The email came from FedEx. Not a lookalike domain. Not a spoofed header. The actual fedex[.]com infrastructure, with SPF, DKIM, and DMARC all passing. The subject line referenced a real air waybill format: "Pre-arrival Notification TH from FedEx AWB# 886382800188." The body requested customs clearance action on an incoming shipment.
Attached was a three-page PDF. Inside: customs documentation rendered entirely as images. No selectable text. No embedded fonts. No metadata that a text-based scanner could extract. When the sandbox attempted OCR on the images, it failed. Three pages of content, and the automated analysis pipeline saw nothing.
This is sandbox evasion through content format rather than code obfuscation. The attacker did not need to encrypt the file or embed malicious scripts. They just made the content unreadable to machines.
Legitimate Infrastructure, Compromised Account
The sending address was chakris.punnoi@fedex[.]com. SPF passed for FedEx's authorized sending infrastructure. DKIM passed for fedex[.]com. DMARC aligned. A secondary DKIM signature for myfedex[.]onmicrosoft[.]com failed, suggesting the message was also routed through a Microsoft 365 tenant associated with FedEx's internal systems.
Every link in the email body pointed to legitimate fedex[.]com resources. There were no attacker-controlled domains in the message. The PDF file, 886382800188_1126135231_13657.pdf, was 79,559 bytes across three pages with a creation date of November 26, 2025, four months before the email was sent.
Two signals pointed toward a compromised account rather than a legitimate shipment. The greeting used a misspelled generic salutation instead of addressing the recipient by name, a grammatical error inconsistent with FedEx's professional communications. And the To field included bestfreightaey15@gmail[.]com alongside the primary recipient, an unexpected personal Gmail address in what should have been a B2B customs notification.
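The header-level signals described above (a passing SPF/DKIM/DMARC chain with a failing secondary DKIM signature, a free-mail address mixed into the recipient list, and a generic salutation) can be checked mechanically. The script below is an added example, not code from the original post or from any vendor product it mentions. The raw message is constructed here from the post's description (the defanged addresses are written in plain form so they parse, the `Authentication-Results` header follows the RFC 8601 layout, and the misspelled greeting is invented); the free-mail domain list and the salutation regex are simple heuristics, not anything the post specifies.

```python
"""Header-level triage for a message like the one described above.

Added example, not code from the original post. It parses a constructed raw
message, reads SPF/DKIM/DMARC verdicts from the Authentication-Results header,
flags a secondary DKIM failure behind an otherwise passing chain, spots a
free-mail recipient mixed into a corporate delivery list, and checks for a
generic or misspelled salutation.
"""
import email
import re
from email import policy
from email.utils import getaddresses

# Constructed sample modelled on the post's description; the defanged
# addresses from the write-up are used in plain form so they parse.
SAMPLE_MESSAGE = b"""\
From: chakris.punnoi@fedex.com
To: customs@example-importer.test, bestfreightaey15@gmail.com
Subject: Pre-arrival Notification TH from FedEx AWB# 886382800188
Authentication-Results: mx.example-importer.test;
 spf=pass smtp.mailfrom=fedex.com;
 dkim=pass header.d=fedex.com;
 dkim=fail header.d=myfedex.onmicrosoft.com;
 dmarc=pass header.from=fedex.com
Content-Type: text/plain; charset=us-ascii

Dear Custumer,
Please take customs clearance action on the incoming shipment.
"""

# Heuristic lists, assumptions of this example rather than anything the post gives.
FREE_MAIL_DOMAINS = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com", "yahoo.com"}
GENERIC_GREETING = re.compile(r"^\s*(dear|hello|hi)\s+(cust\w*|sir|madam|user|client|valued)\b", re.I)


def parse_auth_results(header: str) -> list[tuple[str, str, str]]:
    """Return (method, verdict, domain) triples from an Authentication-Results value."""
    clauses = header.split(";")[1:]          # drop the leading authserv-id
    triples = []
    for clause in clauses:
        m = re.search(r"\b(spf|dkim|dmarc)=(\w+)", clause)
        if not m:
            continue
        d = re.search(r"(?:header\.d|header\.from|smtp\.mailfrom)=([\w.-]+)", clause)
        triples.append((m.group(1), m.group(2).lower(), d.group(1).lower() if d else ""))
    return triples


def triage(raw: bytes) -> dict:
    """Collect the three delivery-chain signals and return them with a summary list."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    passed = {meth for meth, verdict, _ in auth if verdict == "pass"}
    chain_passes = {"spf", "dkim", "dmarc"} <= passed
    failed_dkim = [dom for meth, verdict, dom in auth if meth == "dkim" and verdict != "pass"]

    # Every visible recipient, To and Cc, split into free-mail and corporate groups.
    recipients = [addr.lower() for _, addr in getaddresses(
        [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])])]
    domains = [a.rsplit("@", 1)[-1] for a in recipients]
    free_mail = [a for a, d in zip(recipients, domains) if d in FREE_MAIL_DOMAINS]
    corporate = [a for a, d in zip(recipients, domains) if d not in FREE_MAIL_DOMAINS]

    # First non-empty body line is taken as the salutation.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    first_line = next((ln for ln in text.splitlines() if ln.strip()), "")
    generic_greeting = bool(GENERIC_GREETING.match(first_line))

    signals = []
    if chain_passes and failed_dkim:
        signals.append("secondary DKIM failure (%s) behind a passing SPF/DKIM/DMARC chain"
                       % ", ".join(failed_dkim))
    if free_mail and corporate:
        signals.append("free-mail recipient(s) %s mixed into a corporate delivery list"
                       % ", ".join(free_mail))
    if generic_greeting:
        signals.append("generic salutation: %r" % first_line.strip())
    return {"chain_passes": chain_passes, "failed_dkim": failed_dkim,
            "free_mail_recipients": free_mail, "generic_greeting": generic_greeting,
            "signals": signals}


if __name__ == "__main__":
    for line in triage(SAMPLE_MESSAGE)["signals"]:
        print("-", line)
```

None of these signals is a verdict on its own: a secondary DKIM failure is common when mail is relayed through a second tenant, and free-mail recipients are normal in some B2B traffic. The value is in their convergence on a first-time sender, which is why the function returns all three rather than stopping at the first hit.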
The Scanner Blind Spot That Images Create
Text-based PDF analysis is the backbone of most email security scanning. Scanners extract text, evaluate it against threat signatures, and check embedded URLs. An image-based PDF defeats all three steps. The text extraction returns nothing. There are no signatures to match. And URLs rendered as pixels in an image are invisible unless the scanner runs OCR successfully.
The PDF's creation date of November 2025 introduced an additional anomaly. Legitimate customs notifications are generated at the time of shipment, not months in advance. A document created four months before the email suggests either template reuse or a pre-staged impersonation kit waiting for deployment through a compromised account.
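The two attachment anomalies above, an image-only document and a creation date far ahead of delivery, are visible in the PDF's structure without any OCR. The following is an added example, not code from the original post: it builds a constructed three-page PDF fixture (one image XObject per page, no text, no fonts, FlateDecode-compressed content streams), then counts page objects, image XObjects, font objects and text-showing operators and compares the Info dictionary's CreationDate with the delivery date. The delivery date of March 26, 2026 is an assumption consistent with the post's "four months"; the 30-day staleness threshold is likewise an assumption. The parser is a deliberately small regex pass that tolerates one level of dictionary nesting and only the FlateDecode filter; a production scanner would use a full PDF library.

```python
"""Structural triage for an image-only PDF attachment.

Added example, not code from the original post. It counts page objects,
image XObjects, font objects and text-showing operators, reads the
CreationDate from the Info dictionary, and compares it with the delivery
date. The PDF fixture is constructed here so the script runs offline.
"""
import re
import zlib
from datetime import date

# Stream objects: dictionary (one nesting level tolerated) followed by raw data.
STREAM = re.compile(rb"(<<(?:[^<>]|<<[^<>]*>>)*>>)\s*stream\r?\n(.*?)\r?\nendstream", re.S)
TEXT_BLOCK = re.compile(rb"\bBT\b(.*?)\bET\b", re.S)
CREATION = re.compile(rb"/CreationDate\s*\(D:(\d{4})(\d{2})(\d{2})")


def build_pdf(pages: int, creation: str, text: bool = False) -> bytes:
    """Construct a minimal PDF fixture: every page draws one 1x1 image (default)
    or one line of Helvetica text. Content streams are FlateDecode-compressed so
    the parser exercises the same path a real attachment takes."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [%s] /Count %d >>"
            % (b" ".join(b"%d 0 R" % (4 + 3 * i) for i in range(pages)), pages),
            b"<< /Producer (constructed fixture) /CreationDate (D:%s) >>" % creation.encode()]
    for i in range(pages):
        c, r = 5 + 3 * i, 6 + 3 * i          # content stream and resource object numbers
        if text:
            res = b"/Font << /F1 %d 0 R >>" % r
            ops = b"BT /F1 12 Tf 72 700 Td (Customs clearance notice) Tj ET"
            extra = b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>"
        else:
            res = b"/XObject << /Im1 %d 0 R >>" % r
            ops = b"q 612 0 0 792 0 0 cm /Im1 Do Q"
            extra = (b"<< /Type /XObject /Subtype /Image /Width 1 /Height 1 /ColorSpace /DeviceGray"
                     b" /BitsPerComponent 8 /Length 1 >>stream\n\x80\nendstream")
        data = zlib.compress(ops)
        objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Resources << %s >>"
                    b" /Contents %d 0 R >>" % (res, c))
        objs.append(b"<< /Length %d /Filter /FlateDecode >>stream\n%s\nendstream" % (len(data), data))
        objs.append(extra)
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for n, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (n, body)
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % o for o in offsets)
    out += (b"trailer\n<< /Size %d /Root 1 0 R /Info 3 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref))
    return bytes(out)


def analyze(pdf: bytes, delivered_on: date, stale_after_days: int = 30) -> dict:
    """Count structural features and return the anomaly signals found."""
    pages = len(re.findall(rb"/Type\s*/Page\b", pdf))      # \b excludes /Pages
    images = len(re.findall(rb"/Subtype\s*/Image\b", pdf))
    fonts = len(re.findall(rb"/Type\s*/Font\b", pdf))
    text_blocks = 0
    for sdict, data in STREAM.findall(pdf):
        if b"/FlateDecode" in sdict:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue                       # a stream that will not inflate is left uncounted
        # Only BT..ET blocks that actually show text (Tj/TJ) count as text content.
        text_blocks += sum(1 for blk in TEXT_BLOCK.findall(data) if re.search(rb"\bT[jJ]\b", blk))
    m = CREATION.search(pdf)
    created = date(*map(int, m.groups())) if m else None
    age_days = (delivered_on - created).days if created else None

    signals = []
    if pages and images and text_blocks == 0 and fonts == 0:
        signals.append(f"image-only document: {pages} page(s), {images} image(s), no text or fonts")
    if age_days is not None and age_days > stale_after_days:
        signals.append(f"created {age_days} days before delivery")
    return {"pages": pages, "images": images, "fonts": fonts, "text_blocks": text_blocks,
            "created": created, "age_days": age_days, "signals": signals}


# Assumed delivery date: the post gives only "four months" after November 26, 2025.
DELIVERED_ON = date(2026, 3, 26)
IMAGE_ONLY_PDF = build_pdf(3, "20251126120000")
TEXT_PDF = build_pdf(3, "20260326090000", text=True)

if __name__ == "__main__":
    for name, pdf in (("image-only", IMAGE_ONLY_PDF), ("text", TEXT_PDF)):
        print(name, analyze(pdf, DELIVERED_ON)["signals"])
```

Counting fonts alongside text operators matters: a document with zero `/Type /Font` objects cannot render selectable text at all, so the check does not depend on OCR succeeding or on decoding every content stream. Running the text fixture through the same function shows that an ordinary three-page text document produces no signals.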
Adaptive AI flagged the behavioral convergence: a first-time sender from FedEx infrastructure, an image-only PDF with failed OCR, grammatical anomalies in the greeting, and an unexpected Gmail recipient mixed into the delivery list. The message was quarantined before the recipient could act on the customs clearance request.
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Sender Email | chakris.punnoi@fedex[.]com | Likely compromised FedEx account |
| Sender Domain | fedex[.]com | Legitimate FedEx infrastructure, SPF/DKIM/DMARC pass |
| Secondary DKIM | myfedex[.]onmicrosoft[.]com | DKIM fail on secondary Microsoft 365 signature |
| Attachment | 886382800188_1126135231_13657.pdf | Image-based PDF (79,559 bytes, 3 pages) |
| PDF Creation Date | November 26, 2025 | Four months before email delivery |
| Unexpected Recipient | bestfreightaey15@gmail[.]com | Personal Gmail in B2B customs notification |
| AWB Reference | 886382800188 | Air waybill number in subject line |
MITRE ATT&CK Mapping
| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Attachment | T1566.001 | Image-based PDF attachment for customs clearance lure |
| Obfuscated Files or Information | T1027 | Image-only PDF evading text extraction and OCR |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Legitimate FedEx branding and infrastructure |
Related attacks
| Attack | What happened |
|---|---|
| The Encrypted PDF From a Reuters Lookalike Domain, Sent Through Amazon SES | A phishing email from a Reuters lookalike domain delivered an AES-encrypted PDF with AcroForm fields through Amazon SES. |
| The Italian Certified Email That Wrapped Its Payload in S/MIME | A phishing email arrived through Italy's certified email system (PEC) with the payload wrapped in an S/MIME smime.p7m container. |
| The Bank Statement You Had to Unlock With Your Birthday: PII-Gated PDF Evasion From Authenticated Infrastructure | A fully authenticated email from banking infrastructure delivered a password-protected PDF that required the recipient's mobile number and date of birth... |
| The LinkedIn Invoice That Passed Every Email Check | A recently registered LinkedIn lookalike domain passed SPF, DKIM, and DMARC, then sent a one-line invoice probe to an accounts payable mailbox. |
| Three Domains, One Scam: The RFQ That Routed Replies to a Freshly Built Lookalike | An RFQ email passed SPF, DKIM, and DMARC through one domain, impersonated a construction supplier through a second. |