logo

An Employment Verification Request That Passed DMARC REJECT, Then Sent Replies to Someone Else

ID: f54dc444-5548-5753-81c4-91cc2d016ebf

STIX ID: report--f54dc444-5548-5753-81c4-91cc2d016ebf

Feed Name: IRONSCALES

Threat Score
70/100

Date Published: 2026-06-14

Date Updated: 2026-06-14

Author: [email protected] (Audian Paxson)

...
...

Attackers sent a spear-phishing employment verification email impersonating InformData using SendGrid infrastructure that passed SPF/DKIM/DMARC but linked to attacker-controlled domains (verify.zippedscript.com, verifying.you) to harvest credentials; IRONSCALES flagged the message, a recipient was identified as a VIP, and one mailbox was quarantined. The report includes IoCs (sender, reply-to, URLs, sending IP/hostname, DKIM selector, return-path), explains why DMARC enforcement did not prevent the attack (authorized sending infrastructure likely compromised or misconfigured), and maps the activity to relevant MITRE ATT&CK techniques.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.