The Password Expiry Email That Hid Its Destination in a Base64 Fragment
ID: 1ad48870-13f8-53a1-bbe8-ca855f04cffe
STIX ID: report--1ad48870-13f8-53a1-bbe8-ca855f04cffe
Feed Name: IRONSCALES
A targeted phishing campaign impersonated a Microsoft 365 password-expiry notice. It combined three elements: a message sent through Amazon SES from a law-firm domain; a shortener redirect carrying a Base64-encoded fragment that pointed to a Shopify-hosted credential-harvesting kit, with the recipient's email embedded in the path; and zero-width Unicode in the call-to-action (CTA) to evade filters. IRONSCALES' Adaptive AI behavioral correlation flagged and quarantined the message. The report enumerates IOCs, explains why fragment-based redirects bypass many scanners, and recommends browser-executing URL scanning and DMARC enforcement.
