The email arrived from a Cayman Islands construction company with a 10-year-old domain, full authentication, and a professional signature. The body was unremarkable. No credential requests. No payment instructions. No malicious links. The only notable feature was the attachment's filename: ECO Advanced Revised service INV\r\n 949 Recall.pdf. Those two invisible characters, a carriage return and a line feed embedded in the middle of the filename, were the entire attack.
The message was sent from a Google Workspace account through mail-lf1-x144.google.com at IPv6 2a00:1450:4864:20::144. SPF passed. DKIM passed via a Google Apps SMTP delegation key. ARC passed through the full relay chain. The sender domain has been registered since 2014 with Cloudflare nameservers, consistent with an established small business.
The body contained a professional signature with a managing director's name, phone number, and company website. Links in the signature resolved to the company's legitimate site and Facebook page. Screenshots confirmed clean landings. A malformed telephone hyperlink (mismatched digits between href and display text) and a Dropbox-hosted signature image were the only minor anomalies.
The attached PDF was 70,448 bytes. When the automated sandbox attempted to retrieve the file for content inspection, the CR/LF characters in the filename caused a file-not-found error. The analysis aborted. No JavaScript check. No form field extraction. No embedded URL enumeration. No executable content scan.
The file existed. It was deliverable. The recipient's email client could open it. But the sandbox's file-resolution logic could not handle the control characters, and the inspection pipeline treated a retrieval failure as an incomplete scan rather than a threat signal.
The attachment verdict was recorded as "clean" with status "Scanning" because the automated system could not produce a definitive negative result. Absence of evidence became evidence of absence.
This attack paired two techniques that reinforce each other. Authenticated sending (SPF/DKIM/ARC pass) gets the message past reputation-based gateway filters. Filename obfuscation gets the attachment past content-based sandbox inspection. The message authenticates cleanly and carries an uninspected payload. The only signal that something was wrong was the unsolicited distribution: multiple internal recipients with no prior correspondence from this sender.
IRONSCALES flagged the message based on high sender risk, first-time sender, multi-recipient distribution, and the incomplete attachment analysis.
See Your Risk: Calculate how many threats your SEG is missing
| Type | Indicator | Context |
|---|---|---|
| Sender Domain | ecohousecayman[.]com | Cayman Islands, registered 2014, Google Workspace |
| Sending IP | 2a00:1450:4864:20::144 | Google mail server |
| Attachment | ECO Advanced Revised service INV\r\n 949 Recall.pdf | CR/LF in filename |
| File Size | 70,448 bytes | Invoice-themed PDF |
| File Hash (MD5) | 684d679c43e9a499e6110c2500b42f27 | Sandbox could not inspect |
| Sandbox Result | File-not-found (analysis aborted) | CR/LF broke file path resolution |
| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Attachment | T1566.001 | Invoice PDF as primary payload |
| Obfuscated Files or Information | T1027 | CR/LF characters in filename prevent analysis |
| Virtualization/Sandbox Evasion: Time Based Evasion | T1497.003 | Sandbox abort due to file-system handling failure |
| Attack | What happened |
|---|---|
| The Invoice Was in Hebrew, the HTML Attachment Called Localhost, and Every Authentication Check Passed | A Hebrew-language invoice from an Israeli manufacturers association passed SPF, DKIM, and DMARC. |
| The Reply-To Was One Letter Off: How a Typosquat Domain Turned a Gmail BEC Into a Payment Diversion | A Gmail-authenticated BEC used a typosquat Reply-To domain and a hidden HTML mailto mismatch to impersonate a steel distributor's credit manager. |
| The Italian Certified Email That Wrapped Its Payload in S/MIME | A phishing email arrived through Italy's certified email system (PEC) with the payload wrapped in an S/MIME smime.p7m container. |
| The FedEx Email Was Real, the PDF Was an Image, and the Sandbox Saw Nothing | A pre-arrival notification from legitimate FedEx infrastructure carried an image-based PDF that contained no extractable text. |
| The Encrypted PDF From a Reuters Lookalike Domain, Sent Through Amazon SES | A phishing email from a Reuters lookalike domain delivered an AES-encrypted PDF with AcroForm fields through Amazon SES. |