IR-2025-003
Severity: MED

Phishing — LOTS Platform Abuse with KYC Lure

Filed: Dec 2025
Taxonomy: T1566.002
Complexity: High
Containment: 5h
Read time: ~6m
TRUE POSITIVE — THREAT REMEDIATED

Threat actor abused a legitimate B2B document signing SaaS platform (LOTS pattern) to target two named employees with a KYC compliance lure impersonating a major professional services firm. The sending domain passes SPF/DKIM and reputation checks — detection relies entirely on content and behavioural analysis. RF Score 15 on attacker-controlled source IP. Both emails hard-deleted, zero clicks confirmed, no compromise.

Tags: Phishing, LOTS, Spearphishing, Email
Outcome
Both emails hard-deleted — zero user interactions confirmed
No compromise across either targeted recipient
SaaS platform legitimate functionality preserved — no disruptive domain block applied
Background & Context

Living Off Trusted Sites (LOTS) is an attack pattern in which threat actors abuse legitimate, reputable third-party platforms to deliver malicious content — exploiting the trusted sender reputation of the platform to bypass email security filters. In this incident, the attacker registered an account on a legitimate B2B document signing SaaS service and used it to send a fraudulent KYC (Know Your Customer) document request to named employees.

The LOTS technique is particularly effective because the sending domain is genuinely legitimate: it passes SPF, DKIM, and DMARC authentication checks, and its IP reputation is clean. Traditional email reputation filters will not flag it. Detection depends entirely on content analysis, user reporting, and the ability to separate the platform's identity from the attacker's identity behind it.

This incident is the second against the same client within six days, following IR-2025-001. The two-employee targeting and the use of named employees' details indicate that the attacker conducted OSINT reconnaissance on the organisation prior to the attack — likely sourcing names and email addresses from public professional networking profiles or the company website.

Triage Thought Process
01. Sender domain is legitimate, but this is not exculpatory. In a LOTS attack, the platform's sending domain is clean by design. The question is whether the account using the platform is malicious, not whether the platform itself is.
02. Extract the Participant field from the email headers. The notification sender is the platform's standard address, but the 'From' participant behind it was an external PEC address (Italian certified email) — this is the attacker's identity.
03. RF Score 15 on the source IP. This is the attacker's infrastructure used to create the SaaS account, not the platform's sending IP. Separating these two IPs is a critical LOTS analysis step.
04. Unique tracking tokens in the URLs are a targeting indicator. Each recipient received a different token, which allows the attacker to confirm which email address is active and engaged. This is targeted behaviour, not bulk delivery.
05. Two named employees targeted. The attacker had prior directory knowledge of the client — likely from public professional networking profiles or website staff pages.
06. Do NOT block the SaaS platform domain globally. This would disrupt legitimate use of a business-critical service. Log the specific attacker document URLs as indicators instead.
07. Confirm with the client that no legitimate KYC request exists, then hard-delete and close.
Decision
True positive — LOTS spearphishing attack with targeted two-employee delivery. Contained via hard-delete. Platform domain preserved. Attacker infrastructure and document URLs logged as indicators.
Incident Timeline
10 Dec, ~09:55
Phishing email delivered to two user mailboxes via legitimate SaaS document signing platform sender domain
10 Dec, ~10:00
Alert: email reported by user as malware or phish — Microsoft Sentinel
10 Dec, ~10:05
Ticket opened, analyst assigned
10 Dec, ~10:10
Email header analysis: sender domain confirmed legitimate SaaS; participant identified as external attacker-controlled PEC address
10 Dec, ~10:15
Source IP enriched via Recorded Future: RF Score 15, US commercial data centre (ASN: AS23352)
10 Dec, ~10:20
All embedded URLs identified — unique per-recipient tracking tokens confirmed
10 Dec, ~10:30
Tenant-wide URL click report — zero clicks on all embedded links
10 Dec, ~10:35
Second recipient mailbox identified — both Network Message IDs extracted
10 Dec, ~10:40
Both emails hard-deleted via Network Message IDs
10 Dec, ~11:00
Client contact notified — confirmed no expected document request from this entity
10 Dec, ~15:00
Ticket closed — fully remediated, no compromise
Technical Analysis

The email appeared to originate from the platform's standard notification sending address — a legitimate domain that passes SPF/DKIM. However, the critical analytical step in LOTS investigation is extracting the Participant field from the email headers: the actual identity behind the notification. The participant was an external PEC address (Posta Elettronica Certificata — Italian certified email infrastructure). This is the attacker's controlled identity.

The source IP (50[.]31[.]156[.]XXX) returned an RF Score of 15 from Recorded Future — elevated, attributable to a US commercial data centre (ASN: AS23352). This IP represents the attacker's infrastructure used to register and operate the SaaS account, not the platform's own sending IP. Separating these two IPs is the defining analytical step in LOTS triage: the platform's IP will score clean, the attacker's infrastructure IP reveals the risk.

Each of the two targeted employees received an email with a unique per-recipient tracking token embedded in the document URL. This is a deliberate targeting mechanism that allows the attacker to confirm which email addresses are active and engaged — characteristic of targeted spearphishing rather than bulk delivery. The attacker had specific knowledge of at least two named employees' email addresses, consistent with prior OSINT activity.

The KYC pretext was well-constructed for the target sector. Energy and maritime organisations routinely engage in third-party due diligence processes involving document exchanges with professional services firms. The lure — impersonating a major professional services firm requesting KYC compliance documentation — exploits sector-specific workflows that employees are conditioned to treat as routine.

Both emails were hard-deleted via their individual Network Message IDs. The SaaS platform's domain was deliberately not blocked globally — doing so would have disrupted legitimate business use of a platform the client likely uses for genuine document workflows. Only the specific attacker document URLs were logged as indicators.

Environment
Microsoft Sentinel — Email Threat Protection
Microsoft 365 / Defender for Office 365
Recorded Future (threat enrichment)
Signals
User-reported email appearing to originate from legitimate SaaS document signing platform
Envelope sender: legitimate SaaS notification domain — passes SPF/DKIM (LOTS pattern)
Participant field: external PEC address (Italian certified email) — attacker-controlled identity
Source IP scored RF 15 — elevated, US commercial data centre (ASN: AS23352)
Unique per-recipient tracking tokens in embedded document URLs
Two named employees targeted — attacker had prior OSINT directory knowledge
What I Checked
Sender domain confirmed as legitimate SaaS notification address — not exculpatory in a LOTS attack
Participant field extracted: attacker-controlled external PEC address (Italian certified email)
Source IP enriched via Recorded Future: RF Score 15, US commercial data centre (ASN: AS23352)
All embedded URLs identified — SaaS document platform links with unique per-recipient tracking tokens
Tenant-wide URL click report — zero clicks on all embedded links
Second recipient mailbox identified — both Network Message IDs extracted for hard-deletion
Client confirmed: no legitimate KYC request from this entity
Actions Taken
Both emails hard-deleted via individual Network Message IDs — confirmed removed from primary and recoverable items
SaaS platform domain NOT globally blocked — would disrupt legitimate business use
Specific attacker document URLs logged as indicators
Client notified — confirmed no expected document request from this entity
Recommended client report malicious document to SaaS platform abuse team for account removal
Indicators of Compromise
Type | Indicator | Notes
Email Sender | app@[SaaS-PLATFORM-REDACTED][.]com | Legitimate platform abused — LOTS pattern, do NOT block globally
Participant | [REDACTED]@pec[.]com | Attacker-controlled Italian PEC address — real identity behind the notification
Source IP | 50[.]31[.]156[.]XXX | RF Score: 15 — US commercial data centre (ASN: AS23352)
URL | hxxps://app[.]saas-platform[REDACTED][.]com/email/documents/[ID]/at/[TOKEN_1] | Attacker document — recipient 1 tracking token embedded
URL | hxxps://app[.]saas-platform[REDACTED][.]com/email/documents/[ID]/at/[TOKEN_2] | Attacker document — recipient 2 unique tracking token
Message IDs | [REDACTED_MESSAGE_ID] (×2) | Network Message IDs — M365 admin audit trail, both recipients
MITRE ATT&CK Mapping
Tactic | Technique | ID | Observed
Initial Access | Phishing: Spearphishing Link | T1566.002 | Targeted two named employees — attacker had prior directory knowledge
Initial Access | Trusted Relationship Abuse / LOTS | T1199 | Legitimate SaaS domain used to inherit email reputation and bypass filters
Reconnaissance | Gather Victim Identity Information | T1589 | Two named employees targeted — implies prior OSINT reconnaissance
Collection | Phishing for Information | T1598 | KYC lure designed to harvest corporate and personal compliance information
Detection Logic (KQL)
// Find both recipient mailboxes by sender domain
EmailEvents
| where SenderMailFromDomain contains "[saas-platform-redacted]"
| where Timestamp > ago(24h)
| project Timestamp, RecipientEmailAddress, NetworkMessageId, DeliveryAction, SenderIPv4

// Confirm zero clicks on both tracking token URLs
UrlClickEvents
| where Url contains "saas-platform-redacted"
| where Timestamp > ago(24h)
| project Timestamp, AccountUpn, Url, IsClickedThrough, ActionType

// Hunt for any other emails from the attacker PEC address across tenant
EmailEvents
| where SenderMailFromAddress contains "pec.com"
| where Timestamp > ago(7d)
| project Timestamp, RecipientEmailAddress, SenderMailFromAddress, Subject, DeliveryAction
Analyst Notes (Muhammad Fezzan)

Second phishing incident against the same client within six days — IR-2025-001 involved genuine phishing emails with a subsequent awareness campaign disclosure; this is a distinct targeted attack. The two-employee targeting and the PEC address indicate the attacker conducted prior research on the company.

RF Score of 15 on the source IP was a useful early indicator — the SaaS platform itself would score much higher, which is exactly why the attacker chose to route through it. Separating the platform's IP score from the attacker's infrastructure IP score is the key analytical step in LOTS investigations.

The KYC pretext is particularly potent in energy and maritime sectors where third-party due diligence is routine. This incident pattern (LOTS + business document pretext + targeted spearphishing) is increasing in frequency.

Lessons Learned
LOTS attacks bypass traditional reputation-based filtering — content analysis and detonation are the primary detection layers.
Separate the platform's IP score from the attacker's infrastructure IP — this is the critical LOTS analysis step.
Unique per-recipient tracking tokens indicate deliberate targeting — assess what employee information is publicly accessible.
Enable link detonation for all emails including those from trusted SaaS platforms.
KYC lure patterns should be explicitly covered in security awareness training for financial and professional services sectors.
Recommendations
R1. Enable link detonation for all inbound emails including those from trusted SaaS platforms: LOTS attacks rely on the assumption that a trusted sender domain will exempt URLs from detonation. Ensure Safe Links is configured to detonate all URLs regardless of sender reputation.
R2. Conduct an employee OSINT audit: assess what information about named employees is publicly accessible via company website, LinkedIn, and other professional directories. Limit the publicly accessible employee directory to reduce attacker reconnaissance surface.
R3. Implement LOTS-specific detection rules in Sentinel: alert on emails where the sending domain is a known document platform but the participant/from address is a non-corporate external domain.
R4. Include LOTS and KYC lure patterns in security awareness training: employees in energy/maritime sectors should be specifically trained to verify unexpected KYC requests via a secondary channel before engaging with any document link.
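The two analytical steps described in the Technical Analysis (separating the platform's sending identity from the participant identity behind the notification, and comparing the per-recipient document URLs for unique tracking tokens) are also exactly the logic R3 asks for as a detection rule. The following script is an added example, not code from the incident report or from any SaaS platform; it assumes the platform surfaces the requesting account as a Reply-To header (real platforms expose the participant differently, so that header name is an assumption), and the two messages it parses are constructed placeholders modelled on the incident, with `saas-platform.example`, `client.example` and `pec.example` standing in for the redacted domains.

```python
"""LOTS triage helper (added example, not part of the incident report).

Parses document-platform notifications, separates the platform's sending domain
from the participant identity behind it, checks that SPF/DKIM passed (so the
hit came from content, not reputation), and compares the document URLs sent to
each recipient for per-recipient tracking tokens.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Sending domains of document platforms the organisation legitimately uses
# (constructed placeholder standing in for the redacted platform).
KNOWN_PLATFORM_DOMAINS = {"saas-platform.example"}
# Domains a genuine participant would be expected to use (constructed).
TRUSTED_PARTICIPANT_DOMAINS = {"client.example", "saas-platform.example"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def build_sample(recipient, token):
    """Constructed notification modelled on the incident; every value is a placeholder.
    Assumption: the platform exposes the requesting account as Reply-To."""
    return (
        "Return-Path: <bounce@saas-platform.example>\n"
        "Authentication-Results: mx.client.example; spf=pass "
        "smtp.mailfrom=saas-platform.example; dkim=pass header.d=saas-platform.example\n"
        "From: Document Platform <app@saas-platform.example>\n"
        "Reply-To: compliance-team@pec.example\n"
        f"To: {recipient}\n"
        "Subject: KYC compliance documents required\n"
        "Content-Type: text/plain; charset=utf-8\n"
        "\n"
        "Please review and sign the KYC request:\n"
        f"https://app.saas-platform.example/email/documents/9f3c/at/{token}\n"
    )


SAMPLES = [
    build_sample("alice@client.example", "tok-aaaa1111"),
    build_sample("bob@client.example", "tok-bbbb2222"),
]


def domain_of(header_value):
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def auth_passed(msg):
    """True when Authentication-Results records spf=pass and dkim=pass."""
    results = msg.get("Authentication-Results", "").lower()
    return "spf=pass" in results and "dkim=pass" in results


def triage_message(raw):
    """Return the platform identity, the participant identity and the document URLs."""
    msg = message_from_string(raw)
    sender_domain = domain_of(msg.get("From", ""))
    participant = parseaddr(msg.get("Reply-To", ""))[1].lower()
    participant_domain = participant.rpartition("@")[2]
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    # The R3 rule: known platform sender, but the identity behind it is external.
    lots_suspect = (
        sender_domain in KNOWN_PLATFORM_DOMAINS
        and participant_domain not in TRUSTED_PARTICIPANT_DOMAINS
    )
    return {
        "recipient": parseaddr(msg.get("To", ""))[1].lower(),
        "sender_domain": sender_domain,
        "auth_passed": auth_passed(msg),
        "participant": participant,
        "lots_suspect": lots_suspect,
        "urls": URL_RE.findall(body),
    }


def tracking_tokens(findings):
    """Treat the last path segment of each document URL as the token.  Distinct
    tokens under one shared document path mean each recipient got a unique
    link: a targeting indicator rather than bulk delivery."""
    tokens, prefixes = {}, set()
    for f in findings:
        for url in f["urls"]:
            prefix, _, token = urlparse(url).path.rstrip("/").rpartition("/")
            tokens[f["recipient"]] = token
            prefixes.add(prefix)
    per_recipient = len(prefixes) == 1 and len(set(tokens.values())) == len(tokens) > 1
    return {"tokens": tokens, "per_recipient_tokens": per_recipient}


def run_triage(samples=SAMPLES):
    findings = [triage_message(raw) for raw in samples]
    return {"messages": findings, "tokens": tracking_tokens(findings)}


if __name__ == "__main__":
    import json
    print(json.dumps(run_triage(), indent=2))
```

Run stand-alone it prints the triage for both constructed recipients: authentication passed, the sender is a known platform, the participant is an external PEC-style address, so both messages are flagged as LOTS suspects, and the two document URLs share one path but carry distinct final segments. The allowlists are where a deployment needs tuning; a participant domain that belongs to a known counterparty should be added to `TRUSTED_PARTICIPANT_DOMAINS` rather than the rule being loosened, so the platform domain itself is never the thing being blocked.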
Case Certification
Muhammad Fezzan
SOC ANALYST
Digital timestamp: DEC 2025 // REG-003-FS
Case anonymised