The Utility Invoice That Passed Every Authentication Check and Hid Executables Inside the PDF

TL;DR A natural gas invoice email from MVM Next, a legitimate Hungarian energy utility, passed SPF, DKIM, and DMARC with compauth=100. The attached PDF was digitally signed with valid ETSI.CAdES credentials and cleared every automated scanner. Deep binary analysis found MZ (Windows PE executable) signatures at two specific offsets inside the PDF stream, anomalies that no invoice document should contain. The attack leveraged fully authenticated, legitimate infrastructure, leaving behavioral AI and community intelligence as the only detection surfaces.
Severity: High | Tags: Malware Scanner Evasion, Legitimate Infrastructure Abuse | MITRE ATT&CK: T1566.001, T1036.005, T1204.002

A natural gas invoice for 416,946 Hungarian forints. A digitally signed PDF from a recognized energy utility. SPF pass, DKIM pass, DMARC pass, composite authentication score of 100. Every automated scanner in the delivery chain returned a clean verdict on the attachment. Then deep binary analysis found MZ byte signatures at two distinct offsets inside the PDF, the markers that begin every Windows PE executable.

This email was not spoofed. It was sent from ugyfelszolgalat@online[.]mvmnext[.]hu, a customer service address belonging to MVM Next, one of Hungary's largest energy providers. The message transited through MVM's own mail infrastructure (IP 185[.]43[.]206[.]49) and arrived via Microsoft Exchange Online Protection. The sending system identified itself as SAP NetWeaver 750, consistent with enterprise ERP-generated correspondence.

Legitimate Infrastructure, Legitimate Authentication, Illegitimate Payload

The authentication results read like a compliance checklist:

| Check | Result | Detail |
| --- | --- | --- |
| SPF | Pass | 185[.]43[.]206[.]49 authorized for online[.]mvmnext[.]hu |
| DKIM | Pass | Valid signature, header.d=online[.]mvmnext[.]hu |
| DMARC | Pass | Full alignment with sending domain |
| compauth | 100 | Microsoft composite authentication, perfect score |
| SCL | 1 | Minimal spam confidence |

For any secure email gateway relying on authentication as a trust signal, this email was indistinguishable from a real utility bill. That is the entire point. When attackers leverage genuine infrastructure, they inherit the sending domain's full authentication posture. No spoofing required. No newly registered domain to flag. No reputation gap to exploit. The Microsoft Digital Defense Report 2024 documents this trend: threat actors increasingly abuse trusted services and legitimate accounts to bypass authentication-based defenses.

The DMARC policy for online[.]mvmnext[.]hu was set to p=none, meaning even a failed check would not trigger rejection. DNSSEC was absent. These are configuration weaknesses that expand the attack surface, though in this case the authentication genuinely passed because the sending infrastructure was real.
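The checks above are carried in the Authentication-Results header that Exchange Online Protection stamps on the message, and the enforcement level comes from the domain's DMARC TXT record. The parser below is an added example (not IRONSCALES tooling) that turns both into structured data so a triage rule can see exactly what authentication did and did not establish: the sample header and DMARC record are constructed after the page's values, with the page's defanged domain notation kept, and the names `parse_auth_results`, `parse_dmarc` and `assess` are hypothetical.

```python
"""Parse Authentication-Results and DMARC records; added example, not the page's code."""
import re

# Constructed sample in the shape Exchange Online Protection emits (page's defanged domains kept).
SAMPLE_AUTH_RESULTS = (
    "spf=pass (sender IP is 185[.]43[.]206[.]49) smtp.mailfrom=online[.]mvmnext[.]hu; "
    "dkim=pass (signature was verified) header.d=online[.]mvmnext[.]hu; "
    "dmarc=pass action=none header.from=online[.]mvmnext[.]hu; "
    "compauth=pass reason=100"
)
# Constructed DMARC TXT record with the monitor-only policy the page describes (p=none).
SAMPLE_DMARC_TXT = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.invalid"

COMMENT_RE = re.compile(r"\([^)]*\)")  # RFC 8601 allows parenthesised comments anywhere


def parse_auth_results(header: str) -> dict:
    """Return {method: {"result": str, "props": {key: value}}} per ';'-separated clause."""
    out = {}
    for clause in header.split(";"):
        clause = COMMENT_RE.sub("", clause).strip()
        if not clause:
            continue
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        out[method.lower()] = {"result": result.lower(), "props": props}
    return out


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for item in txt.split(";"):
        key, _, value = item.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags


def assess(auth: dict, dmarc: dict) -> dict:
    """What the authentication layer actually proved about the sender."""
    passes = {m: auth.get(m, {}).get("result") == "pass" for m in ("spf", "dkim", "dmarc")}
    dkim_domain = auth.get("dkim", {}).get("props", {}).get("header.d")
    from_domain = auth.get("dmarc", {}).get("props", {}).get("header.from")
    policy = dmarc.get("p", "missing")
    return {
        "checks": passes,
        "aligned": dkim_domain is not None and dkim_domain == from_domain,
        "sender_authenticated": all(passes.values()) and dkim_domain == from_domain,
        "dmarc_enforcement": policy,            # "none" = monitor only, failures are still delivered
        "rejects_failures": policy == "reject",
        "compauth_reason": auth.get("compauth", {}).get("props", {}).get("reason"),
    }


if __name__ == "__main__":
    verdict = assess(parse_auth_results(SAMPLE_AUTH_RESULTS), parse_dmarc(SAMPLE_DMARC_TXT))
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

The output for the constructed sample is `sender_authenticated: True` with `dmarc_enforcement: none`, which is the whole of what the gateway learned: the mail really came from the domain, and a forged one would not have been rejected anyway. Nothing in either structure speaks to the attachment, so a triage rule should treat `sender_authenticated` as a reason to look harder at content, not as a reason to skip it.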

A PDF That Every Scanner Cleared

The attachment, Földgáz_101219926734_2026.04.09.PDF (318 KB, MD5: 4c96dff781fe8962adfb1d177e7e086a, SHA-256: bb8d31ec7c21b37ba00e158d5386ce13fbbca084ea90a716645415284d7c57f7), presented itself as a standard utility invoice. It carried a valid digital signature using Adobe.PPKLite with ETSI.CAdES.detached SubFilter, signed under the name "MVM Next Energiakereskedelmi Zrt." through Hungary's e-Szigno certificate infrastructure. The creation date (2026-04-09) matched the email timestamp.

Automated scanners returned a clean verdict. No JavaScript. No launch actions. No credential-posting URIs. No OpenAction triggers. By every standard check, the file was safe.

Deep binary extraction revealed a different picture. Two /EmbeddedFile entries were identified in the PDF structure, and MZ byte signatures (4D 5A, the magic number that begins every Windows PE executable) appeared at offsets ~0x00031180 and ~0x0003e980. MZ signatures inside an invoice PDF are a significant anomaly. While the signatures could represent fragments within compressed binary data rather than fully formed executables, their presence in a document that should contain nothing but invoice text and a digital signature is a red flag that warrants sandbox detonation and forensic extraction.
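To make the difference between the surface checks in the previous paragraph and the deep extraction in this one concrete, here is an added example (not IRONSCALES tooling, and not the real invoice) that runs both over a PDF: it looks for the keys a surface scanner checks (`/JavaScript`, `/Launch`, `/OpenAction`, `/URI`), then walks every object, counts `/EmbeddedFile` entries, inflates FlateDecode streams, and reports each `4D 5A` hit with its offset. It also applies the caveat from the paragraph above: a hit is only reported as a PE header when `e_lfanew` at `+0x3C` points at a `PE\0\0` signature, otherwise it is a fragment. The sample PDFs are constructed in memory; `triage_pdf`, `looks_like_pe`, `build_sample_pdf` and `make_fake_pe` are hypothetical names.

```python
"""Surface checks plus deep scan of embedded PDF streams for MZ headers. Added example."""
import re
import struct
import zlib

# Keys a typical surface-level scanner checks (JavaScript, launch actions, OpenAction, URIs).
SURFACE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/URI")
OBJ_RE = re.compile(rb"(\d+) 0 obj(.*?)endobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def find_mz(buf: bytes) -> list:
    """Offsets of the 4D 5A ("MZ") magic anywhere in buf."""
    return [m.start() for m in re.finditer(rb"MZ", buf)]


def looks_like_pe(buf: bytes, off: int) -> bool:
    """A real DOS/PE header has e_lfanew at +0x3C pointing at 'PE\\0\\0'; a stray MZ pair does not."""
    if off + 0x40 > len(buf):
        return False
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    if not 0x40 <= e_lfanew < 0x1000:
        return False
    return buf[off + e_lfanew: off + e_lfanew + 4] == b"PE\0\0"


def triage_pdf(pdf: bytes) -> dict:
    report = {
        "surface_hits": [k.decode() for k in SURFACE_KEYS if k in pdf],
        "embedded_files": 0,
        "raw_mz_offsets": find_mz(pdf),  # what a naive whole-file byte scan reports
        "findings": [],
    }
    for m in OBJ_RE.finditer(pdf):
        objnum, body = int(m.group(1)), m.group(2)
        if b"/EmbeddedFile" in body:
            report["embedded_files"] += 1
        sm = STREAM_RE.search(body)
        if sm is None:
            continue
        raw, file_off, decoded = sm.group(1), m.start(2) + sm.start(1), False
        data = raw
        if b"/FlateDecode" in body:
            try:
                data, decoded = zlib.decompress(raw), True
            except zlib.error:
                pass  # not inflatable: fall back to scanning the raw bytes
        for off in find_mz(data):
            where = f"obj {objnum} stream+{off:#x}" + (" (inflated)" if decoded else f" = file {file_off + off:#x}")
            kind = "pe_header" if looks_like_pe(data, off) else "mz_fragment"
            report["findings"].append({"object": objnum, "where": where, "kind": kind})
    return report


def verdict(report: dict) -> str:
    if any(f["kind"] == "pe_header" for f in report["findings"]):
        return "embedded executable"
    if report["findings"] or report["embedded_files"]:
        return "anomalous: needs sandbox detonation and forensic extraction"
    return "no binary anomaly"


def make_fake_pe() -> bytes:
    """Constructed DOS stub: MZ magic, e_lfanew = 0x80, PE signature, nothing runnable."""
    hdr = bytearray(0x80 + 24)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr)


def build_sample_pdf(payload: bytes = None, compress: bool = True) -> bytes:
    """Constructed minimal PDF with an optional /EmbeddedFile stream (no xref; enough for triage)."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>", b"<< /Type /Pages /Kids [] /Count 0 >>"]
    if payload is not None:
        data = zlib.compress(payload) if compress else payload
        filt = b"/Filter /FlateDecode " if compress else b""
        objs.append(b"<< /Type /EmbeddedFile " + filt + b"/Length %d >>\nstream\n" % len(data)
                    + data + b"\nendstream")
    out = bytearray(b"%PDF-1.7\n")
    for i, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    return bytes(out + b"%%EOF\n")


if __name__ == "__main__":
    for label, sample in (("compressed PE", build_sample_pdf(make_fake_pe())),
                          ("MZ fragment", build_sample_pdf(b"\x00\x00MZ hello\x00", compress=False)),
                          ("clean", build_sample_pdf(None))):
        rep = triage_pdf(sample)
        print(label, "->", verdict(rep), rep["findings"], "surface:", rep["surface_hits"])
```

Two design points matter in practice. First, the whole-file `raw_mz_offsets` scan (the kind that produced the page's `~0x00031180` style offsets) can miss an executable that sits inside a compressed stream and can also fire on byte pairs that happen to be `4D 5A`, which is why per-object inflation and the `e_lfanew` check are separated in the report. Second, the surface keys stay empty for every sample here, exactly as they did for the invoice, so a pipeline that stops at those checks never reaches the finding.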

This maps directly to MITRE ATT&CK T1036.005 (Masquerading: Match Legitimate Name or Location). The executable content hides inside a file type that recipients expect to receive, in a format that scanners routinely clear. According to the Verizon 2024 Data Breach Investigations Report, the use of malicious attachments in phishing campaigns remains one of the top initial access vectors, with PDF and Office document formats as preferred carriers.


Social Engineering Built on Real Invoice Data

The email body was a pixel-perfect reproduction of MVM Next's customer communication template. It was written entirely in Hungarian ("Kedves Ugyfelunk!" / "Dear Customer!"), referenced a specific invoice number (101219926734), contract number (9002933), payment amount (416,946 Ft), and due date (2026-04-24). Wire transfer details included a real bank account number and a secondary payment identifier (gazszamla@mvm[.]hu).

Two call-to-action buttons offered "Befizetem bankkartyaval" (Pay by bank card) and "Tovabb a szlaimhoz" (Go to my invoices), both linking to onlineugyintezes[.]mvmnext[.]hu, which is MVM Next's legitimate online customer portal. The email even included an anti-phishing warning at the bottom, directing recipients to mvmnext[.]hu/Adathalaszat for information on how to identify fraudulent messages. Social media links to MVM's verified Facebook, Instagram, YouTube, and TikTok accounts appeared in the footer.

This layering of real data, real infrastructure, and real brand elements creates what the CISA phishing guidance describes as a high-fidelity impersonation. The recipient sees a familiar template, recognizable payment details, and links that resolve to the expected domain. There is nothing visually suspicious. The payload lives entirely in the attachment.

Why This Case Broke Through Authentication and Scanners

The attack succeeded at every automated checkpoint because it used legitimate infrastructure at every layer. The sending mail server was real. The authentication records were real. The digital signature on the PDF was real. The links in the email body pointed to real portals. The only anomaly was binary content inside the PDF that surface-level scanning could not reach.

The FBI IC3 2024 Annual Report reported over $2.9 billion in adjusted losses from business email compromise and related schemes. Cases like this one, where attackers operate within legitimate infrastructure rather than building their own, represent the hardest class of threats to detect at the gateway layer. The IBM X-Force Threat Intelligence Index 2024 found that abuse of valid accounts and trusted services was the most common initial access method, overtaking traditional exploitation.

Adaptive AI flagged this message through signals that authentication cannot evaluate. The community intelligence network identified similar MVM-branded messages surfacing across multiple organizations, a pattern invisible to any single tenant's security stack. Deep attachment analysis performed binary extraction beyond the standard scan, surfacing the MZ signatures that automated tools missed. The combination of cross-tenant pattern matching, behavioral anomaly detection, and deep content inspection created the detection surface that authentication and scanning could not provide.

For organizations operating in multilingual environments or with European supply chains, utility invoice phishing in local languages is a persistent threat vector. The advanced malware protection gap exposed here is not that scanners failed to run. They ran and returned clean. The gap is that clean verdicts on digitally signed documents from authenticated senders create a false floor of trust that attackers are built to exploit.

Indicators of Compromise

| Type | Indicator | Context |
| --- | --- | --- |
| Sender Domain | online[.]mvmnext[.]hu | Legitimate MVM Next customer service domain |
| Sender Email | ugyfelszolgalat@online[.]mvmnext[.]hu | Customer service address |
| Sending IP | 185[.]43[.]206[.]49 | MVM Next mail infrastructure (CTRY:HU) |
| X-Mailer | SAP NetWeaver 750 | Enterprise ERP mail system |
| Hash (MD5) | 4c96dff781fe8962adfb1d177e7e086a | Invoice PDF with embedded MZ signatures |
| Hash (SHA-256) | bb8d31ec7c21b37ba00e158d5386ce13fbbca084ea90a716645415284d7c57f7 | Invoice PDF with embedded MZ signatures |
| Payment Portal | onlineugyintezes[.]mvmnext[.]hu | Legitimate MVM Next online portal |

MITRE ATT&CK Mapping

| Technique | ID | Relevance |
| --- | --- | --- |
| Spearphishing Attachment | T1566.001 | Invoice PDF delivered via email with embedded executable signatures |
| Masquerading: Match Legitimate Name or Location | T1036.005 | PE signatures hidden inside a digitally signed invoice PDF from a legitimate utility |
| User Execution: Malicious File | T1204.002 | Recipient prompted to open PDF and interact with payment workflow |

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 30,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
