Social Engineering • Vendor Agreement Scam • Redirect Links

The Agreement Was Ready. The Sender Wasn't.

A vendor agreement had supposedly been prepared for GEMXIT.

The email included a reference number, a compliance contact and a link to open the document.

There was just one problem.

It wasn't coming from GEMXIT.

It was coming from halloweenville.uk.

Agent Foskett investigation into a suspicious vendor agreement email and redirect link
Briefing summary

A suspicious vendor agreement email claimed to be acting on behalf of GEMXIT. The message contained a reference number, a compliance contact and a document link. But the sender domain, redirect URL and verification path all pointed somewhere else entirely.

Claimed to represent GEMXIT
Hidden redirect URL
Suspicious domain mismatch

What happened

The message did not need malware, attachments or a fake login page. It only needed the recipient to trust boring corporate paperwork.
The reference looked official. The subject included a clean reference number, CDR-2026-114. It looked like routine vendor administration, which is exactly why it deserved attention.
The sender had no alignment. The message claimed to be sent by gemxit.com, but the sender address was info@mg.halloweenville.uk. The claim and the infrastructure did not match.
The verification path was controlled. The compliance address also used mg.halloweenville.uk. The supposed verification channel was controlled by the same suspicious domain as the sender.

The redirect that changed everything

The email said open the agreement. The URL showed a tracking-style redirect path.
vendor-agreement-redirect.txt
http://email.mg.halloweenville.uk/c/eJwkz79ugzAQ...
// visible text: Open
// claimed sender: gemxit.com
// real domain: mg.halloweenville.uk
// the document link was really a redirect path
The destination was disguised. The button said Open, but the link pointed to a long encoded path under email.mg.halloweenville.uk rather than a trusted document platform.
The claim was inconsistent. The email claimed to be sent by gemxit.com, yet every actionable path pointed back to the halloweenville.uk infrastructure.
The protocol was weak. The link used plain HTTP. That is not what you expect from a legitimate agreement workflow or secure vendor process.

Agent Foskett moment

Everyone was meant to see a routine agreement. The better question was why the sender, link and compliance address all pointed to the same unrelated domain.
The agreement was the lure. The phrase annual vendor process made the message sound routine, administrative and boring enough to slip past human suspicion.
The click was the prize. A click confirms that the recipient saw the message, trusted the context and was willing to interact with the fake process.
The domain told the real story. The sender claimed one identity, but the link, sender address and compliance mailbox all revealed another.
What it was not. It was not a normal vendor agreement. It had no known vendor, no trusted document service and no verified GEMXIT-controlled sending path.
What it actually was. A social engineering message designed to make a suspicious redirect feel like ordinary business administration.
Why it matters. Many phishing emails do not look dramatic. Some succeed because they look like paperwork nobody wants to question.

What most environments miss

Security teams often search for attachments and malware. This kind of message is quieter.
Compliance can be a prop. A compliance mailbox can make a message feel legitimate, but here it used the same suspicious domain as the sender.
Routine language has power. Annual process, agreement and representative are all low-drama phrases designed to reduce suspicion.
Redirect links are evidence. Long encoded redirect paths can reveal that the email is measuring interaction before sending the user somewhere else.

How defenders can investigate it

The message is simple, but the investigation should still compare identity, infrastructure and intent.
Review the sender identity. Compare the claimed sender, visible From address, reply-to, return path, authentication results and any mismatch between brand and infrastructure.
Expand and inspect links. Look for encoded redirect paths, non-HTTPS links, mismatched domains and URLs that do not point to recognised document platforms.
Hunt for similar messages. Use email telemetry to find matching subjects, reference numbers, sender domains, compliance addresses, redirect hosts and repeated body text.
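As an added example (not code from the GEMXIT briefing), the following Python triage applies the sender-identity and link checks above to a constructed copy of the message described in the redirect section. The domains, reference number and link are the ones the briefing quotes; the header values, body wording and the function names triage and domain_of are assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample for this example: domains, reference number and link come from the briefing; header values and body wording are assumed.
SAMPLE_EMAIL = """\
From: GEMXIT Compliance <info@mg.halloweenville.uk>
Reply-To: compliance@mg.halloweenville.uk
Return-Path: <bounces@mg.halloweenville.uk>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=mg.halloweenville.uk; dkim=pass header.d=mg.halloweenville.uk; dmarc=none header.from=mg.halloweenville.uk
Subject: Vendor Agreement CDR-2026-114
Content-Type: text/html

<p>An agreement has been prepared on behalf of gemxit.com as part of the annual vendor process.</p>
<a href="http://email.mg.halloweenville.uk/c/eJwkz79ugzAQ...">Open</a>
"""

def domain_of(addr):
    """Lowercase domain of an RFC 5322 address such as 'Name <user@host>'."""
    _, address = parseaddr(addr or "")
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def triage(raw, claimed_brand):
    """Compare the brand the body claims against every domain the recipient would act on."""
    brand, findings = claimed_brand.lower(), []
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    # Identity signals: From, Reply-To, Return-Path, plus the domains SPF/DKIM actually vouched for.
    infra = {h: domain_of(msg[h]) for h in ("From", "Reply-To", "Return-Path")}
    auth = (msg["Authentication-Results"] or "").lower()
    for key in ("smtp.mailfrom", "header.d"):
        m = re.search(rf"{re.escape(key)}=([\w.-]+)", auth)
        if m:
            infra[key] = m.group(1)
    # Link signals: plain HTTP and tracking-style encoded redirect paths.
    for href, text in re.findall(r'href="([^"]+)"[^>]*>([^<]*)<', body):
        u = urlparse(href)
        infra[f"link '{text}'"] = u.netloc.lower()
        if u.scheme == "http":
            findings.append(f"link '{text}' uses plain HTTP")
        if re.search(r"/c/[A-Za-z0-9_=\-]{8,}", u.path):
            findings.append(f"link '{text}' is an encoded redirect on {u.netloc}")
    # Alignment: a passing SPF/DKIM result only authenticates the sending domain, not the claimed brand.
    off_brand = sorted({d for d in infra.values() if d and d != brand and not d.endswith("." + brand)})
    if brand in body.lower() and off_brand:
        findings.append(f"claims {brand} but every actionable path uses {off_brand}")
    return findings
```

Running triage(SAMPLE_EMAIL, "gemxit.com") reports the plain HTTP link, the encoded redirect and the brand/infrastructure mismatch; the same message judged against the domain it actually came from produces only the two link findings.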

Related investigations

The Disney Email Wasn't From Disney. A familiar brand can make a message feel safe until the sender, link and authentication details are reviewed.
The Invoice Wasn't An Email. It Was A Calendar Invite. Attackers can use unexpected message types to bypass the assumptions people make about email threats.
The User Clicked Accept And Gave Away The Mailbox. Some attacks do not need passwords when consent, trust and a convincing prompt are enough.
The Email Came From Me. Sender identity can be misleading when display names, spoofing and authentication results are not reviewed together.
SpoofedDomain In EmailEvents. Microsoft Defender email telemetry can help identify when a message is impersonating a trusted domain.
EmailEvents KQL Guide. Learn how to investigate sender, recipient, delivery and authentication signals using Microsoft Defender XDR.
The email talked about an agreement.
The domain talked about deception.

Final thought

The first clue was not the reference number. It was the mismatch between the claimed sender and the infrastructure behind the message.
At GEMXIT, we help organisations investigate suspicious email, Microsoft Defender XDR telemetry, sender authentication, social engineering patterns and identity compromise risk across Microsoft 365 environments. If you want to understand how this applies to your environment, see our Cyber Security services.
Agent Foskett mindset. Do not only ask what the email says. Ask who really sent it, where the link actually goes, who controls the verification path and whether the infrastructure matches the claim.

The email claimed a vendor agreement had been prepared by gemxit.com. But the sender, compliance address and redirect URL all pointed to mg.halloweenville.uk. Explore related investigations including The Disney Email Wasn't From Disney, The Email Came From Me, and the EmailEvents KQL Guide.

Develop IT. Protect IT. GEMXIT PTY LTD | GEMXIT UK LTD

Vendor Agreement Scam Investigation

This Agent Foskett briefing explains how a suspicious vendor agreement email used social engineering, a domain mismatch, a compliance address and a redirect link to encourage recipient engagement.

Redirect Links In Phishing Emails

Redirect links can hide the real destination, measure interaction and make a suspicious document link appear more routine than it really is.

Social Engineering And Vendor Agreement Lures

Not every suspicious email immediately steals credentials or delivers malware. Some messages are designed to make routine business processes feel trustworthy enough to earn a click.