Threat Intelligence

A .docx With a Secret: How Attackers Hid an Executable Inside an Image to Bypass Every Scanner

Written by Audian Paxson | Jan 6, 2026 5:15:00 AM
TL;DR: An attacker spoofed an HR alias at a U.S. financial institution, sending a bonus announcement with a .docx attachment containing an embedded PE executable hidden inside a PNG image resource. This polyglot technique evades macro-focused scanners entirely. The email failed SPF, DKIM, and DMARC (with a policy of reject), but still reached the inbox. A companion credential-harvesting link personalized with the recipient's email address provided a second attack vector. Themis flagged the incident at 90% confidence and quarantined it automatically.

Severity: High | Tags: Malware-Delivery, Credential-Theft, Impersonation | MITRE: T1566.001, T1204.002, T1027.001, T1036.008

The attachment looked like a standard Word document. The filename matched the subject line. The file contained no macros, no VBA project, no OLE objects. And buried 18,000 bytes deep inside what claimed to be a PNG image resource, an executable was waiting.

This phishing email targeted an HR professional at a U.S. financial institution with a subject line promising "April Bonus and Allocation for All Staff." The sender display name was set to "HR_General_Announcement" and the From address was the recipient's own, a self-send spoofing pattern designed to make the message look as if it came from her own account. The email body was completely empty. The entire attack relied on two vectors: a malicious .docx attachment and a credential-harvesting link.

Every email authentication check failed. SPF returned fail because the originating IP (147[.]124[.]210[.]93) is not authorized to send on behalf of the spoofed domain. DKIM returned none because the message was never signed. DMARC returned fail with an oreject (organizational reject) enforcement policy. The composite authentication score was zero. Despite this triple failure, the email still reached the target mailbox.

An Executable Wearing a PNG Skin

The attachment, "Annual Assessment.docx" (47,934 bytes, MD5: 1e435cd2d405b74d4d593e61967e6946), passed the first layer of inspection because it is a valid OpenXML document. No vbaProject.bin. No external relationship targets. No suspicious OLE streams. Scanners focused on macro detection would clear it without a second look.

But inside the word/media/ directory, a file named image2.png contained a PE (Portable Executable) header starting at byte offset 18,393. This is a polyglot file, valid as both a PNG image and a Windows executable. The technique exploits the fact that most document scanners validate image resources by checking file headers and dimensions, not by scanning deeper into the binary for embedded MZ signatures.

This approach is mapped to MITRE ATT&CK T1027.001 (Obfuscated Files or Information: Binary Padding) and T1036.008 (Masquerading: Masquerade File Type). The executable requires a secondary extraction or rendering mechanism to activate, typically through a companion exploit or social engineering that convinces the user to rename or extract the file.

The document also contained the keyword "ssn," indicating the social engineering pretext extended beyond the bonus lure into potential data collection.

The Credential Harvesting Backup Plan

The .docx was not the only weapon. The email included a link with display text matching the attachment filename ("Annual Assessment.docx") but pointing to an entirely different destination:

hxxps://expressscrffgiptsincorporated[.]club/$[recipient]@[domain]

The domain was registered just nine days before this attack (2026-04-08) through Dynadot with privacy protection enabled. It sat behind Cloudflare proxying. The URL embedded the recipient's email address as a path parameter, personalizing the credential-harvesting flow for each target.

The landing page presented a fake "Security Verification" gate, a common pattern for staging credential harvests (T1566.001). This gave the attacker two independent chances at compromise: the malware payload via the attachment, or stolen credentials via the link. If one failed, the other might succeed.

Why Authentication Failures Alone Do Not Stop Delivery

This case is a useful reminder that SPF, DKIM, and DMARC are policy signals, not delivery guarantees. The originating IP had no PTR record. The domain's DMARC policy was set to oreject (organizational reject). The Microsoft Antispam report flagged the message as a spoof (CAT:SPOOF) and assigned SCL 5 (spam confidence level). Yet the email still reached the mailbox before mitigation.

According to the Verizon 2024 DBIR, 68% of breaches involve a human element, and attachment-based delivery remains one of the most reliable initial access vectors. The FBI IC3 2024 Report documented over $2.9 billion in losses from business email compromise and related impersonation attacks. Polyglot techniques represent an escalation: even organizations that have disabled macros entirely are not protected against executables disguised as image resources. This is precisely why advanced malware and URL protection needs to go deeper than signature matching.

CISA's phishing guidance recommends treating unexpected attachments as suspicious regardless of the sender, and NIST's phishing definition emphasizes that social engineering bypasses technical controls by targeting human trust. An empty email body with a high-value lure subject is designed to drive curiosity straight to the attachment.

Polyglot Files Demand Binary-Level Inspection

Traditional attachment scanning checks for macros, known malware signatures, and sandboxed behavior. Polyglot files bypass all three because the malicious payload does not execute during standard analysis. The document opens normally. The images render. Nothing fires.

Detecting this technique requires binary-level inspection of embedded media resources, looking for MZ headers, PE structures, and executable markers inside files that claim to be images. It also requires treating authentication failures as high-weight signals rather than informational notes. When SPF, DKIM, and DMARC all fail simultaneously on a message carrying a malicious attachment from a spoofed internal address, the combined signal should be sufficient for automated quarantine.
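As an added illustration of the binary-level check described above and in the section on the PNG-wrapped executable (this is not code from the original post or from IRONSCALES), the following Python script opens an OpenXML package, walks the entries under word/media/, and reports any MZ stub whose e_lfanew pointer lands on a valid PE signature, so a stray "MZ" byte pair inside genuine image data does not fire. The sample package is constructed inline with a PE stub appended at a small offset rather than the 18,393-byte offset seen in the real attachment.

```python
import io
import struct
import zipfile

# Magic bytes for the image types commonly found under word/media/.
IMAGE_MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
               ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8"}


def find_pe_headers(data: bytes):
    """Return offsets of every MZ stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        # e_lfanew sits at offset 0x3C of the DOS header; only accept it if it
        # lands inside the buffer and on a real PE signature.
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew and pe + 4 <= len(data) and data[pe:pe + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def scan_docx_media(docx_bytes: bytes):
    """Inspect every word/media/ entry for a PE image hidden behind an image header."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.startswith("word/media/"):
                continue
            data = z.read(name)
            ext = "." + name.rsplit(".", 1)[-1].lower()
            # A file whose header checks out as an image is exactly what a shallow scanner clears.
            magic_ok = ext in IMAGE_MAGIC and data.startswith(IMAGE_MAGIC[ext])
            for off in find_pe_headers(data):
                findings.append({"entry": name, "pe_offset": off, "header_looks_like_image": magic_ok})
    return findings


def build_sample_docx():
    """Constructed sample package (hypothetical): image2.png carries a PE stub after PNG bytes."""
    # Minimal DOS header: "MZ", padding, e_lfanew = 0x40, then "PE\0\0" at that offset.
    dos_header = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    pe_stub = dos_header + b"PE\x00\x00" + b"\x00" * 20
    png_part = IMAGE_MAGIC[".png"] + b"\x00" * 200  # placeholder image bytes, not a real PNG
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/media/image1.png", IMAGE_MAGIC[".png"] + b"\x00" * 64)  # clean image
        z.writestr("word/media/image2.png", png_part + pe_stub)  # polyglot image
    return buf.getvalue()
```

Running scan_docx_media(build_sample_docx()) reports image2.png with a PE stub at offset 208 while image1.png stays clean; on a real attachment the same function reports the offset inside the media entry where the DOS header begins.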

Themis evaluated this email at 90% phishing confidence and quarantined it automatically. The detection combined multiple signal layers: the self-send spoofing pattern (external sender using an internal address and sending to themselves), the attachment verdict, the malicious link destination, and community intelligence from similar incidents across the IRONSCALES network of 1,921 organizations. No single indicator was exotic. The combination was decisive.

The Polyglot Trail: IOCs and Infrastructure

| Type | Indicator | Context |
|---|---|---|
| Attachment | Vantage bank-Annual Assessment.docx | Polyglot .docx with embedded PE in image resource |
| MD5 | 1e435cd2d405b74d4d593e61967e6946 | Attachment file hash |
| URL | hxxps://expressscrffgiptsincorporated[.]club/$[recipient]@[domain] | Credential-harvesting link with personalized path |
| Domain | expressscrffgiptsincorporated[.]club | Registered 2026-04-08, Dynadot, privacy-protected, Cloudflare-proxied |
| IP | 147[.]124[.]210[.]93 | Originating sender IP, no PTR record, not authorized for spoofed domain |
| SPF | fail | Domain does not designate sender IP as permitted |
| DKIM | none | Message not signed |
| DMARC | fail (oreject) | Policy set to reject, compauth=fail |

MITRE ATT&CK Mapping

| Technique | ID | Use in This Attack |
|---|---|---|
| Spearphishing Attachment | T1566.001 | Malicious .docx delivered as email attachment |
| User Execution: Malicious File | T1204.002 | Requires user to open attachment and trigger extraction |
| Obfuscated Files: Binary Padding | T1027.001 | PE executable hidden inside PNG image resource |
| Masquerade File Type | T1036.008 | Executable disguised as image within OpenXML package |

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 30,000+ security professionals. Each post breaks down one attack — what it looked like, why it worked, and what you can do about it.