The .pro Domain That Built a Perfect M365 Tenant Just to Send One Google Docs Link
ID: 9218f8a5-2f1b-5032-a07d-f288926a3f34
STIX ID: report--9218f8a5-2f1b-5032-a07d-f288926a3f34
Feed Name: IRONSCALES
A phishing campaign used a purpose-built Microsoft 365 tenant on the domain nordicaigrowth.pro that passed SPF, DKIM and DMARC, so the message appeared legitimate. It delivered a single Google Docs link, likely for credential harvesting. The campaign employed social engineering (a fabricated In-Reply-To header) and showed a geographic routing mismatch between the client proxy and the mailbox region. Behavioral detection (Themis) flagged the message at 84% confidence and quarantined three mailboxes. Indicators provided include the sending domain, sender address, DKIM selector, mailbox server, client proxy, and payload URL.
