NetSuite Sent the Invoice. Oracle Signed It. The Payment Token Was the Weapon.
ID: b45c5555-8abc-5fcb-a924-4543b0c58378
STIX ID: report--b45c5555-8abc-5fcb-a924-4543b0c58378
Feed Name: IRONSCALES
An invoice-phishing campaign abused Oracle NetSuite/Oracle Email Delivery to send fully authenticated invoice emails that linked to a legitimate QIMA payment portal pre-filled with a payment token. SPF, DKIM and DMARC all passed, so it was behavioral analysis (Themis/IRONSCALES) that flagged and quarantined the emails in four mailboxes. It remains open whether the NetSuite account was compromised or the invoice was fabricated within the platform.
