Table of Contents
The Trust Signal That Became the Hiding Place
Encryption is supposed to be the good guy. We tell users to look for it, we reward senders who use it, and gateways treat an encrypted document as a sign of a careful sender rather than a careless one. This attack inverts that assumption completely.
An eligibility specialist at a state health and human services agency received an email that looked, by every measurable signal, entirely legitimate. It came from a real, nationally known insurance carrier, through that brand's own mail infrastructure. It carried a professionally written body and a PDF attachment named for a specific beneficiary case. The attachment was encrypted. And that encryption is exactly what let the malicious links inside it slip past automated inspection untouched.
A secure email gateway, or SEG, is the legacy filtering layer most organizations still run in front of their mailboxes to scan inbound messages, links, and attachments. In this case the SEG had nothing to scan. The links were locked inside an encrypted file it could not open.
How the Message Moved
The mechanics here are quieter than a typical phishing teardown because so little of the attack happens in the open.
The email arrived from a Customer Service Analyst persona on the carrier's own domain. The body read: "Attached is the document requested. If you need further assistance, please contact Customer Service at 1-800-775-7894 or via email at mycustomerservice@[insurer-domain]. Please do not reply to this email." It referenced a single PDF attachment as the only action to take.
The attachment was a ten-page PDF, roughly 228 KB, named for a real beneficiary and a policy case reference. It was encrypted with RC4. Static analysis could open the wrapper but not the contents. Inside, the file carried five clickable link annotations, PDF objects 18, 20, 22, 26, and 28, each containing a /URI string that was non-ASCII and obfuscated. Because the document was encrypted, none of those destinations could be resolved. The scanner could confirm the links existed but could not see where they pointed.
That maps cleanly to two MITRE ATT&CK techniques: Phishing: Spearphishing Attachment (T1566.001) for the delivery, and Obfuscated Files or Information (T1027) for the encrypted, scrambled URIs that defeated inspection.
Why Authentication Did Not Save Anyone
Here is the part that should bother every defender. Every authentication check passed.
SPF, the record that authorizes which servers may send for a domain, passed. DKIM, the cryptographic signature that ties a message to its sending domain, passed and aligned to the brand's own domain. DMARC, the policy that tells receivers what to do when those checks fail, passed under the brand's own published reject policy. ARC passed. Microsoft's composite authentication scored the message at 100. The mail relayed through Microsoft 365, or O365, outbound protection, the same trusted hosted mail path that delivers billions of legitimate corporate messages a day.
This was not a spoofed look-alike domain. The message genuinely originated from the brand's own authenticated infrastructure, the strongest indicator that a real account or system was abused to send it. Authentication answers the question "did this come from where it claims," and the answer was an honest yes. What authentication cannot answer is "is the content safe." Those are different questions, and the gap between them is where this attack lived.
The Verizon 2026 Data Breach Investigations Report puts phishing behind 16 percent of initial access into breached environments, with credentials involved in 39 percent of incidents. The DMARC standard exists precisely to stop domain spoofing, and it works. It simply does not apply when the sender is the real domain. The Microsoft Digital Defense Report 2024 makes the same point about abuse of trusted cloud mail paths, and the FBI IC3 2024 report documents how brand-impersonation and business email fraud continue to lead reported losses.
The Detection Gap, Step by Step
Reconstruct the verdict chain and the blind spot is obvious.
The body links were three Microsoft support and aka.ms URLs, part of the standard external-sender warning banner, and they scanned clean. They were never the payload. The payload links were inside the encrypted PDF, and the scanner returned a clean verdict on the attachment because it found no JavaScript, no embedded executables, and no readable links. There was nothing to flag, because encryption had hidden everything worth flagging.
The social engineering reinforced the file. The callback phone number, 1-800-775-7894, and the email address in the body did not match the brand's primary published customer service line, 1-800-775-6000. An attacker who plants alternate contact details is building a trap for the careful user, the one who tries to verify and ends up calling the attacker.
No automated engine raised a strong verdict. There was no confident AI label, no decisive score. What ultimately stopped this message was a person: it was quarantined and approved manually three days after it landed in the inbox. Three days is a long time for a weaponized attachment to sit one click away from a government caseworker. The IBM Cost of a Data Breach 2024 report ties dwell time like that directly to higher breach costs: the longer a threat sits undetected, the more it costs to contain.
See Your Risk: Calculate how many threats your SEG is missing
Indicators of Compromise
All indicators are defanged. The encrypted PDF's true link destinations could not be resolved by static analysis and are intentionally not reproduced here, because they were never recovered.
| Type | Indicator | Context |
|---|---|---|
| Lure brand | A national insurance carrier | Insurance brand impersonated; message sent from its own authenticated domain |
| Callback phone | 1-800-775-7894 | Body contact number; does not match the brand's published support line |
| Callback email | mycustomerservice@[insurer-domain] | Body contact address on the brand domain; alternate to real support |
| Attachment | [Beneficiary Name]_[Case Ref]__[DocID].pdf | Encrypted (RC4) 10-page PDF, ~228 KB |
| Attachment MD5 | 997ed2c1d2823043af0287cb0be4bb83 | File hash of the encrypted PDF |
| PDF objects | 18, 20, 22, 26, 28 | Clickable /URI annotations, obfuscated, unresolvable under encryption |
| Sending path | O365 outbound protection (compauth=100) | SPF, DKIM, DMARC, ARC all pass |
What Actually Closes This Gap
The lesson is not "block encrypted PDFs," because real organizations send them constantly. The lesson is that a clean static verdict on content you could not inspect is not the same as safe.
First, treat the unresolvable as suspicious. An encrypted attachment whose links cannot be decoded should route to sandbox detonation with decryption, or be held pending verification, not pass on a clean parse. IRONSCALES handles this through behavioral and content inspection that does not surrender when a file refuses to open. Our advanced malware and URL attack protection is built to detonate and decode rather than trust the wrapper.
Second, stop treating authentication as a content verdict. A message from a compromised but legitimate account passes everything. Detection has to read context, sender behavior, and intent, the work our Adaptive AI engine and Themis agentic SOC analyst perform on every message rather than scoring authentication and moving on.
Third, watch for the brand-owned channels that get abused most. When a real domain sends mail that does not behave like the brand, that drift is the signal. Microsoft 365 augmentation catches what native filtering and a SEG hand off as clean. Across 1,921 organizations and 35,000 plus security professionals, the pattern repeats: SEGs miss an average of 67.5 of every 100 mailboxes worth of attacks each month, and the misses cluster exactly here, in authenticated mail with content no scanner could read.
The encrypted PDF was not the clever part. The clever part was understanding that your scanner trusts what it cannot see.
Related attacks
| Attack | What happened |
|---|---|
| The GitLab Alert That Passed Every Filter (Except One Detail Nobody Checked) | A GitLab sign-in alert cleared Proofpoint URL Defense and passed SPF/DMARC — then listed a private RFC1918 IP as the sign-in source. |
| The Phishing Simulation Platform That Powered a Real Attack | A salary adjustment lure routed through SendGrid and a Carrd landing page used phishing kit images hosted on a commercial phishing simulation vendor's own... |
| Microsoft Bookings as a Weapon: When DMARC Says Trust Me and ARC Quietly Disagrees | A phishing email sent from bookings.microsoft.com passed every authentication check. |
| The Timestamp That Gave It Away: Oracle Identity Cloud Phishing Targets K-12 with a Stale Timezone | A phishing email impersonating Oracle Identity Cloud targeted a Florida school district employee. |
| Fake Bounce Notice With Obfuscated 'Keep My Password' Link Routes Victims to a Webmail Credential-Harvesting Page | Attackers spoofed a mailer-daemon bounce notification with zero email authentication, hiding a credential-harvesting link behind obfuscated display text. |
Explore More Articles
Say goodbye to Phishing, BEC, and QR code attacks. Our Adaptive AI automatically learns and evolves to keep your employees safe from email attacks.