The subject line read: Acceptable Use Policy_en Employees Q2 17-2999-502828 followed by a case identifier and the name of a well-known email security platform. That suffix was deliberate. The attacker appended the security vendor's brand to mimic the format of legitimate relay notifications, betting that recipients would associate the name with trusted, already-scanned mail.
The email landed in a partner distribution list at a security-focused SaaS firm. It passed SPF and DKIM, and Microsoft's DMARC evaluation returned a pass. The sending domain belonged to a legitimate U.S.-based nonprofit. And the entire visible body was a single image.
Every traditional gateway signal said "clean." The FBI IC3 2024 report documents that business email compromise and phishing campaigns run from compromised legitimate infrastructure account for billions of dollars in annual losses. A large part of the reason is that authentication alone cannot distinguish an authorized sender from a compromised one.
The sending domain, cdr-ct[.]org, is registered to a real U.S. nonprofit organization. SPF validated the sending IP 64[.]78[.]32[.]90 as an authorized sender for that domain. DKIM signatures verified cleanly against cdr-ct[.]org DNS records. The DMARC result was "bestguesspass" with compauth=pass. In Microsoft's Authentication-Results header, bestguesspass means the domain publishes no DMARC record at all and the message would have passed had one existed; the domain owner never enforced a policy, yet composite authentication still rated the message as passing.
This is the fundamental limitation of email authentication protocols: they verify that a message came from infrastructure authorized by the domain owner. They do not verify that the domain owner authorized that specific message. When attackers compromise a legitimate organization's email infrastructure, every outbound message inherits that organization's authentication posture.
A second IP, 185[.]198[.]240[.]49, appeared in the x-originating-ip header, which records the client that submitted the message to the sending organization's mail service rather than the relay that delivered it. That IP did not match the nonprofit's known infrastructure, which points to unauthorized access from a separate network. Before treating such a mismatch as proof of compromise, check it against the sender's legitimate remote-access and VPN egress ranges; a travelling employee produces the same header.
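To make the distinction between "authorized infrastructure" and "authorized message" concrete, here is an added triage script (not part of the original write-up) that reads the authentication verdicts and the originating-client address out of a header block and turns them into the questions a triager has to answer. The IPs, domain and verdict strings in the sample are the indicators on this page; the exact layout of the Microsoft-style Authentication-Results header and the empty `known_egress` default are assumptions.

```python
import ipaddress
import re
from email import message_from_string
from typing import Optional

# Constructed header sample modelled on the case on this page. The verdicts,
# IPs and sending domain are the page's own indicators; the exact layout of
# the Authentication-Results header is an assumption (Microsoft-style).
SAMPLE_HEADERS = """\
Authentication-Results: spf=pass (sender IP is 64.78.32.90)
 smtp.mailfrom=cdr-ct.org; dkim=pass (signature was verified)
 header.d=cdr-ct.org; dmarc=bestguesspass action=none
 header.from=cdr-ct.org; compauth=pass
X-Originating-IP: [185.198.240.49]
From: hr@cdr-ct.org
Subject: Acceptable Use Policy_en Employees Q2 17-2999-502828

"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def parse_auth_results(raw_headers: str) -> dict:
    """Flatten Authentication-Results into {method: verdict} and pull out the SPF-validated sender IP."""
    msg = message_from_string(raw_headers)
    # Folded header lines come back with their line breaks; collapse them first.
    value = re.sub(r"\s+", " ", msg.get("Authentication-Results", ""))
    results = dict(re.findall(r"\b(spf|dkim|dmarc|compauth)=(\w+)", value))
    m = re.search(r"sender IP is (" + IPV4 + ")", value)
    results["spf_ip"] = m.group(1) if m else None
    return results


def originating_ip(raw_headers: str) -> Optional[str]:
    """Client address recorded by the submitting server (Exchange writes it as [a.b.c.d])."""
    msg = message_from_string(raw_headers)
    value = msg.get("X-Originating-IP", "").strip("[] ")
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def assess(raw_headers: str, known_egress=()) -> list:
    """Turn authentication verdicts into findings a triager can act on.

    known_egress: CIDR strings for the sending organisation's expected client
    networks (office egress, VPN). Unknown for this case, so the default is empty.
    """
    auth = parse_auth_results(raw_headers)
    client_ip = originating_ip(raw_headers)
    findings = []

    if auth.get("dmarc") == "bestguesspass":
        findings.append(
            "dmarc=bestguesspass: the domain publishes no DMARC record; the 'pass' is "
            "Microsoft's estimate of what a policy would have said, not the owner's policy"
        )
    if all(auth.get(k) == "pass" for k in ("spf", "dkim", "compauth")):
        findings.append(
            "spf/dkim/compauth=pass: infrastructure authorised by the domain owner, "
            "which says nothing about whether the owner authorised this message"
        )
    expected = {auth["spf_ip"]} if auth.get("spf_ip") else set()
    nets = [ipaddress.ip_network(n) for n in known_egress]
    if client_ip and client_ip not in expected and not any(
        ipaddress.ip_address(client_ip) in n for n in nets
    ):
        findings.append(
            f"x-originating-ip {client_ip} is neither the SPF-validated host "
            f"{auth.get('spf_ip')} nor a known egress network: consistent with a "
            "compromised account, but confirm against the sender's VPN/remote ranges first"
        )
    return findings


if __name__ == "__main__":
    for line in assess(SAMPLE_HEADERS):
        print("-", line)
```

Passing the sender's legitimate egress ranges in `known_egress` is what turns the third finding from a guess into a usable indicator; without that list, every remote employee of the sending organization would trip it.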
The Microsoft Digital Defense Report 2024 notes that compromised legitimate domains are increasingly preferred over newly registered lookalike domains because they inherit established reputation scores and valid DNS configurations. The CISA Phishing Guidance similarly warns that passing authentication checks does not guarantee message safety.
The email body contained a single embedded image showing a green banner labeled "EMPLOYEE HANDBOOK" with the instruction: Reminder Acknowledgement request terms form to be completed. Below it, a duplicated confidentiality notice padded the message. No clickable links or readable text appeared in the body itself, rendering text-based content analysis ineffective.
The real payload sat in the attachments. An HTML file named after the recipient organization's handbook (with a case identifier appended) contained one inline script block. Static analysis found no form elements, no external URLs, and no eval or atob calls. But the script used String.fromCharCode patterns and included a base64-encoded variable that decoded to the recipient's email address, a personalization token that could be used to pre-populate credential fields or track victims at runtime.
A second attachment, an .eml file titled "US Employees Handbook Acceptable," nested the original message in a format that opens in a mail client, where the HTML attachment may be rendered with fewer restrictions than the gateway applied. This double-wrapping technique (MITRE T1027, Obfuscated Files or Information) adds a layer of indirection that complicates automated scanning, since a scanner has to unpack the wrapper before it ever sees the HTML.
The Verizon DBIR 2024 found that attachment-based delivery remains one of the top initial access vectors, with HTML attachments specifically gaining traction because the message itself carries no URL for reputation checks to evaluate.
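The two attachment findings above (an obfuscated HTML file, and an .eml wrapper around it) are the kind of thing a static triage step can surface before any sandbox runs. The following is an added example, not code from the original analysis or from any vendor: it builds a constructed message with the same nesting, unpacks .eml wrappers recursively, and checks each HTML part for the patterns the text describes (String.fromCharCode sequences and base64 literals that decode to an e-mail address) alongside the checks the scanner did run (forms, URLs, eval/atob). The attachment names, subjects and sender are the page's indicators; the script body, the recipient address and the HTML filename are placeholders, since the real attachment content is not on the page.

```python
import base64
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample. The lure's script body is an illustration of the
# patterns the page describes, not the real attachment; the recipient address
# and the HTML filename are placeholders.
RECIPIENT = "partners@example.com"
B64_TOKEN = base64.b64encode(RECIPIENT.encode()).decode()
CHARCODES = ",".join(str(ord(c)) for c in "document.title")
HTML_LURE = f"""<html><body><script>
var u = "{B64_TOKEN}";
var t = String.fromCharCode({CHARCODES});
</script></body></html>
"""


def build_sample() -> bytes:
    """Outer message -> .eml attachment -> HTML attachment: the double wrapping described above."""
    inner = EmailMessage()
    inner["From"] = "hr@cdr-ct.org"
    inner["To"] = RECIPIENT
    inner["Subject"] = "US Employees Handbook Acceptable"
    inner.set_content("Please acknowledge the attached handbook.")
    inner.add_attachment(HTML_LURE, subtype="html",
                         filename="Employee Handbook 17-2999-502828.html")
    outer = EmailMessage()
    outer["From"] = "hr@cdr-ct.org"
    outer["To"] = RECIPIENT
    outer["Subject"] = "Acceptable Use Policy_en Employees Q2 17-2999-502828"
    outer.set_content("(image-only body in the original lure)")
    # Wrapper shipped as opaque bytes, as attackers often do; a native
    # message/rfc822 part is handled by walk_attachments() as well.
    outer.add_attachment(inner.as_bytes(), maintype="application",
                         subtype="octet-stream",
                         filename="US Employees Handbook Acceptable.eml")
    return outer.as_bytes()


FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{12,}={0,2})["']""")
EMAIL = re.compile(r"^[\w.+-]+@[\w-]+(?:\.[\w-]+)+$")


def triage_html(data: bytes) -> dict:
    """Static checks: what the gateway looked for, plus the obfuscation it did not decode."""
    text = data.decode("utf-8", "replace")
    report = {
        "forms": "<form" in text.lower(),
        "urls": re.findall(r"https?://[^\s\"'<>]+", text),
        "eval_atob": bool(re.search(r"\b(?:eval|atob)\s*\(", text)),
        "fromcharcode": [],   # decoded String.fromCharCode(...) sequences
        "b64_emails": [],     # base64 literals that decode to an address
    }
    for m in FROMCHARCODE.finditer(text):
        codes = [int(c) for c in re.split(r"[\s,]+", m.group(1)) if c]
        report["fromcharcode"].append("".join(chr(c) for c in codes))
    for m in B64_LITERAL.finditer(text):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if EMAIL.match(decoded):
            report["b64_emails"].append(decoded)
    return report


def walk_attachments(msg, depth=0):
    """Yield (depth, filename, content_type, payload), descending into nested .eml wrappers."""
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        if ctype == "message/rfc822":           # natively attached message
            yield depth, name, ctype, None
            yield from walk_attachments(part.get_payload(0), depth + 1)
            continue
        payload = part.get_payload(decode=True) or b""
        yield depth, name, ctype, payload
        if name.lower().endswith(".eml"):       # wrapper shipped as opaque bytes
            inner = message_from_bytes(payload, policy=policy.default)
            yield from walk_attachments(inner, depth + 1)


def triage_message(raw: bytes) -> list:
    """Unpack every attachment level and run triage_html on each HTML part."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = []
    for depth, name, ctype, payload in walk_attachments(msg):
        entry = {"depth": depth, "filename": name, "content_type": ctype, "findings": None}
        if payload and (ctype == "text/html" or name.lower().endswith((".html", ".htm"))):
            entry["findings"] = triage_html(payload)
        results.append(entry)
    return results


if __name__ == "__main__":
    for entry in triage_message(build_sample()):
        print(entry)
```

The scanner's verdict on this sample is technically right (no forms, no URLs, no eval or atob); the point is that the decoded `fromcharcode` and `b64_emails` fields are what a triager needs to see, and that nothing is visible until the .eml wrapper at depth 0 is unpacked.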
Microsoft's native filters scored this message SCL 1 (low spam confidence) and categorized it as LEGIT. The attachment scanner returned a "clean" verdict. Every reputation-based check agreed: the domain was real, the IPs were authorized, and no known-bad URLs appeared anywhere.
IRONSCALES resolved it as phishing within seconds. The detection relied on signals that content scanners cannot replicate. The sender had never contacted this organization before (first-time sender flag). Community intelligence, drawing on resolution patterns from similar incidents across the IRONSCALES network, returned high-confidence phishing classification. The Themis AI recommendation flagged VIP recipients on the distribution list, elevating the risk score. Combined, these behavioral and reputational signals overrode every content-level "clean" verdict.
This case maps to three MITRE ATT&CK techniques: T1566.001 (Phishing: Spearphishing Attachment) for the HTML delivery vector, T1036.005 (Masquerading: Match Legitimate Name or Location) for the brand impersonation in the subject line, and T1027 for the obfuscated JavaScript in the attachment.
| Type | Indicator | Context |
|---|---|---|
| Domain | cdr-ct[.]org | Sending domain (likely compromised nonprofit) |
| IP | 64[.]78[.]32[.]90 | Authorized sending IP (SPF pass) |
| IP | 185[.]198[.]240[.]49 | Originating client IP from x-originating-ip header |
| File (HTML) | MD5: ed3bb6a0b3f36e46dfd709dca9b69bf3 | Obfuscated HTML attachment with encoded recipient token |
| File (EML) | MD5: c2886066918e2385a57005685167d807 | Nested .eml wrapper attachment |
| File (PNG) | MD5: 96c7e26eba578f00cf2e07905b6e71a4 | Image-only lure (employee handbook banner) |
| Hostname | aesomtco13c[.]serverdata[.]net | SMTP relay in Received chain |
Treat first-time sender signals as high-value telemetry. This email passed every authentication check. The single strongest indicator was that the sending address had zero prior communication history with the target organization. If your detection stack does not weight first-time sender status, you are missing the signal that caught this attack.
Sandbox HTML attachments at delivery time. Static analysis found obfuscation but no confirmed payload. Runtime execution in an isolated browser would reveal whether the JavaScript constructs a credential-harvesting page, redirects to an external domain, or phones home with the encoded recipient token. Gartner's email security market analysis consistently highlights runtime attachment analysis as a differentiator between legacy gateways and modern platforms.
Alert on brand impersonation in subject lines. The attacker embedded a security vendor's name to create false trust. Build detection rules that flag external emails containing your organization's name, your security vendor's name, or your internal tool names in the subject line, especially when the sender domain has no prior relationship.
Do not trust authentication verdicts as safety verdicts. SPF, DKIM, and DMARC confirm domain alignment, not message intent. A compromised domain passes all three. Layer behavioral analysis, community intelligence, and sender reputation on top of authentication results, or accept the blind spot.
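The four recommendations above describe one layered rule: weight first-time sender status heavily, flag protected names in external subjects, treat an image-only body and HTML/EML attachments as risk, and give a clean authentication result no credit at all. The following is an added example of that rule as a scoring function, not the detection logic of any product named on this page. The protected names, the threshold, the sender-history set and the two sample messages are placeholders; the page does not name the impersonated vendor, so "ExampleSecureMail" stands in for it.

```python
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Placeholders: put your own organisation, security vendor and internal tool
# names here. The page does not name the vendor that was impersonated.
PROTECTED_NAMES = ("Acme Corp", "ExampleSecureMail", "HR Portal")

HOLD_THRESHOLD = 5  # assumption: tune against your own false-positive rate


@dataclass
class MailFeatures:
    sender_domain: str
    subject: str
    body_text: str            # visible text after stripping markup
    image_count: int
    attachment_names: List[str] = field(default_factory=list)
    auth_pass: bool = False   # SPF, DKIM and DMARC (or compauth) all passed


def brand_terms(subject: str, names=PROTECTED_NAMES) -> List[str]:
    """Case-insensitive whole-word match of protected names in the subject."""
    return [n for n in names
            if re.search(r"(?<!\w)" + re.escape(n) + r"(?!\w)", subject, re.I)]


def score(m: MailFeatures, seen_domains: Set[str]) -> Tuple[int, List[str]]:
    """Layer behavioural signals on top of the authentication verdict."""
    points, reasons = 0, []
    if m.sender_domain.lower() not in seen_domains:
        points += 3
        reasons.append(f"first-time sender: {m.sender_domain} has no prior history")
    hits = brand_terms(m.subject)
    if hits:
        points += 2
        reasons.append("subject names protected brand/tool: " + ", ".join(hits))
    if not m.body_text.strip() and m.image_count > 0:
        points += 2
        reasons.append("image-only body: nothing for text analysis to read")
    risky = [a for a in m.attachment_names
             if a.lower().endswith((".html", ".htm", ".eml"))]
    if risky:
        points += 2
        reasons.append("HTML/EML attachment: " + ", ".join(risky))
    if m.auth_pass:
        # Deliberately zero weight: a compromised domain passes all three.
        reasons.append("auth passed: domain alignment only, not a safety verdict")
    return points, reasons


def verdict(m: MailFeatures, seen_domains: Set[str]) -> str:
    points, _ = score(m, seen_domains)
    return "hold" if points >= HOLD_THRESHOLD else "deliver"


# Constructed cases: the first mirrors the lure on this page, the second is a
# routine message from an established partner. The history set is a placeholder.
SEEN = {"partner.example", "supplier.example"}
LURE = MailFeatures(
    sender_domain="cdr-ct.org",
    subject="Acceptable Use Policy_en Employees Q2 17-2999-502828 ExampleSecureMail",
    body_text="",
    image_count=1,
    attachment_names=["Employee Handbook 17-2999-502828.html",
                      "US Employees Handbook Acceptable.eml"],
    auth_pass=True,
)
ROUTINE = MailFeatures(
    sender_domain="partner.example",
    subject="Q2 invoice attached",
    body_text="Hi, the Q2 invoice is attached. Thanks.",
    image_count=0,
    attachment_names=["invoice-q2.pdf"],
    auth_pass=True,
)

if __name__ == "__main__":
    for case in (LURE, ROUTINE):
        points, reasons = score(case, SEEN)
        print(verdict(case, SEEN), points, reasons)
```

The weights are illustrative; what matters is the shape: the authentication result appears in the reasons list so an analyst sees it, but it never lowers the score, and the first-time sender flag alone carries more than half of the hold threshold.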