Purpose-Built Look-Alike Sending Domain Passes Full Authentication to Impersonate Training Brand

A targeted brand-impersonation phishing campaign sent authenticated webinar invitations using purpose-built look-alike domains (trainingadvantagesending.com and trainingadvantage-mail.com) that mimicked Aurora Training Advantage and matched a known contact's display name; embedded click-tracking URLs routed to a legitimate Eventbrite page to confirm active mailboxes and collect engagement metadata. The attacker-controlled infrastructure passed SPF/DKIM/DMARC with a Microsoft compauth=100 score and used long-lived domains and proper DNS records to evade legacy gateway checks, while behavioral detection (IRONSCALES) quarantined the messages.