
The Zoho Invoice That Was Four Months Late (And Kept Its Receipts on Google Drive)

Written by Audian Paxson | Apr 20, 2026 11:00:00 AM
TL;DR: A phishing email impersonating a drone services vendor used Zoho Books transactional infrastructure to deliver a past-due invoice four months after its stated due date. The email passed SPF and DKIM at the originating hop but failed both at the recipient environment after traversing a Barracuda gateway. The real payload was not the PAY NOW button (which pointed to a legitimate Zoho payment domain) but a Google Drive folder link embedded below the invoice, an atypical addition to standard Zoho invoice flows. Themis flagged the message based on behavioral anomalies, authentication degradation, and the unusual external link pattern.
Severity: High | Tags: BEC, Credential Harvesting | MITRE: T1566.001, T1566.002

The invoice looked routine. An $802.50 bill from a drone inspection vendor, delivered through Zoho Books, complete with a PDF attachment and a green PAY NOW button. The kind of thing an accounts payable team processes dozens of times a week without a second thought.

Except this one was four months late. The invoice date read November 22, 2025. The due date was December 22, 2025. The email didn't arrive until late March 2026. And tucked below the payment button, almost as an afterthought, sat a Google Drive folder link labeled as "invoice materials."

That link was the real payload.

The Invoice That Aged Like Milk

The email targeted a forensic engineering firm, landing in the mailbox of an employee whose role involved processing vendor payments. The subject line followed Zoho Books conventions exactly: "Invoice - ART-INV-251691 for MAT-188157-D6X3 from Air Reel Technologies LLC." Nothing about it screamed phishing.

The sender address, message-service@sender[.]zohobooks[.]com, is the legitimate transactional domain Zoho uses for invoice delivery. The From header showed "Brian." The Reply-To pointed to brian@airreeltech[.]com, a real domain belonging to a legitimate drone services company in the Atlanta area. The PDF attachment matched the email content: line items for "Basic Travel" and "Drone Roof Inspection," an EIN, a phone number, a company address.

Every detail checked out, which is exactly why the four-month delay and the Drive link were so easy to overlook.

According to the FBI IC3 Internet Crime Report, business email compromise accounted for over $2.9 billion in reported losses in 2024 alone. Attacks like this one succeed precisely because they weaponize legitimate infrastructure. The attacker didn't need to spoof a domain or craft a convincing lookalike. They used the real thing.

When Authentication Tells Two Different Stories

The email's journey through the relay chain tells the real story. At the first hop (Zoho's own infrastructure), everything checked out. SPF passed. DKIM passed. DMARC showed no policy to enforce (dmarc=none). The Authenticated Received Chain (ARC) sealed cleanly.

Then the message hit a Barracuda Email Security Gateway (outbound-ip76b[.]ess[.]barracuda[.]com, IP 209[.]222[.]82[.]242). Barracuda is a legitimate email security provider, and a scanning gateway sitting in the relay path between the sender's infrastructure and the mailbox provider is a normal part of many organizations' mail flow. But the gateway re-delivered the message from its own IP address and changed the message body along the way (the downstream DKIM body-hash failure is the evidence), which is enough to break both SPF and DKIM alignment at the next hop.

By the time the email reached the recipient's Microsoft 365 environment, the picture had changed completely:

  • SPF: Softfail (the Barracuda IP isn't in sender[.]zohobooks[.]com's SPF record)
  • DKIM: Fail (body hash did not verify, meaning the message body was modified in transit)
  • DMARC: Fail (both SPF and DKIM alignment broken)
  • ARC: Fail at the Microsoft seal (cv=fail)

This is a pattern security teams should recognize. According to the Microsoft Digital Defense Report 2024, legitimate email gateways in the relay path are one of the most common causes of authentication result degradation. The challenge is distinguishing between "authentication failed because a gateway modified the message" and "authentication failed because the message was forged." ARC exists for exactly this situation: when an intermediary seals the message and the final receiver trusts that intermediary, the receiver can fall back on the upstream results instead of its own failed checks. Here the chain validated as cv=fail, so that fallback was unavailable, and the recipient's mail system couldn't tell the difference.

The recipient's email client displayed two warnings: an external email banner and an "Unusual sender" flag for message-service@sender[.]zohobooks[.]com. Both are correct signals. Neither is specific enough to tell a busy AP clerk that this particular invoice is dangerous.

The Google Drive Folder Nobody Expected

The PAY NOW button linked to zohosecurepay[.]com, Zoho's legitimate payment processing domain. That link scanned clean because it is clean. If the only payload were the payment button, this would likely be a legitimate invoice.

But below the invoice block sat a plaintext Google Drive URL: hxxps://drive[.]google[.]com/drive/folders/1_2IAvK-LskteX6qDIB8JipJOoLTf9jkj. No anchor text, no explanation, just a raw link to a shared folder presented as supplementary materials for the invoice.

Standard Zoho Books invoice emails do not include Google Drive links. Zoho hosts invoice PDFs on its own platform. The presence of an external file-sharing link in an otherwise standard invoice flow is a significant anomaly, the kind that URL reputation scanners often miss because drive.google.com is universally trusted. According to the Verizon 2024 DBIR, abuse of legitimate cloud services for payload hosting has become one of the most effective evasion techniques precisely because domain reputation checks give these links a pass.

That Drive folder is where the real risk lives. Whether it contained credential harvesting documents, malware, or fraudulent wire instructions, its mere presence in a transactional invoice email is a red flag that most static filters cannot evaluate.


Stale Urgency Is Urgency That Works Harder

The four-month gap between the invoice date and the delivery date is not a bug. It is a feature of the social engineering. A fresh invoice gives the recipient time. A past-due invoice creates pressure.

An AP clerk who sees an $802.50 invoice that was due four months ago has two immediate reactions: (1) this vendor has been waiting, and (2) someone dropped the ball. Both reactions push toward fast payment and away from careful verification. The CISA phishing guidance specifically warns about urgency manipulation as a core social engineering lever, but most training scenarios focus on "act now" language. Stale urgency is subtler. It manufactures guilt instead of panic.

Across the IRONSCALES global deployment, Themis flagged this message within seconds of delivery. The Adaptive AI engine correlated three signals that individually might have passed muster: the authentication degradation across the relay chain, the behavioral anomaly of a first-time sender on a transactional Zoho address, and the atypical external link in an otherwise standard invoice template. No single signal was decisive. Together, they painted a clear picture.
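As an added example that is not part of the original post and not IRONSCALES code, the Python script below correlates the signals this write-up describes: authentication results that get worse between the first (ARC-Authentication-Results) hop and the final Authentication-Results hop, a file-sharing link in a message whose only expected links are Zoho domains, a due date months before delivery, and a sender address not seen before. It runs over a constructed message modelled on this one; the header layout, the hostname mail.recipient.example, the timestamps, the ARC instance numbers, the payment URL path, the ordering of authentication results from best to worst, the lists of expected and file-sharing domains, the 60-day staleness threshold and the two-signal flagging rule are all assumptions made for the example.

```python
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlparse

# Constructed sample modelled on the relay chain in the write-up. Hostnames such as
# mail.recipient.example, timestamps, ARC instance numbers and the payment URL path are
# placeholders chosen for this example; the domains are the ones the post names.
SAMPLE_RAW = """\
Authentication-Results: protection.outlook.com; spf=softfail (sender IP is 209.222.82.242)
 smtp.mailfrom=sender.zohobooks.com; dkim=fail (body hash did not verify)
 header.d=sender.zohobooks.com; dmarc=fail action=none
 header.from=sender.zohobooks.com; arc=fail (cv=fail)
Received: from outbound-ip76b.ess.barracuda.com (209.222.82.242)
 by mail.recipient.example; Tue, 24 Mar 2026 09:12:05 +0000
ARC-Authentication-Results: i=1; mx.zoho.com; spf=pass
 smtp.mailfrom=sender.zohobooks.com; dkim=pass header.d=sender.zohobooks.com;
 dmarc=none header.from=sender.zohobooks.com
Received: from sender.zohobooks.com by mx.zoho.com; Tue, 24 Mar 2026 09:11:58 +0000
From: Brian <message-service@sender.zohobooks.com>
Reply-To: brian@airreeltech.com
Subject: Invoice - ART-INV-251691 for MAT-188157-D6X3 from Air Reel Technologies LLC
Date: Tue, 24 Mar 2026 09:11:57 +0000
Content-Type: text/plain

Invoice Date: 22 Nov 2025
Due Date: 22 Dec 2025
Amount Due: $802.50
PAY NOW: https://zohosecurepay.com/pay/placeholder
https://drive.google.com/drive/folders/1_2IAvK-LskteX6qDIB8JipJOoLTf9jkj
"""

_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc|arc)=([a-z]+)")
_URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Worse outcomes rank higher; a rise between first and last hop is a degradation (assumed ordering).
_RANK = {"pass": 0, "none": 1, "neutral": 2, "softfail": 3, "fail": 4, "temperror": 4, "permerror": 4}
# Domains a genuine Zoho Books invoice is expected to link to (assumption for this example).
EXPECTED_LINK_DOMAINS = ("zohosecurepay.com", "zohobooks.com", "zoho.com")
# Consumer file-sharing hosts that have no place in a transactional invoice (assumed list).
FILE_SHARE_DOMAINS = ("drive.google.com", "docs.google.com", "dropbox.com",
                      "1drv.ms", "onedrive.live.com", "wetransfer.com")


def parse_auth_results(value):
    """Map method -> result from one (ARC-)Authentication-Results header value."""
    return dict(_RESULT_RE.findall(value))


def auth_chain(msg):
    """Per-hop results, oldest first: ARC-Authentication-Results by instance, then the final receiver."""
    hops = []
    for value in msg.get_all("ARC-Authentication-Results", []):
        m = re.match(r"\s*i=(\d+);\s*([^;]+);", value)
        hops.append((int(m.group(1)), m.group(2).strip(), parse_auth_results(value)))
    hops.sort(key=lambda h: h[0])
    for value in msg.get_all("Authentication-Results", []):
        hops.append((len(hops) + 1, value.split(";", 1)[0].strip(), parse_auth_results(value)))
    return hops


def degraded_methods(hops):
    """Methods whose result got worse between the first and the last hop."""
    first, last = hops[0][2], hops[-1][2]
    return [m for m in ("spf", "dkim", "dmarc")
            if _RANK.get(last.get(m, "none"), 4) > _RANK.get(first.get(m, "none"), 4)]


def _in_domains(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def unexpected_links(body):
    """URLs outside the invoicing platform, tagged 'file-share' or 'external'."""
    found = []
    for url in _URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if _in_domains(host, EXPECTED_LINK_DOMAINS):
            continue
        found.append((url, "file-share" if _in_domains(host, FILE_SHARE_DOMAINS) else "external"))
    return found


def days_past_due(body, received):
    """Days between the stated due date and delivery, or None if the body has no due date."""
    m = re.search(r"Due Date:\s*(\d{1,2} \w{3} \d{4})", body)
    if not m:
        return None
    due = datetime.strptime(m.group(1), "%d %b %Y").replace(tzinfo=timezone.utc)
    return (received - due).days


def assess(raw, known_senders=frozenset(), stale_after_days=60):
    """Correlate the signals and flag the message when two or more of them line up."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    received = parsedate_to_datetime(msg["Date"])
    signals = []
    degraded = degraded_methods(auth_chain(msg))
    if degraded:
        signals.append("authentication degraded across relay chain: " + ", ".join(degraded))
    links = unexpected_links(body)
    for url, kind in links:
        signals.append(f"{kind} link outside the invoicing platform: {url}")
    stale = days_past_due(body, received)
    if stale is not None and stale > stale_after_days:
        signals.append(f"invoice delivered {stale} days past its due date")
    sender = parseaddr(msg["From"])[1].lower()
    if sender not in known_senders:
        signals.append(f"first-time sender on transactional address: {sender}")
    return {"degraded": degraded, "links": links, "days_past_due": stale,
            "signals": signals, "flagged": len(signals) >= 2}
```

Calling assess(SAMPLE_RAW) on the constructed message returns four signals and flagged=True; passing the Zoho transactional address in known_senders drops the first-time-sender signal and the verdict still stands on the remaining three, which is the point of the post: each signal alone is explainable, the combination is not. The per-hop comparison is the part worth keeping even if the other checks change: ranking results from pass to fail and comparing the earliest sealed hop against the receiver's own result separates "a gateway broke alignment" from "it never passed anywhere".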

What the Invoice Got Right (and What Gave It Away)

Type          | Indicator                                                                        | Context
Sender Domain | sender[.]zohobooks[.]com                                                         | Legitimate Zoho transactional domain
Reply-To      | brian@airreeltech[.]com                                                          | Real vendor domain
Relay IP      | 209[.]222[.]82[.]242                                                             | Barracuda ESG outbound relay
Payment URL   | zohosecurepay[.]com                                                              | Legitimate Zoho payment domain
Payload URL   | hxxps://drive[.]google[.]com/drive/folders/1_2IAvK-LskteX6qDIB8JipJOoLTf9jkj     | Atypical Google Drive folder link
Attachment    | ART-INV-251691.pdf (MD5: 9d1d474ce826fc1e59fec0630619fa38)                      | Invoice PDF, static scan clean

MITRE ATT&CK mapping:
  • T1566.001: Phishing, Spearphishing Attachment (invoice PDF)
  • T1566.002: Phishing, Spearphishing Link (Google Drive folder link)

The lesson here is not that Zoho Books invoices are inherently suspicious. It is that attackers are increasingly building their lures on legitimate platforms, using real vendor identities, real payment infrastructure, and real transactional mail systems. The differentiator is not the platform. It is the pattern: a stale invoice nobody requested, authentication that degraded across the relay chain, and a Google Drive link that has no business being in a Zoho invoice.

If your email security stack evaluates these signals independently, each one looks explainable. If your stack correlates them, the picture changes fast.

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 30,000+ security professionals. Each post breaks down one attack — what it looked like, why it worked, and what you can do about it.