The Invoice Email With No Text to Scan: Image-Only Payload From a Compromised Account With a Broken ARC Chain

An email with the subject "ACH payment" arrived at the accounts receivable team of a global flavoring company. The sender was at a natural products company. SPF passed. DKIM passed. DMARC passed. Composite authentication returned reason=100. The gateway had no reason to intervene.

The entire message payload was a single PNG image. No text in the body. No links. No macros. No attachments to detonate in a sandbox. Just 63,801 bytes of image data that rendered perfectly for human eyes and returned nothing for text-based scanners.

Full Authentication, Zero Provenance

At the final delivery hop, the email from carlaburbo@a-private-company[.]example passed every authentication check. SPF validated because a-private-company[.]example authorized its mail servers. DKIM passed under the domain's selector2 signing key. DMARC aligned. The SCL score was 1.

But the original authentication results told a different story. Authentication-Results-Original showed dkim=none and dmarc=none. The message had no DKIM signature when it was first created. The ARC chain at i=2 returned cv=fail, meaning the forwarding chain of trust was broken.

What happened between origin and delivery? The M365 infrastructure signed the message on behalf of the sender at the relay hop. The sending account's mail server added DKIM and SPF alignment that the original message never had. This is the signature pattern of a compromised account: the attacker sends through the victim's infrastructure, and the infrastructure vouches for the message automatically.

The Image as the Entire Attack Surface

The attachment, image002.png, was the only content. No URLs meant no link scanning. No document attachments meant no macro analysis or sandbox detonation. The PNG carried no extractable text metadata, so OCR-dependent scanning would need to render and read the image to identify its content.

Most gateways do not apply OCR to every image attachment in real time. The image likely contained payment instructions or account details, rendered as a visual document that a human in accounts receivable would process manually. Put the payload where the machines are not looking.

Cross-Company Invoice Context

The sender CC'd their own company's accounts payable address (ap@a-private-company[.]example), reinforcing the appearance of a legitimate inter-company payment communication. The "ACH payment" subject line targeted the recipient's AR workflow directly. For an AR team accustomed to processing vendor payments, this email matched the expected pattern: a known vendor name, a payment reference, and an attached document.

The sending account was compromised. The person behind the email was not who the authentication said it was.

What Behavioral Detection Identified

Themis, the IRONSCALES Adaptive AI engine, flagged this message at 54% confidence. The first-time sender pattern between these two organizations, the image-only payload with no extractable text, and the discrepancy between original authentication (dkim=none, dmarc=none) and final-hop authentication (full pass) are behavioral signals that surface-level authentication checks miss. One mailbox was quarantined based on these signals.

The gateway saw a fully authenticated message from a real company. The behavioral layer saw a compromised account sending an opaque payload to an AR team it had never contacted before.

See Your Risk: Calculate how many threats your SEG is missing

Indicators of Compromise

MITRE ATT&CK Mapping