The email passed every authentication check a gateway can run. SPF, DKIM, DMARC, ARC, composite authentication. All green. The sending domain has been registered since 2004 and belongs to a legitimate media production company. The body was one line: "Please see attached for your review." The attachment was a spreadsheet flagged MALICIOUS by the content scanner. Authentication confirmed the sender was authorized. It said nothing about what they were sending.
The sending domain belongs to a real company in the media production industry. It was registered in 2004, has been continuously active, and maintains properly configured email authentication. SPF included the authorized sending IPs. DKIM was signed and verified. DMARC aligned with a published policy. ARC headers preserved the authentication chain through relay. Microsoft's composite authentication returned a pass.
This is what makes compromised legitimate infrastructure dangerous. Reputation systems weight domain age, authentication history, and sending volume. A 20-year-old domain with clean records carries trust that a newly registered domain cannot replicate. When an attacker gains access to an account on that domain, they inherit all of that accumulated trust.
The sender had no prior communication history with the recipient. This was the only signal that static analysis could offer: a first-time sender from an otherwise trusted domain.
The email body contained nothing beyond "Please see attached for your review." No context, no project name, no reference number. Two attachments were included. The first was a .xlsx spreadsheet named after the sending company, flagged MALICIOUS by the content scanner with SHA256 hash 5322d7ff4eabc94547227fe2a511cad3. The second was an image file used as an email signature block, which scanned clean.
The single-line body is a deliberate choice. It provides no content for text-based malware analysis to evaluate. There are no URLs to scan, no brand impersonation to detect, no urgency cues to flag. The entire attack surface is the attachment, and the attachment relied on the domain's authentication to reach the inbox before the scanner could intervene.
The content scanner identified the .xlsx as malicious, which triggered quarantine. But the authentication stack had already voted to deliver: every check passed, every trust signal was green. In environments where scanner verdicts are weighed against authentication results, a domain with 20 years of clean history and full authentication could tip the balance toward delivery.
This is the fundamental limitation of authentication-based email security. SPF, DKIM, and DMARC answer one question: is this email authorized by the sending domain? They do not answer the question that matters: is this email safe? When a legitimate domain is compromised, those two questions have opposite answers.
See Your Risk: Calculate how many threats your SEG is missing
| Type | Indicator | Context |
|---|---|---|
| Sender Domain | Legitimate media production company (est. 2004) | Compromised account, full auth pass |
| Auth Results | SPF: pass, DKIM: pass, DMARC: pass, ARC: pass, compauth: pass | Complete authentication chain |
| Attachment | .xlsx file (company-named) | Scanner verdict: MALICIOUS |
| Attachment Hash | SHA256: 5322d7ff4eabc94547227fe2a511cad3 | Malicious spreadsheet |
| Attachment 2 | Image file (email signature) | Scanner verdict: clean |
| Body | "Please see attached for your review." | Generic single-line lure |
| Sender History | First-time sender | No prior communication with recipient |
| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Attachment | T1566.001 | Malicious .xlsx delivered as email attachment |
| Valid Accounts | T1078 | Compromised account on legitimate 20-year-old domain |
| User Execution: Malicious File | T1204.002 | Requires victim to open malicious spreadsheet |
| Attack | What happened |
|---|---|
| The Tax PDF That Every Scanner Declared Clean (It Wasn't) | A tax-season PDF arrived from Gmail with no JavaScript, no links, no forms, and a clean verdict from every scanner. |
| The Warranty Form With a Windows Executable Hidden Inside a GIF | A legitimate UK food quality supplier sent a warranty renewal with a PDF, a DOCX, and several branding images. |
| The 454 KB HTML Attachment That Pretended to Be an Outlook Inbox | A compromised corporate email account at a food processing company sent a procurement follow-up with a 454 KB HTML attachment named after an Outlook inbox. |
| The Spreadsheet That Arrived Twice: CR/LF Filename Obfuscation and a Base64 Shadow Payload | A clinical data report arrived as a .xlsx with CR/LF control characters in the filename and a companion .b64 base64 payload. |
| The SOC Alert That Came From a Compromised FinTech: An Authenticated BlueVine Sender Delivering a Typosquat Link Buried in Operational Context | A fully authenticated email from bluevine.com impersonated an internal SOC quarantine notification. |