The Teams Invite That Came From the Wrong Domain: Display-Name Impersonation With All-Legitimate Links
ID: 6bb9f68a-12a2-5c7e-979d-e56b3e6b7dfc
STIX ID: report--6bb9f68a-12a2-5c7e-979d-e56b3e6b7dfc
Feed Name: IRONSCALES
A regional bank received a Microsoft Teams-style notification whose display name exactly matched an internal employee; the message contained legitimate Microsoft links and passed SPF/DKIM at the original M365 tenant (usafederal.onmicrosoft.com) before a Votiro CDR relay altered the body and broke downstream SPF/DKIM alignment. No credential forms, malicious URLs, or attachments were present — the attack leverages display-name impersonation and trusted notification formatting as reconnaissance to enable future social engineering, and traditional authentication/content controls can miss it. Indicators include the external sending domain usafederal.us, the sending tenant usafederal.onmicrosoft.com, the Votiro relay votiro-relay2.prod.votiro.com (44.206.222.91), and non-Microsoft branding assets on wixstatic.com.
