The email passed every authentication check a gateway can run. SPF, DKIM, DMARC, ARC, composite authentication. All green. The sending domain has been registered since 2004 and belongs to a legitimate media production company. The body was one line: "Please see attached for your review." The attachment was a spreadsheet flagged MALICIOUS by the content scanner. Authentication confirmed the sender was authorized. It said nothing about what they were sending.
Twenty Years of Domain Trust, One Compromised Account
The sending domain belongs to a real company in the media production industry. It was registered in 2004, has been continuously active, and maintains properly configured email authentication. SPF included the authorized sending IPs. DKIM was signed and verified. DMARC aligned with a published policy. ARC headers preserved the authentication chain through relay. Microsoft's composite authentication returned a pass.
This is what makes compromised legitimate infrastructure dangerous. Reputation systems weight domain age, authentication history, and sending volume. A 20-year-old domain with clean records carries trust that a newly registered domain cannot replicate. When an attacker gains access to an account on that domain, they inherit all of that accumulated trust.
The sender had no prior communication history with the recipient. This was the only signal that static analysis could offer: a first-time sender from an otherwise trusted domain.
A Generic Lure With a Malicious Payload
The email body contained nothing beyond "Please see attached for your review." No context, no project name, no reference number. Two attachments were included. The first was a .xlsx spreadsheet named after the sending company, flagged MALICIOUS by the content scanner with SHA256 hash 5322d7ff4eabc94547227fe2a511cad3. The second was an image file used as an email signature block, which scanned clean.
The single-line body is a deliberate choice. It gives text-based content analysis nothing to evaluate: no URLs to scan, no brand impersonation to detect, no urgency cues to flag. The entire attack surface is the attachment, and the attachment relied on the domain's authentication to carry it to the inbox before the scanner could intervene.
When the Scanner Catches What Authentication Cannot
The content scanner identified the .xlsx as malicious, which triggered quarantine. But the authentication stack had already voted to deliver: every check passed, every trust signal was green. In environments where scanner verdicts are weighed against authentication results, a domain with 20 years of clean history and full authentication could tip the balance toward delivery.
This is the fundamental limitation of authentication-based email security. SPF, DKIM, and DMARC answer one question: is this email authorized by the sending domain? They do not answer the question that matters: is this email safe? When a legitimate domain is compromised, those two questions have opposite answers.
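As an added illustration (not code from the original post), the gateway decision logic below parses a constructed Authentication-Results header and contrasts a reputation-weighted verdict, in which domain age plus a full authentication pass can outvote the scanner, with a layered verdict in which a MALICIOUS content result is never overridden and a first-time sender is surfaced for review. The domain, IP address, sender addresses and known-correspondent list are placeholders.

```python
import re

# Constructed Authentication-Results header modelled on the case in the post:
# every mechanism passes. Domain and IP are placeholders, not the real sender.
SAMPLE_AUTH_RESULTS = (
    "spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=example-media.test; "
    "dkim=pass (signature was verified) header.d=example-media.test; "
    "dmarc=pass action=none header.from=example-media.test; "
    "compauth=pass reason=100"
)

# Constructed list of addresses the recipient has corresponded with before.
KNOWN_SENDERS = {"colleague@partner.test"}


def parse_auth_results(header: str) -> dict:
    """Extract mechanism=result pairs (spf, dkim, dmarc, arc, compauth)."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc|arc|compauth)=(\w+)", header)}


def all_auth_pass(results: dict) -> bool:
    """True only when every parsed mechanism reports 'pass'."""
    return bool(results) and all(v == "pass" for v in results.values())


def naive_verdict(results: dict, scanner_verdict: str, domain_age_years: int) -> str:
    """Reputation-weighted model: trust signals are summed against the scanner.
    This reproduces the failure mode where a 20-year-old, fully authenticated
    domain tips the balance toward delivery despite a MALICIOUS verdict."""
    score = 0
    if all_auth_pass(results):
        score += 2
    if domain_age_years >= 10:
        score += 2
    if scanner_verdict == "MALICIOUS":
        score -= 3
    return "deliver" if score > 0 else "quarantine"


def layered_verdict(results: dict, scanner_verdict: str, sender: str, known: set):
    """Authentication answers 'authorized?', not 'safe?'. A malicious content
    verdict is final; otherwise auth failure and first-time sender are surfaced."""
    if scanner_verdict == "MALICIOUS":
        return "quarantine", ["scanner:malicious"]
    signals = []
    if not all_auth_pass(results):
        signals.append("auth:fail")
    if sender not in known:
        signals.append("first-time-sender")
    return ("review" if signals else "deliver"), signals
```

With the sample header, `naive_verdict` delivers the malicious spreadsheet (score 2 + 2 - 3 = 1), while `layered_verdict` quarantines it and, for a clean attachment from the same unknown sender, routes it to review on the first-time-sender signal alone.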
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Sender Domain | Legitimate media production company (est. 2004) | Compromised account, full auth pass |
| Auth Results | SPF: pass, DKIM: pass, DMARC: pass, ARC: pass, compauth: pass | Complete authentication chain |
| Attachment | .xlsx file (company-named) | Scanner verdict: MALICIOUS |
| Attachment Hash | SHA256: 5322d7ff4eabc94547227fe2a511cad3 | Malicious spreadsheet |
| Attachment 2 | Image file (email signature) | Scanner verdict: clean |
| Body | "Please see attached for your review." | Generic single-line lure |
| Sender History | First-time sender | No prior communication with recipient |
MITRE ATT&CK Mapping
| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Attachment | T1566.001 | Malicious .xlsx delivered as email attachment |
| Valid Accounts | T1078 | Compromised account on legitimate 20-year-old domain |
| User Execution: Malicious File | T1204.002 | Requires victim to open malicious spreadsheet |