One Missing Letter, One Stolen Payment: A Reply-To Typosquat That Beat the Spam Score

An April 2026 invoice payment diversion (BEC) attempt used a one-letter typosquat Reply-To domain (leadsavingsofmissuori[.]com vs. leadsavingsofmissouri[.]com) plus an embedded malicious "Contact Us" link to redirect payment correspondence to attacker-controlled infrastructure; Microsoft assigned SCL=8 yet the message delivered until IRONSCALES' behavioral AI (Themis) detected the Reply-To mismatch and quarantined the email, illustrating how reputation-based filters and tenant allowlists can enable high-impact financial fraud despite high spam scores.