Overview
A $12 domain, 72 hours of patience, and a perfectly cloned Microsoft 365 login page — that’s all it took for attackers to bypass every email authentication check and land in corporate inboxes. The campaign passed SPF, DKIM, and DMARC flawlessly, proving a critical truth: authentication tells you who sent the email, not where the link goes.
While traditional gateways waved the message through, CyberCheck360 detected the threat at the click, closing the visibility gap that authentication and reputation filters can’t see.

Why Authentication Failed to Stop It
| Protocol | Purpose | Limitation |
|---|---|---|
| SPF | Verifies sending IP authorization via DNS TXT records | Validates infrastructure, not intent |
| DKIM | Confirms message integrity with cryptographic signature | Ensures no tampering, not truthfulness |
| DMARC | Aligns visible From domain with SPF/DKIM domains | Enforces identity, not destination safety |
Attackers simply registered a legitimate domain, configured SPF/DKIM/DMARC correctly, and sent emails from reputable infrastructure. The payload link pointed to a malicious page hosted elsewhere — a blind spot authentication was never built to cover.
The Attack Lifecycle
- Day 1: Domain registered (sharepoint‑invoice‑view[.]com) and TLS certificate issued from a free CA.
- Day 2: Phishing emails sent to finance teams with “View Invoice” links.
- Day 3: Credentials harvested and session tokens exfiltrated in real time.
- Day 4: Domain abandoned before any blocklist update detects it.
| Stage | Gateway Verdict | Reality |
|---|---|---|
| SPF/DKIM/DMARC | ✅ Pass | Sender authenticated |
| URL Reputation | ⚪ Neutral | Domain too new for blocklists |
| Delivery | 📩 Inbox | No policy violation |
| Click | ⚠️ Compromise | Credentials stolen instantly |
This is not a zero‑day exploit — it’s a design gap in email security architecture.
Detection at the Click — CyberCheck360’s Approach
CyberCheck360 detects malicious links at the moment of access, using three independent layers that don’t depend on prior threat reports:
- Real‑Time Reputation Lookup: Aggregates multiple open‑source and commercial feeds to catch known‑bad infrastructure.
- Domain‑Age Interrogation: Queries WHOIS/RDAP and TLS issuance dates at click time. A six‑day‑old domain serving a login form is a high‑signal anomaly — the blind spot no blocklist can see.
- Page‑Content Analysis: Reads the page itself — logos, layout, favicon, DOM structure — and cross‑references branding against the hosting domain. A Microsoft‑branded login served from xz‑cdn‑44871[.]web[.]app is caught instantly.
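The domain-age and brand-versus-host checks described above, sketched as an added example (not CyberCheck360's code). It assumes an RDAP reply in RFC 9083 form and reduces brand detection to a keyword match on page text; the allowlist, the 30-day threshold, the host name used in testing and the sample inputs are all constructed for illustration.

```python
import json
from datetime import datetime, timezone
from html.parser import HTMLParser

# Assumption: brand keyword -> registrable domains that legitimately host its login.
BRAND_HOSTS = {"microsoft": {"microsoft.com", "microsoftonline.com", "live.com", "office.com"}}
MIN_AGE_DAYS = 30  # assumed threshold; tune per environment

class LoginPageScan(HTMLParser):
    """Collects page text and notes whether a password field is present."""
    def __init__(self):
        super().__init__()
        self.has_password = False
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.has_password = True

    def handle_data(self, data):
        self.text.append(data.lower())

def domain_age_days(rdap, now):
    """Age in whole days from the RDAP 'registration' event; None if absent."""
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == "registration":
            ts = datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
            return (now - ts).days
    return None

def assess_click(host, rdap, html, now):
    """Return the signals raised for one clicked URL (empty list = nothing flagged)."""
    scan = LoginPageScan()
    scan.feed(html)
    signals, age = [], domain_age_days(rdap, now)
    # Unknown age is treated like a new domain: the blocklist cannot vouch for it.
    if scan.has_password and (age is None or age < MIN_AGE_DAYS):
        signals.append("new-domain-login-form")
    page = " ".join(scan.text)
    for brand, hosts in BRAND_HOSTS.items():
        on_brand = any(host == h or host.endswith("." + h) for h in hosts)
        if brand in page and scan.has_password and not on_brand:
            signals.append(f"brand-host-mismatch:{brand}")
    return signals

# Constructed sample inputs (not captured data): an RDAP reply and a page body.
NOW = datetime(2024, 5, 7, tzinfo=timezone.utc)
SAMPLE_RDAP = json.loads('{"events": [{"eventAction": "registration", "eventDate": "2024-05-01T09:00:00Z"}]}')
SAMPLE_HTML = '<title>Sign in to your Microsoft account</title><form><input type="password" name="p"></form>'
```

Neither signal depends on a prior threat report, which is why both still fire when the sender passes SPF, DKIM and DMARC.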
How CyberCheck360 Implements It
| Tool | Functionality |
|---|---|
| Browser Extension | Runs all three checks passively at every click — no user prompt required. |
| Outlook Add‑On | Enables pre‑click triage and sandboxed detonation inside cloud containers. |
| Gmail Add‑On | Mirrors the same workflow for Google Workspace users. |
| Manual Link Checker | Zero‑installation verification for one‑off URLs. |
Sandboxed Detonation executes the link in an isolated cloud browser, observing redirect chains and payload behaviour without touching the endpoint.
The AiTM Caveat
Adversary‑in‑the‑Middle (AiTM) frameworks like Evilginx proxy the real login page in real time, so the content the victim sees is authentic. CyberCheck360 still flags these attacks via domain‑age detection and brand‑vs‑host mismatch, catching the proxy infrastructure before session tokens are stolen.
“Everything before the click is a probabilistic filter,” said Vinodh Kumar Balaraman, Founder of CyberCheck360. “We built detection that runs at the deterministic layer — on the actual content being served, at the moment of access.”
Expert in the Cloud Insight
This attack proves that authentication is not security. SPF, DKIM, and DMARC validate identity — not intent. Modern defense requires real‑time content inspection and domain‑age awareness to catch the $12 phishing domain before it harvests credentials.
CyberCheck360 closes the gap your gateway can’t see — detecting at the click, on the content, in real time.