The Invoice Attachment That Rendered Itself Locally and Left URL Scanners With Nothing to Scan

TL;DR: A Hebrew-language invoice fraud attack arrived as an HTML attachment generated by Priority ERP software, complete with full SPF, DKIM, and DMARC authentication on the legitimate sender domain. The attachment was built to self-render from a localhost origin (127.0.0.1), meaning URL scanners had no external domain to evaluate. Bank transfer instructions were embedded directly in the email body and reinforced inside the HTML file, which contained base64-encoded image blobs and external font loads from a third-party infrastructure host. IRONSCALES Adaptive AI flagged the behavioral mismatch at 83% confidence.

Severity: High
Tags: Invoice Fraud, Credential Harvesting, Scanner Evasion
MITRE ATT&CK: T1566.001, T1036.005, T1027

The HTML attachment was 37 kilobytes, generated by Priority ERP software, and addressed to an invoice processing mailbox at a global manufacturing company. It contained bank transfer instructions, an embedded base64 image blob, and a localhost origin reference that told the recipient's browser to render the entire document from 127[.]0[.]0[.]1. No external phishing domain. No redirect chain. Nothing for a URL scanner to follow.

SPF passed. DKIM passed. DMARC passed with compauth=pass reason=100. The sending domain belonged to a well-known Israeli industry association, registered and active for years. Every technical authentication check confirmed the message was sent from authorized infrastructure.

The email body contained explicit wire transfer instructions to a specific bank branch and account number. The HTML attachment reinforced those details inside a polished ERP-generated order confirmation. For a finance team processing dozens of invoices daily, this looked like routine business correspondence from a legitimate sender.

Self-Rendering HTML: The Scanner Blind Spot

The first line of the HTML attachment after the DOCTYPE declaration was a comment: saved from url=(0016)hxxp://127[.]0[.]0[.]1. This is a Microsoft-origin "Mark of the Web" directive that tells rendering engines the document originated from localhost. When a recipient opens this attachment in a browser or email client preview, the content renders entirely from the local file system.

This matters because Secure Email Gateways and URL scanning engines work by extracting links from messages and evaluating them against reputation databases, sandbox detonation, or real-time crawling. An HTML file that renders from localhost and embeds its visual assets as base64 data URIs generates zero outbound network requests at the point of evaluation. The Microsoft Digital Defense Report 2024 documents the rise of HTML attachment-based attacks specifically because they sidestep URL-centric detection pipelines.

The attachment contained one large base64-encoded JPEG blob (over 13,000 characters of encoded data) rendered inline via a data:image/jpeg;base64 URI. This technique eliminates the need for any external image hosting. The organization's logo, branding elements, and visual invoice layout were all self-contained within the file.

A POST form element named priform was present in the HTML structure with no action attribute and no input fields populated at delivery time. This is consistent with ERP template scaffolding that could be activated client-side through JavaScript after rendering. The automated attachment scan returned a "clean" verdict because at rest, the file contains no executable payload or populated form submission target.
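Each of the traits described in this section can be checked statically, without rendering the file and without a single network request. The following Python script is an added example (not the page's or IRONSCALES' own code) that walks an HTML attachment with the standard library's html.parser and reports the four traits discussed: a "saved from url" comment whose origin is loopback (and whether the (NNNN) length prefix actually matches the URL, as it does in a genuine Mark of the Web), inline base64 data URIs, external hosts that would receive a fetch on render (including url() references inside a style block), and POST forms with no action. The sample HTML, the asset host name and the tiny JPEG payload are constructed for the demo and are not the real attachment.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the attachment described above: a
# Mark-of-the-Web comment pointing at loopback, one inline base64 JPEG,
# one external stylesheet plus a font fetch, and a POST form with no action.
# NOT the real attachment; the asset host name is a placeholder.
SAMPLE_HTML = """<!DOCTYPE html>
<!-- saved from url=(0016)http://127.0.0.1 -->
<html><head>
<meta http-equiv="Content-Language" content="he-IL">
<link rel="stylesheet" href="https://assets.example.invalid/erp-fonts.css">
<style>@font-face { font-family: erp; src: url(https://assets.example.invalid/erp.woff2); }</style>
</head><body>
<img src="data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/2wBDAAgGBgcGBQgHBwcJCQgKDA==">
<form name="priform" method="POST"></form>
<p>Please transfer payment to branch 123, account 456789.</p>
</body></html>"""

# Mark of the Web comment: (NNNN) is the character count of the URL that follows
MOTW_RE = re.compile(r"saved from url=\((\d{4})\)(\S+)")
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)")
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
# tag -> attribute whose value triggers a resource fetch when rendered
RESOURCE_ATTRS = {"img": "src", "script": "src", "link": "href",
                  "iframe": "src", "object": "data", "source": "src"}


class AttachmentInspector(HTMLParser):
    """Static walk over an HTML attachment: no rendering, no network."""

    def __init__(self):
        super().__init__()
        self.motw_url = None          # URL inside the "saved from url" comment
        self.motw_length_ok = False   # (NNNN) equals len(URL) in a genuine MOTW
        self.data_uris = []           # (tag, mime type, encoded payload length)
        self.external_hosts = set()   # hosts that would receive a fetch on render
        self.forms = []               # (name, method, action or None)
        self._in_style = False

    def handle_comment(self, data):
        m = MOTW_RE.search(data)
        if m:
            self.motw_url = m.group(2)
            self.motw_length_ok = int(m.group(1)) == len(self.motw_url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "style":
            self._in_style = True
        elif tag == "form":
            method = (a.get("method") or "GET").upper()
            self.forms.append((a.get("name", ""), method, a.get("action")))
        elif tag in RESOURCE_ATTRS and a.get(RESOURCE_ATTRS[tag]):
            self._classify_reference(tag, a[RESOURCE_ATTRS[tag]].strip())

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # url(...) inside <style> (e.g. @font-face) is also an outbound fetch
        if self._in_style:
            for ref in CSS_URL_RE.findall(data):
                self._classify_reference("style", ref)

    def _classify_reference(self, tag, ref):
        if ref.lower().startswith("data:"):
            header, _, payload = ref.partition(",")
            self.data_uris.append((tag, header[5:].split(";")[0], len(payload)))
            return
        host = urlparse(ref).hostname
        if host and host not in LOOPBACK_HOSTS:
            self.external_hosts.add(host)


def motw_is_loopback(url):
    host = urlparse(url).hostname or ""
    return host in LOOPBACK_HOSTS or host.startswith("127.")


def inspect_attachment(html):
    """Return structural findings for one HTML attachment."""
    p = AttachmentInspector()
    p.feed(html)
    p.close()
    findings = []
    if p.motw_url and motw_is_loopback(p.motw_url):
        findings.append("motw-loopback-origin")
    if p.data_uris:
        findings.append("inline-data-uri")
    if p.external_hosts:
        findings.append("external-asset-fetch")
    if any(m == "POST" and not action for _, m, action in p.forms):
        findings.append("actionless-post-form")
    return {"motw_url": p.motw_url, "motw_length_ok": p.motw_length_ok,
            "data_uris": p.data_uris, "external_hosts": sorted(p.external_hosts),
            "forms": p.forms, "findings": findings}


if __name__ == "__main__":
    for key, value in inspect_attachment(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

None of the four findings is malicious on its own (ERP exports routinely inline their logo as a data URI), which is why the script returns the list rather than a verdict; the value is in feeding these traits to a policy that also knows who the sender is and which mailbox received the file.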

Authentication Laundering Through a Legitimate Domain

The sender address used the domain industry[.]org[.]il, which WHOIS records confirm is the official domain for a major Israeli manufacturers' association. The domain has been registered through the Israel Internet Association (ISOC-IL) with established nameservers and publicly listed contacts. This is not a typosquatted lookalike or a freshly registered throwaway domain.

The message routed through Microsoft Outlook infrastructure across European datacenters (PAXP193MB1869 through PA4PR04MB9440 via outbound.protection.outlook.com). The SPF record validated against Microsoft's sending IP. The DKIM signature verified with selector selector1 on the industry[.]org[.]il domain. DMARC returned a pass, though the domain's policy was set to p=none, meaning even a failure would not result in rejection.

According to the FBI IC3 2024 Internet Crime Report, business email compromise and investment fraud accounted for the highest financial losses among all reported cybercrime categories, with BEC alone exceeding $2.9 billion. Authentication laundering through compromised accounts at legitimate organizations is a primary enabler. The Verizon 2024 DBIR found that stolen credentials remain the top action variety in breaches, and compromised email accounts at trusted organizations are the natural downstream consequence.

The attack maps to MITRE ATT&CK T1566.001 (Phishing: Spearphishing Attachment) for the HTML file delivery, T1036.005 (Masquerading: Match Legitimate Name or Location) for the ERP invoice impersonation, and T1027 (Obfuscated Files or Information) for the base64-encoded embedded content.


What Behavioral Detection Caught That Authentication Missed

The sending account had no prior relationship with the recipient organization. This was a first-time sender delivering a payment request to an invoice processing mailbox, a pattern that authentication headers cannot evaluate but behavioral analysis flags immediately.

IRONSCALES Adaptive AI flagged the message at 83% confidence based on the combination of first-time sender to a financial function mailbox, payment request with embedded bank details, HTML attachment with evasion characteristics, and the absence of any prior sender-recipient communication history. Four affected mailboxes were quarantined and reverted before any payment action could be taken.
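To make concrete why the clean authentication described earlier (SPF, DKIM and DMARC pass under a p=none policy) adds nothing against the behavioral signals in this section, the following Python is an added example, not IRONSCALES' model or scoring. It parses an Authentication-Results header and a DMARC TXT record, then scores a message on sender history, recipient function, payment language in the body and attachment traits. The header, domain, IP address, DMARC record, weights and the quarantine threshold are all constructed for illustration; the weights and threshold are arbitrary, and the attachment flags are assumed to come from a separate static inspection of the HTML file.

```python
import re

# Constructed inputs modelled on the case above; the domain, IP address and
# DMARC record are placeholders, not the real message headers or DNS data.
AUTH_RESULTS = (
    "spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=sender.example; "
    "dkim=pass (signature was verified) header.d=sender.example; "
    "dmarc=pass action=none header.from=sender.example; "
    "compauth=pass reason=100"
)
DMARC_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@sender.example"

# Payment-language cues a finance-mailbox policy would key on (illustrative list)
PAYMENT_RE = re.compile(r"\b(wire|transfer|bank|iban|swift|account|branch)\b", re.I)

# Arbitrary weights for the demo
WEIGHTS = {"first-time-sender": 30, "financial-function-mailbox": 20,
           "payment-instructions-in-body": 25, "attachment-trait": 10}
QUARANTINE_THRESHOLD = 60


def parse_auth_results(header):
    """Pull method=result pairs out of an Authentication-Results header."""
    pairs = re.findall(r"\b(spf|dkim|dmarc|compauth)=(\w+)", header)
    return {method.lower(): result.lower() for method, result in pairs}


def dmarc_policy(record):
    """Return the p= tag of a DMARC TXT record ('none' if absent)."""
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("p", "none").strip().lower()


def triage(auth_header, dmarc_txt, sender, prior_senders, recipient_role,
           body, attachment_flags):
    """Score one message; authentication results are recorded but never reduce the score."""
    auth = parse_auth_results(auth_header)
    policy = dmarc_policy(dmarc_txt)
    reasons, score = [], 0

    # A clean result proves the sending infrastructure was authorised for the
    # domain. It says nothing about the account behind it, so it earns no credit.
    auth_clean = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    if auth_clean and policy == "none":
        reasons.append("dmarc-pass-but-policy-none")

    known = {s.lower() for s in prior_senders}
    if sender.lower() not in known:
        score += WEIGHTS["first-time-sender"]
        reasons.append("first-time-sender")
    if recipient_role == "finance":
        score += WEIGHTS["financial-function-mailbox"]
        reasons.append("financial-function-mailbox")
    if PAYMENT_RE.search(body):
        score += WEIGHTS["payment-instructions-in-body"]
        reasons.append("payment-instructions-in-body")
    for flag in attachment_flags:
        score += WEIGHTS["attachment-trait"]
        reasons.append("attachment:" + flag)

    score = min(score, 100)
    verdict = "quarantine" if score >= QUARANTINE_THRESHOLD else "deliver"
    return {"auth": auth, "dmarc_policy": policy, "score": score,
            "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    result = triage(
        AUTH_RESULTS, DMARC_RECORD,
        sender="unknown.user@sender.example", prior_senders=set(),
        recipient_role="finance",
        body="Please wire the amount to branch 123, account 456789.",
        attachment_flags=["motw-loopback-origin", "inline-data-uri", "actionless-post-form"],
    )
    for key, value in result.items():
        print(f"{key}: {value}")
```

The point of the structure is that `auth_clean` is computed and reported but never subtracted from the score: a passing DMARC check under p=none is a statement about the sending server, not about whether a first-time sender should be asking a finance mailbox for a wire transfer.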

The HTML attachment also loaded external fonts and images from wbf[.]fbc[.]co[.]il, a third-party infrastructure domain registered through LiveDNS with Cloudflare nameservers. While these resources appeared to be benign static assets (web fonts and icons for the ERP template), every external fetch leaks the recipient's IP address, user agent, and rendering timestamp to the hosting server. For an attacker performing reconnaissance or validating active mailboxes, that metadata is valuable even if the primary payload is the bank transfer request itself.

The IBM Cost of a Data Breach Report 2024 found the global average cost of a data breach reached $4.88 million, with phishing as the most common initial attack vector. CISA's phishing guidance recommends verifying unexpected payment requests through a separate channel, but that guidance assumes the recipient recognizes the request as unexpected. When the sender domain is legitimate, the authentication is clean, and the invoice template matches a known ERP platform, the "unexpected" signal vanishes.

Observed Indicators: Localhost HTML Invoice

| Type | Indicator | Context |
| --- | --- | --- |
| Sender Domain | industry[.]org[.]il | Legitimate Israeli industry association domain (possible compromised account) |
| Sender Address | michalg@industry[.]org[.]il | First-time sender to recipient organization |
| Recipient Target | Invoice processing mailbox | Financial function targeting |
| Attachment | Order confirmation HTM file (37,734 bytes) | Priority ERP v21.0 generated HTML |
| Attachment Hash | a2e3b20a63a83f602102fea70dc705cc | MD5 hash of HTML attachment |
| Localhost Reference | hxxp://127[.]0[.]0[.]1 | Self-rendering origin in HTML comment |
| External Asset Host | wbf[.]fbc[.]co[.]il | Third-party font and image hosting (LiveDNS/Cloudflare) |
| Authentication | SPF pass, DKIM pass, DMARC pass (p=none) | Full authentication with compauth=pass reason=100 |
| Form Element | POST form "priform" with empty action | ERP template scaffolding, no active input fields at delivery |
| SCL | 1 | Microsoft Spam Confidence Level (low) |
| Language | Hebrew (he-IL) | Content-Language header value |

MITRE ATT&CK Techniques

| Technique | ID | Relevance |
| --- | --- | --- |
| Phishing: Spearphishing Attachment | T1566.001 | HTML attachment delivered ERP-themed invoice with bank details |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Attachment mimicked genuine Priority ERP order confirmation format |
| Obfuscated Files or Information | T1027 | Base64-encoded image blobs and localhost rendering bypassed content inspection |

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 30,000+ security professionals. Each post breaks down one attack — what it looked like, why it worked, and what you can do about it.
