85[.]128[.]227 resolved to a Google mail server (mail-yw1-f227.google.com), indicating the message was relayed through Google SMTP before reaching the recipient's Microsoft 365 environment.
This attack maps to MITRE ATT&CK T1566.002 (Phishing: Spearphishing Link) for the credential-harvesting lure, and T1585.001 (Establish Accounts: Social Media Accounts) for the abuse of a legitimate platform to host the payload.
Traditional gateway filters saw a Microsoft-hosted URL, a clean calendar attachment, and a message body padded with legitimate-looking corporate text. The authentication failures alone were not enough to block delivery in many configurations, because SPF none is treated as a soft signal rather than a hard block by most policies.
Themis, our Adaptive AI, flagged the message on multiple behavioral dimensions. The triple domain mismatch across sender fields is a pattern that content-based filters miss but behavioral models weigh heavily. The username-style greeting, the mismatch between the voicemail lure and the stitched-in corporate thread, and the first-time sender status all contributed to a composite risk score that exceeded the threshold.
Community intelligence reporting from across the platform confirmed that mkt.dynamics.com hosting patterns were appearing in multiple campaigns during this period. That cross-tenant signal accelerated classification for organizations that had not yet seen the specific URL variant.
Research shows that 67.5 phishing emails per 100 mailboxes per month bypass traditional secure email gateways. Platform-hosted payloads behind CAPTCHA gates represent one of the more effective bypass techniques because they exploit the trust that URL scanners place in major SaaS domains.
Voicemail phishing is not new, but the infrastructure layering in this campaign reflects a maturation in delivery tactics. Three mismatched domains, a legitimate SaaS hosting platform, CAPTCHA gating to block automated analysis, and stitched-in thread content to pad the body: each layer serves a specific evasion purpose.
Defenders should treat mkt.dynamics.com URLs with the same scrutiny applied to any redirector. CAPTCHA presence on a landing page is itself a risk signal when the referring email is unsolicited. And any message where From, Return-Path, and envelope sender disagree across three different domains should be escalated regardless of content.
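One way to operationalise that escalation rule, as an added example that is not part of the original write-up: the triage function below parses a constructed message modelled on the campaign's headers (the address, domain and recipient values are stand-ins, not the real message) and flags the From/Return-Path domain mismatch, the SPF none, DKIM absent and DMARC fail results, and the "Dear [username]," greeting built from the recipient's local-part.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the headers described above; not the original message.
# The third identity (the "reported sender") lives in incident metadata, not in headers,
# so only the From and Return-Path domains are compared here.
RAW_MESSAGE = b"""From: "Voicemail" <user@atcl.net>
Return-Path: <bounce@hansabusad.com>
Authentication-Results: spf=none (sender IP is 209.85.128.227) smtp.mailfrom=hansabusad.com;
 dkim=none (message not signed) header.d=none;
 dmarc=fail action=none header.from=atcl.net
X-Relaying-Domain: kovosrot-cz.eu
To: jdoe@example.test
Subject: New voicemail received
Content-Type: text/plain; charset=utf-8

Dear jdoe,
You have a new voicemail. Listen to Voicemail
"""

def domain_of(addr: str) -> str:
    """Lower-cased domain part of an RFC 5322 address, or '' if there is none."""
    _, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()

def triage(raw: bytes) -> dict:
    """Return the behavioural signals the text describes, plus an escalate verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = domain_of(msg.get("From", ""))
    return_path_domain = domain_of(msg.get("Return-Path", ""))
    auth = (msg.get("Authentication-Results", "") or "").lower()
    # Username-style greeting: the recipient's local-part reused as a name.
    to_local = parseaddr(msg.get("To", ""))[1].partition("@")[0].lower()
    body = msg.get_body(preferencelist=("plain",)).get_content()
    findings = {
        "sender_domain_mismatch": from_domain != return_path_domain,
        "spf_none_or_fail": any(t in auth for t in ("spf=none", "spf=fail", "spf=softfail")),
        "dkim_absent": "dkim=none" in auth or "dkim=" not in auth,
        "dmarc_fail": "dmarc=fail" in auth,
        "local_part_greeting": bool(to_local) and f"dear {to_local}," in body.lower(),
    }
    # Mismatched sender domains plus a failed or empty authentication result is the
    # combination the text says should be escalated regardless of content.
    findings["escalate"] = findings["sender_domain_mismatch"] and (
        findings["dmarc_fail"] or findings["spf_none_or_fail"]
    )
    return findings
```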
| Indicator | Type | Context |
|---|---|---|
| [user][@]atcl[.]net | Email (From header) | Visible sender identity |
| hansabusad[.]com | Domain (Return-Path) | Envelope sender domain, SPF=none |
| voicemessage[@]advancedch[.]com | Email (reported sender) | Third sender identity in metadata |
| kovosrot-cz[.]eu | Domain (X-Relaying-Domain) | Unexpected relay domain in headers |
| hxxps://public-usa[.]mkt[.]dynamics[.]com/api/orgs/e4241026-9a56-f111-b7ac-000d3a5b3138/r/-R-sm3YQJkC5DNBg0JkBAAMAAAA | URL | Voicemail playback button target, CAPTCHA-gated |
| 209[.]85[.]128[.]227 | IP | Sending IP, rDNS: mail-yw1-f227.google.com |