Forged Healthcare Sender, Two-Hop SaaS Redirect: How a Fake Invoice Opens a Phishing Chain
ID: 18ab22a9-61fa-5f03-b9a0-897fb871ef7c
STIX ID: report--18ab22a9-61fa-5f03-b9a0-897fb871ef7c
Feed Name: IRONSCALES
An email impersonating a decades-old healthcare provider contained an "Open document" CTA that routed through legitimate SaaS open-redirects (holabrief.com with a saferedirect to loopedin.io) to a credential-harvesting destination; DKIM failed and DMARC applied quarantine but gateway allow-lists and SPF softfails allowed delivery to recipients. Behavioral AI flagged the message at 82% confidence based on first-contact sender history, broken authentication, and an inconsistent redirect chain; indicators provided include the CTA URL, domains, originating IP 139.138.34.191, and auth result (dkim=fail; dmarc=fail action=quarantine).
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
