A marketing manager at a marine manufacturing company opened her inbox to a short note in Italian from a supplier she knew. The subject line read simply: LOGO. The body announced that the supplier was sending over a file with everything about their new company logo, and offered to clarify anything. A signature image showed the supplier's anchor crest and the name of its managing director. Attached was a ZIP called Logo nuovo.zip.
Nothing about the message asked for money, credentials, or urgency. That is exactly what made it work. The payload was not in the words. It was in a file format your email gateway almost certainly does not open.
Two Verdicts on the Same Attachment
The interesting part of this case is that the same ZIP produced two opposite results.
A first-pass attachment scan returned clean. It looked at the file, saw an archive of design assets, and moved on. Deep content analysis disagreed sharply: it unpacked the archive, read what was inside, and scored the attachment at 0.90 with a CRITICAL rating.
That split is the entire story. Surface scanning checks the obvious things, including file extension, known-bad hashes, and plain executable signatures. It does not always unpack nested archives or parse the internal byte streams of vector and document formats. The deeper pass did, and it found markers that the surface pass was never built to look for.
A SEG, or secure email gateway, is the legacy appliance most organizations still rely on to inspect inbound mail. SEGs are tuned for the threats of the last decade: macro-enabled Office documents, portable executable binaries, and known malicious URLs. An archive full of design files sails past that tuning. The Verizon 2026 Data Breach Investigations Report describes a gateway-bypass mix in which roughly 10 percent of what reaches the inbox is malware-laden, a meaningful slice that does not depend on any link the user clicks. The format in this case was built to live in that slice.
What Was Actually Inside the ZIP
The 6.9 MB archive held 63 entries arranged like a real brand kit. Among them:
- BrandManual-NM.pdf, a brand-manual PDF whose data streams carried VBA-like markers, including strings such as Sub, Function, and vbaProject.
- Two EPS files, the vector versions of the supplier logo, each flagged with the same macro-like strings.
- A set of DOCX files that, notably, carried no macro hits at all.
- A separate PNG signature image that analysis judged low risk.
EPS stands for Encapsulated PostScript. It is the part most defenders overlook. An EPS file is not a static picture in the way a JPEG is. It is a PostScript program, a set of instructions a rendering engine executes to draw the image. That programmability is precisely why the format can carry more than artwork. VBA, short for Visual Basic for Applications, is the macro language that made Office documents a malware staple for years. When content inspection finds VBA-like code inside files that should contain only drawing instructions or document text, that is a signal worth stopping on.
We want to be precise about what the data shows and what it does not. The detection here is that macro-like code was present and scored as critical, not that a payload was observed running. The malicious mechanism is the delivery technique: programmable file types, seeded with code-like content, bundled in an archive behind a clean-looking PDF and image so shallow scanning declares the package safe. Whether the strings represent a fully armed dropper or an early-stage stager, the evasion design is the same, and it is the design that defeats a gateway.
Why EPS Is the Blind Spot
Map this to MITRE ATT&CK and it is a textbook case of Spearphishing Attachment, T1566.001, layered with obfuscated and packed content. The broader Phishing technique, T1566, frames the social engineering, while the nested-archive-plus-uncommon-format approach maps to defense evasion through obfuscation.
The blind spot is structural. Gateways inspect what they expect to be dangerous. EPS has a legitimate design pedigree, it is genuinely used in branding and print workflows, and it does not announce itself as code. So inspection logic that unpacks DOCX and XLSX to hunt for macros frequently treats EPS as an image and skips the parse. The Microsoft Digital Defense Report 2024 documents the steady migration of attackers toward formats and delivery paths that sit outside conventional detection, and an executable image format inside a design archive fits that pattern exactly.
The cost of the miss is not theoretical. The IBM Cost of a Data Breach research puts the global average breach near 4.9 million dollars, and the FBI IC3 2024 Annual Report tallies billions in annual losses where email is the entry point. A single clean-rated attachment is all it takes to start that chain.
The Sender Was Real, and That Is the Other Half
Authentication did not catch this because authentication was, in a narrow sense, satisfied. The message passed DKIM with a valid signature tied to the supplier's real domain. That domain published no SPF record and no DMARC policy, a mixed-authentication state that weakens spoofing protection but still allowed delivery on the strength of the DKIM pass.
DKIM, or DomainKeys Identified Mail, proves a message was signed by the claimed domain. It says nothing about whether the human behind the keyboard is trustworthy or whether the attached files are safe. Here the message came from a real supplier domain, carried a real employee's signature block, and even followed earlier legitimate correspondence between the two companies. It was also a first-time sender to the recipient mailbox.
The most likely reading is a compromised supplier account, the pattern known as vendor email compromise, where an attacker operates a genuine, authenticated mailbox to push malware into the supplier's trusted contacts. The authentication that should have been a safeguard instead laundered the attacker's reputation. You can read more on that dynamic in our overview of vendor email compromise and on why a DKIM pass is not a verdict on intent.
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| File (ZIP) | Logo nuovo.zip | Archive carrying the flagged contents |
| Hash (MD5) | 23b7b1cdabc80991110a2f184b831206 | Logo nuovo.zip |
| File (PDF) | BrandManual-NM.pdf | PDF stream flagged with VBA-like strings |
| File (EPS) | Marongiu-logo-CMYK.eps | EPS flagged with macro-like strings |
| File (EPS) | Marongiu-logo-tintapiatta.eps | EPS flagged with macro-like strings |
| Hash (MD5) | 4adcba9460942d8e1de58ec0376e6903 | Decoy signature image, low risk |
| Auth state | SPF none, DKIM pass, DMARC none | Mixed authentication on a real supplier domain |
Note that the only URLs in the message body pointed to legitimate Microsoft support pages added by the receiving mail client, not attacker infrastructure. There is no malicious link to block here. The danger was entirely in the attachment.
What Defenders Should Take From This
Stop treating attachment scanning as a hash-and-extension check. Unpack nested archives, parse the internal streams of document and vector formats, and flag code-like content wherever it has no business being. EPS, RTF, OneNote, and similar programmable formats deserve the same scrutiny as a macro-enabled spreadsheet.
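The deep-content pass described in the Two Verdicts section, applied to the archive layout above and to this recommendation, as an added example that is not the vendor's scanner: it unpacks nested ZIP containers in memory, inflates PDF streams, and reports the macro-like markers the analysis named (Sub, Function, vbaProject). The archive it scans is constructed to mirror the case and is not the real sample; the marker list and the recursion depth cap are assumptions.

```python
import io
import re
import zipfile
import zlib

VBA_MARKERS = re.compile(  # markers from the analysis plus common auto-run procedure names
    rb"vbaProject|\bSub\s+\w+\s*\(|\bFunction\s+\w+\s*\(|\bAuto_?Open\b|\bDocument_Open\b")

def pdf_streams(data: bytes):
    """Yield each PDF stream body, inflated when it is FlateDecode-compressed."""
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.S):
        try:
            yield zlib.decompressobj().decompress(m.group(1))  # trailing EOL bytes are ignored
        except zlib.error:
            yield m.group(1)  # uncompressed, or a filter not handled here: scan the raw bytes

def scan_bytes(name: str, data: bytes) -> list:
    """Return the macro-like markers found in one file (raw bytes, plus inflated PDF streams)."""
    chunks = [data] + (list(pdf_streams(data)) if name.lower().endswith(".pdf") else [])
    return sorted({h.decode("latin-1") for c in chunks for h in VBA_MARKERS.findall(c)})

def scan_archive(data: bytes, path: str = "", depth: int = 0, findings=None) -> dict:
    """Unpack a ZIP container and scan every member; recurse into nested ZIPs (DOCX/XLSX included)."""
    findings = {} if findings is None else findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = zf.read(info)
            full = f"{path}/{info.filename}" if path else info.filename
            if info.filename.lower().endswith("vbaproject.bin"):
                findings[full] = ["vbaProject.bin entry"]  # the OOXML macro container itself
            elif hits := scan_bytes(info.filename, member):
                findings[full] = hits
            if depth < 5 and zipfile.is_zipfile(io.BytesIO(member)):  # depth cap: assumed limit
                scan_archive(member, full, depth + 1, findings)
    return findings

def build_sample_zip() -> bytes:
    """Constructed stand-in for the archive (not the real sample); contents described in the lead-in."""
    pdf = (b"%PDF-1.4\n1 0 obj<</Filter/FlateDecode>>stream\n"
           + zlib.compress(b"BT (brand manual) Tj ET Sub AutoOpen()") + b"\nendstream\nendobj\n")
    eps = b"%!PS-Adobe-3.0 EPSF-3.0\n/vbaProject (stage) def\nshowpage\n"
    docx, out = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(docx, "w") as d:
        d.writestr("word/document.xml", "<w:document/>")
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("BrandManual-NM.pdf", pdf)
        z.writestr("Marongiu-logo-CMYK.eps", eps)
        z.writestr("cover.docx", docx.getvalue())
        z.writestr("signature.png", b"\x89PNG\r\n\x1a\n")
    return out.getvalue()
```

Run against the constructed archive, the PDF and EPS are flagged while the macro-free DOCX and the PNG come back clean, which is the split between the surface and deep verdicts this post describes.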
Stop treating a passing authentication result as a clean bill of health. Detection has to assume the sender can be both genuine and compromised, and weigh behavioral signals such as a first-time sender, a mixed-auth posture, and an unusual attachment type alongside the auth verdict. That is the design behind behavioral, AI-driven advanced malware and URL protection that scores the message rather than trusting the envelope.
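The recommendation above and the DKIM discussion earlier in the post, as an added example that is not the vendor's engine: it parses an Authentication-Results header and weighs the mixed-auth posture, the first-time-sender flag and the attachment types together, so the same DKIM pass that delivered this message is not enough on its own. The header value, the extension lists and the two-signal threshold are constructed assumptions.

```python
import os
import re

# Constructed Authentication-Results value in the RFC 8601 shape a receiving MX stamps on a
# message, mirroring this case: SPF none, DKIM pass on the real supplier domain, DMARC none.
CASE_HEADER = ("mx.recipient.example; spf=none smtp.mailfrom=supplier.example; "
               "dkim=pass header.d=supplier.example header.s=s1; dmarc=none header.from=supplier.example")

ARCHIVE_EXT = {".zip", ".7z", ".rar", ".iso"}
# Formats that execute or carry code even though they pass as documents or images (assumed list).
PROGRAMMABLE_EXT = {".eps", ".ps", ".pdf", ".rtf", ".one", ".docm", ".xlsm", ".vbs", ".js", ".lnk"}

def parse_auth_results(header: str) -> dict:
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} from an Authentication-Results value."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=([A-Za-z]+)", header, re.I)}

def ext(name: str) -> str:
    return os.path.splitext(name)[1].lower()

def assess(header: str, first_time_sender: bool, attachments: dict) -> dict:
    """Weigh the auth verdict with behavioural signals. attachments maps each top-level
    file name to the member names found inside it (empty list when it is not an archive)."""
    auth = parse_auth_results(header)
    reasons = []
    if auth.get("dkim") != "pass":
        reasons.append("DKIM did not pass")
    if auth.get("spf") in (None, "none") or auth.get("dmarc") in (None, "none"):
        reasons.append("mixed auth: no SPF record or no DMARC policy, so DKIM alone carried delivery")
    if first_time_sender:
        reasons.append("first-time sender to this mailbox")
    for name, members in attachments.items():
        inner = members if members else [name]
        prog = sorted({ext(m) for m in inner if ext(m) in PROGRAMMABLE_EXT})
        if prog:
            where = f"inside archive {name}" if ext(name) in ARCHIVE_EXT else f"as {name}"
            reasons.append(f"programmable format(s) {', '.join(prog)} {where}")
    # Authentication is one signal among several: two or more independent warning signs
    # route the message to deep content analysis regardless of the DKIM pass (assumed threshold).
    action = "hold for deep content analysis" if len(reasons) >= 2 else "deliver"
    return {"auth": auth, "reasons": reasons, "action": action}
```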
The logo was a pretext. The brand manual was a prop. The real work was choosing a file format your gateway was never built to open, and a sender it had every reason to trust.