An email with no subject line arrived at a community healthcare organization. The body was empty. The only content was a single JPEG attachment: a fabricated Geek Squad renewal invoice for $270, complete with a 24-hour cancellation deadline and a phone number. No links, no URLs, no scannable text. The entire phishing payload existed inside an image.
An Image as the Entire Attack Surface
The attachment, 34GE1RIEDYLJ.jpg (269 KB), contained everything the attacker needed the recipient to see. OCR extraction revealed a "Renewal Confirmation" header with Geek Squad branding, an invoice number (ET QW-728834-Z82803-ODVJVZ dated May 22, 2026), a line item for "Advanced Protection Plan 2/7" at $270.00, and a help desk number: 828-424-4048.
The urgency mechanic was standard callback phishing: "If you did not authorize this transaction, you have 24 hours to initiate a cancellation." The recipient does not need to believe they subscribed. They only need to feel uncertain enough to call.
This is Telephone-Oriented Attack Delivery (TOAD). There are no URLs for link scanners to evaluate, no attachments with executable content for sandboxes to detonate, and no text-based indicators for NLP engines to parse. The attack lives entirely in pixel data, which means detection depends on whether the security stack performs image analysis or OCR.
The Brand Mismatch That Revealed the Assembly Line
The header said "Geek Squad." The footer said "Copyright; 2026 Windows Defender." Two different brands in the same invoice. This is not a failure of technique; it is a failure of template management. The attacker recycled an invoice template from a Windows Defender campaign and did not update the footer.
This kind of brand mismatch is a reliable indicator of industrialized phishing operations running multiple campaigns from a shared template library.
Authentication and Infrastructure
The email was sent from stubin1178@hotmail[.]com (display name "Raymond Herman") and relayed through a FortiMail cloud gateway (IP 148[.]230[.]56[.]132). SPF failed at the final hop because the FortiMail relay was not included in Hotmail's SPF record. DKIM passed with d=hotmail[.]com. DMARC passed. Microsoft assigned SCL=5 with a CAT=PHISH designation.
The FortiMail relay introduced the SPF failure, but the original authentication chain was valid. This is a common pattern when an organizational gateway relays inbound mail: the downstream MTA evaluates SPF against the relay's connecting IP, which is not in the sender domain's SPF record, so SPF fails even though the original sender's infrastructure is properly configured. DMARC still passes because the DKIM signature survives the hop and is aligned with the From domain. The practical caveat is that a DMARC pass from hotmail[.]com only proves the message originated from a Hotmail account; it says nothing about whether that account is trustworthy.
What Caught It
Themis flagged the message at 90% confidence with labels including "Vishing Attack," "Image-Based Attack," and "VIP Recipient." The detection was not based on a malicious URL or a known-bad sender. It was based on the convergence of behavioral signals: a first-time sender with an empty subject line, an image-only payload matching known TOAD invoice patterns, and a high-value recipient at a healthcare organization.
What to Watch For
Image-only payloads with no subject line and no body text are a strong TOAD indicator, and a first-time sender on a free-mail domain strengthens it. If your email security stack cannot perform OCR on image attachments, callback phishing with image payloads will consistently bypass detection: the phone number, dollar amount, and countdown deadline that would normally trip text-based rules never reach them. Once OCR text is available, the same indicators (a phone number next to a deadline, an invoice amount, conflicting brand names) can be scored like any other message text.
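The checks described above, as an added example that is not code from the original page or from the Themis product it describes. It parses a constructed .eml that reproduces the structural signature (no Subject header, empty text part, one JPEG attachment), reads the receiving MTA's Authentication-Results header, and runs indicator extraction over OCR text. The OCR engine is a stub returning constructed text modelled on what the page reports, so the example runs offline; the addresses, the header values and the 17-byte JPEG stub are placeholders. In production the stub would be replaced with a real engine such as `pytesseract.image_to_string(...)`.

```python
import email
import re
from email import policy

# Brand strings to look for in OCR output. Geek Squad / Windows Defender is the mismatch
# the page describes; the others come from the related-attack list on the same page.
BRANDS = ("geek squad", "windows defender", "mcafee", "webroot")
PHONE_RE = re.compile(r"\b\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b")     # NANP-style numbers
DEADLINE_RE = re.compile(r"\b(\d{1,3})\s*hours?\b", re.IGNORECASE)  # "24 hours"
AMOUNT_RE = re.compile(r"\$\d{1,6}(?:\.\d{2})?")                    # "$270.00"
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)    # Authentication-Results

# Constructed .eml with the structural signature from the page: no Subject header, an empty
# text part, and a single JPEG attachment. Addresses are placeholders and the base64 payload
# is a 17-byte stub carrying only JPEG SOI/EOI markers, not the real image.
SAMPLE_EML = b"""\
Authentication-Results: mx.healthcare.example; spf=fail smtp.mailfrom=hotmail.example;
 dkim=pass header.d=hotmail.example; dmarc=pass header.from=hotmail.example
From: "Raymond Herman" <sender@hotmail.example>
To: vip@healthcare.example
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit


--b1
Content-Type: image/jpeg; name="34GE1RIEDYLJ.jpg"
Content-Disposition: attachment; filename="34GE1RIEDYLJ.jpg"
Content-Transfer-Encoding: base64

/9j/4AAAAAAAAAAAAAAA/9k=
--b1--
"""

# Constructed OCR output, modelled on the text the page reports extracting from the image.
SAMPLE_OCR_TEXT = """\
Renewal Confirmation
Geek Squad
Invoice: ET QW-728834-Z82803-ODVJVZ    Date: May 22, 2026
Advanced Protection Plan 2/7                $270.00
If you did not authorize this transaction, you have 24 hours to initiate a cancellation.
Help Desk: 828-424-4048
Copyright 2026 Windows Defender
"""


def stub_ocr(image_bytes: bytes) -> str:
    """Stand-in for a real OCR engine so the example runs offline. In production swap in
    pytesseract.image_to_string(Image.open(io.BytesIO(image_bytes)))."""
    return SAMPLE_OCR_TEXT


def parse_auth_results(msg) -> dict:
    """Pull the spf/dkim/dmarc verdicts out of the receiving MTA's Authentication-Results."""
    header = str(msg.get("Authentication-Results", ""))
    return {k.lower(): v.lower() for k, v in AUTH_RE.findall(header)}


def extract_image_signals(text: str) -> dict:
    """Callback-phishing indicators in OCR text: phone numbers, money, deadlines, brands."""
    lower = text.lower()
    brands = [b for b in BRANDS if b in lower]
    return {
        "phones": PHONE_RE.findall(text),
        "amounts": AMOUNT_RE.findall(text),
        "deadline_hours": [int(h) for h in DEADLINE_RE.findall(text)],
        "brands": brands,
        "brand_mismatch": len(brands) > 1,   # e.g. Geek Squad header, Windows Defender footer
    }


def analyze(raw_eml: bytes, ocr=stub_ocr) -> dict:
    """Structural, authentication and OCR checks; returns the signals and a verdict."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    signals = []
    if not str(msg.get("Subject", "")).strip():
        signals.append("empty subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or not body.get_content().strip():
        signals.append("empty body")
    attachments = list(msg.iter_attachments())
    images = [p for p in attachments if p.get_content_maintype() == "image"]
    if attachments and len(images) == len(attachments):
        signals.append("image-only payload")
    auth = parse_auth_results(msg)
    if auth.get("dmarc") == "pass" and auth.get("spf") != "pass":
        # DMARC passed on the aligned DKIM signature alone: proves the domain, not the sender.
        signals.append("dmarc pass via dkim only")
    image_results = []
    for part in images:
        data = part.get_content()                    # decoded attachment bytes
        findings = extract_image_signals(ocr(data))  # the step a gateway without OCR cannot do
        findings.update(filename=part.get_filename(), size=len(data))
        image_results.append(findings)
        if findings["phones"] and findings["deadline_hours"]:
            signals.append("callback number with deadline in image")
    required = {"image-only payload", "callback number with deadline in image"}
    verdict = "TOAD" if required <= set(signals) else "review"
    return {"signals": signals, "auth": auth, "images": image_results, "verdict": verdict}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_EML), indent=2))
```

The verdict deliberately requires both the structural signature and an OCR hit: an image-only message alone is what a scanned document from a colleague looks like, and a phone number alone is what a legitimate invoice looks like. The "dmarc pass via dkim only" signal is recorded but not required, since it describes the recipient's relay topology rather than the attacker.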
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Sender Email | stubin1178@hotmail[.]com | Hotmail account, display name "Raymond Herman" |
| FortiMail Relay | *[.]fortimailcloud[.]com | Recipient organization's cloud relay, not attacker infrastructure; its extra hop caused the SPF failure at the final hop |
| Relay IP | 148[.]230[.]56[.]132 | FortiMail relay IP address (listed for correlation in mail logs, not for blocking) |
| Attachment | 34GE1RIEDYLJ.jpg | JPEG image, 269,275 bytes, entire payload |
| Callback Number | 828-424-4048 | TOAD callback number in invoice image |
| Invoice Number | ET QW-728834-Z82803-ODVJVZ | Fabricated Geek Squad invoice reference |
| Reference String | WIHEOSHS5FLRNC5JMZ8BYUML3GZOXSRQ7M3SD4TE | Internal campaign tracking token |
MITRE ATT&CK Mapping
| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Attachment | T1566.001 | Image attachment as sole delivery mechanism |
| Phishing: Spearphishing Voice | T1566.004 | Callback phishing: the image carries only a phone number, and the victim's call to it continues the attack |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Geek Squad brand impersonation with recycled Windows Defender template |
Related attacks
| Attack | What happened |
|---|---|
| McAfee Invoice Scam Weaponized a Google Calendar Invite 71 Minutes After Domain Registration | A same-day registered domain abused Google Calendar invites to deliver a McAfee/Webroot invoice scam with a callback phone number. |
| The LinkedIn Invoice That Passed Every Email Check | A recently registered LinkedIn lookalike domain passed SPF, DKIM, and DMARC, then sent a one-line invoice probe to an accounts payable mailbox. |
| A Fake Geek Squad Invoice Built by wkhtmltopdf With a mailto as the Only Way Out | A Hotmail account delivered a fake Geek Squad invoice as a PDF generated by wkhtmltopdf 0.12.6, a tool that converts HTML templates to PDF at scale. |
| Three Domains, One Scam: The RFQ That Routed Replies to a Freshly Built Lookalike | An RFQ email passed SPF, DKIM, and DMARC through one domain, impersonated a construction supplier through a second. |
| 136 Bytes Was All It Took: The SVG That Redirected to a Credential Harvest | A 136-byte SVG attachment used a JavaScript onload event to redirect the browser to a credential-harvesting page. |