Empty Body, Contract Attachment: How a Clean .docx and a South American IPv6 Host Bypassed Content Filters

TL;DR: An attacker submitted a contract-lure .docx to a sports-data technology company's email environment via an unrelated Apple Mail client on a Uruguayan IPv6 address with no PTR record. The body was empty, the attachment scanned clean, and the sender address appeared internal. IRONSCALES Themis flagged the message at 90% confidence based on origin anomaly, missing reverse-DNS, impersonation metadata, and the direct-send self-addressing pattern -- signals a content scanner cannot see.
Severity: High
Tags: Malware Delivery, Direct Send Phishing, Impersonation, Attachment Lure
MITRE ATT&CK: T1566 Phishing; T1566.001 Spearphishing Attachment; T1656 Impersonation

The email arrived with one attachment and no body text. The subject line was the entire message: a filename that looked like a licensing deal document. The sending address matched the recipient address exactly. And the server that submitted it had no reverse-DNS entry and geolocated to Uruguay.

Every automatic scanner saw nothing wrong. The attachment was clean. There were no links. There was no body to score. The content layer -- where most email security tools spend their budget -- had nothing to work with.

This is what a detection-surface-zero attack looks like.

The Direct-Send Setup

The attack targeted a sales representative at a sports-data technology company. The attacker (or a compromised device) submitted the email using Apple Mail through a Gmail SMTP submission path. The sending address and the recipient address were identical: [employee]@[the organization's domain] sending to itself.

That self-addressing is not a quirk. It is the technique. Direct-send phishing exploits the gap between a domain's published email policy and the authentication scope of client-authenticated SMTP submissions. The domain in question published a DMARC record with a reject policy and covered common sending services via SPF. But the actual submission came from a mobile mail client connected to Gmail's SMTP endpoint -- a path that exists outside the domain's declared mail infrastructure. DMARC checks the alignment between the From header and the authenticated sender, but a legitimate Gmail client submission carrying the domain's credentials can still pass that check even when the originating device is thousands of kilometers from the organization.

The result: an email that presents as an internal message, carries a real domain with real policy records, and was never touched by the domain's mail servers.
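To make that alignment gap concrete, here is a receiver-side DMARC evaluation written for this article as an added example (it is not IRONSCALES code and not the organization's configuration). The domain sportsdata.example, the sample identifiers and the spoofing server address are constructed; only the IPv6 origin is taken from the case. The organizational-domain derivation is simplified to the last two labels rather than the Public Suffix List.

```python
# Added example, not IRONSCALES code: a receiver-side DMARC evaluation
# (RFC 7489 semantics, simplified) showing why a client-authenticated
# submission through a third-party SMTP endpoint passes DMARC even though it
# never touched the domain's own mail servers. All domains are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthResults:
    from_domain: str                    # domain of the RFC 5322 From header
    spf_domain: Optional[str] = None    # MAIL FROM domain if SPF passed, else None
    dkim_domain: Optional[str] = None   # d= of a DKIM signature that verified, else None
    client_ip: str = ""                 # originating client; DMARC never looks at it


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.

    Real receivers consult the Public Suffix List; assumption for this example."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """DMARC identifier alignment: 's' = strict (exact), 'r' = relaxed (org domain)."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(res: AuthResults, adkim: str = "r", aspf: str = "r") -> str:
    """DMARC passes when either DKIM or SPF passed AND aligns with From.

    Note what is absent: the client IP, its geography and its PTR record play
    no role. Alignment is about identifiers, not about where the device sat."""
    if aligned(res.from_domain, res.dkim_domain, adkim):
        return "pass"
    if aligned(res.from_domain, res.spf_domain, aspf):
        return "pass"
    return "fail"


def disposition(result: str, policy: str) -> str:
    """Apply the published p= policy to a DMARC result."""
    if result == "pass":
        return "deliver"
    return {"reject": "reject", "quarantine": "quarantine"}.get(policy, "deliver")


# Constructed sample 1: a classic spoof from an unrelated server. SPF fails
# (server not in the org's SPF) and there is no DKIM signature, so p=reject blocks it.
SPOOF = AuthResults(from_domain="sportsdata.example", client_ip="198.51.100.7")

# Constructed sample 2: the direct-send pattern. The org's SPF includes its
# mail provider, and the provider signs with d=sportsdata.example, so both
# identifiers align. The remote client IP is invisible to this decision.
DIRECT_SEND = AuthResults(
    from_domain="sportsdata.example",
    spf_domain="sportsdata.example",
    dkim_domain="sportsdata.example",
    client_ip="2800:a4:80a:7600:f5f9:1c4:c6e2:575c",  # origin IPv6 from the case
)

POLICY = "reject"  # the p= value the page says the domain published


def evaluate_samples() -> dict:
    return {
        "spoof": disposition(dmarc_result(SPOOF), POLICY),
        "direct_send": disposition(dmarc_result(DIRECT_SEND), POLICY),
    }


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name}: {verdict}")
```

The spoof is rejected, the direct-send submission is delivered, and nothing in the evaluation ever consulted the client address: that is the edge of what p=reject buys you.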

The Empty Body as a Feature

Most email security filters depend on content. Body text gives machine-learning classifiers something to score. Links give sandboxes something to follow. Credential-harvesting forms give heuristics something to match. Remove all of that and you remove the detection surface.

The body here was blank. Not "Hi, please see attached." Not a forwarded thread. Nothing. The only visible content was the subject line, which doubled as a filename: a contract document for what appeared to be an ongoing business deal in the organization's sector.

That filename was doing deliberate work. A recipient who has context -- who knows the deal, who knows the parties -- does not need a body. The filename is the social engineering. A well-placed contract document in an active deal relationship is enough to prompt an open.

The Verizon 2026 DBIR documents the persistence of attachment-based delivery as a primary phishing vector. The FBI IC3 2024 report places business email compromise losses -- often initiated through exactly this kind of document lure -- in the billions annually. The empty-body approach is not novel; it is a refinement that trades volume for precision.

The IPv6 Origin Anomaly

The originating IP was 2800:a4:80a:7600:f5f9:1c4:c6e2:575c -- an Apple Mail client that submitted through Gmail's authenticated SMTP endpoint. That address geolocates to Montevideo, Uruguay. The domain's declared mail infrastructure resolves to Cloudflare-hosted IPv4 addresses. There is no business relationship between the two.

More importantly: the IPv6 address had no PTR record.

PTR (pointer) records map an IP back to a hostname. Their absence is not proof of malice -- residential connections and some mobile networks omit them. But in the context of a business email claim, a missing PTR means the sending host has no verifiable network identity. It cannot tell you who it is. Legitimate outbound mail infrastructure -- whether corporate, cloud-hosted, or provider-managed -- almost always carries PTR records. Their absence is a behavioral signal that costs almost nothing to check and surfaces anomalies content scanning cannot see.

The combination here is layered: wrong geography, wrong IP family, wrong network path, no PTR. Each signal individually might be explainable. Together they describe a device that has no legitimate reason to be sending this company's email.


The AV-Clean Attachment Problem

The attachment -- a .docx file sized at approximately 258 KB -- returned a clean verdict from the automated scanner. No known malware signatures. No flagged hash.

This is the expected result for a well-constructed lure. The Microsoft Digital Defense Report 2024 describes the ongoing arms race between payload obfuscation and signature-based detection. Office documents with staged downloaders, external relationship links, or obfuscated macro logic routinely evade initial scans. A clean AV verdict means the hash was unknown at scan time -- not that the file is inert.

The quarantine decision here was not made by the attachment scanner. It was made by the behavioral context surrounding the attachment: an empty body, an anomalous origin, a missing PTR, an impersonation flag, and a self-addressed submission. The CISA guidance on phishing recognition emphasizes that attachment-based attacks are among the hardest for recipients to identify without tooling -- which is precisely why contextual signals matter more than payload verdicts.

How Themis Caught It

IRONSCALES Themis, the platform's Adaptive AI, flagged this message at 90% confidence with a VIP Recipient label and a direct-send phishing classification. The detection required no body text, no malicious URL, and no matching malware signature.

Themis evaluated the behavioral envelope: the sender submitting mail to itself through an authenticated external SMTP path, the originating IPv6 address with no PTR record geolocated to a region inconsistent with the domain's operations, the impersonation metadata the platform surfaced on ingestion, and the first-time-sender pattern. These are signals a content filter cannot see because they live in the routing layer, the sender relationship graph, and the infrastructure metadata -- not in the message body.

The email was mitigated and reverted within 44 seconds of receipt. Three secondary mailboxes in the same organization, carrying a related thread with the same deal subject, were also mitigated within the same window.

Defensive Takeaways

This case is a template for what happens when attackers optimize away the detection surface that most tools rely on. The defensive response needs to match the attack vector:

Behavioral analysis over content scoring. If your email security posture depends on body-text classifiers and URL sandboxes, empty-body attacks represent a structural blind spot. Origin reputation, PTR validation, sender relationship scoring, and impersonation detection have to carry the load when content is absent.

PTR checks as a detection signal. Missing reverse-DNS on a sending client IP is not definitive, but it is fast and cheap to check. Integrating PTR validation into sender-risk scoring adds a low-noise signal for exactly this class of attack.

AV-clean is not cleared. Treat attachment scan verdicts as one input in a multi-signal decision, not a gate. A clean hash means unknown-at-scan-time. Behavioral context -- empty body, anomalous origin, self-addressed submission -- should override a clean verdict in a high-risk scenario.

DMARC coverage has edges. A p=reject DMARC policy is necessary but not sufficient. Client-authenticated submissions through third-party SMTP endpoints (Gmail, Outlook.com) can carry your domain while originating outside your declared infrastructure. Monitoring outbound submission paths and enforcing MFA on all credential-bearing accounts closes the gap.
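The following added example (not IRONSCALES code and not the Themis model) implements the envelope-level scoring described in the "How Themis Caught It" section and in the first three takeaways above: a self-addressed From/To, an empty body carrying an attachment, a missing PTR record on the client IP, a geography mismatch and an undeclared submission path are each scored, and the verdict is reached without inspecting content. The DNS resolver is injected as an offline table so the block runs anywhere; the weights, thresholds, the sportsdata.example domain, the expected countries and the host names are assumptions, and only the IPv6 origin and the attachment filename come from the case.

```python
# Added example, not IRONSCALES code: a multi-signal envelope scorer that
# makes the quarantine decision from routing and infrastructure metadata
# rather than from body content. The DNS resolver is injected so the block
# runs offline; weights, thresholds, domains and hostnames are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Envelope:
    from_addr: str
    to_addr: str
    body_text: str
    attachments: List[str]
    client_ip: str          # IP of the device that submitted the message
    client_country: str     # ISO country from a GeoIP lookup (assumed upstream)
    submission_host: str    # SMTP endpoint the client authenticated to


PtrResolver = Callable[[str], Optional[str]]


def reverse_name(ip: str) -> str:
    """The in-addr.arpa / ip6.arpa name a PTR lookup queries."""
    return ipaddress.ip_address(ip).reverse_pointer


def has_ptr(ip: str, resolve: PtrResolver) -> bool:
    """True if the reverse name resolves to a hostname.

    In production wrap socket.gethostbyaddr() or a DNS library here and treat
    NXDOMAIN, timeouts and lookup errors alike as 'no PTR'."""
    return resolve(reverse_name(ip)) is not None


# Weights are illustrative. A missing PTR alone should not quarantine mail
# (residential and mobile networks omit it), which is why it carries 20, not 60.
WEIGHTS = {
    "self_addressed": 30,              # From == To through an external path
    "empty_body_with_attachment": 25,  # nothing for content classifiers to score
    "missing_ptr": 20,                 # sending host has no verifiable identity
    "geo_mismatch": 15,                # origin outside the org's operating regions
    "undeclared_submission_path": 10,  # not the org's own mail infrastructure
}
QUARANTINE_AT = 60
REVIEW_AT = 30


def score_envelope(env: Envelope, resolve: PtrResolver,
                   expected_countries: set, declared_hosts: set) -> Dict:
    hits = {}
    if env.from_addr.lower() == env.to_addr.lower():
        hits["self_addressed"] = WEIGHTS["self_addressed"]
    if not env.body_text.strip() and env.attachments:
        hits["empty_body_with_attachment"] = WEIGHTS["empty_body_with_attachment"]
    if not has_ptr(env.client_ip, resolve):
        hits["missing_ptr"] = WEIGHTS["missing_ptr"]
    if env.client_country not in expected_countries:
        hits["geo_mismatch"] = WEIGHTS["geo_mismatch"]
    if env.submission_host not in declared_hosts:
        hits["undeclared_submission_path"] = WEIGHTS["undeclared_submission_path"]
    total = sum(hits.values())
    verdict = ("quarantine" if total >= QUARANTINE_AT
               else "review" if total >= REVIEW_AT else "deliver")
    return {"score": total, "signals": sorted(hits), "verdict": verdict}


# Constructed offline PTR table standing in for DNS. The org's own MX (a
# TEST-NET address) has a PTR; the Uruguayan IPv6 origin from the case does not.
PTR_TABLE = {reverse_name("203.0.113.10"): "mx1.sportsdata.example"}


def offline_resolve(name: str) -> Optional[str]:
    return PTR_TABLE.get(name)


EXPECTED_COUNTRIES = {"US", "GB"}            # assumed operating regions
DECLARED_HOSTS = {"mx1.sportsdata.example"}  # assumed declared infrastructure

LURE = Envelope(
    from_addr="sales.rep@sportsdata.example",
    to_addr="sales.rep@sportsdata.example",
    body_text="",
    attachments=["[OrgName]_[City] - License Agreement.docx"],
    client_ip="2800:a4:80a:7600:f5f9:1c4:c6e2:575c",
    client_country="UY",
    submission_host="smtp.gmail.com",
)

ROUTINE = Envelope(
    from_addr="ops@sportsdata.example",
    to_addr="sales.rep@sportsdata.example",
    body_text="Hi, please see attached.",
    attachments=["q3-figures.xlsx"],
    client_ip="203.0.113.10",
    client_country="US",
    submission_host="mx1.sportsdata.example",
)


def run_samples() -> Dict[str, Dict]:
    return {name: score_envelope(env, offline_resolve, EXPECTED_COUNTRIES, DECLARED_HOSTS)
            for name, env in (("lure", LURE), ("routine", ROUTINE))}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(name, result)
```

The lure trips all five signals and is quarantined; the routine internal message, which also carries an attachment, scores zero. None of the checks touched the attachment verdict, which is the point of treating AV-clean as one input rather than a gate.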

The IBM Cost of a Data Breach 2024 report consistently shows that phishing remains the most common initial access vector. Attacks like this one -- no payload to detonate, no URL to follow, no body to scan -- represent the category's natural evolution toward minimum detectable signature. The MITRE ATT&CK framework catalogs this as T1566.001 Spearphishing Attachment combined with T1656 Impersonation -- techniques that individually are well-documented but are rarely seen executed with this level of signal reduction.

The only reason this email was caught is that the detection moved to the behavioral layer before the content layer had a chance to clear it.

---

Indicators of Compromise

| Type | Value | Notes |
| --- | --- | --- |
| Sending IPv6 | 2800:a4:80a:7600:f5f9[:]1c4:c6e2:575c | Attacker origin; Apple Mail client; Montevideo, Uruguay; no PTR record |
| Attachment MD5 | adc9d603407111736fc3c2b180ee86f1 | .docx contract lure; AV verdict clean at time of detection |
| Attachment name | [OrgName]_[City] - License Agreement.docx | Contract-themed filename; ~258 KB |
| Sender address | [employee]@[the organization's domain] (defanged: [employee]@[the organization's domain][.]) | Same as recipient; direct-send self-addressing pattern |
| Submission path | smtpclient.apple via smtp.gmail.com | Client-authenticated SMTP; outside domain's declared mail infrastructure |

---

MITRE ATT&CK

| Technique ID | Name | Relevance |
| --- | --- | --- |
| T1566 | Phishing | Primary delivery method |
| T1566.001 | Spearphishing Attachment | Contract-themed .docx as payload vehicle |
| T1656 | Impersonation | Sender address matches recipient; internal-identity spoofing via external SMTP |

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
