Containing a Lookalike-Domain Email Impersonation Attempt Targeting a Hong Kong-Based Precision Manufacturing Firm in June to July 2025
CHALLENGE
A “reply email” that wasn’t a reply — it was a set-up
The incident was reported when a customer of the firm received a suspicious email from a lookalike domain resembling the firm's legitimate domain. The core concern was urgent and binary: was this an internal email compromise, or an external impersonation designed to steal funds?
A modern fraud pattern: pass authentication, still malicious
Email authentication checks (SPF/DKIM/DMARC) answer a narrower question than recipients tend to assume: they verify that the message was sent by a party authorised for the domain it claims, not that the domain is the one the recipient expects. If the attacker registers a lookalike domain and publishes an SPF record and DKIM keys for it, all three checks show "pass" for that lookalike, even though it exists solely for fraud. That is what makes this pattern dangerous: the message can look legitimate to recipients and to mail gateways that treat a DMARC pass as a sign of trust. The check that actually matters is whether the authenticated domain is the expected one.
SOLUTION
1) Source validation through email header analysis
Blackpanda compared the headers of the malicious message against known legitimate email headers from the firm. The malicious message carried indicators consistent with Zoho Mail as the sending platform, whereas the firm's genuine mail flow reflected Microsoft infrastructure, supporting the conclusion that the message did not originate from the firm's email tenant.
2) Lookalike-domain intelligence and timing analysis
Blackpanda reviewed the registration (WHOIS) record for the lookalike domain and found it had been registered on the same day the malicious email was sent, strong evidence that the domain was created specifically for this campaign. Registrant details are often redacted, but the creation date is usually still visible in WHOIS and RDAP output, and it is the field that matters for this check.
3) Fraud attachment artefact review
Blackpanda analysed the attachment metadata and found indicators that the PDFs were generated with Apple's Quartz PDFContext on an iOS device, with creation timestamps falling inside the campaign timeline, consistent with an attacker rapidly forging supporting documents to pressure a payment action. PDF metadata is trivially editable, so such indicators corroborate a timeline rather than prove it; their value here was that they agreed with the domain registration date and the send time.
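The attachment review above reads the PDF Info dictionary: the /Producer string names the engine that wrote the file (Quartz PDFContext is Apple's), and /CreationDate and /ModDate carry timestamps in PDF's own D:YYYYMMDDHHmmSS format. The following is an added example of that extraction written for this page; it is not Blackpanda's tooling. SAMPLE_PDF, its producer string, and the campaign window are constructed for illustration. It handles uncompressed Info dictionaries with literal or hex strings; real files with compressed object streams need a PDF library such as pypdf.

```python
"""Extract producer and timestamp metadata from a PDF attachment's Info dictionary.

Added example, not Blackpanda's tooling. SAMPLE_PDF (including its producer
string) and the campaign window are constructed. Handles uncompressed Info
dictionaries with literal or hex strings only.
"""
import re
from datetime import datetime, timedelta, timezone

SAMPLE_PDF = b"""%PDF-1.3
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
3 0 obj
<< /Producer (iOS Version 18.5 (Build 22F76) Quartz PDFContext)
   /Creator (Pages)
   /Subject <FEFF0049006E0076006F006900630065>
   /CreationDate (D:20250623091201Z00'00')
   /ModDate (D:20250623091340Z00'00') >>
endobj
trailer
<< /Root 1 0 R /Info 3 0 R >>
%%EOF
"""
CAMPAIGN_START = datetime(2025, 6, 23, tzinfo=timezone.utc)   # constructed window
CAMPAIGN_END = datetime(2025, 7, 1, tzinfo=timezone.utc)

PDF_DATE_RE = re.compile(r"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?([Zz+-])?(\d{2})?'?(\d{2})?")

def _literal_string(data, start):
    """Read a PDF literal string at data[start] == b'('; balanced nested parens are allowed."""
    depth, i, out = 0, start, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":                  # escaped byte: keep it verbatim (enough for \( \) \\)
            out += data[i + 1:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth > 1:
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out), i + 1
            out += c
        else:
            out += c
        i += 1
    raise ValueError("unterminated literal string")

def info_entry(data, key):
    """Decoded value of the first /key entry, or None. UTF-16BE with BOM, else PDFDocEncoding (~latin-1)."""
    m = re.search(rb"/" + re.escape(key.encode()) + rb"\s*", data)
    if not m:
        return None
    pos = m.end()
    if data[pos:pos + 1] == b"(":
        raw, _ = _literal_string(data, pos)
    elif data[pos:pos + 1] == b"<":
        raw = bytes.fromhex(data[pos + 1:data.index(b">", pos)].decode("ascii"))
    else:
        return None
    return raw[2:].decode("utf-16-be") if raw.startswith(b"\xfe\xff") else raw.decode("latin-1")

def parse_pdf_date(text):
    """'D:YYYYMMDDHHmmSSOHH'mm'' -> aware datetime; 'Z' or a missing offset is taken as UTC (assumption)."""
    m = PDF_DATE_RE.match(text or "")
    if not m:
        return None
    y, mo, d, h, mi, s, sign, oh, om = m.groups()
    dt = datetime(int(y), int(mo or 1), int(d or 1), int(h or 0), int(mi or 0), int(s or 0))
    tz = timezone.utc
    if sign in ("+", "-"):
        off = timedelta(hours=int(oh or 0), minutes=int(om or 0))
        tz = timezone(off if sign == "+" else -off)
    return dt.replace(tzinfo=tz)

def triage_attachment(data, start=CAMPAIGN_START, end=CAMPAIGN_END):
    """Summarise the Info-dictionary evidence for one attachment."""
    producer = info_entry(data, "Producer") or ""
    created = parse_pdf_date(info_entry(data, "CreationDate"))
    return {
        "producer": producer,
        "creator": info_entry(data, "Creator"),
        "apple_quartz": "Quartz PDFContext" in producer,    # Apple's PDF engine (macOS/iOS)
        "created": created,
        "modified": parse_pdf_date(info_entry(data, "ModDate")),
        "in_campaign_window": created is not None and start <= created <= end,
    }

if __name__ == "__main__":
    print(triage_attachment(SAMPLE_PDF))
```

Because the Info dictionary is plain user-editable data, treat a matching producer and timestamp as one more point of agreement with the header and WHOIS timeline, not as proof on its own.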
4) Preventive hardening recommendations
Blackpanda provided a practical set of steps to reduce repeat risk, including: blocking lookalike domains at the email gateway, flagging newly registered domains, searching gateway logs for prior messages from lookalikes, and issuing internal advisories to staff and customer-facing teams.
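The header analysis in step 1, the domain-age check in step 2, and the "flag newly registered and lookalike domains" recommendation in step 4 (and the point made under CHALLENGE that SPF/DKIM/DMARC can all pass) come down to a few header comparisons. The following is an added example written for this page, not Blackpanda's tooling: it parses Authentication-Results to find which domain actually authenticated, compares that against the expected domain with a similarity score, guesses the originating platform from the Received chain, and computes domain age from a registration date. The legitimate domain, both sample messages, the platform markers, the WHOIS creation dates, and the similarity and age thresholds are all constructed assumptions.

```python
"""Header triage for a suspected lookalike-domain message.

Added example, not Blackpanda's tooling. The legitimate domain, both sample
messages, the platform markers, the WHOIS creation dates and the thresholds
are constructed for illustration.
"""
import re
from datetime import datetime, timezone
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

LEGIT_DOMAIN = "example-precision.com"   # stands in for the firm's real domain (constructed)

# Constructed: SPF/DKIM/DMARC all pass, but for the lookalike domain itself,
# and the originating hop is a third-party mail platform.
SUSPECT_MESSAGE = """\
Received: from sender.zohomail.example (sender.zohomail.example [203.0.113.10])
 by mx.customer.example with ESMTPS; Mon, 23 Jun 2025 09:14:02 +0000
Authentication-Results: mx.customer.example; spf=pass smtp.mailfrom=example-precison.com;
 dkim=pass header.d=example-precison.com; dmarc=pass header.from=example-precison.com
From: "Accounts" <accounts@example-precison.com>
To: ap@customer.example
Subject: RE: Invoice 4471 - updated bank details
Date: Mon, 23 Jun 2025 09:13:55 +0000

Please use the attached updated bank details for this payment.
"""
# Constructed: what a genuine message from the firm's Microsoft tenant looks like.
LEGIT_MESSAGE = """\
Received: from mail.outbound.protection.outlook.example (mail.outbound.protection.outlook.example [198.51.100.7])
 by mx.customer.example with ESMTPS; Mon, 16 Jun 2025 08:02:11 +0000
Authentication-Results: mx.customer.example; spf=pass smtp.mailfrom=example-precision.com;
 dkim=pass header.d=example-precision.com; dmarc=pass header.from=example-precision.com
From: "Accounts" <accounts@example-precision.com>
To: ap@customer.example
Subject: Invoice 4471
Date: Mon, 16 Jun 2025 08:01:58 +0000

Invoice attached.
"""
WHOIS_CREATED = {                        # constructed registration dates (from WHOIS/RDAP in practice)
    "example-precison.com": datetime(2025, 6, 23, tzinfo=timezone.utc),
    "example-precision.com": datetime(2012, 3, 1, tzinfo=timezone.utc),
}
PLATFORM_MARKERS = {"zoho": "Zoho Mail", "outlook": "Microsoft 365", "google": "Google Workspace"}
AUTH_RE = re.compile(r"(spf|dkim|dmarc)=(\w+)\s+(?:smtp\.mailfrom|header\.d|header\.from)=([\w.-]+)")
NEW_DOMAIN_DAYS = 30                     # "newly registered" threshold (assumption)
LOOKALIKE_MIN = 0.8                      # similarity at which a domain counts as a lookalike (assumption)

def authentication_results(msg):
    """{mechanism: (result, domain)} parsed from Authentication-Results headers."""
    out = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result, domain in AUTH_RE.findall(" ".join(hdr.split())):
            out[mech] = (result.lower(), domain.lower())
    return out

def from_domain(msg):
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def sending_platform(msg):
    """Heuristic: match the originating 'Received: from' hostname (last Received header) against markers."""
    for hdr in reversed(msg.get_all("Received", [])):
        m = re.search(r"from\s+([\w.-]+)", " ".join(hdr.split()))
        if m:
            for marker, name in PLATFORM_MARKERS.items():
                if marker in m.group(1).lower():
                    return name
    return "unknown"

def lookalike_score(candidate, legit):
    """0..1 similarity; a one-character typosquat of a 20-character domain scores about 0.97."""
    return SequenceMatcher(None, candidate, legit).ratio()

def triage(raw_message, legit_domain=LEGIT_DOMAIN, whois=WHOIS_CREATED):
    msg = message_from_string(raw_message)
    auth = authentication_results(msg)
    sender = from_domain(msg)
    sent = parsedate_to_datetime(msg["Date"])
    auth_passed = all(auth.get(m, ("none", ""))[0] == "pass" for m in ("spf", "dkim", "dmarc"))
    same = sender == legit_domain
    score = lookalike_score(sender, legit_domain)
    age = (sent - whois[sender]).days if sender in whois else None
    r = {
        "from_domain": sender,
        "authenticated_for": {m: d for m, (_, d) in auth.items()},
        "auth_passed": auth_passed,
        "matches_legit_domain": same,
        "lookalike_score": round(score, 3),
        "platform": sending_platform(msg),
        "domain_age_days": age,
        "newly_registered": age is not None and age <= NEW_DOMAIN_DAYS,
    }
    # The decision hinges on WHICH domain authenticated, not on whether authentication passed.
    if same:
        r["verdict"] = "legitimate domain" if auth_passed else "legitimate domain, authentication failed: possible direct spoof"
    elif score >= LOOKALIKE_MIN:
        r["verdict"] = "lookalike domain: external impersonation"
    else:
        r["verdict"] = "unrelated domain: review"
    return r

if __name__ == "__main__":
    for raw in (SUSPECT_MESSAGE, LEGIT_MESSAGE):
        print(triage(raw))
```

The same comparison is what a gateway rule needs: authentication passing for the lookalike is expected and tells you nothing; the actionable signals are the near-match score against the firm's domain and the zero-day domain age.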
RESULTS
1) Evidence-led conclusion: impersonation, not tenant compromise
Based on headers and sending infrastructure, Blackpanda found no indication the organisation’s internal environment was compromised in this incident. The evidence supported an external impersonation attempt using a lookalike domain.
2) A clearer fraud narrative for stakeholder action
The firm gained a defensible explanation it could use to brief internal teams and affected counterparties: what was sent, how it was made to look real, and why it was not a legitimate corporate email.
3) A concrete prevention checklist aligned to how the criminals operated
Rather than generic “be careful” advice, the recommendations targeted the attacker’s exact playbook: fast domain registration, spoofed reply styling, and forged payment documents.
FAQ: Lookalike domains, impersonation, and payment diversion
Q1. Was the corporate email environment compromised?
The investigation found no indication of internal compromise in this case; the evidence pointed to external impersonation using a lookalike domain and third-party mail infrastructure.
Q2. Why would SPF/DKIM/DMARC still pass on a malicious email?
Because those checks validate that the sender is authorised for the domain the message claims, not that the domain is the one you expect. If criminals register the lookalike domain and configure SPF and DKIM for it, the checks pass for that domain. The useful control is therefore to compare the authenticated domain against the legitimate one and treat near matches as suspicious.
Q3. Why register a domain on the same day as the attack?
It’s common tradecraft for short-lived fraud campaigns: register, send, attempt payment diversion quickly, then abandon the domain.
Q4. What’s the fastest way to reduce repeat risk?
Block identified lookalike domains, flag newly registered domains at the email gateway, and proactively search gateway logs for any prior lookalike messages.
Q5. What should finance teams do when “bank details” change via email?
Use an out-of-band verification step (a call-back to a number already held on file, never one supplied in the email; dual approvals; payment hold periods) before changing payee details or executing transfers.