logo

Forged Healthcare Sender, Two-Hop SaaS Redirect: How a Fake Invoice Opens a Phishing Chain

ID: 18ab22a9-61fa-5f03-b9a0-897fb871ef7c

STIX ID: report--18ab22a9-61fa-5f03-b9a0-897fb871ef7c

Feed Name: IRONSCALES

Threat Score
70/100

Date Published: 2026-06-27

Date Updated: 2026-06-27

Author: [email protected] (Audian Paxson)

...
...

An email impersonating a decades-old healthcare provider contained an "Open document" CTA that routed through legitimate SaaS open-redirects (holabrief.com with a saferedirect to loopedin.io) to a credential-harvesting destination; DKIM failed and DMARC applied quarantine but gateway allow-lists and SPF softfails allowed delivery to recipients. Behavioral AI flagged the message at 82% confidence based on first-contact sender history, broken authentication, and an inconsistent redirect chain; indicators provided include the CTA URL, domains, originating IP 139.138.34.191, and auth result (dkim=fail; dmarc=fail action=quarantine).

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.