The links looked exactly right. The filenames matched the brand. The authentication passed. The only thing wrong was where the URLs actually went, and that was the one thing recipients had no way to see.
This attack targeted recipients in what appeared to be an existing business thread (subject: "Re: The Nutmeg Spice Company"). The sender displayed as "Landon Barrett" using the address lbjbaseball12[@]yahoo[.]com, an external, free-mail account flagged at high risk in the incident data, with prior mass-mailing signals associated with it. The authentication story was clean: SPF pass, DKIM pass, DMARC pass, compauth pass. The message genuinely originated from Yahoo infrastructure, which means it was not trivially spoofed. Authentication protocols confirmed the Yahoo origin; they said nothing about what the links inside would do.
The PDF-Named Redirector Technique
The body contained six elements built to look like document links from a global flavors and fragrances manufacturer (the recipient's own corporate brand):
- "Agricultural Ingredients - Crop Calendar.pdf"
- "Agricultural Ingredients Product Portfolio.pdf"
- "Agricultural Ingredients California Parsley.pdf"
- "Agricultural Ingredients - Organic Product Offering.pdf"
Each item displayed a plausible business-document filename as link text. The actual destination behind each link was an email-protection redirector URL, and each of those redirectors returned a malicious verdict from automated scanning. None of the malicious links produced a screenshot during analysis, meaning their landing pages were either unreachable to scanner infrastructure or deliberately gated to prevent automated inspection.
This is the core of the technique: URL rewriting and redirector abuse as a scanner-evasion layer. The display text shows a familiar filename. The actual URL passes through a redirector that controls what a scanner sees versus what a human sees. When the landing page responds differently to scanner traffic than to real browser requests (by checking user-agent strings, requiring a prior click to set a cookie, or simply blocking known scanner IP ranges) automated tools record no result and often default to a passing verdict on the redirector URL itself.
The absence of a screenshot is not a neutral finding. It is a signal.
The Legitimacy Layer
Alongside the six malicious redirectors, the message contained two links pointing to real properties of the recipient's own corporate domain. Both were marked clean and produced screenshots. The attacker included these deliberately. A message where some links resolve cleanly to a known brand's real website reads as more legitimate to both recipients and URL-reputation scanners. The legitimate links are not part of the delivery mechanism. They are set dressing.
Social engineering in phishing campaigns relies on making the message feel consistent with a real business relationship. A fabricated thread using the recipient's own brand PDF filenames alongside real links to their corporate domain creates exactly that consistency. The recipient who is familiar with those agricultural products sees filenames that match what those documents would actually be called. The mismatch (between familiar display text and an unfamiliar redirector destination) is only visible if the recipient inspects the raw URL before clicking, which almost no one does.
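The mismatch described in the two sections above (a document-style filename as link text, a redirector as the real destination, and a couple of genuine corporate links mixed in as set dressing) can be checked mechanically at the gateway. The following is an added example, not IRONSCALES code: it parses an HTML body with the standard-library HTML parser, pairs each anchor's visible text with its href, and flags links whose text claims to be a document while the URL goes somewhere that is neither the recipient's domain nor a document. The corporate domain, the sample body and the redirector query tokens are constructed placeholders; only the redirector domain and the filenames come from the write-up.

```python
"""Flag anchors whose visible text looks like a document filename but whose href
leaves the organisation (typically via a redirector). Added example, not
IRONSCALES code; domains and URLs below are constructed placeholders."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the recipient's own domain(s). Placeholder, not the real brand.
CORPORATE_DOMAINS = {"example-flavors.test"}
# Redirector domain from the incident; the ?r= tokens below are constructed.
REDIRECTOR_DOMAINS = {"url.emailprotection.link"}
DOC_NAME = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\s*$", re.IGNORECASE)

# Constructed HTML body modelled on the message: PDF-named link text over
# redirector hrefs, plus two real-looking links to the corporate domain.
SAMPLE_BODY = """
<p>Hi, please see the updated documents below.</p>
<ul>
<li><a href="https://url.emailprotection.link/?r=TOKEN1">Agricultural Ingredients - Crop Calendar.pdf</a></li>
<li><a href="https://url.emailprotection.link/?r=TOKEN2">Agricultural Ingredients Product Portfolio.pdf</a></li>
<li><a href="https://url.emailprotection.link/?r=TOKEN3">Agricultural Ingredients California Parsley.pdf</a></li>
<li><a href="https://url.emailprotection.link/?r=TOKEN4">Agricultural Ingredients - Organic Product Offering.pdf</a></li>
</ul>
<p><a href="https://www.example-flavors.test/">www.example-flavors.test</a> |
<a href="https://www.example-flavors.test/docs/catalog.pdf">Product Catalog.pdf</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a href> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((text, self._href))
            self._href = None


def _in(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_links(html_body, corporate=CORPORATE_DOMAINS, redirectors=REDIRECTOR_DOMAINS):
    """Return one finding per link: where it goes and whether the text misrepresents it."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for text, href in parser.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        named_as_doc = bool(DOC_NAME.search(text))
        path_is_doc = bool(DOC_NAME.search(url.path))
        if _in(host, corporate):
            kind = "corporate"          # legitimacy layer: a real brand property
        elif named_as_doc and (not path_is_doc or _in(host, redirectors)):
            kind = "doc_name_mismatch"  # document name over a non-document URL
        elif _in(host, redirectors):
            kind = "redirector"
        else:
            kind = "external"
        findings.append({"text": text, "host": host, "kind": kind})
    return findings


def summarize(findings):
    """Count findings per kind; the mismatch count is what a gateway rule keys on."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    results = classify_links(SAMPLE_BODY)
    for f in results:
        print(f"{f['kind']:18} {f['host']:28} {f['text']}")
    print(summarize(results))
```

Note that the two corporate links are classified separately rather than discarded: a rule that keys on "any mismatched document-named link" fires regardless of how many clean brand links surround it, which is the point of treating the legitimate links as set dressing rather than as evidence.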
The Mass-Mailing Signal and Why It Matters
The sending account, lbjbaseball12[@]yahoo[.]com, was flagged not just as external and free-mail but as associated with high-risk and mass-mailing patterns. This historical signal carries meaning independent of this specific email. An account with prior mass-mailing activity operating in a corporate context is behaving outside its expected pattern, and that behavioral anomaly predates any analysis of the current message's links.
This is the layer where credential harvesting campaigns try to exploit the gap between authentication signal and behavioral signal. The email passes every authentication check because it genuinely came from Yahoo. It carries a sending history that correlates with mass-mailing threat infrastructure. A gateway that evaluates authentication and link reputation but does not incorporate sender behavioral history would see a passing email. The combination of authenticated origin, mass-mailing history, redirectors with no screenshots, and PDF-named link text is what identifies this as a coordinated phishing attempt rather than a misdirected marketing email.
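The argument in this section is that each signal on its own has an innocent reading and only the combination identifies the message. One way to make that concrete is a scoring model in which no single signal can reach the quarantine threshold and clean-looking elements carry no negative weight. The block below is an added example, not IRONSCALES code: the weights, thresholds and the three message profiles are assumptions, with the incident profile mirroring the signals described above (the four enumerated PDF-named links are used as the link count).

```python
"""Combine per-message signals into one risk verdict so that a clean
authentication result cannot outvote behavioural and link evidence.
Added example, not IRONSCALES code; weights and thresholds are assumptions."""
from dataclasses import dataclass


@dataclass
class MessageSignals:
    spf_dkim_dmarc_pass: bool                 # confirms origin only; never lowers risk
    sender_freemail: bool
    sender_mass_mailing_history: bool
    reply_pretext_without_prior_thread: bool  # "Re:" subject with no matching thread
    doc_named_links_via_redirector: int       # PDF-named text over redirector hrefs
    redirector_links_without_screenshot: int  # scanner got no landing page
    clean_corporate_links: int                # legitimacy layer, weight 0
    clean_image_attachments: int              # visual bulk, weight 0


QUARANTINE = 6  # assumed thresholds
REVIEW = 4


def score_message(s):
    """Return (total, [(reason, weight), ...]). No single reason reaches QUARANTINE."""
    reasons = []
    if s.sender_freemail:
        reasons.append(("external free-mail sender", 1))
    if s.sender_mass_mailing_history:
        reasons.append(("sender has mass-mailing history", 2))
    if s.reply_pretext_without_prior_thread:
        reasons.append(("'Re:' pretext with no prior thread", 1))
    if s.doc_named_links_via_redirector:
        n = s.doc_named_links_via_redirector
        reasons.append((f"{n} document-named link(s) routed via redirector", 3))
    if s.redirector_links_without_screenshot:
        n = s.redirector_links_without_screenshot
        reasons.append((f"{n} redirector(s) returned no screenshot", 2))
    # Deliberately no negative weights: clean corporate links, clean images and
    # passing authentication are consistent with both a real mail and this lure.
    return sum(w for _, w in reasons), reasons


def verdict(total):
    if total >= QUARANTINE:
        return "quarantine"
    if total >= REVIEW:
        return "review"
    return "deliver"


def assess(s):
    total, reasons = score_message(s)
    return verdict(total), total, reasons


# Constructed profiles. INCIDENT mirrors the message described in the write-up.
INCIDENT = MessageSignals(True, True, True, True, 4, 4, 2, 4)
# A free-mail newsletter sender with mass-mailing history but honest links.
NEWSLETTER = MessageSignals(True, True, True, False, 0, 0, 2, 4)
# A colleague sharing real PDFs hosted on the corporate domain.
COLLEAGUE = MessageSignals(True, False, False, False, 0, 0, 2, 0)


if __name__ == "__main__":
    for name, s in (("incident", INCIDENT), ("newsletter", NEWSLETTER), ("colleague", COLLEAGUE)):
        v, total, reasons = assess(s)
        print(f"{name:10} -> {v} (score {total})")
        for reason, w in reasons:
            print(f"    +{w} {reason}")
```

The newsletter profile shows why sender history alone is not enough to block: it scores below the review threshold. The incident profile crosses the quarantine threshold only because the behavioural history, the redirector-without-screenshot finding and the filename mismatch are summed, and adding more clean brand links or clean images to it changes nothing.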
Four Clean Images, Zero Payload
The message included four attached images: image001.png through image005.png (with image004 absent from the incident record). All carried clean verdicts. None contained embedded links, dangerous metadata, or executable content. Their function was to generate clean-attachment verdicts, to add visual bulk consistent with a corporate email with branded images, and to direct analytical attention toward the "clean attachments" finding rather than toward the malicious link elements buried in the body.
IRONSCALES Themis detected the full combination: external free-mail sender with mass-mailing history, PDF-named links routing through malicious redirectors, redirectors with no screenshot evidence, and clean-verdict image attachments alongside the malicious link elements. For teams evaluating their detection coverage, MITRE ATT&CK T1566.001 covers this spearphishing-via-link pattern, T1204.001 covers the user-click execution step, and T1036 covers the masquerading technique at work in the filename-to-redirector mismatch.
Adaptive AI from IRONSCALES evaluates this class of attack across the full behavioral surface (sender reputation, link destination analysis, screenshot availability, attachment context, and sending history) not as independent signals but as a combined risk assessment. That cross-signal view is what surfaces attacks where every individual component has a plausible innocent explanation and only the combination reveals the pattern. More at ironscales.com/platform.
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Sender address | lbjbaseball12[@]yahoo[.]com | External free-mail account; high-risk flag; mass-mailing signals |
| Redirector domain | url[.]emailprotection[.]link | Email-protection redirector domain; multiple elements flagged malicious |
| Malicious link (display) | "Agricultural Ingredients - Crop Calendar.pdf" | Displayed as PDF filename using recipient's own corporate brand; actual URL: malicious redirector |
| Malicious link (display) | "Agricultural Ingredients Product Portfolio.pdf" | Displayed as PDF filename using recipient's own corporate brand; actual URL: malicious redirector |
| Malicious link (display) | "Agricultural Ingredients California Parsley.pdf" | Displayed as PDF filename using recipient's own corporate brand; actual URL: malicious redirector |
| Malicious link (display) | "Agricultural Ingredients - Organic Product Offering.pdf" | Displayed as PDF filename using recipient's own corporate brand; actual URL: malicious redirector |
| Attachment (benign) | image001.png, image002.png, image003.png, image005.png | Clean verdict; no payload; visual noise |
| Authentication | SPF pass, DKIM pass, DMARC pass, compauth pass | Confirms Yahoo origin; does not validate intent |