A Singapore-based educational institution had its Microsoft 365 environment compromised, and the attacker did not send a bulk spam blast. Instead, they identified an active email thread about a hotel reservation inquiry, inserted a reply that looked exactly like a continuation of that conversation, and shipped it to four mailboxes at a second educational organization with a malicious QR shortlink and a set of image attachments carrying embedded executable signatures.
The result: a message that passed every authentication layer and arrived inside a thread the recipients were already engaged with.
The subject line was "Re: Park Avenue Rochester - Reservation for Summer 2026." The sender display name matched the institution. SPF, DKIM, and DMARC all returned pass. The ARC chain was intact. Every technical trust signal told the receiving mail filter: this message is legitimate.
That is precisely the point of account takeover as a delivery vehicle. When an attacker controls a real, aged, trusted domain's mail infrastructure, they inherit every reputation and authentication advantage that domain has built. There is no spoofed sender to catch, no lookalike domain to blocklist, no forged header to flag.
MITRE ATT&CK T1078 (Valid Accounts) covers the sending account; T1566.001 (Spearphishing Attachment) and T1566.002 (Spearphishing Link) cover the image attachments and the shortlink in the body. The account was already owned when this message was sent.
Alongside the thread-continuation text, the email contained a qrco[.]de shortlink: hxxps://qrco[.]de/bdbgjR. IRONSCALES threat intelligence returned a confirmed malicious verdict on that destination.
URL shorteners are a consistent attacker tool because they break the direct URL-to-reputation lookup that most secure email gateways (SEGs) and endpoint filters rely on. The shortlink itself may be unknown to blocklists at the moment the email is delivered. By the time a recipient clicks it and the redirect resolves, the filter has no second chance to intervene.
The Verizon 2026 Data Breach Investigations Report notes that 16% of breaches list phishing as the initial access vector, with link-based delivery accounting for a significant share of that. The qrco[.]de shortlink in this case is a textbook example of the method.
The email carried ten image attachments packaged as a multipart/related bundle: a mix of GIF and PNG files consistent with inline logo and social-icon assets. All ten returned a clean verdict from the attachment scanner at the time of analysis.
Deeper binary inspection of three of those files produced a finding worth examining. Two GIF files contained the MZ byte sequence at several offsets, including positions beyond the 0x3B trailer byte that terminates a GIF, where no image data should exist. A PNG file contained an MZ header at a bitstream position consistent with data appended after the image.
MZ is the DOS-header signature at the start of every Windows portable executable (PE). Finding it past the trailer of a GIF, or after the IEND chunk of a PNG, is the classic forensic signal for an appended or injected payload. Two caveats apply before reading much into the count of hits. The two-byte sequence 0x4D 0x5A also occurs by chance roughly once per 64 KB of compressed image data, so several hits inside a large LZW stream prove little on their own; and a genuine PE header can be confirmed cheaply, because the 4-byte e_lfanew pointer at MZ+0x3C must land on a "PE\0\0" signature. Whether those bytes constitute a runnable executable requires controlled sandbox detonation, which was not completed by the time the incident closed.
The finding should be treated as an indicator warranting isolation and further analysis, not as confirmed payload delivery. Security teams who encounter similar patterns should treat the full attachment set as suspect and route it through offline forensic tooling rather than opening any of the files on production endpoints.
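One way to do that offline triage, as an added example rather than the tooling used in this incident: the script walks the GIF block grammar and the PNG chunk list to find where each image legitimately ends, lists every MZ hit, and checks whether the e_lfanew pointer at each hit resolves to a PE signature. The three sample files are constructed in memory (a clean GIF that happens to carry "MZ" inside its image data, plus the same GIF and a minimal PNG with a fake PE stub appended), so it runs without the real attachments; point it at the real files by reading their bytes from disk.

```python
"""Triage image attachments for appended or embedded PE data.

Added example, not the IRONSCALES scanner. Sample files are constructed below.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def gif_logical_end(data):
    """Offset just past the 0x3B trailer, found by walking the block grammar
    (a raw search for 0x3B is unreliable: the byte can appear inside LZW data)."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos = 6
    packed = data[pos + 4]            # logical screen descriptor flags
    pos += 7
    if packed & 0x80:                 # global colour table: 2^(N+1) RGB entries
        pos += 3 * (2 << (packed & 0x07))
    while pos < len(data):
        tag = data[pos]
        pos += 1
        if tag == 0x3B:
            return pos
        if tag == 0x2C:               # image descriptor (9 bytes after the tag)
            lpacked = data[pos + 8]
            pos += 9
            if lpacked & 0x80:        # local colour table
                pos += 3 * (2 << (lpacked & 0x07))
            pos += 1                  # LZW minimum code size
        elif tag == 0x21:             # extension: one label byte, then sub-blocks
            pos += 1
        else:
            raise ValueError(f"unknown GIF block 0x{tag:02x} at {pos - 1}")
        while True:                   # data sub-blocks end with a zero-length block
            n = data[pos]
            pos += 1 + n
            if n == 0:
                break
    raise ValueError("GIF trailer not found")


def png_logical_end(data):
    """Offset just past the IEND chunk's CRC; anything after it is overlay."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        pos += 12 + length            # length + type + data + crc
        if ctype == b"IEND":
            return pos
    raise ValueError("PNG IEND chunk not found")


def mz_candidates(data, logical_end):
    """Every 'MZ' hit, with whether it lies past the image and whether its
    e_lfanew (offset 0x3C in the DOS header) points at a 'PE\\0\\0' signature."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        is_pe = False
        if pos + 0x40 <= len(data):   # need the full 64-byte DOS header
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            is_pe = pe_off + 4 <= len(data) and data[pe_off:pe_off + 4] == b"PE\x00\x00"
        hits.append({"offset": pos, "after_trailer": pos >= logical_end, "pe_header": is_pe})
        pos = data.find(b"MZ", pos + 1)
    return hits


def triage(name, data):
    end = gif_logical_end(data) if data[:3] == b"GIF" else png_logical_end(data)
    hits = mz_candidates(data, end)
    return {
        "name": name,
        "trailing_bytes": len(data) - end,             # overlay after the image
        "expected_random_mz": len(data) / 65536,       # chance hits in compressed data
        "hits": hits,
        "suspect": len(data) > end or any(h["pe_header"] for h in hits),
    }


# Constructed samples (not the incident's files).
CLEAN_GIF = (
    b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00"           # 1x1, global colour table present
    + b"\x00\x00\x00\xff\xff\xff"                           # 2-entry colour table
    + b"\x2c" + b"\x00\x00\x00\x00\x01\x00\x01\x00\x00"     # image descriptor
    + b"\x02" + b"\x04MZ\x4c\x01" + b"\x00"                 # sub-block that happens to contain 'MZ'
    + b"\x3b"
)


def png_chunk(ctype, payload):
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))


CLEAN_PNG = (PNG_SIG + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + png_chunk(b"IEND", b""))


def fake_pe_stub():
    """64-byte DOS header whose e_lfanew points at a PE signature right after it."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x4c\x01"       # signature + machine = i386


if __name__ == "__main__":
    for name, blob in [("clean.gif", CLEAN_GIF), ("stuffed.gif", CLEAN_GIF + fake_pe_stub()),
                       ("clean.png", CLEAN_PNG), ("stuffed.png", CLEAN_PNG + fake_pe_stub())]:
        print(triage(name, blob))
```

The clean GIF reports one MZ hit with no PE header and nothing past the trailer, which is the false-positive case a raw byte search would flag; the two stuffed files report an overlay whose first hit resolves to a PE signature. A hit whose e_lfanew does not resolve is not cleared by this check (the payload could be XOR-encoded or otherwise not a raw PE), but a hit that does resolve is worth escalating immediately.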
Let's be precise about the detection gap here. The sending domain was authenticated. The thread context was real. The image files scanned clean. The shortlink was not yet listed. A gateway running signature-based or reputation-based detection had nothing to match against.
The Microsoft Digital Defense Report 2024 identified compromised legitimate accounts as one of the top initial access vectors across the threat landscape, precisely because they defeat the authentication controls that gateways use as their first filter line.
The IRONSCALES Adaptive AI platform flagged this incident with 90% confidence, quarantining messages across four mailboxes at the recipient institution. The detection came from behavioral signals: the sender-recipient relationship, the structural anomaly of a forwarded-thread payload, and the presence of a QR shortlink in an attachment-heavy educational email. Those are not signature matches; they are patterns that require a model trained on normal communication context to surface.
The defensive lesson from this case is not "block image attachments" or "block shortlinks." Both have legitimate uses in business email. The lesson is about detection architecture.
When an attacker operates from a valid account, the entire pre-delivery filter stack collapses. SPF/DKIM/DMARC compliance, sender reputation, domain age: all of those controls are now working for the attacker. The only detection layer with a chance is post-delivery behavioral analysis, which can observe that this account's sending pattern, recipient set, and payload structure are anomalous relative to its own history.
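The kind of baseline comparison described above, together with the shortlink check from the URL-shortener discussion earlier, as an added example (not IRONSCALES code): a per-sender baseline is built from constructed history and a constructed message shaped like this one is scored against it. The sender, recipients, Message-IDs, score weights and shortener list are all assumptions.

```python
"""Post-delivery behavioural scoring of a message against its sender's own history.

Added example, not IRONSCALES code. All history, addresses and weights are constructed.
"""
from __future__ import annotations

import statistics
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumed list; in practice fed from threat intelligence.
SHORTENER_DOMAINS = {"qrco.de", "bit.ly", "tinyurl.com", "t.co"}
QUARANTINE_THRESHOLD = 50


@dataclass
class Message:
    msg_id: str
    sender: str
    recipients: list[str]
    subject: str
    in_reply_to: str | None
    attachments: int
    urls: list[str]


def domain_of(value):
    """Host of a URL, or the domain part of an e-mail address."""
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    return value.rsplit("@", 1)[-1].lower()


class SenderBaseline:
    """What this account normally does: who it writes to, which link domains it
    uses, how many attachments it sends."""

    def __init__(self, history):
        self.recipients = Counter()
        self.link_domains = Counter()
        self.attachment_counts = []
        for m in history:
            self.recipients.update(r.lower() for r in m.recipients)
            self.link_domains.update(domain_of(u) for u in m.urls)
            self.attachment_counts.append(m.attachments)


def score_message(baseline, msg, recipient_thread_ids):
    """Return (score, reasons). recipient_thread_ids holds the Message-IDs the
    recipients' mailboxes already contain, so a 'Re:' to a thread they never
    received is detectable as a forwarded-thread payload."""
    score, reasons = 0, []
    if not any(r.lower() in baseline.recipients for r in msg.recipients):
        score += 30
        reasons.append("no recipient has ever received mail from this sender")
    if msg.subject.lower().startswith("re:") and msg.in_reply_to not in recipient_thread_ids:
        score += 25
        reasons.append("reply to a thread the recipients never received")
    mean = statistics.fmean(baseline.attachment_counts)
    sd = statistics.pstdev(baseline.attachment_counts)
    if msg.attachments > mean + 3 * max(sd, 1.0):      # floor on sd avoids a zero-variance baseline
        score += 20
        reasons.append(f"{msg.attachments} attachments vs baseline mean {mean:.1f}")
    for u in msg.urls:
        d = domain_of(u)
        if d in SHORTENER_DOMAINS:
            score += 20
            reasons.append(f"shortener domain {d} hides the final destination")
        elif d not in baseline.link_domains:
            score += 10
            reasons.append(f"link domain {d} never used by this sender")
    return score, reasons


# Constructed history: a newsletter-style account with a stable recipient set.
SENDER = "events@example-university.sg"
HISTORY = [
    Message(f"<h{i}@example-university.sg>", SENDER,
            ["staff@example-university.sg", "dean@partner-college.sg"],
            "Campus newsletter", None, i % 3, ["https://www.example-university.sg/news"])
    for i in range(8)
]
RECIPIENT_THREAD_IDS = {m.msg_id for m in HISTORY}

# Constructed message shaped like the incident: new recipients, reply to an
# unseen thread, ten attachments, one shortlink.
SUSPECT = Message("<s1@example-university.sg>", SENDER,
                  [f"{n}@recipient-school.sg" for n in "abcd"],
                  "Re: Park Avenue Rochester - Reservation for Summer 2026",
                  "<booking-42@hotel.example>", 10, ["https://qrco.de/example"])
BENIGN = Message("<b1@example-university.sg>", SENDER, ["dean@partner-college.sg"],
                 "Re: Campus newsletter", "<h3@example-university.sg>", 1,
                 ["https://www.example-university.sg/news"])

BASELINE = SenderBaseline(HISTORY)

if __name__ == "__main__":
    for m in (SUSPECT, BENIGN):
        s, why = score_message(BASELINE, m, RECIPIENT_THREAD_IDS)
        print(m.subject, s, "QUARANTINE" if s >= QUARANTINE_THRESHOLD else "deliver", why)
```

Nothing in the scoring touches SPF, DKIM, DMARC or sender reputation, which is the point: those signals are identical for the benign and the suspect message because both genuinely came from the account. The weights are illustrative; a production model would learn them and would include timing, language and recipient-side history as well.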
IRONSCALES account takeover protection works on that behavioral baseline. The platform also provides advanced malware and URL attack protection that inspects shortlink redirect chains at click time rather than only at delivery.
The IBM Cost of a Data Breach 2024 report puts the average breach cost at $4.88 million. Account takeover is one of the more expensive entry points because the attacker moves slowly inside a trusted identity, often for weeks before any financial harm occurs.
Security teams running SEG-only or gateway-augmented architectures should ask whether their tooling would have caught the qrco[.]de redirect or the binary anomalies in those image files. The answer in most cases is no.
| Type | Indicator | Context |
|---|---|---|
| URL | hxxps://qrco[.]de/bdbgjR | Malicious QR shortlink in email body |
| File | image009.gif (MD5: 685056bde54d7d89bebe2358d48087df) | GIF with MZ signature beyond 0x3B trailer |
| File | image021.gif (MD5: 295ff018eca904e925f2211f8cc46ac0) | GIF with multiple MZ offsets at positions 71628, 383956, 398070, 489632 |
| File | image019.png (MD5: 9bbea48543aaac8e7005dead7538e01b) | PNG with MZ header at bitstream index approx. 40272 |
| Sender domain | uel[.]sg | Compromised-legitimate university domain (VICTIM) |
---
Sources: Verizon DBIR 2026 | IBM Cost of a Data Breach 2024 | Microsoft Digital Defense Report 2024 | MITRE ATT&CK T1566.001 | CISA Phishing Guidance