The "REVIEW DOCUMENT" button looked like every other vendor proposal notification. Bold white text on a colored background, centered in the email body, linking to a Box.com shared file. The difference: the button was a PNG image, not an HTML element. The URL it carried existed nowhere in the email's text. And the recipient was not listed in the To header at all.
This credential harvesting attempt combined three evasion techniques that individually are well-documented but together created a detection gap that most email security stacks are not built to close. An image-only call-to-action hid the link from URL scanners. A Box.com share URL inherited the trust of a platform on most corporate allowlists. And BCC delivery masked who actually received the message.
The email contained two inline image attachments: image005.png (59,984 bytes) and image006.png (82,836 bytes). One of these rendered as the "REVIEW DOCUMENT" button. The hyperlink to hxxps://app[.]box[.]com/s/kz3p43jgc7b4tlvbc29tng68oie7k2kb was attached to the image element, not embedded as visible HTML anchor text.
This distinction matters. Most email security gateways extract URLs by parsing the text and HTML body for anchor tags, href attributes, and plain-text links. According to the 2026 Verizon Data Breach Investigations Report, phishing remains the initial access vector in 16% of confirmed breaches, and the report's gateway telemetry shows that 80% of malicious emails reaching gateways are plain phishing with embedded links. That telemetry relies on text-extractable URLs. When the link lives only in an image's clickable region, the scanning engine has nothing to evaluate.
The scanner returned "clean" on every link it could find. The links it found were the sender's business website, a Google Plus page, and a Facebook page, all legitimate. The Box.com URL was invisible to text-based extraction. The image files themselves scanned clean because they were standard PNG bitmaps, not executable payloads.
CISA's phishing guidance warns organizations to inspect links before clicking. That advice assumes the link is inspectable. Image-only CTAs remove that option for both humans (who see a button, not a URL) and machines (which parse text, not rendered pixels).
The email's To header listed the sender's own address rather than the recipient's. The actual recipient, an employee at a mid-size manufacturing firm, appeared only in the SMTP envelope, not in any visible header field. This is classic BCC distribution, and it serves two purposes.
First, it hides the scale of the campaign. A security analyst reviewing the email sees a message addressed to the sender, which reads as a self-copy or a forwarded note. There is no visible recipient list to flag as suspicious mass distribution.
Second, it complicates automated correlation. SEG augmentation tools and threat intelligence feeds often cluster incidents by shared recipients or To-header patterns. BCC delivery breaks that clustering because each recipient appears to have received a unique, unrelated message.
The Microsoft Digital Defense Report 2024 documented a sustained increase in identity-based attacks leveraging legitimate infrastructure and delivery obfuscation. BCC routing is one of the simplest obfuscation methods available, and it remains effective because most detection logic prioritizes header analysis over envelope inspection.
SPF passed. ARC passed. DMARC returned "bestguesspass," a result issued when the sending domain has no published DMARC record and the receiving system infers alignment from SPF alone. The message routed through Microsoft O365 infrastructure (outlook[.]office365[.]com, protection[.]outlook[.]com), which is as trusted as sending infrastructure gets.
The sending domain, registered to a small commercial services company, was a legitimate business with a website, phone numbers, and social media presence. The domain was not newly registered. The SPF record was properly configured. Nothing about the authentication chain indicated compromise or spoofing.
This is the trusted-platform problem in its purest form. According to the FBI IC3 2024 Annual Report, BEC and related social engineering losses exceeded $2.9 billion. Many of these campaigns succeed specifically because the sending infrastructure passes every authentication check. The attacker does not need to forge anything. They need a real mailbox, a real domain, and a real cloud share URL.
With the URL invisible to scanners, authentication clean, and the recipient hidden in BCC, the remaining detection surface was behavioral. IRONSCALES Adaptive AI identified several converging signals. The sender had never contacted the recipient before. The image-to-text ratio was anomalous: the email body consisted almost entirely of rendered images with minimal surrounding text. The To-header mismatch (sender addressing themselves while delivering to a third party) flagged BCC distribution patterns that correlate with bulk phishing campaigns.
The IBM Cost of a Data Breach Report 2024 found that organizations using AI-driven security saved an average of $2.2 million per breach. The value is clearest in cases like this, where individual signals (clean authentication, trusted platform, clean file scan) all indicate legitimacy, and only the convergence of behavioral anomalies reveals the threat.
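The three converging signals described above (a link that exists only on an image, an anomalous image-to-text ratio, and a To header that names the sender while the real recipient sits in the SMTP envelope) can be checked directly from the raw message. The following is an added example, not IRONSCALES code or anything from the original post; the message, the `vendor.example`/`share.example` hostnames and the `PLACEHOLDER` share token are all constructed, and `envelope_rcpt` stands in for the RCPT TO address that only the receiving MTA sees.

```python
import email.policy
from html.parser import HTMLParser

# Constructed sample (not the real message): anchor-wrapped <img>, an <area> href, To names the sender.
RAW_EMAIL = b"""From: vendor@vendor.example
To: vendor@vendor.example
Content-Type: text/html; charset=utf-8

<html><body><p>Please review.</p><a href="https://share.example/s/PLACEHOLDER"><img src="cid:image006.png"></a>
<img src="cid:image005.png" usemap="#m"><map name="m"><area href="https://share.example/s/AREA"></map></body></html>"""

class ImageLinkParser(HTMLParser):
    """Hrefs a text-only extractor misses (anchor-wrapped <img>, <area>) plus image/text counts."""
    def __init__(self):
        super().__init__()
        self.image_only_links, self.images, self.text_chars = [], 0, 0
        self._anchor = None  # [href, saw_img, saw_text] while inside an <a>
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._anchor = [a["href"], False, False]
        elif tag == "img":
            self.images += 1
            if self._anchor:
                self._anchor[1] = True
        elif tag == "area" and a.get("href"):  # image-map region
            self.image_only_links.append(a["href"])
    def handle_data(self, data):
        self.text_chars += len(data.strip())
        if self._anchor and data.strip():
            self._anchor[2] = True
    def handle_endtag(self, tag):
        if tag == "a" and self._anchor:
            href, saw_img, saw_text = self._anchor
            if saw_img and not saw_text:
                self.image_only_links.append(href)
            self._anchor = None

def analyze(raw_bytes, envelope_rcpt):
    """Converging signals for one message; envelope_rcpt is the SMTP RCPT TO address."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    html = msg.get_body(preferencelist=("html",))
    p = ImageLinkParser()
    p.feed(html.get_content() if html else "")
    sender = msg["From"].addresses[0].addr_spec.lower()
    visible = {x.addr_spec.lower() for h in ("To", "Cc") if msg[h] for x in msg[h].addresses}
    return {"image_only_links": p.image_only_links,
            "image_to_text": p.images / max(p.text_chars, 1),
            "to_is_sender": sender in visible,
            "rcpt_hidden": envelope_rcpt.lower() not in visible}
```

None of these signals is malicious on its own; the point is that a gateway scoring only extractable URLs and header authentication never computes them, while a rule that requires all three to coincide catches this message without touching the clean PNGs or the trusted share domain.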
href attributes on img tags and inline image map areas.

| Type | Value | Context |
|---|---|---|
| Sender Pattern | First-time sender, small commercial services domain | BCC delivery, SPF pass, no prior relationship with recipient |
| Box Share URL | hxxps://app[.]box[.]com/s/kz3p43jgc7b4tlvbc29tng68oie7k2kb | Image-only CTA destination, wrapped by SafeLinks |
| Image Attachment | image005.png (59,984 bytes) | Inline image, scanned clean |
| Image Attachment | image006.png (82,836 bytes) | Inline image, rendered as CTA button |
| Mail Infrastructure | outlook[.]office365[.]com | Microsoft O365 sending infrastructure |
| Mail Infrastructure | protection[.]outlook[.]com | Microsoft EOP relay |
| Auth Result | SPF=pass, ARC=pass, DMARC=bestguesspass | Full authentication pass |
| Header Anomaly | To header lists sender's own address | Actual delivery via BCC, recipient not in visible headers |
### MITRE ATT&CK Mapping
| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | Delivery via image-embedded link to Box.com share |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Vendor proposal impersonation, legitimate business identity |
| Stage Capabilities: Link Target | T1608.005 | Malicious content staged on trusted Box.com platform |
| User Execution: Malicious Link | T1204.001 | Victim must click image CTA to reach hosted payload |