Threat Intelligence

A Webflow Subdomain, a Fake OneDrive Page, and a Dental Clinic's Hijacked Email

Written by Audian Paxson | Feb 20, 2026 11:00:00 AM
TL;DR A phishing campaign sent from a compromised dental clinic account used Paubox-encrypted delivery and a Webflow-hosted OneDrive lookalike to target a managed security provider. The email passed SPF and DKIM checks, but an ARC body-hash mismatch and missing DMARC record revealed the abuse. The Webflow landing page displayed a fake RFP proposal document with a secondary credential-harvest link. Themis flagged the attack at 85% confidence based on language pattern analysis.
Severity: High | Tags: Credential Harvesting, Trusted Platform Abuse | MITRE ATT&CK: T1566.002, T1598.003, T1583.006, T1586.002

The document name field was blank. The "View file" button pointed to a Webflow subdomain. And the email passed SPF and DKIM without a hitch.

That is the anatomy of a phishing email designed to fool security professionals, not just end users. In March 2026, IRONSCALES detected a credential-harvesting campaign that combined a compromised healthcare provider's email account, Paubox encrypted delivery, and a Webflow-hosted OneDrive impersonation page. The target: an employee at a managed security services firm.

The attack demonstrates a growing trend in phishing operations. Rather than registering throwaway domains or spinning up disposable infrastructure, threat actors are parking their phishing pages on trusted SaaS platforms where URL reputation is inherited for free.

The Email That Passed Every Gateway Check

The message arrived with the subject line "Document shared with you" and displayed Microsoft OneDrive branding, complete with the standard file-share notification layout. It claimed a document had been shared, urged the recipient to "preview or download the file," and warned the link would expire in five days.

The sender appeared to be a dental specialist at a periodontics practice in Dallas, Texas. The sending domain had been registered since 2010, and its outbound mail was routed through Paubox, a HITRUST-certified encrypted email provider commonly used in healthcare. SPF passed. DKIM passed. The message was encrypted with 256-bit AES.

On paper, this email looked cleaner than most legitimate messages.

But two authentication signals told a different story. ARC (Authenticated Received Chain) validation returned a body-hash mismatch: the body the recipient received did not match the body that an earlier relay had signed into the ARC chain. And the sending domain published no DMARC record at all, so receiving servers had no domain-level policy telling them what to do with a message that fails authentication.

Why Webflow Is the New Phishing Playground

The "View file" button did not link to Microsoft. It pointed to proposal-document-ed0aaa[.]webflow[.]io, a subdomain on Webflow's free-tier infrastructure.

This is the core of the technique. Webflow subdomains inherit the domain reputation of webflow[.]io. Most Secure Email Gateways (SEGs) and URL scanners treat Webflow as a legitimate web design platform, which it is. That trust is exactly what attackers exploit. According to the Microsoft Digital Defense Report 2024, abuse of legitimate hosting services for phishing infrastructure has surged as defenders have gotten better at blocking newly registered domains.

The Webflow landing page itself was a two-stage credential harvest. It displayed an "RFP Proposal Document" header, a thumbnail image of a PDF (labeled 201408281230.pdf), and a "VIEW DOCUMENT" link. The page carried the "Made in Webflow" badge in the bottom corner, a detail that most recipients would overlook or even interpret as a sign of legitimacy.

Notice what the attacker did here: the email impersonated OneDrive to get the click, then the Webflow page pivoted to a different pretext (an RFP proposal) to justify a second click. Two layers of social engineering, two separate trust signals, and zero attacker-owned domains in the chain.


Dissecting the Authentication Gaps

The relay path tells the full story. The message originated from a Google Workspace account (mail-ej1-f71[.]google[.]com), was routed through Paubox's encrypted outbound MTA (outbound3-encrypted-mta[.]paubox[.]com at 165[.]140[.]171[.]134), and delivered to the recipient's Google Workspace environment.

Every hop was legitimate infrastructure. The SPF record for the sending domain explicitly includes _spf[.]paubox[.]com and _spf[.]google[.]com. The DKIM signature used a Paubox selector and validated correctly.

The ARC body-hash mismatch is the critical signal. An ARC-Message-Signature carries a hash of the body as the sealing intermediary saw it; when the final receiver recomputes that hash over the delivered body and gets a different value, the body changed somewhere after that hop. Here the DKIM signature with the Paubox selector still verified, so the delivered body is the one Paubox signed, and the ARC signature was computed over a different one: the two signing points saw different content. Paubox's encryption gateway may introduce legitimate transformations, and that ambiguity is precisely what attackers count on, because a body-hash failure that might be benign tends to get waved through. The Verizon 2024 Data Breach Investigations Report lists phishing among the leading initial access vectors, and authentication results that are easy to explain away are one reason such messages keep reaching inboxes.
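To make the body-hash signal from the two paragraphs above concrete, here is an added example (not code from IRONSCALES, Paubox, or the original post) that computes the bh= value the way DKIM and ARC-Message-Signature do under RFC 6376 relaxed canonicalization and checks a delivered body against the hashes carried by each signature. The sample bodies and the hop layout (an ARC set sealed before an encryption gateway rewraps the message, a DKIM signature applied by the gateway afterwards) are constructed assumptions for illustration.

```python
import base64
import hashlib
import re


def relaxed_body_canon(body: str) -> bytes:
    """RFC 6376 'relaxed' body canonicalization: collapse runs of whitespace
    to one space, drop trailing whitespace on each line, drop trailing empty
    lines, and terminate every remaining line with CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b""  # an empty body canonicalizes to the empty string
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body: str) -> str:
    """The bh= tag value a DKIM-Signature or ARC-Message-Signature carries:
    base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(relaxed_body_canon(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def check_chain(signed_hashes, received_body):
    """For each signature, in the order the hops added it, report whether its
    bh= matches the body the final receiver actually got. A pattern such as
    {'arc-ams': False, 'dkim': True} says the two signers saw different bodies."""
    actual = body_hash(received_body)
    return {hop: (bh == actual) for hop, bh in signed_hashes}


# Constructed sample bodies (assumption, not the real campaign content).
ORIGINAL_BODY = (
    "A document has been shared with you.\r\n"
    "Preview or download the file before the link expires in 5 days.\r\n"
)
# Whitespace-only drift that an MTA might introduce: relaxed canon absorbs it,
# so this is NOT what a body-hash mismatch looks like.
REWRAPPED_BODY = ORIGINAL_BODY.replace("has been", "has   been") + "\r\n\r\n"
# A substantive change, e.g. a gateway appending its own notice: this IS.
WRAPPED_BODY = ORIGINAL_BODY + "\r\n-- \r\nSent securely via encrypted email.\r\n"

ARC_BH = body_hash(ORIGINAL_BODY)   # what the earlier hop sealed (assumed)
DKIM_BH = body_hash(WRAPPED_BODY)   # what the gateway signed after wrapping (assumed)

if __name__ == "__main__":
    print(check_chain([("arc-ams", ARC_BH), ("dkim", DKIM_BH)], WRAPPED_BODY))
```

The point of the REWRAPPED_BODY case is that relaxed canonicalization already tolerates whitespace changes, so an ARC body-hash failure means bytes of content moved, not that a relay reflowed a line; that is why the signal deserves more than a "gateway noise" dismissal.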

The absent DMARC record compounds the problem, though not in the way it is often described. DMARC tells receivers what to do when neither SPF nor DKIM passes in alignment with the From domain, and it sends the domain owner aggregate reports of who is sending as them. With no record, there is no p=quarantine or p=reject to fall back on and nobody at the practice is watching the reports. It would not have stopped this particular message: it came from the genuine account through authorized infrastructure with an aligned DKIM signature, so it would have passed DMARC even at p=reject. What the missing record does reveal is a domain with no email-authentication hygiene, which is exactly the kind of domain attackers prefer to operate from, whether by spoofing it outright or by hijacking one of its mailboxes. The FBI IC3 2024 Annual Report documented $2.9 billion in BEC losses, and weak email authentication remains a contributing factor in those cases.

MITRE ATT&CK Mapping

This attack maps to several techniques in the MITRE ATT&CK framework:

  • T1566.002 (Phishing: Spearphishing Link): The email contained a link to an external credential-harvest page rather than a malicious attachment.
  • T1598.003 (Phishing for Information: Spearphishing Link): The Webflow landing page was designed to collect credentials through a fake document portal.
  • T1583.006 (Acquire Infrastructure: Web Services): The attacker registered a free-tier Webflow site at a purpose-built subdomain to host the phishing page, using a legitimate web service as disposable infrastructure. (The original mapping to T1585.001, Social Media Accounts, does not fit a Webflow site.)
  • T1586.002 (Compromise Accounts: Email Accounts): The message was sent from a hijacked mailbox at the dental practice, giving the campaign a 16-year-old domain and a valid Paubox SPF and DKIM path.

Indicators of Compromise

Type                Value
Phishing URL        hxxps://proposal-document-ed0aaa[.]webflow[.]io/
Sender Email        drtomlin@parkcitiesperio[.]com
Sending IP          165[.]140[.]171[.]134
DKIM Selector       paubox (domain: parkcitiesperio[.]com)
Landing Page File   201408281230.pdf (displayed, not attached)
Subject Line        "Document shared with you"

What This Attack Teaches Defenders

First, URL reputation alone is not a detection strategy. When phishing pages live on Webflow, Google Sites, Notion, or any other trusted SaaS platform, domain-based blocklists are blind. Two tells in this message were cheap to check and had nothing to do with reputation: the "View file" link resolved to a webflow[.]io subdomain, and a OneDrive-branded notification pointed nowhere near a Microsoft domain. Organizations need analysis that evaluates what a page does and whether the link matches the brand the message claims, not just where the page lives.

Second, ARC failures deserve attention. Many security teams dismiss ARC body-hash mismatches as noise from gateway transformations. In this case, the mismatch was one of only two authentication signals (alongside the missing DMARC record) that distinguished this phishing email from a legitimate message. Security operations teams should build detection logic that flags ARC failures in combination with other low-confidence indicators, such as links to free hosting platforms and brand-to-link mismatches, rather than on their own.
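The multi-signal logic this lesson and the Webflow section argue for, as an added example (not IRONSCALES code and not a vendor detection rule): it parses an Authentication-Results header, extracts the links from the HTML body, and combines an ARC body-hash failure, a missing DMARC policy, a link host on a free hosting platform, and a brand-to-link mismatch into one score. The header and HTML samples are constructed, the platform and brand-domain lists are small illustrative assumptions rather than a real feed, and the weights and threshold are arbitrary.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for the demo: a tiny vocabulary, not a maintained feed.
FREE_HOSTING_PLATFORMS = ("webflow.io", "sites.google.com", "notion.site")
BRAND_DOMAINS = {
    "onedrive": ("onedrive.live.com", "1drv.ms", "sharepoint.com", "microsoft.com"),
}
QUARANTINE_THRESHOLD = 5

# method=result (optional comment), e.g. "arc=fail (body hash mismatch)"
AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc|arc)=(\w+)(?:\s*\(([^)]*)\))?")


def parse_auth_results(header: str) -> dict:
    """Return {method: (result, comment)} from an Authentication-Results value."""
    return {m.group(1): (m.group(2).lower(), (m.group(3) or "").lower())
            for m in AUTH_RESULT_RE.finditer(header)}


class LinkExtractor(HTMLParser):
    """Collect <a href> targets and visible text from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)

    def handle_data(self, data):
        self.text.append(data)


def is_subdomain_of(host: str, parent: str) -> bool:
    return host == parent or host.endswith("." + parent)


def triage(auth_results: str, html_body: str) -> dict:
    """Combine individually weak signals into a single disposition."""
    results = parse_auth_results(auth_results)
    parser = LinkExtractor()
    parser.feed(html_body)
    text = " ".join(parser.text).lower()
    hosts = [(urlparse(u).hostname or "").lower() for u in parser.links]
    signals = []

    arc_result, arc_comment = results.get("arc", ("none", ""))
    if arc_result == "fail" and "body hash" in arc_comment:
        signals.append(("arc_body_hash_mismatch", 2))
    # RFC 8601: dmarc=none means no policy record was found for the domain
    # (distinct from a published p=none); a missing method is treated the same.
    if results.get("dmarc", ("none", ""))[0] in ("none", "permerror"):
        signals.append(("no_dmarc_policy", 1))
    for host in hosts:
        if any(is_subdomain_of(host, p) for p in FREE_HOSTING_PLATFORMS):
            signals.append((f"free_hosting_link:{host}", 2))
    for brand, owned in BRAND_DOMAINS.items():
        if brand in text and hosts and not any(
                is_subdomain_of(h, d) for h in hosts for d in owned):
            signals.append((f"brand_link_mismatch:{brand}", 3))

    score = sum(weight for _, weight in signals)
    return {"signals": [name for name, _ in signals], "score": score,
            "verdict": "quarantine" if score >= QUARANTINE_THRESHOLD else "deliver"}


# Constructed samples modelled on the message described in the post.
SAMPLE_AUTH_RESULTS = (
    "mx.google.com; arc=fail (body hash mismatch); "
    "spf=pass smtp.mailfrom=parkcitiesperio.com; "
    "dkim=pass header.i=@parkcitiesperio.com header.s=paubox; "
    "dmarc=none header.from=parkcitiesperio.com"
)
SAMPLE_HTML = """<html><body><p>Microsoft OneDrive</p>
<p>A document has been shared with you.</p>
<a href="https://proposal-document-ed0aaa.webflow.io/">View file</a>
<p>This link will expire in 5 days.</p></body></html>"""

# A benign control: same branding, links where the brand actually lives.
BENIGN_AUTH_RESULTS = (
    "mx.example.com; arc=pass; spf=pass smtp.mailfrom=contoso.example; "
    "dkim=pass header.i=@contoso.example; dmarc=pass header.from=contoso.example"
)
BENIGN_HTML = """<p>Microsoft OneDrive</p>
<a href="https://onedrive.live.com/?id=abc123">View file</a>"""

if __name__ == "__main__":
    print(triage(SAMPLE_AUTH_RESULTS, SAMPLE_HTML))
    print(triage(BENIGN_AUTH_RESULTS, BENIGN_HTML))
```

No single signal here crosses the threshold on its own, which is the design intent: an ARC failure from a gateway, a legitimate Webflow newsletter, or a domain with no DMARC record are each common in benign mail, and only their combination with a brand-to-link mismatch looks like this campaign.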

Third, DMARC enforcement is still not optional, even though it was not the control that would have stopped this message. The sending domain in this attack was a legitimate dental practice with a 16-year registration history, and a message from its genuine account through its authorized Paubox relay passes DMARC under any policy. What DMARC at enforcement closes is the cheaper route: without it, anyone can spoof the domain from arbitrary infrastructure and receivers have no instruction to reject it, and the domain owner never sees the aggregate reports that would expose either spoofing or a hijacked mailbox sending in bulk. CISA's guidance continues to recommend DMARC at p=reject for all organizations, regardless of size.
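To pin down exactly what DMARC would and would not have done here, this added example (not part of the original post and not a complete RFC 7489 implementation) parses a DMARC TXT record and evaluates a message's disposition from its aligned SPF and DKIM results. It assumes the organizational domain is the last two labels (real evaluators use the Public Suffix List) and ignores the pct and sp tags; the record strings and domains are constructed for the scenarios described in the post.

```python
from typing import Optional, Tuple


def org_domain(domain: str) -> str:
    """Assumption for the demo: organizational domain = last two labels.
    Production code must consult the Public Suffix List instead."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(txt: Optional[str]) -> Optional[dict]:
    """Parse a DMARC TXT record into its tags; None if absent or not DMARC."""
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    tags.setdefault("adkim", "r")  # relaxed alignment is the RFC default
    tags.setdefault("aspf", "r")
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict alignment requires an exact match; relaxed accepts the same
    organizational domain (so mail.example.com aligns with example.com)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record: Optional[str], from_domain: str,
                      spf_pass_domain: Optional[str] = None,
                      dkim_pass_domain: Optional[str] = None) -> Tuple[str, str]:
    """Return (dmarc_result, action). spf_pass_domain / dkim_pass_domain are the
    domains that passed SPF (MAIL FROM) and DKIM (d=), or None if neither did."""
    tags = parse_dmarc(record)
    if tags is None:
        # No policy published: the receiver gets no instruction at all.
        return ("none", "deliver")
    passed = bool(
        (spf_pass_domain and aligned(spf_pass_domain, from_domain, tags["aspf"]))
        or (dkim_pass_domain and aligned(dkim_pass_domain, from_domain, tags["adkim"]))
    )
    if passed:
        return ("pass", "deliver")
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[tags["p"]]
    return ("fail", action)


if __name__ == "__main__":
    dom = "parkcitiesperio.com"
    # 1. The domain as observed: no record at all.
    print(dmarc_disposition(None, dom, dom, dom))
    # 2. Same hijacked-account message if the practice had published p=reject:
    #    aligned DKIM from the real account still passes. DMARC is not the fix here.
    print(dmarc_disposition("v=DMARC1; p=reject", dom, dom, dom))
    # 3. What p=reject does stop: a spoof of the From domain from attacker infrastructure.
    print(dmarc_disposition("v=DMARC1; p=reject", dom, "attacker.example", None))
```

Scenario 2 is the caveat that matters for this campaign: the message carried an aligned, valid DKIM signature for the From domain, so any DMARC policy would have returned pass. Scenario 3 is the attack class DMARC does close, and the reason the recommendation still stands.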

Themis, the IRONSCALES Adaptive AI analyst, flagged this email at 85% confidence based on language and structural analysis. The message was automatically quarantined across all affected mailboxes within seconds of delivery. Four mailboxes received the message. All four were mitigated before any user interaction.

SEGs miss an average of 67.5 phishing emails per 100 mailboxes every month. Attacks like this one, built on legitimate infrastructure with passing authentication, are exactly the messages those gateways let through. The IBM Cost of a Data Breach 2024 report pegs the average breach cost at $4.88 million, and phishing-initiated breaches remain among the most expensive.

The attackers did not need to register a domain. They did not need to compromise a mail server. They just needed a free Webflow account, a hijacked email credential, and a target who trusted OneDrive.

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 30,000+ security professionals. Each post breaks down one attack — what it looked like, why it worked, and what you can do about it.