The Zoho Invoice That Was Four Months Late (And Kept Its Receipts on Google Drive)

ID: a229db59-fe05-5a58-b1d6-949a746191ac

STIX ID: report--a229db59-fe05-5a58-b1d6-949a746191ac

Feed Name: IRONSCALES

Threat Score: 70/100

Date Published: 2026-04-19

Date Updated: 2026-04-28

Author: [email protected] (Audian Paxson)

A targeted phishing email impersonating a Zoho Books invoice for a drone services vendor arrived months after its invoice date; while the payment button pointed to legitimate Zoho payment infrastructure, an anomalous Google Drive folder link included below the invoice is identified as the likely credential-harvesting payload. The message showed authentication degradation after transiting a Barracuda gateway (SPF softfail, DKIM fail, DMARC fail) and was flagged by Themis/IRONSCALES based on correlated behavioral and authentication anomalies.
