Threat Intelligence

Self-Addressed and BCC'd: A Compromised Hospital Account Delivered Encrypted PDFs at Scale

Written by Audian Paxson | Nov 5, 2025 11:00:00 AM
TL;DR A threat actor used a compromised healthcare organization email account to distribute encrypted PDFs to hidden recipients across multiple industries. The email listed the sender in both the From and To fields, hiding actual targets behind BCC. The passcode 'SBA26' was included in the message body, rendering the encryption purely an anti-analysis measure. SPF and DMARC passed cleanly through a Barracuda gateway relay. IRONSCALES flagged the message through behavioral pattern analysis, correlating the first-time sender signal, encrypted attachment with inline password, and anomalous header configuration.
Severity: High
Tags: Account Compromise, Scanner Evasion, Encrypted Payload Delivery, Mass Distribution
MITRE: T1566.001, T1586.002, T1027.013

The From address and the To address were identical. That is the first thing worth noticing about this phishing email, and it is the detail that separates a targeted lure from an automated distribution campaign.

A healthcare organization employee account sent a four-line email containing a generic greeting, an instruction to open the attachment, and the passcode SBA26 to unlock the file. Attached was a 90 KB encrypted PDF. The message passed SPF and DMARC. The relay chain traversed a Barracuda Secure Email Gateway into Microsoft 365 infrastructure. Every authentication check returned clean results. And the actual recipients, employees at an unrelated medical device manufacturer, appeared nowhere in the visible headers.

They were on BCC.

The Header Configuration That Reveals a Campaign

Most phishing analysis starts with the payload. This case is more interesting at the header level.

The sender, a first-time external contact using a compromised account at a regional healthcare organization, addressed the email to themselves. The To field contained only the sender address. Multiple recipients at the target organization received the message, but none of their addresses appeared in the headers. This is a BCC distribution pattern, and it tells you three things about the operation.

First, the attacker wanted to obscure scope. No single recipient could see who else received the message. In a targeted attack, the attacker picks one mailbox and crafts a pretext specific to that person. In a distribution campaign, the attacker needs efficiency: one composed message, many targets, minimal forensic footprint per recipient.

Second, the self-addressed To field prevents reply-all cascading. If a suspicious recipient hits "Reply All" to warn colleagues, the response goes only back to the compromised account, not to the other targets. The attacker controls that mailbox. Warning messages disappear.

Third, the pattern suggests automation. The passcode "SBA26" is short, alphanumeric, and formatted like a batch identifier rather than a security credential someone chose deliberately. Combined with the self-addressing pattern, this reads as a templated campaign, not a hand-crafted spear phish.

The FBI IC3 2024 Report documented over $2.9 billion in losses from business email compromise in 2024 alone. Compromised accounts in trusted industries like healthcare are a preferred launch platform because the domain reputation is already established.

Why the Compromised Healthcare Account Passed Every Check

The sending domain has been registered since 2000. It belongs to a legitimate regional hospital. The Barracuda outbound gateway at 209[.]222[.]82[.]177 is an authorized relay for the domain, and SPF records confirm it. DMARC passed with a p=quarantine policy. ARC signatures validated through multiple Microsoft hops. The relay chain is clean: healthcare org M365 tenant to Barracuda outbound to recipient M365 tenant.

This is what makes account compromise so effective as an attack vector. The infrastructure is not spoofed or newly registered. It is the real infrastructure for a real organization, and the attacker is simply borrowing it. Traditional authentication tells you "this message came from where it claims to come from," which is true. It just does not tell you whether the person controlling that account today is the same person who controlled it yesterday.


MITRE ATT&CK maps this to Compromise Accounts: Email Accounts (T1586.002). The attacker acquired access to a legitimate email account and used its established reputation to deliver payloads that their own infrastructure could never deliver.

The Encrypted Attachment as an Anti-Analysis Shell

The attached PDF (92 KB, SHA256: f200050cde326d1527dbced1ffd8db2735f6c195df5bfb950603a70dd69976c7) is encrypted. Static analysis tools see the /Encrypt object and stop. No embedded JavaScript, no AcroForm fields, and no credential-harvesting keywords were found in the unencrypted metadata, but encryption prevented full content inspection.

The passcode "SBA26" was embedded directly in the email body. This is not a confidentiality measure. It is a scanner evasion technique mapped to Obfuscated Files: Encrypted/Encoded File (T1027.013). The human recipient gets the password. The automated scanner does not.

The Microsoft Digital Defense Report 2024 noted that encryption-based evasion is increasingly common in email-borne attacks because organizations cannot uniformly block encrypted attachments. Healthcare, legal, and financial services routinely exchange password-protected documents. Blocking them entirely would disrupt legitimate workflows.

What makes this case distinct from isolated encrypted PDF lures is the combination of the BCC distribution pattern with the encrypted payload. The attacker was not investing effort in a single high-value target. They were pushing an uninspectable file to as many recipients as possible while minimizing the chance that any one recipient could alert the others.

The Body That Said Almost Nothing

The email body contained four lines: a greeting, an instruction to open the attachment, the passcode, and a signature. No company letterhead. No project reference. No invoice number. No urgency language.

This minimal approach maps to Phishing: Spearphishing Attachment (T1566.001), though the BCC distribution makes "spear" a generous description. The brevity is intentional. A vague message from an unfamiliar sender at a healthcare organization is plausible enough in a medical device company where cross-organizational document sharing is routine. The less specific the pretext, the harder it is for a content-based scanner to find something explicitly malicious.

IRONSCALES behavioral analysis flagged the message by correlating multiple signals that no single scanner would catch in isolation: first-time sender, encrypted attachment paired with an inline passcode, and the anomalous self-addressed header pattern. Content analysis classified the message as phishing with high confidence. No single signal was definitive. The combination was.
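The following script is an added illustration, not IRONSCALES code and not taken from the write-up. It shows how the three signals discussed above (the self-addressed From/To with BCC delivery from the header section, the encrypted PDF with an inline passcode from the attachment section, and the first-time-sender check) can be extracted from a raw message with the Python standard library and correlated into one verdict, while SPF/DMARC results are recorded but given no exonerating weight. The sample message, its placeholder addresses (hospital.example, devicemaker.example), the PDF-like byte string and the signal weights are all constructed for the example; the only value borrowed from the page is the passcode SBA26.

```python
"""Correlate header, attachment and body signals from a raw email into a verdict.
Added illustration (not vendor code); standard library only."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed stand-in for an encrypted PDF: a trailer referencing an /Encrypt
# dictionary is all the byte-level check below needs. Not a real document.
FAKE_ENCRYPTED_PDF = (
    b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n"
    b"trailer << /Root 1 0 R /Encrypt 2 0 R >>\n%%EOF\n"
)

# Matches "passcode: SBA26", "password is abc123", "PIN 4821" and similar body phrases.
PASSCODE_RE = re.compile(
    r"\b(?:pass(?:code|word|phrase)?|pin)\b[^A-Za-z0-9]{0,5}"
    r"(?:is\b[^A-Za-z0-9]{0,3})?([A-Za-z0-9]{4,32})",
    re.IGNORECASE,
)


def build_sample_eml(to: str = "staff@hospital.example", attach: bool = True) -> bytes:
    """Constructed message mirroring the campaign pattern (placeholder addresses)."""
    msg = EmailMessage()
    msg["From"] = "staff@hospital.example"   # hypothetical compromised account
    msg["To"] = to                           # default: self-addressed, targets on BCC
    msg["Subject"] = "Document"
    msg["Authentication-Results"] = "mx.example; spf=pass; dkim=pass; dmarc=pass"
    msg.set_content("Hello,\n\nPlease open the attached file.\nPasscode: SBA26\n\nRegards")
    if attach:
        msg.add_attachment(FAKE_ENCRYPTED_PDF, maintype="application", subtype="pdf",
                           filename="hospital-encrypted.pdf")
    return msg.as_bytes()


def addresses(msg, header: str) -> list:
    """Lower-cased, de-duplicated mailbox addresses from all instances of a header."""
    return sorted({a.lower() for _, a in getaddresses(msg.get_all(header, [])) if a})


def is_self_addressed(msg) -> bool:
    """From and To resolve to the same single mailbox."""
    sender = addresses(msg, "From")
    return len(sender) == 1 and sender == addresses(msg, "To")


def delivered_via_bcc(msg, delivered_to: str) -> bool:
    """The mailbox that actually received the message appears in neither To nor Cc."""
    visible = set(addresses(msg, "To")) | set(addresses(msg, "Cc"))
    return delivered_to.lower() not in visible


def encrypted_pdf_attachments(msg) -> list:
    """Filenames of PDF attachments whose bytes reference an /Encrypt dictionary."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() == "application/pdf" or name.lower().endswith(".pdf"):
            data = part.get_payload(decode=True) or b""
            if b"/Encrypt" in data:      # heuristic; a full scanner would parse the trailer
                names.append(name)
    return names


def inline_passcodes(msg) -> list:
    """Candidate passwords stated in the message body."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    return [m.group(1) for m in PASSCODE_RE.finditer(text)]


def authentication_passed(msg) -> bool:
    """True when Authentication-Results reports spf=pass and dmarc=pass."""
    text = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return "spf=pass" in text and "dmarc=pass" in text


def assess(raw: bytes, delivered_to: str, known_senders: frozenset) -> dict:
    """Extract the signals and combine them; weights are illustrative, not tuned."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = addresses(msg, "From")
    signals = {
        "first_time_sender": bool(sender) and sender[0] not in known_senders,
        "self_addressed": is_self_addressed(msg),
        "bcc_delivery": delivered_via_bcc(msg, delivered_to),
        "encrypted_pdf": bool(encrypted_pdf_attachments(msg)),
        "inline_passcode": bool(inline_passcodes(msg)),
        "authentication_passed": authentication_passed(msg),
    }
    # SPF/DMARC passing carries no weight: a compromised account passes them legitimately.
    weights = {"first_time_sender": 1, "self_addressed": 2, "bcc_delivery": 1,
               "encrypted_pdf": 1, "inline_passcode": 2}
    score = sum(w for k, w in weights.items() if signals[k])
    # The defining pairing is an uninspectable attachment plus its key in the body;
    # require that plus a header anomaly before escalating to "phishing".
    payload_pair = signals["encrypted_pdf"] and signals["inline_passcode"]
    header_anomaly = signals["self_addressed"] or signals["bcc_delivery"]
    if payload_pair and header_anomaly:
        verdict = "phishing"
    elif score >= 3:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"signals": signals, "score": score, "verdict": verdict,
            "passcodes": inline_passcodes(msg)}


if __name__ == "__main__":
    # Assessed from the point of view of a BCC'd recipient at the target organization.
    print(assess(build_sample_eml(), "engineer@devicemaker.example", frozenset()))
```

The recipient address has to come from the delivery envelope or the mailbox the message landed in, because by definition it is not in the headers; a gateway rule that only inspects To and Cc cannot see the BCC pattern at all. Note also that no single function above is a reliable detector on its own: self-addressed mail and inline passwords both occur in legitimate traffic, which is why the verdict depends on their co-occurrence.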

BCC Campaign IOCs

Type        Indicator                                                          Context
Sender      [user]@sbamh[.]org                                                 Compromised healthcare account
Relay IP    209[.]222[.]82[.]177                                               Barracuda ESS outbound gateway
Attachment  [Hospital Name]-encrypted[.]pdf                                    Encrypted PDF, 92,169 bytes
MD5         e8ae0f2e3f15952a356964d338be8007                                   Attachment hash
SHA256      f200050cde326d1527dbced1ffd8db2735f6c195df5bfb950603a70dd69976c7   Attachment hash
Passcode    SBA26                                                              Embedded in email body

What Security Teams Should Do With BCC-Distributed Encrypted Attachments

Flag any inbound email where the From and To addresses are identical and the message reaches recipients via BCC. This header pattern is uncommon in legitimate business correspondence and is a strong indicator of automated distribution from a compromised account.

For encrypted attachments paired with inline passwords, establish a verification protocol. Contact the purported sender through an independent channel (phone, internal directory, verified contact) before opening the file. Do not use the email itself to verify, as the attacker controls that mailbox.

Report encrypted PDF lures with inline passcodes to your security team immediately. The encryption prevents automated analysis, so human triage is the only way to assess whether the payload is benign or hostile.

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 30,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.