Threat Intelligence

No Payload, No Links, No Attachments. Just a Fake Reply Thread, a Hidden BCC, and a Read Receipt Doing Recon.

Written by Audian Paxson | Apr 25, 2025 11:00:00 AM
TL;DR A threat actor sent a text-only email from a free Hotmail account using a fake 'RE:' subject to imply an existing relationship, delivered it via BCC so the victim's address never appeared in the To field, and embedded a read-receipt request to confirm active mailboxes. The body solicited a direct phone number to enable an off-channel follow-up. SPF, DKIM, and DMARC all passed. There were no links, no attachments, and nothing for a scanner to analyze. IRONSCALES Phishing SOC Agent analysis flagged the behavioral cluster at 90% confidence and quarantined the message automatically.
Severity: High. Tags: BEC, Phone Harvest, Mailbox Enumeration, Social Engineering. MITRE ATT&CK: T1566 (Phishing), T1598 (Phishing for Information), T1656 (Impersonation).

The email landed in a senior HR executive's inbox at a cybersecurity firm. Five sentences. No links. No attachments. Nothing a scanner could quarantine.

The subject said they had spoken before.

"RE: Complete Accountants or bookkeepers Expert"

The "RE:" was manufactured. There was no prior thread. The attacker built the illusion of a relationship out of two characters and a familiar-sounding topic.

That was the entire technical payload.

The Anatomy of a Trust-First Attack

Business Email Compromise in its most stripped-down form is not a technical exploit. It is a conversation gambit. The goal of this message was not to deliver malware or steal credentials. It was to get a phone number.

The sender, "Grace Ray" from ray.webconsultant@hotmail[.]com, posed as a bookkeeping firm representative. The body referenced a previous outreach about accounting services and asked for availability and a direct phone number.

No urgency. No threat. No authority impersonation.

HR and finance contacts control payroll, vendor payments, and employee data. A polite inquiry appearing to reference a prior exchange does not read as an attack. It reads as a follow-up. According to the FBI's 2024 Internet Crime Report, BEC generated over $2.77 billion in reported losses in a single year. The median BEC does not open with a wire transfer demand. It opens with a message designed to establish credibility.

Three Layers of Stealth Before a Word Gets Read

The attacker did not rely solely on the content to do its work. The delivery mechanism itself was engineered for evasion.

The fake reply thread. The "RE:" prefix signals an existing conversation to both the recipient and any automated classifier. The References and In-Reply-To headers reinforced the illusion with three fabricated Message-IDs implying a multi-message exchange going back days. Thread-reply signals are commonly associated with legitimate mail and can reduce suspicion scoring in rule-based systems.

BCC delivery. The To header showed the sender's own address. The victim's mailbox received the message via BCC, meaning the recipient's address appeared nowhere in the visible headers. A security analyst reviewing the headers would see only the attacker's address with no visibility into who else received the same email.

The read receipt as reconnaissance. The Disposition-Notification-To header pointed to ray.webconsultant@hotmail[.]com. When the recipient opens the message, their email client fires an automatic notification to the attacker confirming the mailbox is active. No click required. No link followed. This is live-mailbox enumeration without a tracking pixel, without a URL, and without any artifact that link-scanning tools can evaluate.

All three mechanisms operate entirely in the header layer. The body could contain completely benign text and the attack infrastructure would still function.


Authentication Passed. That Was Never the Point.

The email arrived through Microsoft's outbound Exchange Online Protection infrastructure from IP 2a01:111:f403:d409::1 (PTR: mail-centralindiaazolkn190110001.outbound.protection.outlook[.]com). SPF passed, DKIM passed, DMARC passed. Composite authentication returned compauth=pass reason=100. A real Hotmail account, properly configured, using exactly the infrastructure it is authorized to use.

Authentication was never a variable in this attack. No spoofed domain. No compromised vendor account. A free webmail address, a short text body, and three header choices were sufficient.

Microsoft's spam scoring assigned SCL:5 and SFV:SPM, correctly identifying the bulk-send pattern. What spam scoring cannot determine is whether a message that looks like mass outreach is the opening move of targeted financial fraud. The Verizon 2026 Data Breach Investigations Report attributes 62% of breaches to the human element. Text-only social engineering is the attack surface that authentication controls were never built to evaluate.

Why Attackers Ask for Phone Numbers

A phone number is not the end goal. It is the bridge.

Voice calls allow impersonation with no sender authentication to inspect. SMS bypasses every email control in place. The vishing follow-up is a documented BEC escalation pattern: gather just enough through low-risk initial contact to enable a higher-value move, mapped to MITRE ATT&CK T1598 (Phishing for Information).

For an HR executive, the downstream scenarios are specific: payroll redirect, W-2 exfiltration, direct deposit change, vendor payment authorization. Many workflows require a verbal confirmation call. The attacker with a phone number and a fabricated prior email thread is positioned to make that call.

How Adaptive AI Catches What There Is Nothing to Scan

IRONSCALES Phishing SOC Agent analysis flagged this message at 90% confidence and automatically quarantined it before the recipient saw it. No link to detonate. No attachment to sandbox. No URL reputation to query.

The detection surface was behavioral:

  • First-time external sender: A free webmail account with no prior send history is anomalous for a legitimate professional inquiry.
  • BCC delivery pattern: The visible To field showing the sender's own address while mail arrived elsewhere is a recognized bulk-targeting signal.
  • Read-receipt header: Disposition-Notification-To on an unsolicited free-webmail message correlates with list-harvesting campaigns.
  • Fabricated thread headers: References and In-Reply-To citing Message-IDs with no corresponding inbound chain is a structural inconsistency behavioral models flag as manipulation.
  • Community signal: Across the IRONSCALES community, similar BCC campaigns with read-receipt mechanics had already been resolved as phishing at high confidence.

No single signal was sufficient in isolation. The combination established a behavioral fingerprint the system could act on automatically.

What Defenders Should Watch For

The standard defensive question, "what is the malicious artifact?", has no answer here. The attack exists entirely in header choices and five sentences of text.

Fake thread indicators. "RE:" or "FW:" subject prefixes from first-time external senders, especially when References and In-Reply-To cite Message-IDs with no corresponding inbound message, warrant scrutiny regardless of content.

BCC as a targeting signal. Inbound external email where the recipient does not appear in To or CC should be treated as potentially mass-targeted. The concealment is intentional.

Read-receipt requests from first-time senders. Disposition-Notification-To on unsolicited external email is reconnaissance. Disabling automatic read-receipt responses at the server level removes this data channel from attackers.

Phone-number solicitation. Any unsolicited external email requesting a direct number should be flagged for human review before any response is sent.

BEC protection that depends on analyzing payload content scores this email at near-zero risk. There is no payload. Detection requires modeling communication patterns, sender history, and header consistency, then acting on the combination before an artifact appears.
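The header-only checks described in this section and in the detection breakdown above, as an added example that is not IRONSCALES code: it parses a constructed message reproducing the pattern (fake RE: thread with unknown Message-IDs, BCC delivery, read-receipt request from a first-time free-webmail sender) and combines the signals into a score. The `known_msgids` and `seen_senders` sets stand in for the organization's own mail history and are assumptions.

```python
import re
from email import message_from_bytes, policy
from email.utils import getaddresses, parseaddr

# Constructed sample reproducing the header pattern described above; the
# addresses and Message-IDs are placeholders, not the incident's real values.
RAW = b"""From: Grace Ray <sender@freemail.example>
To: sender@freemail.example
Subject: RE: Complete Accountants or bookkeepers Expert
Message-ID: <m4@freemail.example>
In-Reply-To: <m3@freemail.example>
References: <m1@freemail.example> <m2@freemail.example> <m3@freemail.example>
Disposition-Notification-To: sender@freemail.example
Content-Type: text/plain

Following up on my earlier note about bookkeeping. What is your direct phone number?
"""

FREE_WEBMAIL = {"hotmail.com", "outlook.com", "gmail.com", "yahoo.com", "freemail.example"}
MSGID_RE = re.compile(r"<[^<>]+>")

def header_signals(raw, recipient, known_msgids, seen_senders):
    """Return (score, reasons) from header-layer signals only; the body is never scanned."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    first_time = sender not in seen_senders and sender.rsplit("@", 1)[-1] in FREE_WEBMAIL
    reasons = []
    if first_time:
        reasons.append("first-time free-webmail sender")
    # Fake thread: reply-style subject whose cited Message-IDs were never seen inbound or outbound.
    subject = str(msg.get("Subject", "")).strip().lower()
    thread_headers = msg.get_all("References", []) + msg.get_all("In-Reply-To", [])
    cited = set(MSGID_RE.findall(" ".join(str(v) for v in thread_headers)))
    if re.match(r"(re|fw|fwd):", subject) and cited and not (cited & known_msgids):
        reasons.append("reply prefix with unknown thread Message-IDs")
    # BCC delivery: the real recipient is absent from every visible To/Cc address.
    visible = {a.lower() for _, a in getaddresses(
        [str(v) for h in ("To", "Cc") for v in msg.get_all(h, [])])}
    if recipient.lower() not in visible:
        reasons.append("recipient hidden (BCC delivery)")
    # Read receipt requested by a sender we have never corresponded with.
    if msg.get("Disposition-Notification-To") and first_time:
        reasons.append("read-receipt request from unknown sender")
    return len(reasons), reasons

def verdict(score, threshold=3):
    """No single signal quarantines; the combination does (threshold is an assumption)."""
    return "quarantine" if score >= threshold else "deliver"
```

The same message from a sender already in the mail history, replying to a Message-ID the organization actually sent, drops to a single signal and is delivered.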

The attack was text. The detection was behavioral. The gap between those two is where most email security stacks still live.

---

Indicators of Compromise

| Indicator | Type | Notes |
| --- | --- | --- |
| ray.webconsultant@hotmail[.]com | Sender address | Attacker-controlled free Hotmail account; first-time external sender |
| 2a01:111:f403:d409::1 | Sending IP | Microsoft EOP outbound (Hotmail); legitimate infrastructure used for a malicious send |
| mail-centralindiaazolkn190110001.outbound.protection.outlook[.]com | PTR record | Reverse DNS for the sending IP; confirms Hotmail outbound routing |
| ray.webconsultant@hotmail[.]com | Read-receipt target | Disposition-Notification-To set to the attacker's address for inbox validation |

---

MITRE ATT&CK Mapping

| Technique | ID | Relevance |
| --- | --- | --- |
| Phishing | T1566 | Unsolicited email with a social engineering pretext targeting an HR contact |
| Phishing for Information | T1598 | Read receipt as passive inbox validation; direct solicitation of a phone number for off-channel escalation |
| Impersonation | T1656 | Fabricated "RE:" thread subject and multi-message References chain to manufacture familiarity and trust |

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
