The Funding Approval That Passed Every Authentication Check
ID: 18354983-7e2b-5bdc-8589-91a8a1e7ff44
STIX ID: report--18354983-7e2b-5bdc-8589-91a8a1e7ff44
Feed Name: IRONSCALES
**Phishing via Authenticated Typosquat Domain:** An attacker registered a typosquat domain (northsshorescapitals.com) and provisioned it in Salesforce Marketing Cloud to send a personalized line-of-credit approval email that passed SPF/DKIM/DMARC. Pardot tracking links redirected recipients to the legitimate lender site to build credibility while replies and tracking were tied to the typosquat domain for credential harvesting; behavioral detection quarantined several mailboxes despite full authentication. IoCs (typosquat and legitimate domains, sender/reply-to, ESP MTA, sending IP, Pardot tracking and redirect target) and MITRE mappings are provided, and the report recommends close inspection of sending domains and reply-to addresses even when authentication passes.
