
One Word, One File: A Fax-Lure HTML Attachment That Routed Credential Theft Through a Legitimate Form Provider

Written by Audian Paxson | Apr 9, 2025 11:00:00 AM
TL;DR: A compromised domain for an aged US plumbing company sent a single-word email ('FYI') with an HTML attachment whose filename mimicked a fax work-order number. Inside, a fax-service notification with a HIPAA urgency hook presented login, reply, and download buttons that posted to a credential-harvest form on Brevo's sibforms[.]com. SPF passed through the domain's webmail host. DKIM was absent. No body links meant no URL detonation surface. The attachment scanner returned clean. Detection relied on sender-risk signals and behavioral context.
Severity: High | Tags: Credential Harvesting, HTML Attachment, Phishing | MITRE: T1566.001, T1598.003, T1036

The message body was one word. "FYI."

There were no links inside it, no calls to action, no urgency copy. The subject line referenced a work order and a credit confirmation. The From address was a local-part that looked like a fax service sending from a domain that had been registered since 1998. SPF passed. DKIM was absent. The attachment scanner returned clean.

The payload was a 12-kilobyte HTML file named to look like a fax work-order number.

This case is about what happens when the attacker moves every malicious element off the email body and into a file the scanner cannot fully examine. No link to detonate. No URL to score. No macro. The entire threat lives inside an attachment that looks like a fax notification.

The compromised domain as a reputation laundry

The sending domain had been registered since 1998, nearly three decades old at the time of the attack. Age, by itself, is a credibility signal that both humans and filters weigh. An attacker who gains access to an old domain's outbound mail host inherits that reputation without having to build it.

The outbound path in this case ran through the domain's own webmail provider, a pair.com hosting stack. That IP was listed in the domain's SPF record, so the authentication check passed cleanly. DKIM was absent, which removes the cryptographic guarantee that the message content was not tampered with in transit. DMARC returned a best-guess pass rather than a definitive alignment result, a weaker signal than full DMARC enforcement would provide.

The Microsoft Exchange Online anti-spam stack assigned SCL=5 and routed the message to junk. That friction matters, but it is not a block. A recipient with permissive folder rules, or one looking for a misfiled message, can still open it.

A fax notification designed for a healthcare audience

The attachment was named FAX#93382529.html. The number mirrors the work-order reference in the subject line, giving the file a surface continuity with the email that makes it look like supporting documentation rather than a payload.

Inside, the lure presented as a fax-service notification. The pretext carried a HIPAA framing, which is a deliberate pressure mechanism. In healthcare-adjacent organizations, HIPAA urgency shortens the review window. The recipient is primed to act quickly on anything described as a compliance-sensitive communication. The buttons inside the attachment, labeled for login, reply, and download, each posted to a credential-harvest form hosted on Brevo's sibforms[.]com.

That hosting choice is the second evasion layer. Brevo is a legitimate marketing platform with a clean domain reputation. A URL-reputation check on sibforms[.]com returns nothing malicious because the domain itself is not malicious. The individual form path inherits the parent domain's clean score.

This is the structural problem with credential harvesting via trusted-platform forms. The attacker provisions a form on an existing legitimate service and points their fake login pages at it. The reputation gap between their objective and what the scanner measures is the entire attack surface.

Why the HTML attachment was the only place to look

The email body contained zero links. That is intentional. Every standard email security control that operates on URL content (sandbox detonation, reputation lookup, click-time scanning) had nothing to evaluate. The only artifact carrying attacker intent was the HTML file, and the scanner's verdict on the file was clean.

The technique maps to HTML smuggling at its core: moving the active content out of the detectable body and into an attachment that opens in the browser as a functional page. An HTML form renders a convincing interface and posts credentials when submitted. No macros, no obfuscation.
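Because the form is the whole payload, the one static check a defender can run on such an attachment is to enumerate its forms, decide which ones collect credentials, and compare each form's action host with the brand the page claims to be. The following is an added example (not IRONSCALES code and not taken from the lure itself); the sample HTML is constructed, the sibforms.com host comes from the indicators in this post, the form path is a placeholder, and "faxvendor.example" is a hypothetical impersonated brand.

```python
"""Static triage of an HTML attachment: list the forms it contains, flag those
that collect credentials, and flag those whose action posts to a host outside
the brand the page claims to be. Added example, not IRONSCALES code."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristics for "this form collects credentials" (assumed, illustrative).
CREDENTIAL_INPUT_TYPES = {"password"}
CREDENTIAL_NAME_HINTS = ("pass", "pwd", "user", "login", "email")


class FormExtractor(HTMLParser):
    """Collect every <form> with its action, method and <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lowercases tag and attribute names
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "inputs": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({
                "type": (a.get("type") or "text").lower(),
                "name": (a.get("name") or "").lower(),
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def collects_credentials(form):
    """True if any input looks like a username, e-mail or password field."""
    for inp in form["inputs"]:
        if inp["type"] in CREDENTIAL_INPUT_TYPES:
            return True
        if any(hint in inp["name"] for hint in CREDENTIAL_NAME_HINTS):
            return True
    return False


def triage_html_attachment(html_text, claimed_brand_domains=()):
    """Return one finding per credential-collecting form.

    claimed_brand_domains: hosts the page purports to belong to (the vendor
    it impersonates). A credential form whose action host is not one of them
    is an off-brand post, the pattern described in the article.
    """
    parser = FormExtractor()
    parser.feed(html_text)
    findings = []
    for form in parser.forms:
        if not collects_credentials(form):
            continue
        host = (urlparse(form["action"]).hostname or "").lower()
        on_brand = any(host == d or host.endswith("." + d)
                       for d in claimed_brand_domains)
        findings.append({
            "action_host": host,
            "method": form["method"],
            "external_post": bool(host) and not on_brand,
        })
    return findings


# Constructed stand-in for the lure: a fax-notification page whose login
# button posts to a form endpoint on sibforms.com (host from the article;
# the path is a placeholder, not a real form id).
SAMPLE_LURE = """<html><body>
<h2>New fax received - HIPAA-sensitive document</h2>
<form action="https://sibforms.com/PLACEHOLDER-FORM-PATH" method="post">
  <input type="email" name="email">
  <input type="password" name="password">
  <button type="submit">Login to view</button>
</form>
</body></html>"""

if __name__ == "__main__":
    # "faxvendor.example" is a hypothetical brand the page claims to be.
    for finding in triage_html_attachment(SAMPLE_LURE, ("faxvendor.example",)):
        print(finding)
```

The check deliberately ignores domain reputation: sibforms.com scores clean on any reputation feed, so the signal has to come from the mismatch between a credential form and a third-party form host, not from the host being bad.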

This maps to three MITRE ATT&CK techniques: Phishing: Spearphishing Attachment (T1566.001) for the delivery mechanism, Phishing for Information: Spearphishing via Service (T1598.003) for the harvest form hosted on a third-party platform, and Masquerading (T1036) for the filename that mimics a legitimate fax work-order reference.

The detection gap is the empty body

A secure email gateway's primary detection surface is the message body: links to detonate, domains to check, content patterns to score. When that surface is empty, the detection load shifts entirely onto the attachment. Sandboxing an HTML file that renders a form and posts to a legitimate provider returns no malware verdict, because the form itself is not malware. The damage happens when the victim types their credentials and clicks submit.

What did fire were behavioral signals: first-time external sender, high sender-risk score, the absence of any prior relationship between the sending address and the affected mailboxes. Those signals do not depend on inspecting content. They depend on knowing what normal looks like for a given mailbox and recognizing that this message did not fit it.

Indicators of compromise

| Type | Indicator | Context |
| --- | --- | --- |
| Domain | [a compromised plumbing-company domain] | Compromised sender domain, registered 1998, webmail used as outbound relay |
| Email | humblefax[@][compromised sender domain] | Attacker-controlled local-part on the compromised domain |
| Attachment | FAX#93382529.html (MD5: 658bae79bac0928fea4cc423e792d212) | HTML fax-lure, 12,892 bytes, credential-harvest form inside |
| URL | hxxps://sibforms[.]com (Brevo form endpoint) | Credential-harvest form hosted on legitimate marketing platform |
| Auth | SPF pass, DKIM none, DMARC bestguesspass | Webmail relay authorized in SPF; no cryptographic content signature |
| Behavior | Zero body links | Entire payload in attachment; no URL detonation surface in body |

What actually caught it

The attachment scanner returned clean, and the body gave URL analysis nothing to work with. Detection rested on first-time sender status, elevated sender-risk scoring, and the behavioral pattern of a single-word body paired with an HTML attachment on an aged domain that had never contacted these mailboxes before. Those signals are relationship-based, not content-based.

The FBI's IC3 2024 report documents credential theft as one of the most common enablers of downstream fraud. CISA's phishing guidance emphasizes that technical controls alone do not cover the gap when malicious content sits outside the inspectable body. The operational check is behavioral: treat HTML attachments from first-time senders with no prior correspondence as high-risk regardless of attachment scanner verdict.
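The behavioral check above can be written down as a rule: parse the SPF/DKIM/DMARC verdicts from the Authentication-Results header, then score relationship and structure signals (first-time sender, no prior correspondence, HTML attachment with an empty body and no links) without giving domain age any credit. The following is an added example, not IRONSCALES code or the actual Adaptive AI logic; the weights are illustrative assumptions, and the Authentication-Results value, sender domain and IP are constructed placeholders in the Exchange Online header style rather than the real compromised domain.

```python
"""Relationship-based triage of an inbound message, with the Authentication-
Results value parsed for the SPF/DKIM/DMARC combination seen in this case.
Added example, not IRONSCALES code; weights are illustrative assumptions."""
import re
from dataclasses import dataclass


def parse_authentication_results(header_value):
    """Pull the spf=, dkim= and dmarc= verdicts out of an Authentication-Results
    value. Parenthesised comments and property=value pairs are ignored."""
    verdicts = {}
    for clause in header_value.split(";"):
        m = re.match(r"\s*(spf|dkim|dmarc)=([A-Za-z]+)", clause, re.I)
        if m:
            verdicts[m.group(1).lower()] = m.group(2).lower()
    return verdicts


@dataclass
class MessageContext:
    sender_address: str
    sender_seen_before: bool      # any prior mail from this sender into the org
    prior_correspondence: bool    # recipient has exchanged mail with this sender
    body_word_count: int
    body_link_count: int
    html_attachment_count: int
    sender_domain_age_days: int   # recorded for the analyst; carries no weight
    auth: dict                    # output of parse_authentication_results


def score_message(ctx):
    """Return (score, reasons). Domain age is deliberately not a mitigating
    factor: an aged, compromised domain lends exactly this kind of credibility."""
    score, reasons = 0, []
    if not ctx.sender_seen_before:
        score += 30
        reasons.append("first-time external sender")
    if not ctx.prior_correspondence:
        score += 20
        reasons.append("no prior relationship with recipient")
    if ctx.html_attachment_count:
        score += 25
        reasons.append("HTML attachment present")
        if ctx.body_link_count == 0:
            score += 15
            reasons.append("zero body links: payload lives in the attachment")
        if ctx.body_word_count <= 3:
            score += 15
            reasons.append("near-empty body paired with HTML attachment")
    if ctx.auth.get("spf") == "pass" and ctx.auth.get("dkim", "none") == "none":
        score += 10
        reasons.append("SPF pass with no DKIM signature")
    if ctx.auth.get("dmarc") == "bestguesspass":
        score += 5
        reasons.append("DMARC best-guess pass, not an aligned pass")
    return score, reasons


def verdict(score):
    """Assumed thresholds: 70+ high, 40+ medium, otherwise low."""
    return "high" if score >= 70 else "medium" if score >= 40 else "low"


# Constructed Authentication-Results value; domain and IP are placeholders.
SAMPLE_AUTH_RESULTS = (
    "spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=plumbing-co.example; "
    "dkim=none (message not signed) header.d=none; "
    "dmarc=bestguesspass action=none header.from=plumbing-co.example"
)

# Constructed context mirroring the case: one-word body, no links, one HTML
# attachment, 27-year-old domain that has never written to this mailbox.
SAMPLE_LURE = MessageContext(
    sender_address="humblefax@plumbing-co.example",
    sender_seen_before=False,
    prior_correspondence=False,
    body_word_count=1,
    body_link_count=0,
    html_attachment_count=1,
    sender_domain_age_days=27 * 365,
    auth=parse_authentication_results(SAMPLE_AUTH_RESULTS),
)

if __name__ == "__main__":
    score, reasons = score_message(SAMPLE_LURE)
    print(verdict(score), score, reasons)
```

None of the scored inputs require opening the attachment or resolving a URL, which is the point: the rule fires on what the gateway already knows about the sender relationship and message shape, so a clean attachment verdict does not suppress it.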


A secure email gateway inspects what it can reach. When the only active content is inside an HTML file that posts to a reputable third-party host, there is nothing for it to fault. IRONSCALES data shows SEGs miss an average of 67.5 phishing emails per 100 mailboxes each month. The defense is behavioral: who is this sender, have they ever reached this mailbox before, and why is the body a single word.

One word. One file. That is the entire attack surface the recipient saw.

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack. What it looked like, why it worked, and what to do about it.
