An invoice email arrived from jacquesscott[.]com, a domain registered in the Cayman Islands in 2002 with WHOIS privacy enabled. The message carried a 61,558-byte PDF attachment generated by Crystal Reports. Inside the PDF, multiple address fields contained NULL placeholder values where sender details should have appeared. No JavaScript, no embedded links, and no interactive form elements were present in the document.
The email passed DKIM and DMARC validation, but SPF failed. The failure traced to routing through an Exclaimer relay at 104[.]209[.]35[.]28. Exclaimer is a legitimate email signature management service, but when messages pass through its relay, the connecting IP seen by the recipient changes. If the relay IP is not listed in the sending domain's SPF record, SPF authentication breaks. ARC-Seal validation also failed at i=2 (cv=fail), confirming that the chain of trust was broken during transit.
Payment instructions in the PDF directed funds to a Butterfield bank account, an offshore banking institution headquartered in Bermuda with branches across the Caribbean.
Crystal Reports is a legitimate enterprise reporting tool used to generate invoices, financial statements, and business documents. Attackers exploit this legitimacy because PDFs generated by Crystal Reports carry metadata and formatting that matches what recipients expect from real vendors. The NULL address fields reveal the fraud: a legitimate vendor populating their own invoice template would never leave address fields empty.
The SPF failure is significant but not decisive on its own. Many legitimate organizations route mail through third-party services that cause SPF failures. This is precisely why attackers choose relay paths through services like Exclaimer: the resulting SPF failure looks like a configuration oversight rather than a threat signal.
Combining the SPF failure with the domain's Cayman Islands registration, WHOIS privacy, NULL template fields, and offshore banking payment instructions creates a risk profile that no single indicator would trigger alone.
Community intelligence across the IRONSCALES network identified patterns matching this campaign across multiple tenants. The combination of Crystal Reports metadata, NULL address fields, and Exclaimer relay routing formed a behavioral fingerprint that adaptive AI email security correlated with known invoice fraud patterns.
The ARC-Seal failure at i=2 provided an additional signal that the message had been tampered with or routed through an untrusted path, reinforcing the risk assessment from behavioral analysis.
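The scoring logic the analysis above describes, as an added example that is not part of the original write-up or of any IRONSCALES product: parse the Authentication-Results header (RFC 8601) and the ARC-Seal headers (RFC 8617) of an inbound message, pull the Producer entry and NULL placeholders out of the attached PDF, and combine those with the registration facts into one score. The message, the PDF bytes, the relay domain, the weights, the threshold and the payment watchlist are all constructed or assumed for illustration; the WHOIS facts are passed in as booleans because they come from an external lookup.

```python
import re
from typing import Optional
from email.message import EmailMessage

# Constructed stand-in for the invoice PDF: uncompressed, no xref table, just enough
# structure to carry a Producer entry, two NULL placeholders and the remit-to line.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 128 >>
stream
BT /F1 10 Tf 72 720 Td (Bill To: NULL) Tj 0 -14 Td (Address: NULL) Tj
0 -14 Td (Remit to: Butterfield bank, Bermuda) Tj ET
endstream
endobj
5 0 obj << /Producer (Crystal Reports) /Creator (Crystal Reports) >> endobj
trailer << /Root 1 0 R /Info 5 0 R >>
%%EOF
"""

def build_sample_message(arc_cv: str = "fail", pdf: Optional[bytes] = SAMPLE_PDF) -> EmailMessage:
    """Constructed message modelled on the write-up: SPF fails at the relay hop while
    DKIM and DMARC pass; the second ARC seal carries the given cv= result."""
    msg = EmailMessage()
    msg["From"] = "accounts@jacquesscott.com"
    msg["To"] = "ap@victim.example"
    msg["Subject"] = "Invoice"
    msg["Authentication-Results"] = (
        "mx.victim.example; spf=fail smtp.mailfrom=jacquesscott.com; "
        "dkim=pass header.d=jacquesscott.com; dmarc=pass header.from=jacquesscott.com"
    )
    msg["ARC-Seal"] = "i=1; a=rsa-sha256; cv=none; d=jacquesscott.com; s=arc; b=AAAA"
    msg["ARC-Seal"] = f"i=2; a=rsa-sha256; cv={arc_cv}; d=relay.example; s=arc; b=BBBB"
    msg.set_content("Please see the attached invoice.")
    if pdf is not None:
        msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="invoice.pdf")
    return msg

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
ARC_RE = re.compile(r"\bi=(\d+).*?\bcv=(\w+)")

def parse_auth_results(value: str) -> dict:
    """Return {method: result} from an Authentication-Results header value."""
    return {m.group(1): m.group(2).lower() for m in AUTH_RE.finditer(value)}

def first_arc_failure(seals: list) -> Optional[int]:
    """Return the lowest ARC instance (i=) whose seal reports cv=fail, or None."""
    failures = [int(m.group(1)) for seal in seals
                if (m := ARC_RE.search(seal)) and m.group(2).lower() == "fail"]
    return min(failures) if failures else None

def pdf_indicators(pdf: bytes) -> dict:
    """Static signals from raw PDF bytes. Regex is enough for this uncompressed sample;
    real invoices usually need a PDF parser because content streams are Flate-compressed."""
    producer = re.search(rb"/Producer\s*\((.*?)\)", pdf)
    active = (b"/JavaScript", b"/JS", b"/URI", b"/AcroForm", b"/Launch")
    return {
        "producer": producer.group(1).decode("latin-1") if producer else "",
        "null_fields": len(re.findall(rb"\bNULL\b", pdf)),
        "active_content": any(tok in pdf for tok in active),
        "size": len(pdf),
    }

WEIGHTS = {  # assumed weights; tune against your own mail flow
    "spf_fail": 1, "relay_style_auth_split": 1, "arc_chain_fail": 2,
    "report_tool_pdf": 1, "null_template_fields": 3, "payment_watchlist_hit": 2,
    "offshore_registration": 1, "whois_privacy": 1,
}
THRESHOLD = 6  # assumed: no single indicator reaches it on its own
PAYMENT_WATCHLIST = (b"Butterfield",)  # assumed remit-to names that warrant review

def score_message(msg: EmailMessage, offshore_registration: bool, whois_privacy: bool):
    """Combine header, attachment and enrichment signals into (score, reasons, flagged)."""
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    arc_fail = first_arc_failure([str(s) for s in msg.get_all("ARC-Seal", [])])
    reasons = []
    if auth.get("spf") == "fail":
        reasons.append("spf_fail")
        if auth.get("dkim") == "pass" and auth.get("dmarc") == "pass":
            reasons.append("relay_style_auth_split")  # the pattern a relay hop produces
    if arc_fail is not None:
        reasons.append("arc_chain_fail")
    for part in msg.iter_attachments():
        if part.get_content_type() != "application/pdf":
            continue
        pdf = part.get_content()
        info = pdf_indicators(pdf)
        if "crystal reports" in info["producer"].lower():
            reasons.append("report_tool_pdf")
        if info["null_fields"]:
            reasons.append("null_template_fields")
        if any(name in pdf for name in PAYMENT_WATCHLIST):
            reasons.append("payment_watchlist_hit")
    if offshore_registration:
        reasons.append("offshore_registration")
    if whois_privacy:
        reasons.append("whois_privacy")
    reasons = list(dict.fromkeys(reasons))  # count each indicator once
    total = sum(WEIGHTS[r] for r in reasons)
    return total, reasons, total >= THRESHOLD

if __name__ == "__main__":
    print(score_message(build_sample_message(), offshore_registration=True, whois_privacy=True))
    print(score_message(build_sample_message(arc_cv="pass", pdf=None), False, False))
```

The second call in the usage block is the point made earlier about SPF failures: a relay-style SPF fail with DKIM and DMARC passing, on its own, stays well under the threshold, while the full combination of signals from the write-up crosses it comfortably.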
| Indicator | Type | Value |
|---|---|---|
| Case ID | Internal | 10050d53ae12ce2dfac71b96c6f62d54 |
| Sender Domain | Domain | jacquesscott[.]com |
| Domain Registration | Infrastructure | Cayman Islands, 2002, WHOIS privacy |
| Relay IP | IP Address | 104[.]209[.]35[.]28 |
| Relay Service | Infrastructure | Exclaimer |
| PDF Size | Attachment | 61,558 bytes |
| PDF Generator | Metadata | Crystal Reports |
| Payment Destination | Banking | Butterfield bank |
| SPF | Authentication | fail |
| DKIM | Authentication | pass |
| DMARC | Authentication | pass |
| ARC-Seal | Authentication | cv=fail at i=2 |

| Tactic | Technique | ID | Notes |
|---|---|---|---|
| Initial Access | Phishing: Spearphishing Attachment | T1566.001 | Crystal Reports PDF invoice |
| Defense Evasion | Masquerading | T1036 | NULL address fields in template-generated PDF |
| Defense Evasion | Trusted Relationship | T1199 | Exclaimer relay used to obscure origin |
| Impact | Financial Theft | T1657 | Payment directed to offshore Butterfield bank account |