A Fully Authenticated Bank Alert Hides Its Payload in a Phone Number
ID: c84a9c3e-293f-5704-b667-a72dbb92479b
STIX ID: report--c84a9c3e-293f-5704-b667-a72dbb92479b
Feed Name: IRONSCALES
A high-severity phishing campaign impersonated a major U.S. bank's password-change notification. It bypassed SPF/DKIM/DMARC checks and Microsoft composite authentication (compauth=100) by using a callback phone number as the sole malicious vector. IRONSCALES detected it through behavioral signals (first-time sender, cross-mailbox hits, urgency/action mismatch). The report includes IoCs (sender address [email protected], phone (866) 475-0729, sending IP 205.220.177.171, X-Mailer 'Fifth Third Notification System'), maps the attack to MITRE techniques (vishing and phishing for information), and recommends treating callback numbers as untrusted, flagging first-time automated senders, correlating across mailboxes, training users on vishing, and deploying behavioral detection.
