The .com That Wasn't the .org: TLD Confusion in a Payroll Email With an Empty Body

ID: b98ebb30-0d86-5d2b-aed3-18ab2ce435b6

STIX ID: report--b98ebb30-0d86-5d2b-aed3-18ab2ce435b6

Feed Name: IRONSCALES

Threat Score: 45/100

Date Published: 2026-05-14

Date Updated: 2026-05-14

Author: [email protected] (Audian Paxson)

A phishing campaign impersonated Grid Alternatives by sending an email with an empty body and the subject 'Annual Salary wages and Employer Provided Benefits' from the lookalike domain gridalternatives.com (registered 2006). The message carried a clean 9 KB ODT attachment (generated by Pandoc) with no macros or links. The DKIM signature, from a provisioned M365 tenant, passed; SPF for the .com domain returned NONE; ARC passed at a Google hop; and the relay IP was 192.3.7.3 (ColoCrossing). The report concludes that the attack relied on TLD confusion and a benign-looking attachment as a reconnaissance or trust-building step rather than an immediate technical exploit.