The domain said Reuters. The infrastructure said Amazon. The attachment said nothing at all, because it was encrypted with AES and no scanner could read it. Inside that encrypted PDF were AcroForm interactive fields, a credential harvesting mechanism that operates entirely within the PDF reader and never touches a web browser. The email body, written in Portuguese, fabricated a legal thread about municipal tax obligations with links to real Brazilian legislation.
The sending domain reuters-articles[.]net was registered on April 3, 2026, through NameCheap with privacy-protected WHOIS. It existed for one purpose. The domain name borrows Reuters' global news brand while adding a generic suffix that makes it look like a content distribution subdomain. In a From header or quick visual scan, the distinction between reuters[.]com and reuters-articles[.]net is easy to miss.
The message was sent through Amazon SES from IP 54[.]240[.]7[.]37. SPF passed for amazonses[.]com. DKIM passed. DMARC aligned. Full authentication. The impersonation was layered: a brand-adjacent domain, authenticated through trusted cloud infrastructure, delivering content that looked like professional legal correspondence.
The attachment, BILL.com9860.pdf, was encrypted with AES v2 (128-bit). Inside the encrypted container, the PDF contained AcroForm fields, interactive form elements defined in the PDF specification that support text input, submission buttons, and HTTP POST actions to remote servers.
This is sandbox evasion at the file format level. The encryption does not require the attacker to use any exploit or vulnerability. AES encryption is a standard PDF feature. Every PDF reader supports it. But email scanners, sandboxes, and content inspection tools cannot decrypt the file without the password. They see a valid PDF structure, detect the encryption flag, and either mark the file as clean based on the outer metadata or flag it as "encrypted" without being able to explain what is inside.
The password was likely delivered through a separate channel or embedded in the email body, a common pattern where the phishing email provides the key that unlocks the payload.
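What a scanner can still recover from an encrypted PDF without the password, as an added example (not the post's or Themis's detection logic): PDF standard security encrypts only strings and streams, so the /Encrypt dictionary and the object names around it stay in plaintext, which exposes the algorithm, revision and key length and lets the AcroForm/SubmitForm structure be spotted while field labels and the submit URL remain unreadable. The PDF skeleton is constructed, and the regex parsing assumes objects are not packed into object streams.

```python
import re

# Constructed sample (not the real attachment): skeleton of an AES-encrypted PDF.
# Only strings and streams are encrypted (hex stubs here); names/numbers stay plain.
SAMPLE_PDF = b"""%PDF-1.6
1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm 3 0 R >> endobj
3 0 obj << /Fields [4 0 R] >> endobj
4 0 obj << /FT /Tx /T <9f3a> /AA << /F << /S /SubmitForm /F <6c1e> >> >> >> endobj
5 0 obj << /Filter /Standard /V 4 /R 4 /Length 128
/CF << /StdCF << /CFM /AESV2 /AuthEvent /DocOpen /Length 16 >> >>
/StmF /StdCF /StrF /StdCF /O <00> /U <00> /P -3904 >> endobj
trailer << /Root 1 0 R /Encrypt 5 0 R /ID [<01><01>] >>
%%EOF"""

CFM_NAMES = {b"AESV2": "AES-128", b"AESV3": "AES-256", b"V2": "RC4"}

def object_body(pdf: bytes, num: int) -> bytes:  # dictionary of `num 0 obj`, or b""
    m = re.search(rb"(?m)^%d 0 obj\s*(<<.*?>>)\s*endobj" % num, pdf, re.S)
    return m.group(1) if m else b""

def encryption_profile(pdf: bytes) -> dict:
    """Describe a PDF's encryption and visible form structure without the password."""
    ref = re.search(rb"/Encrypt\s+(\d+)\s+0\s+R", pdf)
    if not ref:
        return {"encrypted": False}
    enc = object_body(pdf, int(ref.group(1)))

    def number(key: bytes, default: int) -> int:  # first hit is the top-level key
        m = re.search(rb"/" + key + rb"\s+(-?\d+)", enc)
        return int(m.group(1)) if m else default

    version = number(b"V", 0)
    cfm = re.search(rb"/CFM\s*/(\w+)", enc)
    if version >= 4 and cfm:  # crypt filters exist from /V 4 (AES v2) upward
        algorithm = CFM_NAMES.get(cfm.group(1), cfm.group(1).decode())
    else:
        algorithm = "RC4"  # /V 1-3 use RC4 only
    return {
        "encrypted": True,
        "algorithm": algorithm,
        "revision": number(b"R", 0),
        "key_bits": number(b"Length", 40),
        # Names survive encryption, so the form machinery is visible even though
        # field labels and the submit URL (strings) are not; object streams hide it.
        "acroform_visible": b"/AcroForm" in pdf,
        "submit_form_action": b"/SubmitForm" in pdf,
        "text_fields": len(re.findall(rb"/FT\s*/Tx", pdf)),
        "object_streams": b"/ObjStm" in pdf,
    }
```

A gateway rule can therefore report "AES-128 encrypted PDF with an AcroForm and a SubmitForm action" rather than a bare "encrypted" verdict, and should treat a document that also uses object streams as fully opaque.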
The email body was not a generic lure. It contained a Portuguese-language exchange discussing municipal ISSQN tax obligations, formatted as a client-counsel conversation. Links in the thread pointed to leis[.]org, a legitimate Brazilian legislation database. These real links served two purposes: they would scan clean, and they reinforced the legal context of the conversation.
The combination was deliberate. A Reuters-branded domain delivered via Amazon SES with full authentication, a Portuguese legal thread with links to real government legislation, and an encrypted PDF that no scanner could inspect. Each layer addressed a different detection mechanism. The brand name bypassed visual inspection. The authentication bypassed gateway policies. The real links bypassed URL scanning. The encryption bypassed content analysis. Themis flagged the convergence of a first-time sender, a newly registered lookalike domain, and an encrypted attachment.
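The convergence rule described above, as an added example (not Themis's scoring and not code from the post): each signal is counted on its own, while passing authentication and clean URLs, which this case satisfies through the attacker's own SES sending and real legislation links, are never allowed to offset them. The brand list, thresholds and receipt date are assumptions, and the registrable domain is approximated as the last two labels.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed tenant policy (not the post's): protected brands and their real domain, plus thresholds.
PROTECTED_BRANDS = {"reuters": "reuters.com"}
NEW_DOMAIN_DAYS = 30
CONVERGENCE_THRESHOLD = 3

@dataclass
class Message:
    from_domain: str
    received: date
    domain_registered: Optional[date]  # None when the WHOIS creation date is unknown
    prior_messages_from_sender: int
    auth_passed: bool                  # SPF, DKIM and DMARC all pass
    encrypted_attachment: bool
    all_urls_scanned_clean: bool

def lookalike_brand(domain: str) -> Optional[str]:
    """Brand whose name is a hyphen/dot-separated token of a domain the brand does not own."""
    labels = domain.lower().split(".")
    registrable = ".".join(labels[-2:])
    tokens = set(domain.lower().replace("-", ".").split("."))
    for brand, real_domain in PROTECTED_BRANDS.items():
        if brand in tokens and registrable != real_domain:
            return brand
    return None

def risk_signals(msg: Message) -> list:
    """Independent signals that stack; authentication and clean URLs are deliberately not counted."""
    signals = []
    brand = lookalike_brand(msg.from_domain)
    if brand:
        signals.append(f"lookalike of {brand}")
    if msg.domain_registered and (msg.received - msg.domain_registered).days <= NEW_DOMAIN_DAYS:
        signals.append(f"domain registered within {NEW_DOMAIN_DAYS} days")
    if msg.prior_messages_from_sender == 0:
        signals.append("first-time sender")
    if msg.encrypted_attachment:
        signals.append("encrypted attachment, content not inspectable")
    # auth_passed only proves the mail left infrastructure the domain authorised (here SES),
    # and all_urls_scanned_clean can mean real legislation links; neither lowers the score.
    return signals

def verdict(msg: Message) -> str:
    return "flag" if len(risk_signals(msg)) >= CONVERGENCE_THRESHOLD else "allow"

# The case above; the receipt date is constructed (the post gives only the registration date).
CASE = Message("reuters-articles.net", date(2026, 4, 14), date(2026, 4, 3), 0, True, True, True)
```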
| Type | Indicator | Context |
|---|---|---|
| Sender Domain | reuters-articles[.]net | Registered Apr 3, 2026, NameCheap, privacy WHOIS |
| Sending IP | 54[.]240[.]7[.]37 | Amazon SES infrastructure |
| Auth Results | SPF: pass, DKIM: pass, DMARC: pass | Full authentication via SES |
| Attachment | BILL.com9860.pdf | AES v2 encrypted, AcroForm fields |
| Encryption | AES v2 (128-bit) | Scanner cannot inspect contents |
| Body Language | Portuguese | Fabricated ISSQN municipal tax thread |
| Legitimate Links | leis[.]org | Brazilian legislation database (real, not malicious) |
| Domain Age | Registered Apr 3, 2026 | Newly registered, NameCheap, privacy WHOIS |
| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Attachment | T1566.001 | Encrypted PDF with AcroForm credential harvesting fields |
| Obfuscated Files or Information | T1027 | AES encryption prevents scanner content inspection |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Reuters lookalike domain with Amazon SES authentication |