First Contact Domain: Why New Relationships Demand Higher Scrutiny

Every relationship starts somewhere. In email, that first message from an unknown sender represents both an opportunity and a risk — and attackers know that the moment of first contact is when defenses are weakest.

When a message arrives from a domain your organization has never interacted with before, something important is happening: a new trust boundary is being created. That boundary doesn't come with history, context, or behavioral baselines. It comes with nothing but the message itself — and whatever the sender claims to be.

Most email security systems treat this moment the same as any other. OpenEFA^® does not.

Why First Contact Is a Critical Moment

The majority of targeted email attacks begin with a first interaction. This is not a coincidence — it's a strategy.

Consider the attacker's challenge: they need to establish credibility with someone who has no reason to trust them. They can't rely on an existing relationship, a shared history, or a familiar conversation thread. They have one chance to appear legitimate enough to earn a response, a click, or an action.

This is why first-contact messages are disproportionately represented in:

Vendor impersonation attacks — posing as a new supplier, partner, or service provider
Executive spoofing — impersonating a senior leader the recipient hasn't corresponded with directly
Reconnaissance phishing — testing whether a recipient will engage before escalating the attack
Credential harvesting — sending fake login pages disguised as onboarding or account setup requests
Invoice fraud — submitting a fabricated invoice from a domain that closely mimics a real vendor

In each case, the attacker benefits from the same thing: the recipient has no prior experience with this sender. There is no baseline to compare against. There is no history that would make an inconsistency obvious.

What Makes a Domain "First Contact"

A first-contact domain is any sending domain that has no prior communication history with the recipient or the recipient's organization. OpenEFA tracks this at multiple levels:

Recipient-Level First Contact

The specific recipient has never received email from this domain before. This is the most granular level — even if other people in the organization have corresponded with the domain, this particular user has not. The message represents a new relationship for this individual.

Organization-Level First Contact

No one in the organization has ever received email from this domain. This is a stronger signal. It means the domain is entirely unknown to the business — there is no institutional familiarity, no shared context, no prior verification.

Domain Age and History

Beyond the relationship itself, the domain's own history matters. A first-contact message from a domain registered last week carries different risk than one from a domain that has been active for ten years. OpenEFA correlates first-contact status with domain age, registration patterns, and DNS infrastructure to build a more complete picture.

The Difference Between New and Suspicious

Not every first-contact domain is malicious. Businesses form new relationships constantly. A new vendor reaches out. A potential customer sends an inquiry. A recruiter contacts a hiring manager. A regulatory body issues a notification.

The challenge is distinguishing between these legitimate first contacts and the ones designed to exploit the absence of history.

OpenEFA approaches this by evaluating first-contact messages across multiple dimensions simultaneously:

Authentication Completeness

Does the sending domain have properly configured SPF, DKIM, and DMARC? Legitimate organizations — especially those initiating business relationships — overwhelmingly maintain complete authentication records. A first-contact domain with missing or misconfigured authentication is a compounding risk signal.

Domain Resemblance

Does the first-contact domain visually or structurally resemble a domain the organization already trusts? Attackers frequently register lookalike domains — swapping characters, adding hyphens, using alternative TLDs — to exploit the brief moment before the recipient notices the difference. A first-contact message from acme-corp.net when the organization has an existing relationship with acmecorp.com is a signal that demands attention.

Content Intent

What is the message asking for? A first-contact message that requests a wire transfer, demands credential entry, or pushes for immediate action is fundamentally different from one that introduces a service or asks a routine question. The combination of first contact and high-stakes intent is a powerful risk indicator.

Infrastructure Signals

Where is this email actually coming from? OpenEFA examines the sending infrastructure — mail server reputation, IP history, hosting patterns — to determine whether the domain's technical footprint is consistent with what it claims to be. A domain claiming to represent a major corporation but sending from a shared hosting provider is a meaningful inconsistency.

How Attackers Exploit the First-Contact Window

Sophisticated attackers understand the first-contact dynamic and design their campaigns around it. Several patterns are common:

The Warm-Up Sequence

Rather than leading with a malicious payload, the attacker sends an innocuous first message — a generic introduction, a scheduling request, or a simple question. If the recipient responds, a relationship has been established. The malicious request comes in message two or three, now carrying the credibility of an ongoing conversation.

The Authority Introduction

The attacker impersonates a senior executive or external authority figure. The first message references an internal project, a board decision, or a regulatory requirement. The recipient, unfamiliar with this particular sender but respectful of the claimed authority, complies without verifying.

The Vendor Pivot

The attacker monitors public information — job postings, press releases, LinkedIn activity — to identify when an organization is onboarding new vendors. They then impersonate that vendor, sending a first-contact message that aligns with the recipient's expectations. The timing makes the message feel anticipated rather than unexpected.

The Pretext of Referral

The attacker claims to have been referred by a mutual contact: "Sarah in your procurement team suggested I reach out." This manufactured social proof gives the first-contact message an artificial sense of legitimacy that can bypass casual scrutiny.

How OpenEFA Applies Elevated Scrutiny

When OpenEFA identifies a first-contact domain, it doesn't block the message by default. Instead, it applies a heightened evaluation framework that treats the absence of history as a risk factor to be weighed alongside other signals.

This means:

Scoring adjustments. First-contact status contributes to the message's overall risk score. On its own, it may not trigger an action. Combined with other signals — urgency language, financial requests, domain resemblance, authentication gaps — it can push a message past the threshold.
Signal amplification. Other signals detected in a first-contact message carry more weight than they would in a message from a known, trusted sender. A minor writing style anomaly in a message from a long-standing partner is less concerning than the same anomaly in a message from a domain the organization has never seen before.
Contextual tagging. Messages from first-contact domains are tagged with metadata that downstream systems and administrators can use for additional review, logging, or policy enforcement. This preserves organizational visibility without creating unnecessary friction for legitimate contacts.

Trust Is Earned, Not Assumed

The fundamental principle behind the First Contact Domain signal is simple: trust must be earned through consistent, verifiable behavior over time. It cannot be assumed based on a single message, no matter how legitimate that message appears.

This mirrors how trust works in every other domain of security. A new employee doesn't receive full system access on day one. A new vendor doesn't get payment terms before a contract is signed. A new application doesn't get network privileges before a security review.

Email should work the same way.

As a sender demonstrates consistent authentication, predictable behavior, and legitimate intent across multiple interactions, their trust level increases. OpenEFA tracks this progression, gradually reducing scrutiny as the relationship matures and the behavioral baseline solidifies.

This approach means that:

Genuinely new business contacts experience a brief period of elevated review, then quickly establish trust
Attackers who rely on a single first-contact message face maximum scrutiny at the moment they are most vulnerable to detection
Organizations gain visibility into the formation of new email relationships, rather than discovering them only after an incident

A Real-World Scenario

Consider this situation:

Recipient: Accounts Payable coordinator

Sender: billing@acme-solutions.net

Subject: "Updated Payment Instructions — Acme Solutions"

"Hi — we've recently updated our banking details due to a change in our payment processing provider. Please find the updated wire instructions attached. We'd appreciate if you could update your records before the next payment cycle. Let me know if you have any questions."

The message is polite, professional, and well-formatted. The domain passes SPF and DKIM. There are no malicious links. The attachment is a clean PDF.

But OpenEFA detects:

This is a first-contact domain — no one in the organization has ever received email from acme-solutions.net
The domain was registered 12 days ago
The domain name closely resembles acmesolutions.com, a known vendor in the organization's communication history
The message contains a financial request — updated banking details — in its very first interaction
There is implicit time pressure — "before the next payment cycle"

No single signal is definitive. Together, they form an unmistakable pattern: a newly registered lookalike domain, making a first-contact financial request with manufactured urgency. The message is flagged for review before it reaches the recipient's inbox.

The Broader Principle

First Contact Domain is part of the OpenEFA Signals framework — a set of behavioral and contextual patterns that reveal risk before it becomes an incident.

The core principle: the absence of history is itself a signal. When a message arrives from a domain with no relationship to the organization, every other signal in that message must be evaluated with greater care.

New relationships are inevitable. New relationships that arrive with financial requests, urgency, and lookalike domains are not coincidences — they are patterns that demand scrutiny.

OpenEFA provides that scrutiny automatically, so trust can be extended deliberately rather than exploited opportunistically.

← Back to Signals ← Back to Blog