An Employment Verification Request That Passed DMARC REJECT, Then Sent Replies to Someone Else
ID: f54dc444-5548-5753-81c4-91cc2d016ebf
STIX ID: report--f54dc444-5548-5753-81c4-91cc2d016ebf
Feed Name: IRONSCALES
Attackers sent a spear-phishing employment verification email impersonating InformData using SendGrid infrastructure that passed SPF/DKIM/DMARC but linked to attacker-controlled domains (verify.zippedscript.com, verifying.you) to harvest credentials; IRONSCALES flagged the message, a recipient was identified as a VIP, and one mailbox was quarantined. The report includes IoCs (sender, reply-to, URLs, sending IP/hostname, DKIM selector, return-path), explains why DMARC enforcement did not prevent the attack (authorized sending infrastructure likely compromised or misconfigured), and maps the activity to relevant MITRE ATT&CK techniques.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
