A professor at a regional public university received an email from a sender they had never seen before. The display name was a common English-language name. The subject line directed them to save a PDF for their bookkeeping records. The body was short: a billing statement reference, a date, and a US helpline number. The message included a Spanish-language privacy-policy block near the footer.
The sending account was registered in 2003. SPF passed. DKIM passed. The PDF scanned clean. Nothing flagged.
The attack is a textbook example of callback phishing: a technique where the email itself carries no weaponized payload and every scanner clears it. The damage happens if the recipient dials the number and hands control to whoever answers.
The domain behind this message was a real Colombian school, active since 2003, running on Google Workspace. WHOIS showed a legitimate GoDaddy registration with live nameservers. The domain resolved to the institution's public website.
This is why the authentication came back clean. SPF passed because the message was genuinely sent from Google mail servers authorized for that domain. DKIM passed, signed by a Google-generated DKIM selector tied to the school's domain. DMARC returned a best-guess pass, meaning the domain lacked a strict enforcement policy but the signatures aligned well enough to clear the check.
The source IP in the headers was 43.128.89.202, a cloud infrastructure address that also appeared in the SMTP authentication handshake, suggesting the compromised account was accessed programmatically. The attacker used the school's own Google Workspace SMTP path to inject the message, which is why everything downstream authenticated cleanly.
An aged legitimate domain on a major cloud mail provider is a significant advantage for this kind of attack. Reputation systems score the domain well. IP blocklists don't catch it. The first-time-sender signal is the only structural anomaly visible at delivery time.
The attachment was a 34KB PDF. Its file hash was not flagged by any scanner. No embedded links. No JavaScript. No AcroForm fields. No executable content. The scanner verdict was clean, and nothing in the attachment metadata contradicted that.
The entire payload was a US callback number and a billing statement pretext. The subject line called out the file explicitly: save this transaction record for your bookkeeping. The body echoed the same directive: here is your billing statement, call the helpline if needed.
PDF scanners inspect files for structures that can deliver code or redirect browsers. A text-only PDF with a phone number gives them nothing to flag. The number itself is an out-of-band channel that bypasses every technical inspection layer entirely. That gap is the design principle behind the broader vishing and callback-phishing category: move the attack to a channel that email security tools cannot inspect.
One detail that stands out: the area code in the callback number is not a currently assigned NANP area code. That suggests the number was set up specifically for this campaign rather than pulled from any real business's contact directory.
Authentication passed and the PDF was clean, so the only layer left for the system to assess was behavioral context.
The display name was a common English-language name. The mailbox local-part was a Spanish-language name consistent with the Colombian institution. The two did not match. That kind of display-name mismatch, a name that does not correspond to any plausible owner of the sending mailbox, is a common signal in compromised-account attacks. The attacker set whatever display name they wanted; the underlying mailbox tells a different story.
The recipient had never received anything from this sender before. First-time sender status alone is not conclusive, but combined with the display-name inconsistency and the out-of-character content (a billing statement and US helpline from a Colombian school), the combination is notable.
The message also carried an institutional mismatch: a US phone number presented as a helpline from an account on a Colombian educational domain. Legitimate billing communications from any institution do not route through a foreign school's mailbox. That context gap is the kind of signal social engineering detection looks for when the technical indicators are clean.
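The signals described in the preceding paragraphs (clean SPF/DKIM/DMARC results, a display name that does not fit the mailbox, a first-time sender, and a phone number sitting beside a call-to-action in an otherwise empty message) can be scored together once the mail is parsed. The script below is an added example, not code from the original post or from any vendor product; the message, the sender history and the small set of "assigned" area codes are constructed placeholders (a real deployment would load the current NANPA area-code list and query its own mail logs), and the only value taken from the post is the callback number listed in the indicator table.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the case described above. The domain, the
# mailbox, the recipient and the names are placeholders, not the campaign's
# real values; the phone number is the one the post lists as an indicator.
RAW_MESSAGE = """\
Authentication-Results: mx.university.example; spf=pass smtp.mailfrom=school.example; dkim=pass header.d=school.example; dmarc=bestguesspass header.from=school.example
From: "John Smith" <carlos.martinez@school.example>
To: professor@university.example
Subject: Kindly save transaction record for your bookkeeping
Content-Type: text/plain; charset=utf-8

Here is your billing statement. Call the helpline at +1 (983) 220-2855 if needed.
"""

# Constructed sender history for the recipient: mailboxes they have
# corresponded with before. A real deployment would query mail logs.
KNOWN_SENDERS = {"dean@university.example", "registrar@university.example"}

# Tiny constructed subset standing in for the NANPA list of assigned
# area codes; a real check loads the current list from NANPA.
SAMPLE_ASSIGNED_NPAS = {"202", "212", "312", "415", "617"}

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")
# North American numbers: optional +1, then NPA-NXX-XXXX with loose punctuation.
NANP_RE = re.compile(r"(?:\+?1[\s.-]*)?\(?(\d{3})\)?[\s.-]*(\d{3})[\s.-]*(\d{4})\b")
CALLBACK_WORDS = ("call", "helpline", "dial", "phone")


def parse_auth_results(msg):
    """Return {'spf': 'pass', ...} parsed from the Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    return dict(AUTH_RE.findall(header.lower()))


def name_tokens(s):
    """Lower-case alphabetic tokens of a name or local-part, single letters dropped."""
    return {t for t in re.split(r"[^a-z]+", s.lower()) if len(t) > 1}


def display_name_mismatch(from_header):
    """True when no token of the display name appears in the mailbox local-part.
    Heuristic: a personal mailbox and its display name usually share a name token."""
    name, addr = parseaddr(from_header)
    if not name or "@" not in addr:
        return False
    local = addr.split("@", 1)[0]
    return not (name_tokens(name) & name_tokens(local))


def classify_area_code(npa, assigned_npas):
    """NANP format rules: first digit 2-9; N11 codes are service codes, not area codes."""
    if not re.fullmatch(r"[2-9]\d\d", npa) or npa[1:] == "11":
        return "invalid_format"
    return "assigned" if npa in assigned_npas else "unassigned"


def extract_callback_numbers(text):
    """Phone numbers that share a sentence with a call-to-action word."""
    found = []
    for sentence in re.split(r"(?<=[.!?])\s+", text):
        if any(w in sentence.lower() for w in CALLBACK_WORDS):
            for npa, nxx, line in NANP_RE.findall(sentence):
                found.append(f"{npa}{nxx}{line}")
    return found


def score_message(raw, known_senders, assigned_npas):
    """Combine the (passing) technical checks with the behavioural signals."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    body = msg.get_payload()
    findings = []
    auth = parse_auth_results(msg)
    if auth.get("dmarc") == "bestguesspass":
        findings.append("dmarc_not_enforced")  # passed without a published policy
    if display_name_mismatch(msg.get("From", "")):
        findings.append("display_name_mismatch")
    if sender.lower() not in known_senders:
        findings.append("first_time_sender")
    for number in extract_callback_numbers(body):
        status = classify_area_code(number[:3], assigned_npas)
        findings.append(f"callback_number:{number}:{status}")
    return {"auth": auth, "findings": findings}


if __name__ == "__main__":
    print(score_message(RAW_MESSAGE, KNOWN_SENDERS, SAMPLE_ASSIGNED_NPAS))
```

On the sample message every authentication result is a pass, yet the findings list carries four behavioural entries; a gateway that stops at the authentication verdict never reaches them. For a real PDF lure the same `extract_callback_numbers` would run over text pulled from the attachment rather than over the message body.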
MITRE ATT&CK maps this to two techniques. Phishing: Spearphishing Attachment covers the delivery of a file-based lure designed to direct the recipient toward an out-of-band contact. User Execution: Malicious File covers the expected next step, in which the recipient opens the PDF, sees the number, and calls it.
A secure email gateway inspects what it can inspect. It scans links against blocklists and sandboxes attachments for malicious behavior. When the attachment is a clean PDF with no links and the sending domain is a 22-year-old institutional domain with valid Google authentication, the gateway's technical inspection finds nothing.
The category of attacks that exploit this gap is well-documented. Threat actors use callback lures specifically because the phone call is the payload, not the email. Once the recipient dials, the attacker controls the interaction: they can impersonate a billing support agent, request remote access, demand credential verification, or instruct the recipient to purchase gift cards. None of that is inspectable at the inbox.
| Type | Indicator | Context |
|---|---|---|
| Domain | [a compromised school domain] | Compromised sending domain, a Latin American school, registered 2003, Google Workspace |
| Phone | +1 (983) 220-2855 | Callback number embedded in PDF; 983 is not a currently assigned NANP area code |
| File | "Kindly save_ transaction record related to Token_pdf for your bookkeeping.pdf" | PDF attachment, 34KB, SHA1 7a97093cf901c2d4a91ec8f319351f97, scanner verdict clean |
| Auth | SPF pass, DKIM pass, DMARC bestguesspass | Genuine authentication on compromised legitimate account |
| Behavior | Display name mismatch | English-language display name on Spanish-language mailbox local-part |
| Behavior | First-time sender | No prior relationship between this mailbox and the recipient |
When every technical control clears a message, the residual signal lives in behavioral context. A PDF that contains nothing but a phone number is not a normal billing document. A helpline number on a message from a foreign educational institution is not a match. A display name that does not correspond to the mailbox sending it is worth a second look.
The industry data on this attack type is consistent. The FBI IC3 2024 report documents phone-based fraud as one of the highest-loss categories, and callback-phishing campaigns targeting businesses have grown as attackers look for techniques that cleanly bypass automated inspection. CISA guidance on phishing reinforces the core response: verify any billing claim or support contact through a channel you established independently, not through anything provided in the incoming email.
The sending domain was legitimate. The PDF was clean. The authentication was real. The only thing wrong with this message was that a professor at a regional public university had no reason to receive a billing statement from a Colombian school's mailbox with a US helpline attached. That judgment cannot be made by a content scanner. It requires knowing what normal looks like for the recipient.