
The Marketing Email That Forgot to Fill In Its Own Template

Written by Audian Paxson | Dec 23, 2025 11:00:00 AM
TL;DR A first-time Gmail sender sent a vendor-scam email offering website audit services with a critical operational mistake: the greeting read 'Hi 0' instead of a personalized name, exposing the automated mass-mail template beneath the outreach. The message contained no links and no attachments. Its sole call-to-action was a request to reply 'OK,' a classic mailbox validation technique used to confirm active addresses for follow-up phishing. The X-Mailer header claimed Microsoft Outlook 12.0 despite delivery through Gmail infrastructure. Antispam engines scored the message SCL=5 and routed it to Junk.
Severity: Medium | Tags: Reconnaissance, Vendor Scam | MITRE: T1598, T1589.002

Most phishing emails try to hide what they are. This one accidentally revealed exactly what it was. The greeting line read "Hi 0," with the raw template variable still in place, exposing the automated mail-merge system that was supposed to personalize the message before sending it. The recipient's email address, formatted as a Mustache-style placeholder, was the first thing anyone reading the email would see.

The message contained no links. No attachments. No credential forms. The only call-to-action was a request to reply "OK" if interested in a free website audit. That reply is the entire payload.

The email was flagged by antispam engines with SCL=5 and routed to Junk. One mailbox was quarantined.

A Template That Told on Itself

The email arrived from edithfisher198896@gmail[.]com with the display name "Edith." The subject line was one word: "Results." The body offered a website audit, SEO optimization, and custom design services, formatted as a brief marketing pitch. The CTA at the end asked the recipient to reply "OK" to proceed.

The template variable in the greeting was not a typo. It was a mail-merge token that the sending system was supposed to replace with the recipient's name or a generic greeting before dispatch. When the system failed to substitute the variable, it delivered the raw token, including the recipient's exact email address inside double curly braces. This tells us three things about the campaign: it runs on an automated template engine, the recipient's address was in the attacker's contact database, and the system had a processing failure that revealed its internals.

The body text itself was generic and professionally written, offering services that a legitimate freelancer might provide. There was no urgency language, no invoice, no account-suspension threat. The quality of the copy was high enough that without the template error, it could pass as unremarkable cold outreach.


Gmail Authentication, Outlook X-Mailer, and a Missing Identity

The message authenticated cleanly against Gmail's infrastructure. SPF passed for gmail.com. DKIM passed with a valid signature under d=gmail.com. DMARC passed. The sending IP resolved to mail-pf1-x432[.]google[.]com, confirming the message originated from Google's mail servers. Authentication was technically sound.

The X-Mailer header, however, claimed "Microsoft Office Outlook 12.0." This is Outlook 2007. The message was submitted to smtp.gmail.com from a client identifying as DESKTOPKC6DVET over ESMTPSA, meaning someone used an Outlook desktop client configured to send through a Gmail account. This configuration is not inherently malicious, but the combination of a personal Gmail address, a decade-old Outlook version string, and a mass-mail template is not the profile of a legitimate freelance web designer.

A public identity search for "Edith" or "edithfisher198896" returned no verifiable professional identity, no portfolio, no business registration, and no social media presence. The sender was a first-time contact to the recipient organization and was flagged as high risk by the platform.

IRONSCALES Adaptive AI classified the message as a vendor scam at 71% confidence, detecting the combination of unsolicited outreach, unverifiable sender identity, and anomalous message structure. The mailbox was quarantined after manual analyst confirmation.

Why Reply-OK is the Actual Attack

The absence of links and attachments is not a limitation of the attack. It is the design. The message exists to validate the mailbox and establish a response pattern. When a recipient replies "OK," the attacker learns four things: the address is deliverable, it is monitored by a human, that human is willing to engage with unsolicited outreach, and the response came from a specific role (in this case, an info@ mailbox, suggesting it routes to operations or sales).

This intelligence feeds the second stage. The follow-up email, which arrives days or weeks later from a different address, will contain the actual payload: a credential-harvesting link, an invoice requiring payment, or a proposal document that requires login to access. The follow-up message will reference the prior exchange ("As discussed, please find the proposal attached") to bypass the recipient's suspicion. Because the recipient initiated the conversation, the follow-up feels expected rather than unsolicited.

This two-stage pattern defeats content-based email scanners at the first stage because there is nothing to scan. No URLs to resolve. No attachments to sandbox. No credential forms to detect. The message is, by every content-based measure, clean.

MITRE ATT&CK Alignment

| Technique | ID | Application |
|---|---|---|
| Phishing for Information | T1598 | Reply-bait to validate active mailboxes and willingness to engage |
| Gather Victim Identity Information: Email Addresses | T1589.002 | Automated template system targeting role-based email addresses |

IOC Summary Table

| Type | Indicator | Context |
|---|---|---|
| Sending Email | edithfisher198896@gmail[.]com | Personal Gmail, no verifiable identity |
| Display Name | Edith | Generic, no surname |
| X-Mailer | Microsoft Office Outlook 12.0 | Outlook 2007 client string, inconsistent with Gmail delivery path |
| Subject | Results | Single-word, vague subject |
| Template Variable | Hi 0 | Exposed mail-merge token in greeting |
| CTA | Reply "OK" | Mailbox validation technique |
| SPF Result | Pass (gmail.com) | Authenticated via Google infrastructure |
| DKIM Result | Pass (d=gmail.com) | Valid signature |
| SCL | 5 | Routed to Junk by antispam engines |
| Client IP | 2401:4900:8847:150e:7cf6:3544:a495:c1d9 | Desktop client submitting via smtp.gmail.com |

Detecting Attacks That Contain Nothing to Detect

Reply-bait reconnaissance emails are deliberately minimal. They carry no technical indicators of compromise beyond sender metadata. Detection must shift from content analysis to behavioral evaluation.

Flag first-time senders requesting replies to role-based addresses. An unsolicited message to an info@, billing@, or hr@ address that asks for a simple reply is a high-probability reconnaissance probe. The lower the friction of the CTA (one word, no action required), the more likely it is a validation attempt.

Treat exposed template variables as a campaign indicator. A raw token in a delivered email confirms automated mass-mail infrastructure. It also confirms the recipient's address is in the campaign's target list. This is actionable intelligence even if the message itself is benign.

Do not dismiss zero-payload emails as harmless. The absence of links and attachments means content-based scanners will clear the message. Behavioral models that evaluate sender history, CTA patterns, and personalization quality are the detection surface for this class of attack.
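The behavioural checks described above, plus the X-Mailer/delivery-path mismatch from the header analysis earlier, as an added Python triage example that is not part of the original post or of the IRONSCALES product. The message it parses is a constructed sample modelled on the one described, with placeholder addresses, hostname and IP; the role-mailbox list and the quarantine thresholds are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the message in the post; address, host and IP are placeholders.
SAMPLE = """\
From: Edith <sender-placeholder@gmail.com>
To: info@example.com
Subject: Results
X-Mailer: Microsoft Office Outlook 12.0
Received: from DESKTOP-EXAMPLE (198.51.100.7) by smtp.gmail.com with ESMTPSA; Tue, 23 Dec 2025 11:00:00 +0000
Content-Type: text/plain; charset="utf-8"

Hi {{email}},

We reviewed your website and found several issues. We offer audits, SEO and custom design.
Reply OK if you are interested.
"""
ROLE_LOCALPARTS = {"info", "billing", "hr", "sales", "admin"}  # assumed role mailboxes
TEMPLATE_TOKEN = re.compile(r"\{\{.*?\}\}|\bHi 0\b")         # raw mail-merge token
REPLY_BAIT = re.compile(r"\breply\b.{0,20}\b(ok|yes|interested)\b", re.I | re.S)

def score_reply_bait(raw, known_senders):
    """Return (score, reasons): one point per behavioural signal the post describes."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    body = "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in msg.walk() if p.get_content_type() == "text/plain")
    reasons = []
    if sender not in known_senders and recipient.split("@")[0] in ROLE_LOCALPARTS:
        reasons.append("first-time sender to role-based mailbox")
    has_link = bool(re.search(r"https?://", body, re.I))
    has_attachment = any(p.get_filename() for p in msg.walk())
    if REPLY_BAIT.search(body) and not has_link and not has_attachment:
        reasons.append("reply-bait CTA with no links or attachments")  # zero-payload probe
    if TEMPLATE_TOKEN.search(body):
        reasons.append("exposed mail-merge token in greeting")  # automated campaign
    received = " ".join(msg.get_all("Received", [])).lower()
    if "outlook" in msg.get("X-Mailer", "").lower() and "smtp.gmail.com" in received:
        reasons.append("Outlook X-Mailer but submitted via smtp.gmail.com")
    return len(reasons), reasons

def verdict(raw, known_senders=frozenset()):
    """Assumed thresholds: 3+ signals quarantine, 1-2 analyst review, 0 allow."""
    score, _ = score_reply_bait(raw, known_senders)
    return "quarantine" if score >= 3 else ("review" if score else "allow")
```

The point of the scoring is that no single signal is decisive; the sample only reaches quarantine because the reply-bait CTA, the exposed token and the client mismatch stack on top of the first-contact check.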

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 30,000+ security professionals. Each post breaks down one attack — what it looked like, why it worked, and what you can do about it.