The email came from no-reply@wufoo[.]com. Wufoo is a legitimate SaaS form-builder platform owned by SurveyMonkey. The message passed SPF. It passed DKIM. It passed DMARC. Every authentication signal pointed to a clean, trusted delivery. The filter had nothing to catch.
The malicious payload was not in the sender. It was in the link.
The subject line read "[EXTERNAL]_Electronic Records Alert: Action Needed." The body described a document titled "SWIFT_Transaction_Summary" requiring an e-signature from the recipient, a senior managing director at a staffing and consulting firm. The framing was a transaction-authorization workflow, the kind of request a finance-adjacent executive sees regularly enough that the pattern looks plausible.
The link embedded in the Wufoo form pointed to hxxps://benefitsinsight[.]com[.]es/re/re1[.]php. By the time the incident was analyzed, Cloudflare had blocked that URL. IRONSCALES threat intelligence had already returned a malicious verdict.
The .com.es domain structure is a known attacker preference. "benefitsinsight.com.es" is not a Spanish commercial entity. It is a name registered in the com.es second-level space beneath Spain's .es country-code TLD, so the "com" label is part of the registry's namespace rather than a .com registration; the choice counts on a reader who scans the address, sees ".com", and stops reading. The /re/re1.php path structure is consistent with a redirect or form-collection handler, typical of credential-harvest landing pages.
The email relayed through SparkPost (a Salesforce-owned transactional email provider) via sending IP 192[.]174[.]81[.]59. SparkPost is a legitimate ESP with a strong sender reputation. Routing the message through SparkPost added another layer of trust to a message that already came from Wufoo's authenticated domain.
Inside the email body, a SurveyMonkey tracking pixel was embedded. This is technically unusual for a Wufoo notification: the form platform itself does not natively include SurveyMonkey open-tracking pixels. Its presence suggests the attacker deliberately instrumented the email to log which recipients opened it, feeding a prioritization list for follow-up targeting.
The full stack here is: Wufoo form platform (authenticated sending domain) + SparkPost relay (trusted ESP) + SurveyMonkey pixel (open tracking) + .com.es credential-harvest page (attacker endpoint). Each layer borrows legitimacy from a real vendor to move the attacker closer to the credential-theft moment.
MITRE ATT&CK T1598 (Phishing for Information) and T1566.002 (Spearphishing Link) describe this two-stage approach: a lure that passes delivery filters leading to a destination that captures credentials.
SPF, DKIM, and DMARC are email authentication standards. They confirm that a message came from an authorized sender for the domain and was not modified in transit. They do not evaluate attacker intent, destination URLs, or whether the platform sending the email was abused. When an attacker uses Wufoo legitimately, the authentication for wufoo.com is real.
The Verizon 2026 Data Breach Investigations Report found that 39% of breaches involve credentials across the kill chain. Credential-harvest pages behind SaaS-laundered emails are a primary collection mechanism because the sending path is clean and the malicious moment happens outside the email, at the destination URL, which many SEGs never see at click time.
IRONSCALES platform data shows SEGs miss approximately 67.5 phishing emails per 100 mailboxes per month. Cases like this are a significant contributor: no spoofed sender, no malicious attachment, a single link buried in a form notification that the gateway had no reason to detonate.
IRONSCALES detected this with a 90% Themis confidence score, labeling it "Credential Theft" and surfacing community-intelligence signals that had flagged the benefitsinsight[.]com[.]es destination previously. The detection was post-delivery behavioral: the mismatch between the Wufoo-style delivery pattern and the non-Wufoo destination domain was anomalous against the organization's normal Wufoo notification history. The IRONSCALES Adaptive AI platform examines link destination context independently of the sending domain's reputation, which is the only layer that catches this class of SaaS-laundered phishing.
Credential harvesting protection requires examining where an email sends recipients, not just who sent it. A filter that trusts Wufoo entirely because wufoo.com passes authentication will not catch a Wufoo form that links out to an attacker-registered .com.es page.
Organizations should configure their email security tooling to inspect all outbound link destinations at click time, not just at delivery. For finance and executive-tier recipients, any e-sign or payment-authorization request arriving from a platform your organization does not have an active contract with should trigger a secondary verification step before clicking.
The IRONSCALES credential harvesting protection layer inspects link destinations independently of sender reputation, catching the redirect to benefitsinsight[.]com[.]es as a malicious endpoint even when the delivery path was clean. The IBM Cost of a Data Breach 2024 report puts stolen credentials as the most common initial access vector in analyzed breaches at $4.88 million average cost per incident.
For security teams, the SWIFT e-sign lure pattern should trigger an internal policy review: does your organization ever send SWIFT transaction approvals via a public form builder? If the answer is no, that process expectation itself becomes a detection rule.
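The checks described above (authentication passes but the link destination does not belong to the sending platform, the .com.es naming pattern, and the policy rule that SWIFT approvals never arrive through a public form builder) can be expressed as a small post-delivery analyzer. The following is an added example written for this article; it is not IRONSCALES code and does not reproduce its Themis scoring. The message is constructed from the indicators in the write-up, the tracking pixel host `pixel.example` is a stand-in, the clean Wufoo notification is invented, and the mapping of sender platforms to the link domains their genuine notifications carry (`PLATFORM_LINK_DOMAINS`) is an assumption an organization would fill from its own mail history.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption (not from the article): link hostnames a genuine notification
# from each sending platform is expected to carry. Populate from your own
# history of legitimate notifications.
PLATFORM_LINK_DOMAINS = {"wufoo.com": ("wufoo.com",)}

# Public form builders: the article's policy rule is that SWIFT transaction
# approvals never arrive from one of these.
FORM_BUILDER_DOMAINS = {"wufoo.com"}
LURE_TERMS = ("swift", "e-sign", "e-signature", "transaction")

# Constructed sample modelled on the incident (indicators from the write-up,
# everything else synthetic; pixel.example stands in for the tracking pixel).
PHISH_EMAIL = """From: no-reply@wufoo.com
To: md@example-firm.test
Subject: [EXTERNAL]_Electronic Records Alert: Action Needed
Authentication-Results: mx.example-firm.test;
 spf=pass smtp.mailfrom=wufoo.com;
 dkim=pass header.d=wufoo.com;
 dmarc=pass header.from=wufoo.com
Content-Type: text/html; charset="utf-8"

<html><body>
<p>SWIFT_Transaction_Summary requires your e-signature.</p>
<a href="https://benefitsinsight.com.es/re/re1.php">Review and sign</a>
<img src="https://pixel.example/open.gif" width="1" height="1">
</body></html>
"""

# Constructed clean notification: same sender, links stay on the platform.
CLEAN_EMAIL = """From: no-reply@wufoo.com
To: md@example-firm.test
Subject: New entry received
Authentication-Results: mx.example-firm.test;
 spf=pass smtp.mailfrom=wufoo.com; dkim=pass header.d=wufoo.com; dmarc=pass header.from=wufoo.com
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://acme.wufoo.com/entries/123">View entry</a></body></html>
"""


def parse_auth_results(header):
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    return {m: (re.search(rf"\b{m}=(\w+)", header) or [None, "none"])[1]
            for m in ("spf", "dkim", "dmarc")}


def extract_urls(html):
    """Every href/src target in the HTML body (links and pixels alike)."""
    return re.findall(r'(?:href|src)="([^"]+)"', html)


def host_belongs_to(host, domains):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def suffix_warning(host):
    """Flag a gTLD-looking label nested under a ccTLD (e.g. *.com.es).
    Such spaces exist legitimately (co.uk, com.au), so this is a review
    signal, not a verdict on its own."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and labels[-2] in {"com", "net", "org"} and len(labels[-1]) == 2:
        return f"gTLD-style label under ccTLD: .{labels[-2]}.{labels[-1]}"
    return None


def analyze(raw):
    """Trust the sender authentication, then judge the message by where its
    links go and by the lure/platform pairing."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = parse_auth_results(str(msg["Authentication-Results"] or ""))
    sender_domain = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    expected = PLATFORM_LINK_DOMAINS.get(sender_domain, (sender_domain,))
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    findings = []
    for url in extract_urls(html):
        host = urlparse(url).hostname or ""
        if not host_belongs_to(host, expected):
            findings.append(f"link to {host} is not on sending platform {sender_domain}")
        if (w := suffix_warning(host)):
            findings.append(f"{host}: {w}")
    text = (str(msg["Subject"]) + " " + html).lower()
    if sender_domain in FORM_BUILDER_DOMAINS and any(t in text for t in LURE_TERMS):
        findings.append("transaction/e-sign lure delivered via a public form builder")
    return {"auth": auth, "auth_all_pass": all(v == "pass" for v in auth.values()),
            "sender_domain": sender_domain, "findings": findings,
            "verdict": "suspicious" if findings else "clean"}


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("clean", CLEAN_EMAIL)):
        r = analyze(raw)
        print(name, r["verdict"], r["auth"], *r["findings"], sep="\n  ")
```

The point the output makes is the article's: both messages authenticate identically, and only the link-destination and lure checks separate them. The tracking pixel is flagged as off-platform too, which matches the observation that a genuine Wufoo notification does not carry one.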
| Type | Indicator | Context |
|---|---|---|
| URL | hxxps://benefitsinsight[.]com[.]es/re/re1[.]php | Attacker credential-harvest landing page (Cloudflare blocked, verdict malicious) |
| Sender | no-reply@wufoo[.]com | Legitimate platform abused (not attacker-owned) |
| IP | 192[.]174[.]81[.]59 | SparkPost relay (legitimate ESP) |
| Lure subject | [EXTERNAL]_Electronic Records Alert: Action Needed | SWIFT e-sign social engineering |
---
Sources: Verizon DBIR 2026 | IBM Cost of a Data Breach 2024 | MITRE ATT&CK T1566.002 | MITRE ATT&CK T1598 | CISA Phishing Guidance