FinTech AccessPay Exposed Internal Email Infrastructure Data for Years

March 19, 2026

A UK-based payment platform had been sending DMARC reports to an unregistered domain - exposing internal email infrastructure data for years. After repeated failed deliveries, we registered the domain to prevent abuse. But a threat actor could have done the same and quietly collected insights into sending sources, traffic patterns, and authentication results. This wasn’t just a misconfiguration - it was a lack of monitoring and DNS hygiene.


A UK-based payment platform, integrated with over 16,000 banks and backed by Mastercard and Barclays, has been sending DMARC reports to an exposed email endpoint.

After several months of unsuccessful reporting, we registered accessspay[.]com to prevent potential data exposure. The issue is not just that AccessPay was not monitoring its DMARC reports for spoofing and phishing incidents, but that the reports were directed to a domain that a threat actor could have registered to map infrastructure, access communication patterns, recipient data, and traffic volumes.

We never enabled mailboxes for accessspay[.]com, but it’s highly likely an accept-all inbox could have received a large volume of customer communications.

The last DMARC update appears to have been in early 2024, suggesting there isn’t even an annual DNS audit in place that would reveal further issues.

No matter the size of your organization, whitelisting exposed servers in DNS is not a good practice and can definitely have consequences.
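
One way to automate the kind of DNS audit mentioned above, as an added example that is not code from AccessPay or from this post's authors: it parses a DMARC record, flags report destinations that do not resolve or lack the external-reporting authorization record from RFC 7489 section 7.1, and flags a policy with no `rua` at all. The resolver is injected as `lookup`; the domains, record and zone data are constructed, using reserved `.example` names.

```python
def parse_dmarc(txt):
    """Split a DMARC TXT record into a {tag: value} dict."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def report_domains(tags):
    """Yield (tag, domain) for each mailto: URI in the rua/ruf tags."""
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip()
            if uri.lower().startswith("mailto:"):
                addr = uri[len("mailto:"):].split("!", 1)[0]  # drop "!10m" size limit
                yield tag, addr.rsplit("@", 1)[-1].lower().rstrip(".")

def audit(policy_domain, dmarc_txt, lookup):
    """Return a list of (issue, tag, domain) findings.

    lookup(name, rtype) returns a list of record strings, [] for NXDOMAIN/no data.
    """
    findings = []
    dests = list(report_domains(parse_dmarc(dmarc_txt)))
    if not any(tag == "rua" for tag, _ in dests):
        findings.append(("no-aggregate-reporting", "rua", policy_domain))
    for tag, dom in dests:
        # Simplification: a real check compares organizational domains via the PSL.
        if dom == policy_domain or dom.endswith("." + policy_domain):
            continue
        if not any(lookup(dom, rt) for rt in ("NS", "MX", "A")):
            findings.append(("destination-does-not-resolve", tag, dom))
            continue
        # RFC 7489 section 7.1: external receivers must publish this record.
        auth = lookup(f"{policy_domain}._report._dmarc.{dom}", "TXT")
        if not any(r.strip('"').startswith("v=DMARC1") for r in auth):
            findings.append(("destination-not-authorized", tag, dom))
    return findings

# Constructed zone data (reserved .example names), standing in for live DNS.
ZONE = {
    ("reports.example", "MX"): ["10 mx.reports.example."],
    ("pay.example._report._dmarc.reports.example", "TXT"): ['"v=DMARC1"'],
}
def fake_lookup(name, rtype):
    return ZONE.get((name.lower(), rtype), [])

RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@paay.example,mailto:agg@reports.example!10m"

if __name__ == "__main__":
    for finding in audit("pay.example", RECORD, fake_lookup):
        print(finding)
```

Run on a schedule against a real resolver, a check like this surfaces both failure modes in this case: a reporting address on a domain nobody controls, and a policy that no longer reports anywhere.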


Update: a few hours ago, AccessPay silently updated their DMARC policy, removing the exposed reporting endpoint from the RUA tag, leaving the organization blind to email security incidents.
