Every Authentication Check Passed. The Attack Was Still Inside.
SPF passed. DKIM passed. DMARC passed. ARC seals validated. Every link in the email body pointed to legitimate Microsoft support pages. Antivirus engines scanned the attachment and returned a clean verdict.
And it was still phishing.
IRONSCALES flagged this attack against a North American recreational equipment distributor in May 2026. The e-commerce team received an email with the subject line "ACTION REQUIRED: Accounting shared 'APPROVED North Central Emergency Vehicles' with you," carrying an AES-encrypted PDF that no automated scanner could open, inspect, or detonate without the passcode. The attack exploited a fundamental blind spot: SPF, DKIM, and DMARC verify that a message left infrastructure authorized for its domain, not that the sender or its content is trustworthy. When the sending infrastructure is legitimate (or compromised), those protocols become the attacker's alibi.
According to the Verizon 2024 Data Breach Investigations Report, 36% of all breaches involved phishing. The ones that pass authentication are the hardest to catch, and the fastest growing.
Anatomy of an Authentication-Clean Attack
The email originated from accounting@northcentralambulance[.]com, a domain registered since 2008 through GoDaddy with active SPF, DKIM, and DMARC records. The message routed through Securence, a legitimate secure email gateway based in Minneapolis (IP: 216[.]17[.]20[.]219), before entering Microsoft 365 infrastructure.
This relay path is significant. Because the email traversed authorized infrastructure, every hop in the authentication chain validated cleanly. Microsoft's own compauth=pass verdict confirmed it. For any email security gateway relying solely on authentication signals, this message was indistinguishable from a legitimate business communication.
The body was minimal: a brief greeting followed by a PDF passcode and a request to review the attachment. Three embedded links pointed to support[.]microsoft[.]com and aka[.]ms resources about phishing awareness (the irony writes itself). No malicious URLs in the message body whatsoever.
But the signature told a different story. It listed two company names: "Jerry's Transmission Service, Inc." and "North Central Emergency Vehicles." The phone number (320-359-2925) did not match any public listing for either entity. These inconsistencies are subtle, the kind a hurried employee misses but a trained analyst catches.
The Encrypted PDF: A Scanner-Proof Payload
The real attack lived inside the attachment: North Central Emergency Vehicles.pdf (115,874 bytes, MD5: d51fb6be51d7dfa2a103759dc55d86f1). Static analysis of the raw bytes showed a Standard security handler with AES encryption and plaintext /AcroForm and /Annots names; no /JavaScript, /JS, or /URI names were visible prior to decryption. That is as far as a scanner gets without the passcode. The standard security handler encrypts strings and streams but leaves dictionary keys and object structure readable, so the presence of a form is visible while what it does (field values, submit targets, any script) is not, and anything packed into compressed object streams is hidden outright. The absence of a name in the raw binary is therefore weak evidence of anything.
This is the credential harvesting playbook that has been accelerating since 2023. AES-encrypted PDFs with AcroForm fields are a documented vehicle for embedding fake login prompts, form-submission actions, and data-exfiltration endpoints inside a container that no gateway can open without the password. The Microsoft Digital Defense Report 2024 noted a sharp increase in encrypted attachment techniques specifically designed to evade automated analysis.
The attacker handed the password to the victim right in the email body. That is the critical design choice: the encryption is not meant to protect the contents from the recipient. It is meant to protect the contents from the security stack.
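To make the static triage described above concrete, here is an added example (not IRONSCALES tooling, and not code from this page) that inspects a PDF's raw bytes the way a gateway can without the passcode: it locates the /Encrypt dictionary, identifies the security handler and cipher, counts the names that remain in plaintext, and flags object streams, which can hide further dictionaries inside encrypted data. The sample PDF is constructed to mirror the structure described in this section; its object layout and the placeholder /O and /U strings are assumptions, not the real attachment.

```python
import re

# Constructed sample, not the real attachment: a trailer that points at a
# Standard security handler using AESV2 (AES-128), an /AcroForm holding one
# widget annotation, and no plaintext /JS, /JavaScript or /URI names. The
# field name /T is an opaque byte blob because strings are encrypted while
# dictionary keys are not. /O and /U hold placeholders instead of real hashes.
SAMPLE_PDF = b"""%PDF-1.6
1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [4 0 R] >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Widget /FT /Tx /T (\x8a\x12\x9c\x41) >> endobj
5 0 obj << /Filter /Standard /V 4 /R 4 /Length 128
  /CF << /StdCF << /CFM /AESV2 /AuthEvent /DocOpen /Length 16 >> >>
  /StmF /StdCF /StrF /StdCF /O (placeholder) /U (placeholder) /P -1 >> endobj
trailer << /Root 1 0 R /Encrypt 5 0 R >>
%%EOF
"""
# Same structure with the /Encrypt entry dropped, for comparison.
SAMPLE_PLAIN_PDF = SAMPLE_PDF.replace(b"/Encrypt 5 0 R", b"")

# Names worth counting because they survive encryption in plaintext.
WATCH_NAMES = [b"/AcroForm", b"/Annots", b"/JavaScript", b"/JS", b"/URI",
               b"/SubmitForm", b"/OpenAction", b"/AA", b"/Launch",
               b"/EmbeddedFile", b"/ObjStm"]
# A PDF name ends at whitespace or a delimiter; this stops /JS matching /JSON.
NAME_END = rb"(?![A-Za-z0-9_.\-])"


def _object_body(data, num, gen):
    """Body of indirect object `num gen obj ... endobj`, or b'' if absent."""
    pattern = rb"(?<![0-9])%d\s+%d\s+obj\b(.*?)\bendobj" % (num, gen)
    m = re.search(pattern, data, re.S)
    return m.group(1) if m else b""


def _encrypt_dict(data):
    """The /Encrypt dictionary, whether referenced indirectly or written inline."""
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", data)
    if ref:
        return _object_body(data, int(ref.group(1)), int(ref.group(2)))
    direct = re.search(rb"/Encrypt\s*<<.*?>>", data, re.S)
    return direct.group(0) if direct else b""


def _cipher(enc):
    if re.search(rb"/AESV3\b", enc):
        return "AESV3 (AES-256)"
    if re.search(rb"/AESV2\b", enc):
        return "AESV2 (AES-128)"
    if re.search(rb"/CFM\s*/V2\b", enc):
        return "RC4 (crypt filter V2)"
    return "RC4" if re.search(rb"/V\s+[12]\b", enc) else "unknown"


def _verdict(report):
    if not report["encrypted"]:
        return "unencrypted: open and inspect content normally"
    reasons = ["strings and streams are opaque without the passcode"]
    if report["names"]["/AcroForm"] or report["names"]["/Annots"]:
        reasons.append("form/annotation structure visible, behaviour unknown")
    if report["object_streams"]:
        reasons.append("object streams present, so absent names prove nothing")
    return "quarantine: " + "; ".join(reasons)


def triage_pdf(data):
    """Structural triage of raw PDF bytes without decrypting anything."""
    enc = _encrypt_dict(data)
    names = {n.decode(): len(re.findall(re.escape(n) + NAME_END, data))
             for n in WATCH_NAMES}
    if b"/Standard" in enc:
        handler = "password"          # user/owner password, /Filter /Standard
    elif b"PubSec" in enc:
        handler = "certificate"       # /Filter /Adobe.PubSec
    else:
        handler = None
    report = {
        "encrypted": bool(enc),
        "handler": handler,
        "cipher": _cipher(enc) if enc else None,
        "names": names,
        "object_streams": names["/ObjStm"],
    }
    report["verdict"] = _verdict(report)
    return report


if __name__ == "__main__":
    for label, pdf in (("encrypted", SAMPLE_PDF), ("plain", SAMPLE_PLAIN_PDF)):
        print(label, triage_pdf(pdf))
```

The point of the comparison run is that both samples contain identical /AcroForm and /Annots names; only the /Encrypt entry separates "inspect normally" from "quarantine", because it is the one thing that tells the gateway it cannot see what the form does.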
MITRE ATT&CK maps this to three techniques: Spearphishing Attachment (T1566.001), Encrypted/Encoded File (T1027.013), and User Execution: Malicious File (T1204.002).
Targeting That Did Not Add Up
Here is where the attack logic breaks down. The recipient was an e-commerce team at a recreational equipment distributor. They had no business relationship with an ambulance service or emergency vehicle supplier. This was a first-time sender with zero prior communication history.
The FBI IC3 Internet Crime Report released in 2024 documented $2.9 billion in BEC losses. Many of those attacks start exactly like this: an "approved" document from an unfamiliar vendor, wrapped in urgency language ("ACTION REQUIRED"), targeting a financial or procurement function. The "accounting" sender name and approval framing are textbook pretexting.
Whether this originated from a compromised account at the ambulance service or a calculated impersonation using their authorized gateway, the targeting mismatch suggests spray-and-pray distribution from a foothold in legitimate infrastructure rather than a precision-targeted campaign.
How Human Review Broke the Authentication Alibi
Automated systems had every reason to let this through. Authentication passed. Links were clean. AV returned a clean verdict. The encrypted PDF could not be inspected.
IRONSCALES adaptive AI flagged the structural anomalies: first-time sender, high sender risk score, encrypted attachment with AcroForm tokens, and zero recipient relevance. But the decisive action came from a human SOC analyst who reviewed the confluence of signals and manually confirmed the phishing classification. The email was permanently deleted across all four affected mailboxes.
This is the core argument for layered detection that combines machine analysis with human judgment. The IBM Cost of a Data Breach Report 2024 found that organizations using AI-assisted security with human oversight identified breaches 108 days faster than those without. When every automated signal says "clean" but the structural pattern says "wrong," you need a human in the loop.
Defending Against Authentication-Clean Encrypted Payloads
Encrypted PDF attacks exploit a specific architectural gap. Here is how to close it:
Quarantine password-protected attachments by default. If a user must enter a passcode provided in the same email to open a file, treat it as a red flag. Where the gateway can lift the inline passcode from the body and open the file in a sandbox, do that before release; where it cannot, hold the message. Legitimate document-sharing workflows use secure portals or send the password over a separate channel, not in the same message as the file.
Weight first-time sender signals heavily. Authentication proves the email came from authorized infrastructure. It does not prove the sender has any relationship with the recipient. First-time sender plus financial urgency plus encrypted attachment is a high-confidence phishing pattern regardless of SPF/DKIM results.
Deploy credential harvesting protection that analyzes behavioral patterns, not just content. When the payload is encrypted and the links are clean, content-based detection fails. Behavioral signals (sender history, recipient relevance, attachment structure) are the detection surface that remains.
Train your teams on the passcode-in-email pattern. According to CISA guidance, organizations should treat any unsolicited encrypted attachment with an inline password as suspicious until independently verified through a separate communication channel.
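The four defenses above come down to one correlation the gateway can make on the message itself: an encrypted attachment, a passcode in the same body, and a sender the recipient has never exchanged mail with. The following is an added example (not IRONSCALES code, not from this page) that parses a raw RFC 5322 message with Python's standard email library, extracts those signals, and deliberately leaves the SPF/DKIM/DMARC result out of the decision so that a clean authentication verdict never lowers the score. The message is constructed to mimic the pattern described in the article; the .test domains, sender name, and passcode are assumptions.

```python
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage


def build_sample_eml():
    """Constructed message mimicking the pattern in this article; not the real email.
    The .test domains are reserved names used here as an assumption."""
    msg = EmailMessage()
    msg["From"] = "Accounting <accounting@vendor-example.test>"
    msg["To"] = "ecommerce@distributor-example.test"
    msg["Subject"] = "ACTION REQUIRED: Accounting shared 'APPROVED Quote' with you"
    # All three checks pass, exactly as in the case described above.
    msg["Authentication-Results"] = (
        "mx.distributor-example.test; spf=pass smtp.mailfrom=vendor-example.test; "
        "dkim=pass header.d=vendor-example.test; dmarc=pass header.from=vendor-example.test"
    )
    msg.set_content(
        "Hello,\n\nPlease review the attached approved document.\n"
        "Passcode: VendorExampleQuote\n\nThanks,\nAccounting\n"
    )
    # Minimal stand-in for an encrypted PDF: only the trailer's /Encrypt entry matters here.
    pdf = b"%PDF-1.6\ntrailer << /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF\n"
    msg.add_attachment(pdf, maintype="application", subtype="pdf",
                       filename="Approved Quote.pdf")
    return msg.as_bytes()


# "Passcode: X", "password is X", "PIN - X"; the token must be at least 6 characters.
PASSCODE_RE = re.compile(
    r"\b(?:passcode|password|pin)\b\s*(?:is|:|-)?\s*([A-Za-z0-9!@#$%^&*_\-]{6,})", re.I)
URGENCY_RE = re.compile(r"action required|urgent|approved|immediate|final notice", re.I)


def extract_signals(raw, known_senders):
    """Pull the structural signals the article relies on out of a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = email.utils.parseaddr(str(msg["From"]))[1].lower()
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                           str(msg.get("Authentication-Results", ""))))
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    passcode = PASSCODE_RE.search(body)
    encrypted_pdfs = []
    for part in msg.iter_attachments():
        if part.get_content_type() == "application/pdf":
            data = part.get_payload(decode=True) or b""
            # A plaintext /Encrypt entry marks a password- or certificate-protected
            # file; the gateway cannot see past it without the passcode.
            if re.search(rb"/Encrypt\b", data):
                encrypted_pdfs.append(part.get_filename())
    return {
        "sender": sender,
        "auth_all_pass": all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")),
        "first_time_sender": sender not in known_senders,
        "urgency_in_subject": bool(URGENCY_RE.search(str(msg.get("Subject", "")))),
        "encrypted_pdfs": encrypted_pdfs,
        "inline_passcode": passcode.group(1) if passcode else None,
    }


def decide(signals):
    """auth_all_pass is intentionally unused: passing authentication never lowers the verdict."""
    if signals["encrypted_pdfs"] and signals["inline_passcode"]:
        confidence = "high" if signals["first_time_sender"] else "medium"
        return f"quarantine ({confidence}): encrypted attachment with passcode in the same message"
    if signals["first_time_sender"] and signals["urgency_in_subject"]:
        return "hold for review: first-time sender with urgency framing"
    return "deliver"


def analyze(raw, known_senders=frozenset()):
    signals = extract_signals(raw, known_senders)
    return {"signals": signals, "decision": decide(signals)}


if __name__ == "__main__":
    result = analyze(build_sample_eml(), known_senders=set())
    for key, value in result["signals"].items():
        print(f"{key:>20}: {value}")
    print("decision:", result["decision"])
```

Feed `analyze` a real `.eml` read in binary mode and a set of addresses the mailbox has previously corresponded with; a known sender only drops the verdict from high to medium confidence, because a compromised vendor account produces exactly this message with a real relationship behind it.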
Encrypted PDF Attack Indicators
| Indicator | Type | Value |
|---|---|---|
| Sender Domain | Domain | northcentralambulance[.]com |
| Sender Email | Email address | accounting@northcentralambulance[.]com |
| Sending IP | IPv4 | 216[.]17[.]20[.]219 |
| Relay Host | Hostname | mail028[.]219[.]20[.]a[.]static[.]mtka[.]securence[.]com |
| Attachment | PDF (AES-encrypted) | North Central Emergency Vehicles.pdf |
| Attachment MD5 | Hash | d51fb6be51d7dfa2a103759dc55d86f1 |
| Attachment SHA256 | Hash | 16d0e3893e9be416ce9648ae7d5abfee2549ed0ff872e81d46d385ee4cd59b19 |
| PDF Passcode | String | NorthCentralEmergencyVehicles |
| Image Attachment MD5 | Hash | 54d3e3823ef226f2fda65371ca8cb35a |