Threat Intelligence

SPF and DMARC Passed, DKIM Failed: How a One-Word Email Body and a Clean PDF Almost Delivered a BEC Payday

Written by Audian Paxson | Jan 4, 2026 2:30:00 PM
TL;DR: A purchase order acknowledgement email arrived from a 27-year-old manufacturing domain with SPF pass and DMARC pass, but a failed DKIM signature. The body contained a single word ('Fyi') and a clean PDF attachment showing a $3,451.73 purchase order. The PDF had no JavaScript, no forms, no links. Microsoft assigned compauth=100. The DKIM failure was the only technical anomaly. IRONSCALES flagged the email at 60% confidence using behavioral signals: first-time external sender, VIP recipient targeting, and invoice patterns inconsistent with established vendor relationships.

Severity: High | Tags: Business-Email-Compromise, Vendor-Impersonation | MITRE: T1566.001, T1534

A single word. That was the entire email body: "Fyi." Below it, an Outlook signature block. Attached, a 7 KB PDF titled "ack13023.pdf" containing a purchase order acknowledgement for $3,451.73. The sending domain had been registered for 27 years. SPF passed. DMARC passed. Microsoft Composite Authentication returned a perfect 100.

DKIM failed.

That one failed signature was the only technical anomaly in an email designed to blend into an accounts payable workflow. Everything else (the aged domain, the authorized sending IP, the clean attachment with no JavaScript, no forms, no embedded links) cooperated with the attacker.

One-Word Bodies and the Psychology of PO Lures

The email subject read "p.o. 4506616378," a format that mirrors how real purchase order communications look in manufacturing and industrial supply chains. The body offered nothing to scan. "Fyi" followed by "Thank you" and a name. No urgency language, no payment instructions, no links. The entire payload sat in the PDF attachment.

The attachment presented a purchase order acknowledgement from a machining company. It referenced a sales order number, a job number (4506616378, matching the subject line), a line item with part details, and a total of $3,451.73. Clean formatting, plausible dollar amount, consistent reference numbers across the email and the PDF.

This approach targets the operational reflex in accounts payable teams. Purchase orders in the $2,000 to $5,000 range sit in a sweet spot: large enough to matter, small enough to avoid additional approval thresholds at most organizations. The FBI IC3 2024 report documented $2.77 billion in adjusted losses from BEC attacks. The Verizon 2024 DBIR found that pretexting (the social engineering category covering BEC and invoice fraud) now accounts for more than 40% of financially motivated breaches.

Mixed Authentication: What SPF Pass Plus DKIM Fail Actually Means

The email originated from an internal workstation (192.168.60.130), passed through an internal mail server, then routed through pmg.imtec-inc[.]com (216[.]81[.]103[.]118) before reaching Microsoft 365.

The pmg subdomain indicates a Proxmox Mail Gateway, an open-source email security appliance common at small and mid-size organizations. Proxmox PMG performs content filtering and antivirus scanning on outbound mail. These processing steps can modify message content after the originating server applies a DKIM signature.

Here is what the authentication chain showed:

  • SPF: Pass. The sending IP (216[.]81[.]103[.]118) was authorized in the imtec-inc[.]com SPF record.
  • DKIM: Fail. Signature selector pmg2025 under d=imtec-inc[.]com did not verify. The body hash did not match, consistent with post-signing modification.
  • DMARC: Pass. Policy action=none, alignment succeeded via SPF (the envelope From domain matched the header From domain).
  • compauth: 100. Microsoft Composite Authentication gave a perfect pass score because DMARC succeeded.
  • SCL: 1. Lowest non-zero spam confidence level.

This is where the nuance matters. DMARC can pass on SPF alignment alone, even when DKIM fails completely. The protocol requires either SPF or DKIM to align with the header From domain. When SPF carries the alignment, a broken DKIM signature becomes invisible to the policy evaluation. Microsoft saw an authorized sender, a matching domain, and a clean DMARC result. Nothing in that chain warranted quarantine by policy.
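To make that alignment rule concrete, here is an added Python example (not code from the post or from IRONSCALES) that parses a constructed Authentication-Results header modelled on the values above and applies the DMARC pass logic; it also keeps the aligned-but-broken DKIM result that the policy evaluation discards. The header text, the regexes and the helper names are assumptions.

```python
import re

# Constructed Authentication-Results header modelled on the values the post reports
# (SPF pass from the relay IP, DKIM fail for selector pmg2025, DMARC pass, action=none).
SAMPLE_AUTH_RESULTS = (
    "spf=pass (sender IP is 216.81.103.118) smtp.mailfrom=imtec-inc.com; "
    "dkim=fail (body hash did not verify) header.d=imtec-inc.com header.s=pmg2025; "
    "dmarc=pass action=none header.from=imtec-inc.com; compauth=pass reason=100"
)

def parse_auth_results(header: str) -> dict:
    """Extract each mechanism's result and the domain it was evaluated against."""
    out = {}
    for method, key in (("spf", "smtp.mailfrom"), ("dkim", "header.d"), ("dmarc", "header.from")):
        m = re.search(rf"{method}=(\w+)[^;]*?{re.escape(key)}=([\w.\-]+)", header)
        if m:
            out[method] = {"result": m.group(1).lower(), "domain": m.group(2).lower()}
    sel = re.search(r"header\.s=([\w.\-]+)", header)
    if sel and "dkim" in out:
        out["dkim"]["selector"] = sel.group(1)
    return out

def org_domain(domain: str) -> str:
    # Relaxed alignment compares organisational domains; a two-label suffix is
    # assumed here, which is enough for the .com case in the post.
    return ".".join(domain.lower().split(".")[-2:])

def dmarc_evaluation(auth: dict, header_from: str) -> dict:
    """DMARC passes when EITHER SPF or DKIM both passes and aligns with the header From."""
    from_org = org_domain(header_from)
    spf, dkim = auth.get("spf", {}), auth.get("dkim", {})
    spf_ok = spf.get("result") == "pass" and org_domain(spf.get("domain", "")) == from_org
    dkim_ok = dkim.get("result") == "pass" and org_domain(dkim.get("domain", "")) == from_org
    return {
        "dmarc_pass": spf_ok or dkim_ok,
        "passed_via": "spf" if spf_ok else "dkim" if dkim_ok else None,
        # The detail policy evaluation throws away: an aligned signing domain
        # whose signature did not verify. This is the yellow flag worth keeping.
        "dkim_broken_but_aligned": dkim.get("result") == "fail"
        and org_domain(dkim.get("domain", "")) == from_org,
    }
```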


But DKIM failure in the absence of a recognized third-party security gateway (Proofpoint, Mimecast, Barracuda) is a meaningful signal. The Microsoft Digital Defense Report 2024 noted that attackers increasingly exploit authentication gaps at small organizations with self-managed mail infrastructure. When a self-hosted Proxmox gateway breaks a DKIM signature, it could indicate legitimate content filtering. It could also indicate that the message was replayed or injected through compromised infrastructure. Traditional gateways treat it as a pass because DMARC said pass. Behavioral systems treat it as one variable among many.

Why the PDF Passed Every Scan

The attachment ack13023.pdf (MD5: 2f5c9b2b545ed768c3a03a379218edb0) was a PDF-1.2 document, 7,128 bytes. No JavaScript. No OpenAction. No Launch actions. No AcroForm fields. No embedded files. No external URI references. The creation timestamp (April 16, 2026, 14:04:11) was minutes before the email was sent.

By every scanning measure, the file was clean. That is exactly the point. BEC campaigns that use clean attachments as context-setting documents pass automated inspection because the document is not the weapon. The document is the pretext.

Behavioral Signals That Technical Controls Missed

The email was sent to four recipients: three internal addresses at the sender's domain and one external recipient at a different organization. That CC pattern mimics legitimate vendor correspondence. It also adds perceived legitimacy by making the external recipient believe they are part of an ongoing business thread.

IRONSCALES Themis analyzed the behavioral context and flagged the email at 60% confidence. Three signals contributed to the detection:

  1. First-time external sender. The sending address had never previously communicated with the recipient organization. For a PO acknowledgement referencing an active job, the absence of any prior email history is anomalous.
  2. VIP recipient targeting. The external recipient was identified as a VIP within their organization, consistent with targeted vendor impersonation that selects individuals with purchasing or payment authority.
  3. Content-structure mismatch. The email's minimal body ("Fyi"), combined with an invoice-class attachment from a first-time sender, matched patterns the IRONSCALES community of 35,000+ security professionals had previously flagged as BEC indicators.

The email was confirmed as a threat and quarantined.

What Accounts Payable Teams Should Verify

This case illustrates why authentication results alone cannot determine email legitimacy. CISA's phishing guidance emphasizes verifying sender identity through independent channels, especially for financial requests. Specific steps for organizations handling vendor purchase orders:

Verify PO references out-of-band. When a purchase order arrives from a first-time sender, call the vendor using a phone number from your records (not from the email) to confirm the PO is real.

Treat DKIM failure as a yellow flag. When SPF and DMARC pass but DKIM fails, investigate whether the sending organization uses a mail gateway that could explain the break. If you cannot confirm a legitimate gateway, escalate.

Audit CC patterns on vendor emails. An email that CCs your employee alongside unknown internal addresses at the sender's domain may be manufacturing the appearance of an existing relationship.

Set approval thresholds for first-time vendor invoices. Any invoice or PO from a sender with no prior email history should trigger a secondary approval workflow, regardless of dollar amount.
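The four checks above, written as an added triage routine in Python (example code, not the post's or IRONSCALES' own). The VendorMessage record, the INVOICE_WORDS heuristic and the recognized_gateways list are assumptions, and the sample message is constructed from the post's description rather than captured data.

```python
from dataclasses import dataclass

@dataclass
class VendorMessage:
    sender: str
    recipients: list                  # every To/CC address on the message
    body_text: str
    attachment_names: list
    spf: str
    dkim: str
    dmarc: str
    relay_hosts: list                 # hostnames from the Received headers
    prior_messages_from_sender: int   # from the organisation's own mail history

# Crude heuristic for "invoice-class" attachment names; tune for your environment.
INVOICE_WORDS = ("invoice", "ack", "po", "order", "remit")

def triage(msg: VendorMessage, recognized_gateways: tuple = ()) -> dict:
    """Apply the four AP checks; return the flags raised and a routing decision."""
    flags = []
    sender_domain = msg.sender.split("@")[-1].lower()
    invoice_attachment = any(n.lower().endswith(".pdf") and any(w in n.lower() for w in INVOICE_WORDS)
                             for n in msg.attachment_names)
    # 1. First-time sender with an invoice-class attachment: secondary approval, any amount.
    if msg.prior_messages_from_sender == 0 and invoice_attachment:
        flags.append("first-time sender with invoice-class attachment")
    # 2. SPF and DMARC pass but DKIM fails, and no relay matches a gateway we recognise.
    if (msg.spf, msg.dmarc, msg.dkim) == ("pass", "pass", "fail") and not any(
            h.endswith(g) for h in msg.relay_hosts for g in recognized_gateways):
        flags.append("dkim failed with no recognised gateway to explain it")
    # 3. CC pattern: sender-domain addresses padding a single external target.
    domains = [r.split("@")[-1].lower() for r in msg.recipients]
    if sender_domain in domains and domains.count(sender_domain) == len(domains) - 1:
        flags.append("cc list mixes sender-domain addresses with one external target")
    # 4. Near-empty body: the attachment is the entire pretext.
    if len(msg.body_text.split()) <= 3 and invoice_attachment:
        flags.append("one-word body with attachment as the only content")
    hard = [f for f in flags if f.startswith(("first-time", "dkim"))]
    decision = ("escalate: verify PO out-of-band" if hard
                else "manual review" if flags else "route normally")
    return {"flags": flags, "decision": decision}

# Constructed record modelled on the post's description; the non-sender addresses are placeholders.
SAMPLE = VendorMessage(
    sender="jim@imtec-inc.com",
    recipients=["ap1@imtec-inc.com", "ap2@imtec-inc.com", "ap3@imtec-inc.com", "cfo@customer.example"],
    body_text="Fyi", attachment_names=["ack13023.pdf"], spf="pass", dkim="fail", dmarc="pass",
    relay_hosts=["pmg.imtec-inc.com"], prior_messages_from_sender=0,
)
```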

### MITRE ATT&CK Mapping

  • T1566.001: Spearphishing Attachment. PDF attachment used as the primary lure, carrying purchase order details to establish context for payment fraud.
  • T1534: Internal Spearphishing. CC list included internal addresses at the sender's domain alongside the external target, creating the appearance of cross-organizational business correspondence.

### Indicators of Compromise

| Type | Indicator | Context |
| --- | --- | --- |
| Domain | imtec-inc[.]com | Sending domain, registered 1999, GoDaddy |
| IP | 216[.]81[.]103[.]118 | Sending IP, PTR: pmg.imtec-inc[.]com |
| Email | jim@imtec-inc[.]com | Sender address, first-time to recipient org |
| Hostname | pmg.imtec-inc[.]com | Proxmox Mail Gateway, outbound relay |
| Attachment | ack13023.pdf (MD5: 2f5c9b2b545ed768c3a03a379218edb0) | Clean PDF, PO acknowledgement, $3,451.73 |
| Attachment | SHA-256: 069b2b38e0423489f64a44e5ad0e4378e3196d9ba86ea5c6f072cab4d97e29a9 | File hash for threat intel matching |
| DKIM Selector | pmg2025 | Failed DKIM signature selector |
| X-Mailer | Microsoft Outlook 14.0 | Client version (Outlook 2010), notable for aged software |

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 30,000+ security professionals. Each post breaks down one attack — what it looked like, why it worked, and what you can do about it.