A Fake Geek Squad Invoice Built by wkhtmltopdf With a mailto as the Only Way Out

TL;DR A first-time Hotmail sender (MaribethAlexa946L20@hotmail[.]com, display name 'Alexa Maribeth') delivered a one-page PDF attachment to a recipient. The email body contained only a token string (XBUM-174105-SH6OEE-O40F18) and the recipient's name, forcing the target to open the attachment for context. The PDF carried Geek Squad branding with a Windows Defender reference, a fabricated charge, and a 24-hour cancellation/refund deadline. The PDF creator tag was wkhtmltopdf 0.12.6, an open-source HTML-to-PDF rendering engine, revealing that the invoice was mass-produced from an HTML template rather than manually crafted. The only actionable element in the PDF was a mailto link pointing to heather@theaterchurch[.]com, not a phone number. Replying to that address likely initiates a callback scam where the attacker pivots the victim to a phone conversation for remote access or payment extraction. The PDF contained no JavaScript, no AcroForm fields, no embedded files, and no HTTP links. Every automated scanner returned a clean verdict. SPF, DKIM, and DMARC all passed for hotmail[.]com via Microsoft outbound infrastructure. IRONSCALES Adaptive AI flagged the behavioral anomalies and quarantined the message.
Severity: High. Tags: Callback Phishing, Brand Impersonation, Invoice Fraud. MITRE ATT&CK: T1566.001 (Phishing: Spearphishing Attachment); T1656 (Impersonation).

The email body was two lines: a token string and a name. Nothing else. The entire attack lived inside the PDF attachment, and the PDF contained nothing a scanner would flag.

In late 2025, IRONSCALES detected a TOAD (Telephone-Oriented Attack Delivery) campaign built on a fake Geek Squad invoice. The invoice was not hand-crafted. The PDF creator metadata read wkhtmltopdf 0.12.6, an open-source HTML-to-PDF rendering engine. This was factory output. The only actionable element in the document was a mailto link to an address at a church domain. No links. No JavaScript. No malware. Clean across every scanner.

Two Lines in the Body, Everything Else in the Attachment

The email arrived from MaribethAlexa946L20@hotmail[.]com with the display name "Alexa Maribeth." First-time sender. HIGH risk classification. SPF, DKIM, and DMARC all passed for hotmail[.]com via Microsoft outbound infrastructure. Authentication was clean because the sender genuinely used Hotmail to send the message.

The body contained exactly two elements: the token XBUM-174105-SH6OEE-O40F18 and [Recipient Name]. No greeting. No context. No explanation of what the token meant or why it was sent.

This is deliberate minimalism. The body gives the recipient nothing to act on. The only way to understand the email is to open the attachment. The token string mimics a transaction reference number, creating the expectation that the attachment will explain it.

A PDF Built on an Assembly Line

The attachment was a one-page PDF carrying Geek Squad branding with a Windows Defender reference. It presented a fabricated charge and a 24-hour cancellation/refund deadline. The document had no JavaScript, no AcroForm fields, no embedded files, and no HTTP links. Every automated scanner returned a clean verdict because there was nothing technical to find.

The forensic tell is the creator tag: wkhtmltopdf 0.12.6. This is not a tool that end users run to create personal invoices. It is a command-line rendering engine that takes HTML input and produces PDF output. Attackers build phishing templates in HTML with variable placeholders for amounts, dates, reference numbers, and branding elements, then render each variant to PDF with a single command. One template, thousands of invoices, each with a unique token and amount.

The presence of wkhtmltopdf in the creator metadata is a production fingerprint. It tells you the PDF was not exported from Word, not saved from a browser, and not generated by any legitimate invoicing system. It was rendered from a template designed for volume.

The FTC's analysis of tech support and refund scams documents how attackers use fabricated charges and short refund windows to create urgency. The Geek Squad brand is among the most commonly impersonated in this category because it is widely recognized and associated with subscription-based services that consumers may not closely track.

The mailto That Replaces the Phone Number

Most TOAD attacks use a phone number as the sole call to action. This one used a mailto link: heather@theaterchurch[.]com.

The domain theaterchurch[.]com does not belong to Geek Squad, Best Buy, or any technology support organization. The personal name "heather" in the local part is meant to signal a real person on the other end. Whether the address routes to a compromised mailbox or one the attacker controls directly, the function is the same: establish contact, build rapport, and pivot to a phone call.

The vishing follow-up is predictable. The victim replies asking about the charge. The attacker responds with a phone number or initiates a call. On the phone, the "support agent" walks the victim through a "refund process" that involves granting remote desktop access, logging into a bank account, or entering payment information. The 24-hour deadline in the PDF is the pressure mechanism that keeps the victim moving through the funnel without pausing to verify.

This maps to MITRE ATT&CK T1566.001 (Phishing: Spearphishing Attachment). The PDF is the delivery vehicle. It does not exploit a vulnerability. It delivers a social engineering payload through visual content. T1656 (Impersonation) covers the Geek Squad and Windows Defender brand abuse that gives the invoice its credibility.


Why Every Scanner Said Clean

The PDF contained no executable code, no form fields, no embedded objects, and no outbound network calls. A mailto link is not a URL that resolves to a server. It opens a local email client. There is no domain to reputation-check, no file to detonate, no redirect chain to follow. The SEG evaluated the technical surface and found nothing.

That is the entire point. The attacker did not need to evade detection. They built an attack with no detectable components. The payload is a branded image, a fabricated charge, a deadline, and a reply address. All of it is social engineering rendered as static content. Detection requires analyzing what the document says, not what it does.

Themis flagged the behavioral anomaly cluster: a first-time Hotmail sender, a near-empty body designed to force attachment opening, and a PDF with no technical payload but clear social engineering patterns. The message was quarantined before the recipient engaged.

Indicators of Compromise

Type | Indicator | Context
Sender email | MaribethAlexa946L20@hotmail[.]com | First-time sender, display name "Alexa Maribeth"
Reply-to (mailto) | heather@theaterchurch[.]com | Only actionable element in the PDF attachment
Token | XBUM-174105-SH6OEE-O40F18 | Fabricated reference number in the email body
PDF creator | wkhtmltopdf 0.12.6 | HTML-to-PDF rendering engine; indicates template-driven mass production
Brand impersonation | Geek Squad + Windows Defender | Mixed branding in a single invoice PDF
Authentication | SPF/DKIM/DMARC pass for hotmail[.]com | Legitimate Hotmail sending infrastructure
Urgency mechanism | 24-hour cancellation/refund deadline | Standard pressure tactic for the refund scam funnel

MITRE ATT&CK Techniques

Technique | ID | Relevance
Phishing: Spearphishing Attachment | T1566.001 | PDF invoice delivered as an email attachment, carrying a social engineering payload
Impersonation | T1656 | Geek Squad and Windows Defender branding used to fabricate a legitimate-looking invoice

What Defenders Should Watch For

Flag wkhtmltopdf in PDF creator metadata. Legitimate invoicing systems identify themselves by their application name (QuickBooks, Xero, SAP). A PDF claiming to be a branded invoice but created by wkhtmltopdf was rendered from an HTML template. This metadata field is trivial to check and rarely examined.

Treat mailto-only PDFs as TOAD variants. When the only actionable element in an attached document is a mailto link rather than a phone number, the engagement model is the same: initiate contact, build trust, pivot to phone. The mailto is the first hop in a callback scam, not the destination.

Correlate near-empty bodies with attachment-dependent attacks. An email body that contains only a token and a name is designed to force the recipient to open the attachment. Legitimate transactional emails include enough context in the body for the recipient to understand the message without opening anything.

Apply the 24-hour test. Any document imposing a deadline shorter than standard business processing times is using urgency as a manipulation tool. Geek Squad, Best Buy, and similar retailers do not require 24-hour responses for cancellations. The deadline exists to prevent the recipient from verifying the charge through official channels.
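The four checks above, together with the "assembly line" and "Why Every Scanner Said Clean" sections, describe a static triage that looks at what an attachment says rather than what it does. The script below is an added example written for this post, not IRONSCALES code or any part of Themis. It inspects a PDF's creator tag, its link annotations, and its active-content keys, then combines those with the body-minimalism and deadline heuristics into a single verdict. The PDF, body, and invoice text are constructed samples, not the real attachment or message; the mailto address and token are placeholders. The PDF parsing is regex-based and assumes an uncompressed file with plain literal strings (a production tool would use a real PDF parser and a text extractor), and the finding thresholds in `verdict` are my own assumption.

```python
"""Static triage of a PDF-attachment callback-phishing email (added example)."""
import re
from typing import Optional

# --- constructed samples: not the real attachment, message, or addresses ---
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (mailto:refunds@example.invalid) >> >> endobj
5 0 obj << /Creator (wkhtmltopdf 0.12.6) /Producer (Qt 4.8.7) >> endobj
trailer << /Root 1 0 R /Info 5 0 R >>
%%EOF
"""
SAMPLE_BODY = "XBUM-000000-EXAMPLE-0000\nJane Doe"          # token plus name, nothing else
SAMPLE_INVOICE_TEXT = ("Geek Squad / Windows Defender annual protection $349.99. "
                       "To cancel and receive a refund, contact us within 24 hours.")

# Creator tags that mean "rendered from an HTML template"; extend as needed.
HTML_RENDERERS = ("wkhtmltopdf",)
# Keys whose presence means a scanner has something to detonate or flag.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/AcroForm", b"/EmbeddedFiles", b"/Launch")
TOKEN_RE = re.compile(r"\b[A-Z0-9]{3,}(?:-[A-Z0-9]{4,}){2,}\b")   # reference-number lookalike
URL_RE = re.compile(r"https?://", re.I)
DEADLINE_RE = re.compile(r"\b(\d{1,3})\s*-?\s*hours?\b", re.I)       # "24 hours", "24-hour"


def pdf_info(pdf: bytes) -> dict:
    """Literal-string /Creator and /Producer values from the Info dictionary."""
    out = {}
    for key in ("Creator", "Producer"):
        m = re.search(rb"/" + key.encode() + rb"\s*\(([^)]*)\)", pdf)
        if m:
            out[key] = m.group(1).decode("latin-1")
    return out


def pdf_uris(pdf: bytes) -> list:
    """Every /URI literal string in link annotations (mailto: and http(s): alike)."""
    return [m.group(1).decode("latin-1") for m in re.finditer(rb"/URI\s*\(([^)]*)\)", pdf)]


def pdf_active_content(pdf: bytes) -> list:
    """Active-content keys present in the file; empty means nothing to detonate."""
    return [k.decode() for k in ACTIVE_KEYS if k in pdf]


def body_is_minimal(body: str) -> bool:
    """A body of a few lines holding a token-like string and no URL exists only
    to push the recipient into the attachment."""
    lines = [ln for ln in body.splitlines() if ln.strip()]
    return len(lines) <= 3 and bool(TOKEN_RE.search(body)) and not URL_RE.search(body)


def deadline_hours(text: str) -> Optional[int]:
    """Shortest hour-based deadline mentioned in the invoice text, if any."""
    hours = [int(m.group(1)) for m in DEADLINE_RE.finditer(text)]
    return min(hours) if hours else None


def triage(pdf: bytes, body: str, invoice_text: str, first_time_sender: bool) -> dict:
    """Combine the behavioural signals into findings and a verdict."""
    findings = []
    creator = pdf_info(pdf).get("Creator", "")
    if any(r in creator.lower() for r in HTML_RENDERERS):
        findings.append(f"creator '{creator}': rendered from an HTML template")
    uris = pdf_uris(pdf)
    if uris and all(u.lower().startswith("mailto:") for u in uris):
        findings.append("mailto-only: reply address is the sole call to action (TOAD pattern)")
    if body_is_minimal(body):
        findings.append("near-empty body: token plus name forces attachment opening")
    hours = deadline_hours(invoice_text)
    if hours is not None and hours <= 24:
        findings.append(f"{hours}-hour deadline: urgency shorter than normal processing")
    if first_time_sender:
        findings.append("first-time sender")
    # Absence of active content is reported separately: it explains why a clean
    # scanner verdict carries no weight here rather than counting as a finding.
    return {"findings": findings,
            "active_content": pdf_active_content(pdf),
            "verdict": verdict(findings)}


def verdict(findings: list) -> str:
    """Assumed thresholds: four or more signals quarantine, two or three review."""
    n = len(findings)
    return "quarantine" if n >= 4 else ("review" if n >= 2 else "allow")


if __name__ == "__main__":
    result = triage(SAMPLE_PDF, SAMPLE_BODY, SAMPLE_INVOICE_TEXT, first_time_sender=True)
    for f in result["findings"]:
        print("-", f)
    print("active content:", result["active_content"] or "none")
    print("verdict:", result["verdict"])
```

Running it on the constructed sample prints five findings, "active content: none", and a quarantine verdict: the same cluster the post describes, reached without a single signature, sandbox run, or domain reputation lookup. On a real mail flow the body and invoice text would come from the MIME parser and a PDF text extractor, and `pdf_info` would be replaced by a library call that handles compressed object streams.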

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack. What it looked like, why it worked, and what to do about it.

Related attacks

Attack | What happened
McAfee Invoice Scam Weaponized a Google Calendar Invite 71 Minutes After Domain Registration | A same-day registered domain abused Google Calendar invites to deliver a McAfee/Webroot invoice scam with a callback phone number.
Three Domains, One Scam: The RFQ That Routed Replies to a Freshly Built Lookalike | An RFQ email passed SPF, DKIM, and DMARC through one domain and impersonated a construction supplier through a second.
The Geek Squad Invoice That Forgot Which Brand It Was Pretending to Be | A callback phishing attack delivered entirely as an image attachment, with no subject line, no links, and no scannable text.
The Geek Squad Invoice With a Hidden Executable in the Image | A callback phishing attack delivered a fake Geek Squad invoice as an image with MZ/PE executable bytes embedded in the JPEG.
A Fillable PDF With Real Bank Details and Nothing for Scanners to Flag | A Hotmail sender impersonated an employee and attached a fillable PDF direct deposit form pre-loaded with real bank account details.
