Three Domains, One CEO: How a Payroll Group BEC Used Mailjet to Bypass Every Filter

ID: b38b0926-2280-5a3e-85b0-1b2036ce1b25

STIX ID: report--b38b0926-2280-5a3e-85b0-1b2036ce1b25

Feed Name: IRONSCALES

Threat Score: 72/100

Date Published: 2026-04-28

Date Updated: 2026-04-28

Author: Audian Paxson

A targeted Business Email Compromise (BEC) attack impersonated the organization’s CEO to request fraudulent payroll bank changes. The attacker used three separate domains (sending via mycomparateur.fr authenticated through Mailjet, a reply-capture domain exceeo.com, and the CEO’s name in the display field) and enabled Mailjet tracking. Although SPF and DKIM validated the sending domain, behavioral detection flagged the mismatch between the display name and the actual sending infrastructure and quarantined the message before payroll could act.
