The Comcast Suspension Notice That Passed DMARC and Left Nothing to Scan

TL;DR A phishing email impersonating Comcast warned of a suspended account and pushed the recipient toward a 'View Ticket' attachment. The sender was a domain registered months earlier with a randomized mailbox name, but the attacker had configured DKIM correctly so the message passed DKIM and DMARC, neutralizing authentication as a filter. The email body contained no clickable links at all, so URL reputation had nothing to evaluate. The single action was a PDF attachment that passed a surface scan and could not be deep-inspected. With every machine-checkable layer coming back clean, only behavioral errors gave it away: a randomized sender local-part, mismatched ticket numbers between the subject and body, and zero account personalization. IRONSCALES Themis flagged the message on those signals rather than on any malicious URL or failed authentication check.
Severity: Medium | Tags: Brand Impersonation, Credential Harvesting, Attachment-Based Phishing | MITRE ATT&CK: T1566.001, T1656

The subject line did the shouting. #[Suspended:_49938050]Comcast:_January 19 2026 arrived stamped with the current date, the word "Suspended," and a recognizable brand. The body underneath it did almost nothing at all. One line: [View Ticket:_52593673 Attachment]. No paragraph of explanation, no account number, no service address, no greeting. Just a brand, a fear, and an attachment.

What is notable about this message is not a clever payload. It is how little there was for any automated control to examine. Every machine-checkable layer came back clean, and the attack still landed in the inbox.

The Sender Authenticated Perfectly

The message came from nafgkyehh[at]zendostudios[.]com, with the display name "Gacjd11." The domain zendostudios[.]com was registered on September 11, 2025, sat behind Cloudflare name servers, carried privacy-protected WHOIS, and is no longer serving a website. A randomized mailbox local-part on a recently created, anonymized domain is a textbook disposable-sender profile.

What makes this case instructive is that the attacker did the authentication homework. DKIM passed for zendostudios[.]com with a verified signature, and DMARC passed because the signature's d= domain aligned with the header From. SPF returned a PermError because of a malformed record, but DMARC needs only one aligned mechanism to pass, so an aligned DKIM signature carries the verdict regardless of the SPF result, and a DMARC pass is the bar most gateways enforce.

This is the part defenders consistently underweight. Authentication confirms that a domain owner really sent a message and that it was not tampered with in transit. It says nothing about whether that domain owner is trustworthy. An attacker who registers their own domain can publish flawless authentication records for it in minutes, which is how a phishing message earns a clean technical profile with no spoofing at all. The green checkmark on a brand-new domain is not reassurance. It is a question.
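To make the alignment rule concrete, here is an added example (not IRONSCALES code, and not the message's real headers, which the write-up summarizes rather than reproduces) that recomputes a DMARC verdict from per-mechanism results the way RFC 7489 does. The Authentication-Results line is constructed to match the results the write-up reports; the authserv-id mx.example.net and selector sel1 are invented, and org_domain() is a two-label simplification of organizational-domain lookup.

```python
# Added example, not IRONSCALES code and not the message's real headers
# (the write-up reports the results, not the raw header). Recomputes the
# DMARC verdict from per-mechanism results the way RFC 7489 section 6.6.2
# does, to show why an aligned DKIM pass carries a message whose SPF record
# is broken. The Authentication-Results line is constructed to match the
# results the write-up reports; the selector and authserv-id are invented.
from typing import Dict, List, Optional

AUTH_RESULTS = (
    "mx.example.net; "
    "dkim=pass header.d=zendostudios.com header.s=sel1; "
    "spf=permerror smtp.mailfrom=zendostudios.com"
)
HEADER_FROM = "nafgkyehh@zendostudios.com"   # RFC5322.From as the write-up gives it


def parse_auth_results(value: str) -> List[Dict[str, str]]:
    """Parse an RFC 8601 Authentication-Results value into one dict per method,
    e.g. {"method": "dkim", "result": "pass", "header.d": "zendostudios.com"}."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    results = []
    for part in parts[1:]:                      # parts[0] is the authserv-id
        tokens = part.split()
        method, result = tokens[0].split("=", 1)
        entry = {"method": method.lower(), "result": result.lower()}
        for tok in tokens[1:]:
            if "=" in tok:
                key, val = tok.split("=", 1)
                entry[key.lower()] = val.lower()
        results.append(entry)
    return results


def org_domain(domain: str) -> str:
    # Simplification (assumption): last two labels. Real relaxed alignment
    # uses the Public Suffix List so that e.g. co.uk is handled correctly.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, other: Optional[str], strict: bool) -> bool:
    """DMARC identifier alignment: strict needs an exact match, relaxed needs
    the same organizational domain."""
    if not other:
        return False
    other_domain = other.rsplit("@", 1)[-1].lower()
    if strict:
        return from_domain.lower() == other_domain
    return org_domain(from_domain) == org_domain(other_domain)


def dmarc_verdict(header_from: str, auth_results: str,
                  adkim: str = "r", aspf: str = "r") -> Dict[str, object]:
    """DMARC passes if at least one of SPF or DKIM passed AND is aligned with
    the From domain; an SPF error is irrelevant once DKIM is aligned."""
    from_domain = header_from.rsplit("@", 1)[-1]
    spf_aligned = dkim_aligned = False
    for r in parse_auth_results(auth_results):
        if r["method"] == "spf" and r["result"] == "pass":
            spf_aligned = spf_aligned or aligned(from_domain, r.get("smtp.mailfrom"), aspf == "s")
        elif r["method"] == "dkim" and r["result"] == "pass":
            dkim_aligned = dkim_aligned or aligned(from_domain, r.get("header.d"), adkim == "s")
    return {"dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
            "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned}


if __name__ == "__main__":
    # The attacker's own domain: SPF permerror, DKIM aligned -> DMARC pass.
    print(dmarc_verdict(HEADER_FROM, AUTH_RESULTS))
    # The same signature under a spoofed Comcast From: nothing aligns -> fail.
    # This is why the attacker sent from their own domain instead of spoofing it.
    print(dmarc_verdict("support@comcast.com", AUTH_RESULTS))
```

Nothing in dmarc_verdict() takes the domain's age or reputation as an input, which is the whole point: the verdict is about alignment, not trust. Policy discovery (the _dmarc TXT record and its p= tag) is deliberately left out; it decides what to do with a fail, not whether a message passes.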

The Message Left the Filters Nothing to Verdict On

The email body had no clickable links. That is unusual enough to be a signal in itself, and it matters mechanically: URL reputation and link-rewriting engines work on the links present in a body, and here there were none to score.


The single call to action, the "View Ticket" prompt, pointed at a PDF attachment named 63kom2comcast.as-n8kbq6client.pdf. That file passed a surface-level scan and returned a clean verdict on initial inspection, and its contents could not be deep-inspected to enumerate any embedded link or form. So the inbound checks had nothing to act on: authentication passed, there was no inline URL to evaluate, and the attachment scanned clean. Account-suspension lures using a recognizable brand typically aim at credential harvesting or a callback number, but what this message would have done on the next click cannot be confirmed from the evidence, precisely because the document never gave up its contents. That uncertainty is the attacker's advantage, not a gap in the write-up.

The Errors That Gave It Away

The attacker got the infrastructure right and the craft wrong. The subject line cited ticket 49938050. The body cited ticket 52593673. A real provider notification draws both numbers from the same record. There was no recipient name, no partial account or billing detail, and no branded header or signature, only a bracketed token and a date. The formatting itself, with its stray underscores and bracket clutter, reads like a template assembled by a tool rather than written by Comcast.

None of these are things a URL scanner or an authentication check would ever notice. They are visible only when you read the message as a human analyst would, against the question of whether this is how the impersonated brand actually communicates.

How It Was Caught

There was no malicious link verdict to trigger on, because there were no links in the body. There was no failed authentication to quarantine on, because the attacker's own domain passed DKIM and DMARC. There was no malicious-file verdict, because the attachment scanned clean. IRONSCALES Themis flagged the message on its behavior: a recognizable-brand impersonation carrying high urgency, sent from a newly registered domain with a randomized mailbox, personalized to no one, with its only action routed through an attachment and internally inconsistent reference numbers. The brand mismatch and the disposable-sender profile drove the flag, not any single technical indicator. The message was quarantined.

Stopping Authenticated Brand Lures With a Clean Surface

Treat domain age and authentication as separate questions. Authentication answers who controls the sending domain, not how long they have controlled it, so a passing DKIM or DMARC result on a domain registered days, weeks or a few months ago is a risk signal, not a clearance. Weight first-contact senders on freshly registered domains accordingly, and record the registration date alongside the authentication verdict rather than letting one stand in for the other.

Do not let an attachment-only message inherit the body's clean bill of health. When a message has no inline links and its sole action is to open a document, body-level URL controls have nothing to evaluate, and a clean surface scan says only that nothing was found, not that nothing is there. Detonate and deep-inspect attachments rather than passing them on a surface scan, and treat a document whose contents cannot be inspected as unresolved rather than clean.

Read for brand-consistency tells. Mismatched reference numbers, missing account specifics, randomized sender addresses, and generic greetings are anomalies no infrastructure check evaluates. They are the signal when the technical layer comes back clean.
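The three recommendations above, and the tells listed under "The Errors That Gave It Away", can be expressed as checks that run on the parsed message. The following is an added example (not IRONSCALES code and not the Themis logic) that scores those tells over a sample message constructed here from the facts the write-up gives. The registration-date table, the brand list, the recipient "Jane Doe <jdoe@example.org>", the contrast message from billing@comcast.com, the example.com link in it, and every threshold are assumptions; production code would look the domain up via RDAP rather than a hard-coded table.

```python
# Added example, not IRONSCALES code. Scores the behavioral tells the write-up
# describes over a sample message constructed here from the facts it gives.
# The registration-date table, the brand list and every threshold are
# assumptions; production code would look the domain up via RDAP instead.
import re
from datetime import date, datetime, timezone
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import format_datetime
from typing import Dict, List

REGISTRATION_DATES = {"zendostudios.com": date(2025, 9, 11)}  # from the write-up
IMPERSONATED_BRANDS = {"comcast": "comcast.com"}               # assumption
NEW_DOMAIN_DAYS = 180                                          # assumption
QUARANTINE_AT = 4                                              # assumption


def build_sample() -> bytes:
    """Construct the suspension lure as the write-up describes it (sample data)."""
    msg = EmailMessage()
    msg["From"] = "Gacjd11 <nafgkyehh@zendostudios.com>"
    msg["To"] = "Jane Doe <jdoe@example.org>"
    msg["Subject"] = "#[Suspended:_49938050]Comcast:_January 19 2026"
    msg["Date"] = format_datetime(datetime(2026, 1, 19, 9, 12, tzinfo=timezone.utc))
    msg.set_content("[View Ticket:_52593673 Attachment]\n")
    msg.add_attachment(b"%PDF-1.4\n%stub\n", maintype="application", subtype="pdf",
                       filename="63kom2comcast.as-n8kbq6client.pdf")
    return msg.as_bytes()


def build_legit_sample() -> bytes:
    """Constructed contrast (assumption): how a consistent provider notice scores."""
    msg = EmailMessage()
    msg["From"] = "Billing <billing@comcast.com>"
    msg["To"] = "Jane Doe <jdoe@example.org>"
    msg["Subject"] = "Comcast ticket 49938050: update on your account"
    msg["Date"] = format_datetime(datetime(2026, 1, 19, 9, 12, tzinfo=timezone.utc))
    msg.set_content("Hello Jane Doe,\n\nTicket 49938050 for account ending 1234 is open.\n"
                    "View it at https://www.example.com/tickets/49938050\n")
    return msg.as_bytes()


def looks_randomized(token: str) -> bool:
    """Crude heuristic (assumption): few vowels or a long consonant run."""
    letters = re.sub(r"[^a-z]", "", token.lower())
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", letters)), default=0)
    return vowel_ratio < 0.25 or longest_run >= 4


def analyze(raw: bytes) -> Dict[str, object]:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = msg["From"].addresses[0]
    recipient = msg["To"].addresses[0]
    sender_domain = sender.domain.lower()
    subject = str(msg["Subject"])
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    attachments = [a.get_filename() or "" for a in msg.iter_attachments()]
    received = msg["Date"].datetime.date()
    findings: List[str] = []

    if looks_randomized(sender.username):                      # disposable-sender profile
        findings.append(f"randomized local-part '{sender.username}'")

    registered = REGISTRATION_DATES.get(sender_domain)         # domain age, separate from auth
    if registered and (received - registered).days < NEW_DOMAIN_DAYS:
        findings.append(f"sender domain registered {(received - registered).days} days before receipt")

    for brand, real_domain in IMPERSONATED_BRANDS.items():     # brand named, domain not the brand's
        if (brand in subject.lower() and sender_domain != real_domain
                and not sender_domain.endswith("." + real_domain)):
            findings.append(f"subject names '{brand}' but sender domain is {sender_domain}")

    subj_ids = set(re.findall(r"\d{6,}", subject))             # one record, one ticket number
    body_ids = set(re.findall(r"\d{6,}", body))
    if subj_ids and body_ids and subj_ids.isdisjoint(body_ids):
        findings.append(f"ticket ids differ: subject {sorted(subj_ids)} vs body {sorted(body_ids)}")

    if not re.search(r"https?://|www\.", body, re.I) and attachments:  # URL engines had nothing to score
        findings.append(f"no URLs in body; only action is attachment {attachments}")

    greeted = re.search(r"\b(dear|hello|hi)\b", body, re.I)    # personalization
    named = (recipient.username.lower() in body.lower()
             or (recipient.display_name and recipient.display_name.lower() in body.lower()))
    if not greeted and not named:
        findings.append("no greeting, recipient name or account detail in body")

    verdict = "quarantine" if len(findings) >= QUARANTINE_AT else "deliver"
    return {"findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("lure", build_sample()), ("legit", build_legit_sample())):
        result = analyze(raw)
        print(name, result["verdict"], *result["findings"], sep="\n  ")
```

None of these checks consults the authentication result; they run after it and are meant to fire precisely when it comes back clean. The constructed lure trips all six, the constructed provider notice trips none, and the quarantine threshold is a deliberate assumption to tune against your own mail rather than a recommended value.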

The MITRE ATT&CK framework classifies the delivery as Phishing: Spearphishing Attachment (T1566.001), and the Comcast-branded lure, including an attachment name built to read as a Comcast support document, maps to Impersonation (T1656). The Verizon DBIR 2025 continues to rank phishing among the leading paths into an organization, and CISA guidance advises verifying any unexpected account-status notice through a channel you already trust rather than the message in front of you.

Perfect authentication, a recognizable brand, and an empty body pointing at a clean-scanning document. The infrastructure gave nothing away. The story did.

---

Type | Indicator | Context
Sender domain | zendostudios[.]com | Registered 2025-09-11, Cloudflare NS, privacy-protected WHOIS, now non-resolving; DKIM and DMARC pass, SPF PermError
Sender | nafgkyehh[at]zendostudios[.]com (display name "Gacjd11") | Randomized local-part, disposable-sender profile
Attachment | 63kom2comcast.as-n8kbq6client.pdf | PDF carrying the sole call to action; clean on surface scan, contents not retrievable
File hash | b78ad91646af586c5a3c9660c9388e4e | Attachment hash; 32 hex digits, which is MD5 length (a SHA-256 digest is 64), so confirm the algorithm before matching on it
Subject token | Ticket 49938050 ("Suspended" Comcast lure) | Does not match the body ticket number
Body token | [View Ticket:_52593673 Attachment] | Sole call to action; ticket ID conflicts with subject

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
