What is exact display name impersonation in email attacks?

Exact display name impersonation occurs when an attacker sets their email display name to match the real name of a known contact within the target organization. Because most email clients show the display name prominently and hide the actual sending address, recipients see what appears to be a message from a trusted colleague. The attacker's sending domain and authentication are completely separate from the impersonated identity.

Why does Yahoo free-mail pass SPF, DKIM, and DMARC in phishing attacks?

Yahoo is a legitimate email service provider with properly configured authentication records. When an attacker creates a Yahoo account and sends email through Yahoo's infrastructure, SPF validates the sending IP, DKIM confirms Yahoo signed the message, and DMARC alignment passes because the domain matches. Authentication protocols verify infrastructure ownership, not sender identity or intent.

What is SFTY 9.25 in Microsoft email headers?

SFTY 9.25 is a Microsoft safety tip code indicating that the system detected a display name impersonation attempt. Microsoft recognized that the display name matched a known contact but the sending address did not. However, this safety tip is informational and does not automatically block delivery, meaning the email can still reach the recipient's inbox.

How do zero-payload BEC attacks bypass email security?

Zero-payload BEC attacks contain no links, attachments, or malware, which means URL scanners, sandbox detonation, and attachment analysis have nothing to evaluate. The entire attack is social engineering text designed to elicit a response. Detection requires behavioral analysis of sender identity, communication patterns, and request context rather than artifact scanning.

How does sender fingerprinting detect display name impersonation?

Sender fingerprinting builds a profile of known sender identities by tracking which display names are associated with which email addresses over time. When a new email arrives with a familiar display name but from an unfamiliar address, the system flags the mismatch as a potential impersonation attempt, even when all authentication checks pass.

Phishing Email Security IRONSCALES Attack Research AI SOC 2026 Attack of the Day

Perfect Authentication, Zero Payload: The Yahoo Free-Mail BEC That Microsoft Flagged but Didn't Block

Audian Paxson May 9, 2026

TL;DR A threat actor used a Yahoo free-mail account with an exact display name matching a known internal contact to send an account change request to an employee at a state government health agency. The email contained zero links, zero attachments, and zero malware. SPF, DKIM, and DMARC all passed with compauth=100 because Yahoo's infrastructure is legitimate. Microsoft's SFTY:9.25 impersonation safety tip triggered, recognizing the display name mismatch, but did not block delivery. Themis flagged the email at 68% confidence based on sender fingerprint analysis, identifying that the display name was previously associated with a different email address in the recipient's communication history.

Severity: High Bec Impersonation Social Engineering MITRE: {'id': 'T1656', 'name': 'Impersonation'} MITRE: {'id': 'T1598', 'name': 'Phishing for Information'}

The email had no links. No attachments. No embedded images. Just a short message with the subject line "Email Change Request," sent from a Yahoo free-mail account to an employee at a state government health agency.

Every authentication check passed. SPF, DKIM, DMARC, compauth=100. Yahoo's infrastructure is legitimate, and the attacker used it exactly as designed. The only weapon was a display name.

The Name Was Right, the Address Was Wrong

The display name matched a known internal contact, someone the recipient had exchanged email with before. But that contact's real address was on a completely different domain. This message came from ccc_29340@yahoo[.]com, a free-mail account with no connection to the organization.

The subject line, "Email Change Request," was the social engineering payload. The attacker wanted the recipient to respond with updated account or contact details, a classic precursor to account takeover and business email compromise. No technical exploit needed. Just a reply.

Microsoft Saw It, Microsoft Didn't Stop It

The email headers tell a revealing story. Microsoft's own impersonation detection triggered a safety tip (SFTY:9.25), meaning the system recognized the display name was associated with a different known sender address. The Spam Confidence Level sat at 1, well below any quarantine threshold.

Microsoft identified this as a likely impersonation attempt and delivered it anyway. The safety tip is informational, not blocking. For a government employee processing dozens of emails a day, a subtle banner is easy to overlook when the display name looks familiar.

The Signal That Mattered

Themis, the IRONSCALES Adaptive AI, flagged the email at 68% confidence based on sender fingerprint analysis. The platform maintains a history of which display names correspond to which sending addresses. When a known name appeared from an unknown address, the mismatch triggered elevated scrutiny.

This is the detection surface that zero-payload BEC deliberately targets. No artifacts to scan, no URLs to detonate, no files to sandbox. The only signal is behavioral: this name has never come from this address before.

One mailbox was quarantined. The reporter confirmed the message as phishing.

Indicators of Compromise

Type	Indicator	Context
Sender Email	`ccc_29340@yahoo[.]com`	Yahoo free-mail, display name impersonation
SPF	Pass (`34[.]2[.]64[.]18`, sonic.asd.mail.yahoo.com)	Legitimate Yahoo infrastructure
DKIM	Pass (`d=yahoo.com`)	Yahoo-signed
DMARC	Pass (compauth=100)	Full authentication alignment
SFTY	9.25	Microsoft impersonation safety tip triggered
SCL	1	Below quarantine threshold

MITRE ATT&CK Mapping

Technique	ID	Relevance
Impersonation	T1656	Exact display name matched a known internal contact
Phishing for Information	T1598	Account change request designed to elicit sensitive response

Authentication tells you the infrastructure is real. It does not tell you the person is who they claim to be. When the payload is a name and a polite request, the only defense is a system that remembers who sends from where.

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 30,000+ security professionals. Each post breaks down one attack — what it looked like, why it worked, and what you can do about it.

Explore More Articles

Say goodbye to Phishing, BEC, and QR code attacks. Our Adaptive AI automatically learns and evolves to keep your employees safe from email attacks.

For Enterprises

For MSPs & MSSPs

Protect Better

Simplify Operations

Empower Your Org

17,000+ Customers and Counting

Case Studies

Reviews

Osterman Research: AI Trends in Cybersecurity

Case Study: Telit

Our Awards

How IRONSCALES Works

Platform Overview

API Integration

Artificial Intelligence

Human Element

Agentic Capabilities

Agents Overview

Red-Teaming Agent

Phishing SOC Agent

Phishing Simulation Agent

Platform Tours

BY USE CASE

Business Email Compromise

Advanced Malware & URL Attacks

Account Takeover Attacks

Email Encryption

Deepfake Attack Protection

DMARC Management

Phishing Simulation Testing

Security Awareness Training

BY PLATFORM

BY PROJECT

BY INDUSTRY

BY ROLE

LEARN

Blog

Threat Intelligence Center

Cybersecurity Glossary

Resource Library

Guides

Platform Tours

CONNECT

Events

Newsletter

LinkedIn

The Hidden Gaps in SEG Protection

New Gartner® Email Security Magic Quadrant™

Are Deepfake Emails Phishing 3.0?

Phishing Prevention

Spear Phishing

Voice Phishing

BY TYPE

MSPs and MSSPs

Resellers

Technology Partners

ENGAGE

Become Partner

Partner Portal

Partner with IRONSCALES