The subject line read "[FAX] 300564241." The body contained two lines: "Proof of pregnancy" and "Sent from my iPhone." An HTML attachment sat at the bottom of the message, 24,669 bytes, waiting to be opened.
It arrived from a Gmail address, morgancgooding@gmail[.]com, with full SPF, DKIM, and DMARC authentication. This was not a spoofed sender. Google's infrastructure confirmed the message was legitimately sent through Gmail. Every automated scanner that evaluated the attachment returned a clean verdict.
The curiosity factor was the entire weapon. The bizarre combination of a fax notification and a pregnancy reference created exactly the kind of cognitive dissonance that makes people click. That instinct to investigate is what social engineering exploits at scale.
The HTML file, named a1f939ee-aacc-49c9-8488-8b0e537c0aac.html, carried an MD5 hash of 71c8586fc813ed173c905f09756b3364. At nearly 25KB, it was large enough to contain substantial obfuscated JavaScript and a full credential harvesting form.
HTML attachment phishing works because the payload executes locally in the recipient's browser, not on a remote server. There is no URL for a gateway to scan. There is no domain reputation to check. The file renders from the local filesystem, presenting a login form or data collection page that captures credentials and transmits them to an attacker-controlled endpoint.
In this case, the sandbox environment could not even extract the file's contents, returning a FileNotFoundError during automated analysis. When a scanner cannot inspect a file, it typically fails open: an analysis error is reported as a clean verdict rather than as an unknown. The attachment passed every gate.
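The two points above, that an HTML attachment carries its whole credential-harvesting payload locally and that an analysis error must not become a clean verdict, can be made concrete in a static pre-filter. The following is an added example, not code from the post or from the vendor's gateway: a small inspector that parses an HTML attachment for login forms, password fields, external form actions and common JavaScript decoding calls, and returns "error" instead of "clean" whenever analysis fails. The sample attachment bytes are constructed for the example and are not the file from the case; the endpoint `collector.example.test` is a placeholder.

```python
import html.parser
import re
from dataclasses import dataclass, field

# Constructed sample shaped like the pattern described in the post: an inline
# script using a decoder call and a login form posting to an external endpoint.
# Synthetic test data, not the attachment from the case; base64 decodes to "placeholder".
SAMPLE_ATTACHMENT = b"""<html><body>
<script>var u = atob("cGxhY2Vob2xkZXI=");</script>
<form id="login" action="https://collector.example.test/post" method="post">
<input name="email"><input type="password" name="pass"><input type="submit">
</form></body></html>"""

# Constructed benign attachment: static text, no form, no script.
BENIGN_ATTACHMENT = b"<html><body><p>Fax cover sheet. 1 page.</p></body></html>"


@dataclass
class Findings:
    forms: int = 0
    password_fields: int = 0
    external_actions: list = field(default_factory=list)
    inline_scripts: int = 0
    decoders: int = 0  # atob / unescape / fromCharCode / eval calls inside <script>


class HtmlInspector(html.parser.HTMLParser):
    """Collects the indicators a credential-harvesting HTML file tends to carry."""

    def __init__(self):
        super().__init__()
        self.f = Findings()
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.f.forms += 1
            action = a.get("action", "")
            # A form that posts to a remote origin from a local file is the exfil path.
            if action.startswith(("http://", "https://")):
                self.f.external_actions.append(action)
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.f.password_fields += 1
        elif tag == "script":
            self.f.inline_scripts += 1
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> content to handle_data as raw text.
        if self._in_script:
            self.f.decoders += len(
                re.findall(r"\b(atob|unescape|fromCharCode|eval)\s*\(", data)
            )


def inspect_html(raw: bytes) -> Findings:
    parser = HtmlInspector()
    parser.feed(raw.decode("utf-8", errors="replace"))
    parser.close()
    return parser.f


def verdict(raw) -> str:
    """Return 'clean', 'suspicious' or 'error'.

    Any exception during analysis yields 'error' so the caller can quarantine
    or route to manual review, instead of defaulting to 'clean' (fail closed).
    """
    try:
        f = inspect_html(raw)
    except Exception:
        return "error"
    if f.password_fields or f.external_actions or f.decoders:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_ATTACHMENT), ("benign", BENIGN_ATTACHMENT), ("unreadable", None)):
        print(label, verdict(blob))
```

Passing `None` stands in for the FileNotFoundError case: the inspector never sees the bytes, and the result is "error", which the mail flow should treat as a hold rather than a pass.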
The email body contained no links, no corporate branding, no urgency language, and no instructions. The "Sent from my iPhone" signature is a stock iOS footer that adds a layer of casual legitimacy. The entire social engineering payload was compressed into three elements: a fax number in the subject, a provocative phrase in the body, and an HTML file that answered the question the recipient was already asking.
This is a credential harvesting technique that inverts the typical phishing model. Instead of building an elaborate pretext to convince the recipient the email is legitimate, the attacker built a pretext so strange that the recipient's curiosity overrides their caution.
Adaptive AI flagged the message based on first-time sender signals, the mismatch between the Gmail sending address and the fax notification pretext, and behavioral patterns associated with HTML attachment delivery. The gateway quarantined the message before the recipient could open the file.
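The signals named above (first-time sender, a system-notification pretext sent from a personal Gmail mailbox, and HTML attachment delivery) do not require a sandbox to extract the file. The following is an added example, not the vendor's model or code from the post: a header-and-structure scorer over a constructed EML that reproduces the shape of the message (fax-number subject, two-line body, HTML attachment, passing SPF/DKIM/DMARC). The sender address, recipient and the attachment body are placeholders; the known-sender set and the weights are assumptions chosen for illustration.

```python
import email
import re
from email import policy

# Constructed message modelled on the case: authenticated personal-mailbox sender,
# fax-number subject, two-line body, HTML attachment. Sender, recipient and the
# attachment bytes are placeholders, not the originals.
SAMPLE_EML = b"""From: firsttime.sender@gmail.com
To: recipient@example.test
Subject: [FAX] 300564241
Authentication-Results: mx.example.test; spf=pass; dkim=pass; dmarc=pass
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Proof of pregnancy
Sent from my iPhone
--b1
Content-Type: text/html; charset=utf-8
Content-Disposition: attachment; filename="notice.html"

<html><body>placeholder</body></html>
--b1--
"""

FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
# Machine-generated notification themes that a personal mailbox does not normally send.
NOTIFICATION_PRETEXT = re.compile(r"\b(e-?fax|fax|voicemail|scan(?:ned)?)\b", re.I)
URL_RE = re.compile(r"https?://", re.I)
QUARANTINE_THRESHOLD = 5  # assumed weight threshold for this example


def authentication_passed(msg) -> bool:
    """True when SPF, DKIM and DMARC all report pass. Informational only:
    a pass proves the mailbox sent it, not that the mailbox is trustworthy."""
    results = " ".join(msg.get_all("Authentication-Results", []))
    return all(f"{m}=pass" in results for m in ("spf", "dkim", "dmarc"))


def score_message(raw: bytes, known_senders: set):
    """Return (score, reasons) from sender history, pretext/domain mismatch and structure."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg["from"].addresses[0].addr_spec.lower()
    domain = sender.rsplit("@", 1)[1]
    subject = str(msg["subject"] or "")
    score, reasons = 0, []

    if sender not in known_senders:
        score += 2
        reasons.append("first-time sender")

    if domain in FREEMAIL_DOMAINS and NOTIFICATION_PRETEXT.search(subject):
        score += 3
        reasons.append("system-notification pretext sent from a personal mailbox")

    html_attachments = [
        p for p in msg.iter_attachments() if p.get_content_type() == "text/html"
    ]
    if html_attachments:
        score += 3
        reasons.append(f"html attachment ({len(html_attachments)})")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    if len(body.split()) < 20 and not URL_RE.search(body):
        score += 1
        reasons.append("sparse body with no links (payload is in the attachment)")

    return score, reasons


def decide(score: int) -> str:
    return "quarantine" if score >= QUARANTINE_THRESHOLD else "deliver"


if __name__ == "__main__":
    s, why = score_message(SAMPLE_EML, known_senders=set())
    print(decide(s), s, why, "auth passed:", authentication_passed(
        email.message_from_bytes(SAMPLE_EML, policy=policy.default)))
```

Note that `authentication_passed` is deliberately not subtracted from the score: the post's point is that full SPF/DKIM/DMARC alignment only confirms the Gmail account sent the message, so it cannot offset the content signals.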
| Type | Indicator | Context |
|---|---|---|
| Sender Email | morgancgooding@gmail[.]com | Real or compromised Gmail account |
| Subject | [FAX] 300564241 | Fax notification pretext |
| Attachment | a1f939ee-aacc-49c9-8488-8b0e537c0aac.html | HTML credential harvesting file (24,669 bytes) |
| Attachment Hash (MD5) | 71c8586fc813ed173c905f09756b3364 | HTML file hash |
| Scanner Verdict | Clean | All automated scanners returned clean |

| MITRE ATT&CK Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Attachment | T1566.001 | HTML attachment delivering credential harvesting payload |
| User Execution: Malicious File | T1204.002 | Requires recipient to open HTML file in browser |