Four Domains, One Email: The DocuSign Homoglyph That Rode a CDR Allow-List
ID: a0ba007b-4b05-5592-8e7a-2a4792d45ad5
STIX ID: report--a0ba007b-4b05-5592-8e7a-2a4792d45ad5
Feed Name: IRONSCALES
A targeted phishing campaign impersonating a bank used a homoglyph display name ('Vantage via D0cuSign'), four unrelated domains (From, Return-Path, Reply-To, X-Relaying-Domain), a Mailchimp redirect CTA, a MIME-mismatched image attachment, and a small ICS calendar invite to deliver a credential-harvesting link. Although SPF/DKIM/DMARC failed, the message was delivered because it transited a Votiro CDR relay (44.206.213.130) that was allow-listed, which converted the authentication failure into unconditional delivery. The report highlights IOCs, behavioral detection findings, and mitigation advice.
