The Contract Email That Wasn't Spelled the Way You Think: Unicode Homoglyphs, a QR Code, and a Marketing Gateway
ID: 1dde2759-a0b9-5a09-892f-2ad5cbee3d71
STIX ID: report--1dde2759-a0b9-5a09-892f-2ad5cbee3d71
Feed Name: IRONSCALES
**Executive Summary:** A high-severity phishing campaign used Unicode homoglyphs and zero-width joiners in the sender local-part to impersonate '[email protected]'. The message passed SPF/DKIM/DMARC via Brevo's marketing relay. It contained no inline links, using a QR code instead to conceal the phishing destination, and included a 1x1 tracking pixel to confirm active mailboxes. Behavioral signals (first-time sender, subject/body mismatch, QR-only CTA) led Themis to quarantine the message.
