A compromised Microsoft 365 account on a domain registered in 2004 sent an encrypted PDF to a forensic engineering firm. The email body contained three lines: a greeting, a passcode, and an instruction to open the attachment. Every authentication check passed. Every scanner failed to inspect the payload. The attacker handed the victim the decryption key while simultaneously locking out every automated defense in the delivery path.
This is the convergence of two evasion techniques that, combined, create a near-perfect blind spot: encryption that blocks content inspection and authentication that blocks sender-reputation filtering.
The email arrived from a fire protection services company. The subject line referenced a shared "statement." The body was stripped bare:
> Good afternoon,
>
> PDF Passcode: [redacted]
>
> Kindly See Attached
No invoice number. No account reference. No personalization beyond the greeting. The attachment was a 384KB encrypted PDF containing an AcroForm, an interactive form structure capable of hosting credential-collection fields or JavaScript actions that POST data to remote endpoints.
The sending domain has been registered through GoDaddy since June 2004. It runs on Microsoft 365 infrastructure with properly configured SPF, DKIM, and DMARC records. Authentication results tell the full story:
The email transited entirely through Microsoft Exchange Online Protection infrastructure. From a gateway's perspective, this was a legitimate business email from a legitimate domain through legitimate servers.
Microsoft's own antispam engine initially flagged it: CAT:HPHISH with a safety score of SFTY:9.25. The message was quarantined. Then it was released from quarantine, resetting the SCL to -1 (trusted). The x-ms-traffictypediagnostic header confirms the release path: ReleasedQuarantineMessage. Someone, likely the recipient or an administrator, overrode the quarantine.
That override illustrates the fundamental problem with quarantine-and-release workflows. The phishing signal was detected. The human in the loop dismissed it.
Password-protected PDFs are a known scanner evasion vector (T1027), but this case demonstrates how effective the technique remains. The attachment analysis produced a high risk score (0.78) and flagged the AcroForm object, but could not enumerate any embedded URLs, JavaScript actions, or form POST endpoints. The encryption wall held.
The FBI IC3 2024 Annual Report recorded $16.6 billion in cybercrime losses, with phishing remaining the most reported complaint category. Encrypted attachments are a growing share of that volume because they exploit a structural limitation: scanners need plaintext to analyze content, and encryption denies exactly that.
The attacker's operational design is deliberate. Delivering the passcode in the email body means the recipient has everything needed to open the file. No second channel, no callback, no friction. But every automated system between the sender and the inbox lacks the logic to extract the passcode from the body, apply it to the attachment, and then analyze the decrypted content. That gap is the entire attack surface.
AcroForms inside encrypted PDFs are particularly dangerous. Unlike simple URL redirects, AcroForm fields can collect credentials natively within the PDF viewer. A victim types their password into what looks like a document portal login, and the form submits to an attacker-controlled endpoint. No browser redirect. No suspicious URL in the address bar. The Verizon DBIR 2024 found that credentials were involved in over 50% of breaches, and techniques like this show why: the credential collection happens inside trusted document viewers, not on suspicious web pages.
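As an added defender-side example (not code from the original write-up), the following Python triage applies the signals described above to a constructed three-line body and a minimal PDF skeleton: the passcode-in-body pattern, structural checks that work on an encrypted PDF without its key, and the first-time-sender flag. The sample body, the PDF bytes and the weights are constructed for illustration, not taken from the real attachment.

```python
import re

# Constructed sample body in the three-line shape described; the passcode is made up.
SAMPLE_BODY = "Good afternoon,\n\nPDF Passcode: Xk7pQ2\n\nKindly See Attached\n"

# Constructed minimal PDF skeleton standing in for the attachment (not the real file).
# Standard PDF encryption enciphers only string and stream contents; dictionary keys and
# name objects such as /Encrypt, /AcroForm and /JavaScript stay in plaintext.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [4 0 R] >> >> endobj\n"
    b"4 0 obj << /FT /Tx /T (pwd) /AA << /F << /S /JavaScript /JS (...) >> >> >> endobj\n"
    b"5 0 obj << /Filter /Standard /V 4 /R 4 /Length 128 >> endobj\n"
    b"trailer << /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF\n"
)

# Passcode-in-body pattern: a password/passcode/PIN label followed by a token.
PASSCODE_RE = re.compile(r"\b(?:pass(?:code|word|phrase)|pin)\s*[:=\-]\s*(\S+)", re.I)


def extract_passcode(body: str):
    """Return the passcode delivered in the body, or None if the pattern is absent."""
    match = PASSCODE_RE.search(body)
    return match.group(1) if match else None


def pdf_structural_flags(data: bytes) -> dict:
    """Plaintext structure checks that work on an encrypted PDF without the key."""
    return {
        "encrypted": b"/Encrypt" in data,
        "acroform": b"/AcroForm" in data,
        "javascript": re.search(rb"/(?:JavaScript|JS)\b", data) is not None,
        "submitform": b"/SubmitForm" in data,
    }


def triage(body: str, attachment: bytes, first_time_sender: bool) -> dict:
    """Combine body, attachment and sender-history signals; weights are illustrative."""
    flags = pdf_structural_flags(attachment)
    passcode = extract_passcode(body)
    nonblank = [line for line in body.splitlines() if line.strip()]
    signals = [
        (flags["encrypted"], 3, "encrypted PDF blocks content inspection"),
        (flags["encrypted"] and passcode is not None, 3, "passcode delivered in same message"),
        (flags["encrypted"] and flags["acroform"], 2, "AcroForm inside encrypted PDF"),
        (flags["javascript"] or flags["submitform"], 2, "form/JS action names in structure"),
        (first_time_sender, 2, "first-time sender to this organization"),
        (len(nonblank) <= 3, 1, "minimal body, no personalization"),
    ]
    score = sum(weight for hit, weight, _ in signals if hit)
    reasons = [why for hit, _, why in signals if hit]
    verdict = "hold_for_review" if score >= 6 else "deliver"
    return {"score": score, "verdict": verdict, "passcode": passcode, "reasons": reasons}
```

Because the passcode is recovered from the body, the same pipeline can hand it to a sandbox that decrypts the file and inspects the form actions the encryption otherwise hides.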
The DKIM signature was issued for NETORGFT4023857.onmicrosoft[.]com, a Microsoft 365 small business tenant identifier. The domain itself runs on GoDaddy DNS (NS21.DOMAINCONTROL.COM, NS22.DOMAINCONTROL.COM) with client-lock status flags across delete, renew, transfer, and update operations. This is not a throwaway domain. It is an established business with over two decades of registration history.
The Microsoft Digital Defense Report 2024 documented a significant increase in compromised legitimate accounts being used as phishing infrastructure. Compromised accounts are valuable precisely because they inherit clean reputation. Every reputation-based filter, every authentication check, every sender-history model sees a trusted entity.
This was also a first-time sender to the target organization. That signal alone should carry weight. A never-before-seen sender from an unrelated industry, sending a password-protected PDF with a three-line body, is a pattern that behavioral detection catches where authentication-only models cannot.
| Type | Indicator | Context |
|---|---|---|
| Sender Email | rickeley@iscfire[.]com | Compromised M365 account |
| Sender Domain | iscfire[.]com | Fire protection services, registered 2004-06-21 |
| DKIM Domain | NETORGFT4023857.onmicrosoft[.]com | Microsoft 365 small business tenant |
| Attachment | Rickeley Iscfire.pdf | Encrypted PDF with AcroForm, 384KB |
| MD5 | e836dc645e6ed08bcd4927804bf663dc | PDF file hash |
| SHA256 | f14555e47f4d007dbe76f1edbd795934f2f39379908f38f2df3f27d8c3941d7e | PDF file hash |
| Passcode | [redacted] | Delivered in email body |
| MITRE ATT&CK | T1566.001 | Spearphishing Attachment |
| MITRE ATT&CK | T1204.002 | User Execution: Malicious File |
| MITRE ATT&CK | T1027 | Obfuscated Files or Information |
Authentication is necessary but insufficient. This email passed SPF, DKIM, DMARC, ARC, and composite authentication. If your detection model stops at authentication results, this email is invisible.
Encrypted attachments require behavioral analysis, not content scanning. When a scanner cannot open the file, the detection burden shifts to signals around the email: first-time sender, low personalization, passcode-in-body pattern, attachment metadata (AcroForm presence is detectable even without decryption in some implementations), and cross-referencing the sender domain against the recipient's communication history.
Three specific recommendations for defenders:
Flag passcode-in-body patterns. Any email delivering a password alongside an encrypted attachment should trigger elevated scrutiny. This is a well-documented social engineering pattern (CISA phishing guidance), and legitimate document-sharing workflows rarely embed decryption keys in the same message.
Treat quarantine releases as high-risk events. This email was caught by Microsoft's own filters, quarantined, and then released. Organizations should implement secondary review for quarantine release actions, especially for messages flagged as high-confidence phishing (HPHISH).
Weight first-time sender signals heavily for encrypted attachments. A never-before-seen sender delivering an encrypted file with a three-line body is a pattern cluster. According to the IBM Cost of a Data Breach 2024 report, the average breach cost reached $4.88 million. The cost of pausing to verify a first-time sender is zero. The cost of not pausing is measurable in millions.
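An added example (not the write-up's own code) of the secondary review the quarantine-release workflow lacked: given a message's headers, it spots a release that overrode a high-confidence phishing verdict. The header values are constructed in the semicolon-separated KEY:VALUE layout Exchange Online Protection uses for X-Forefront-Antispam-Report; only CAT:HPHISH, SFTY:9.25, SCL:-1 and the ReleasedQuarantineMessage marker come from the write-up, the rest are placeholders.

```python
# Constructed header values, not the real message's headers.
SAMPLE_HEADERS = {
    "X-Forefront-Antispam-Report": (
        "CIP:203.0.113.10;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:SPM;"
        "H:placeholder.outbound.protection.outlook.com;PTR:;CAT:HPHISH;SFTY:9.25;"
    ),
    "X-MS-TrafficTypeDiagnostic": "PLACEHOLDER:EE_|ReleasedQuarantineMessage",
}

# Verdict categories that a release should never silently override.
HIGH_CONFIDENCE_PHISH = {"HPHISH"}


def parse_antispam_report(value: str) -> dict:
    """Split 'KEY:VALUE;KEY:VALUE;...' into a dict; keys are upper-cased."""
    fields = {}
    for part in value.split(";"):
        key, sep, val = part.partition(":")
        if sep:
            fields[key.strip().upper()] = val.strip()
    return fields


def _number(text: str, default: float) -> float:
    """Parse SCL/SFTY values defensively; missing or malformed fields fall back."""
    try:
        return float(text)
    except ValueError:
        return default


def assess_release(headers: dict) -> dict:
    """Flag a quarantine release that overrode a high-confidence phishing verdict."""
    lowered = {name.lower(): value for name, value in headers.items()}  # header names are case-insensitive
    report = parse_antispam_report(lowered.get("x-forefront-antispam-report", ""))
    released = "ReleasedQuarantineMessage" in lowered.get("x-ms-traffictypediagnostic", "")
    category = report.get("CAT", "")
    scl = _number(report.get("SCL", ""), 0)
    safety = _number(report.get("SFTY", ""), 0)
    reasons = []
    if released:
        reasons.append("message released from quarantine")
    if category in HIGH_CONFIDENCE_PHISH:
        reasons.append(f"filter verdict was {category} (safety score {safety})")
        if scl < 0:
            reasons.append("SCL reset to trusted despite phishing verdict")
    escalate = released and category in HIGH_CONFIDENCE_PHISH
    return {"escalate": escalate, "category": category, "scl": scl, "reasons": reasons}
```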
The attacker in this case did not need sophisticated infrastructure. They did not need novel malware. They needed one compromised mailbox, one encrypted PDF with form fields, and the knowledge that authentication results would do half their work for them.