The Encrypted PDF Your Scanner Trusts Is Hiding the Link It Cannot Read

TL;DR An attacker delivered an encrypted PDF through a national insurance carrier's own authenticated mail infrastructure. SPF, DKIM, DMARC, and ARC all passed under the brand's own reject policy, so the message inherited a trusted reputation. Inside the PDF sat five clickable link objects whose destinations were obfuscated and locked behind RC4 encryption, invisible to static scanning. The email body supplied a callback phone number and address that did not match the real brand's published support contacts. No automated engine flagged it. A human analyst quarantined it three days after delivery.
Severity: High Phishing Impersonation Scanner Evasion MITRE: T1566.001 MITRE: T1027

The Trust Signal That Became the Hiding Place

Encryption is supposed to be the good guy. We tell users to look for it, we reward senders who use it, and gateways treat an encrypted document as a sign of a careful sender rather than a careless one. This attack inverts that assumption completely.

An eligibility specialist at a state health and human services agency received an email that looked, by every measurable signal, entirely legitimate. It came from a real, nationally known insurance carrier, through that brand's own mail infrastructure. It carried a professionally written body and a PDF attachment named for a specific beneficiary case. The attachment was encrypted. And that encryption is exactly what let the malicious links inside it slip past automated inspection untouched.

A secure email gateway, or SEG, is the legacy filtering layer most organizations still run in front of their mailboxes to scan inbound messages, links, and attachments. In this case the SEG had nothing to scan. The links were locked inside an encrypted file it could not open.

How the Message Moved

The mechanics here are quieter than a typical phishing teardown because so little of the attack happens in the open.

The email arrived from a Customer Service Analyst persona on the carrier's own domain. The body read: "Attached is the document requested. If you need further assistance, please contact Customer Service at 1-800-775-7894 or via email at mycustomerservice@[insurer-domain]. Please do not reply to this email." It referenced a single PDF attachment as the only action to take.

The attachment was a ten-page PDF, roughly 228 KB, named for a real beneficiary and a policy case reference. It was encrypted with RC4. Static analysis could open the wrapper but not the contents. Inside, the file carried five clickable link annotations, PDF objects 18, 20, 22, 26, and 28, each containing a /URI string that was non-ASCII and obfuscated. Because the document was encrypted, none of those destinations could be resolved. The scanner could confirm the links existed but could not see where they pointed.

That maps cleanly to two MITRE ATT&CK techniques: Phishing: Spearphishing Attachment (T1566.001) for the delivery, and Obfuscated Files or Information (T1027) for the encrypted, scrambled URIs that defeated inspection.

Why Authentication Did Not Save Anyone

Here is the part that should bother every defender. Every authentication check passed.

SPF, the record that authorizes which servers may send for a domain, passed. DKIM, the cryptographic signature that ties a message to its sending domain, passed and aligned to the brand's own domain. DMARC, the policy that tells receivers what to do when those checks fail, passed under the brand's own published reject policy. ARC passed. Microsoft's composite authentication scored the message at 100. The mail relayed through Microsoft 365, or O365, outbound protection, the same trusted hosted mail path that delivers billions of legitimate corporate messages a day.

This was not a spoofed look-alike domain. The message genuinely originated from the brand's own authenticated infrastructure, the strongest indicator that a real account or system was abused to send it. Authentication answers the question "did this come from where it claims," and the answer was an honest yes. What authentication cannot answer is "is the content safe." Those are different questions, and the gap between them is where this attack lived.

The Verizon 2026 Data Breach Investigations Report puts phishing behind 16 percent of initial access into breached environments, with credentials involved in 39 percent of incidents. The DMARC standard exists precisely to stop domain spoofing, and it works. It simply does not apply when the sender is the real domain. The Microsoft Digital Defense Report 2024 makes the same point about abuse of trusted cloud mail paths, and the FBI IC3 2024 report documents how brand-impersonation and business email fraud continue to lead reported losses.

The Detection Gap, Step by Step

Reconstruct the verdict chain and the blind spot is obvious.

The body links were three Microsoft support and aka.ms URLs, part of the standard external-sender warning banner, and they scanned clean. They were never the payload. The payload links were inside the encrypted PDF, and the scanner returned a clean verdict on the attachment because it found no JavaScript, no embedded executables, and no readable links. There was nothing to flag, because encryption had hidden everything worth flagging.

The social engineering reinforced the file. The callback phone number, 1-800-775-7894, and the email address in the body did not match the brand's primary published customer service line, 1-800-775-6000. An attacker who plants alternate contact details is building a trap for the careful user, the one who tries to verify and ends up calling the attacker.

No automated engine raised a strong verdict. There was no confident AI label, no decisive score. What ultimately stopped this message was a person: it was quarantined and approved manually three days after it landed in the inbox. Three days is a long time for a weaponized attachment to sit one click away from a government caseworker. The IBM Cost of a Data Breach 2024 report ties dwell time like that directly to higher breach costs: the longer a threat sits undetected, the more it costs to contain.

See Your Risk: Calculate how many threats your SEG is missing

Indicators of Compromise

All indicators are defanged. The encrypted PDF's true link destinations could not be resolved by static analysis and are intentionally not reproduced here, because they were never recovered.

TypeIndicatorContext
Lure brandA national insurance carrierInsurance brand impersonated; message sent from its own authenticated domain
Callback phone1-800-775-7894Body contact number; does not match the brand's published support line
Callback emailmycustomerservice@[insurer-domain]Body contact address on the brand domain; alternate to real support
Attachment[Beneficiary Name]_[Case Ref]__[DocID].pdfEncrypted (RC4) 10-page PDF, ~228 KB
Attachment MD5997ed2c1d2823043af0287cb0be4bb83File hash of the encrypted PDF
PDF objects18, 20, 22, 26, 28Clickable /URI annotations, obfuscated, unresolvable under encryption
Sending pathO365 outbound protection (compauth=100)SPF, DKIM, DMARC, ARC all pass

What Actually Closes This Gap

The lesson is not "block encrypted PDFs," because real organizations send them constantly. The lesson is that a clean static verdict on content you could not inspect is not the same as safe.

First, treat the unresolvable as suspicious. An encrypted attachment whose links cannot be decoded should route to sandbox detonation with decryption, or be held pending verification, not pass on a clean parse. IRONSCALES handles this through behavioral and content inspection that does not surrender when a file refuses to open. Our advanced malware and URL attack protection is built to detonate and decode rather than trust the wrapper.

Second, stop treating authentication as a content verdict. A message from a compromised but legitimate account passes everything. Detection has to read context, sender behavior, and intent, the work our Adaptive AI engine and Themis agentic SOC analyst perform on every message rather than scoring authentication and moving on.

Third, watch for the brand-owned channels that get abused most. When a real domain sends mail that does not behave like the brand, that drift is the signal. Microsoft 365 augmentation catches what native filtering and a SEG hand off as clean. Across 1,921 organizations and 35,000 plus security professionals, the pattern repeats: SEGs miss an average of 67.5 of every 100 mailboxes worth of attacks each month, and the misses cluster exactly here, in authenticated mail with content no scanner could read.

The encrypted PDF was not the clever part. The clever part was understanding that your scanner trusts what it cannot see.

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack. What it looked like, why it worked, and what to do about it.

Related attacks

Attack What happened
The GitLab Alert That Passed Every Filter (Except One Detail Nobody Checked)A GitLab sign-in alert cleared Proofpoint URL Defense and passed SPF/DMARC — then listed a private RFC1918 IP as the sign-in source.
The Phishing Simulation Platform That Powered a Real AttackA salary adjustment lure routed through SendGrid and a Carrd landing page used phishing kit images hosted on a commercial phishing simulation vendor's own...
Microsoft Bookings as a Weapon: When DMARC Says Trust Me and ARC Quietly DisagreesA phishing email sent from bookings.microsoft.com passed every authentication check.
The Timestamp That Gave It Away: Oracle Identity Cloud Phishing Targets K-12 with a Stale TimezoneA phishing email impersonating Oracle Identity Cloud targeted a Florida school district employee.
Fake Bounce Notice With Obfuscated 'Keep My Password' Link Routes Victims to a Webmail Credential-Harvesting PageAttackers spoofed a mailer-daemon bounce notification with zero email authentication, hiding a credential-harvesting link behind obfuscated display text.

Explore More Articles

Say goodbye to Phishing, BEC, and QR code attacks. Our Adaptive AI automatically learns and evolves to keep your employees safe from email attacks.