The Datadog Alert That Came From the Wrong Domain: Authenticated Brand Impersonation With All Links Pointing to Real Infrastructure

ID: eeed2608-5663-5fcc-8aa0-c66991fb3bb7

STIX ID: report--eeed2608-5663-5fcc-8aa0-c66991fb3bb7

Feed Name: IRONSCALES

Threat Score: 45/100

Date Published: 2026-05-23

Date Updated: 2026-05-23

Author: [email protected] (Audian Paxson)


**Executive Summary:** A spear-phishing email impersonated Datadog using the lookalike domain dtdg.co, which passed SPF/DKIM/DMARC, and was sent via SendGrid. All action links resolved to the legitimate app.datadoghq.com, the message contained an open-tracking pixel, and WHOIS records for the domain showed no public registrant. The report provides IOCs (sending domain, sender address, sending IP, SPF/DKIM selector, SendGrid subdomain), maps the attack to MITRE techniques (domain acquisition, spearphishing link, masquerading), and assesses the tactic as medium risk: although the message lacks immediate credential harvesting or malware, it builds trust for likely future malicious follow-ups.
