The sender domain had a real website, a real mail server, and a clean reputation. The malicious payload hiding in a payroll PDF attachment did not care.
What the Attack Looked Like
The email subject referenced a staff pay increment procedure. That framing alone is enough to pull recipients into the message: payroll changes affect everyone, the information feels relevant, and the HR context signals authority. The body contained minimal text. The visible message was dominated by a system-generated external-sender warning banner, meaning there was no suspicious body copy to scrutinize.
The single attachment was named Salary Increment Update for Payroll.pdf. The filename follows the subject-line lure precisely, reinforcing the expectation that opening it is the correct next step. A sandbox and attachment scanning environment returned a malicious verdict for the file. MD5: 3f0095b55ca1bd458cbcd443e552007e.
The message originated from a small-business mail server whose PTR record matched the sending domain, a signal that the sending infrastructure was properly configured and belonged to an established organization. SPF passed: the outbound IP was listed in the sending domain's authorized sender record. DKIM failed, which indicates either a misconfigured signing setup at the sending domain or modification of the message after signing. DMARC passed via SPF alignment, meaning the Return-Path domain matched the visible From domain, so the composite authentication result was a pass.
The sender was a first-time contact to the recipient mailbox.
Why It Bypassed Defenses
Reputation inheritance is the core mechanism here. When an attacker compromises a legitimate mail server and sends through it, every reputation signal tied to that domain works in the attacker's favor. The sending IP resolves to the victim organization's own infrastructure. SPF passes because the IP is genuinely authorized. DMARC passes because SPF alignment is sufficient. Blocklists have no entry for a domain that has never sent malicious mail before.
Defenders' tools were looking at the right things. The signals they evaluated (IP authorization, domain age, authentication results, sender history) were all clean because the attacker borrowed the victim's identity rather than fabricating one. The only layer that caught the attack was the attachment scanner's behavioral analysis of the PDF itself.
DKIM failure was the one authentication anomaly, but a failing DKIM result alone is insufficient to quarantine. Legitimate mail frequently fails DKIM due to gateway rewriting or signing configuration issues. A policy that quarantines on DKIM failure alone would generate substantial false positives.
Our Adaptive AI evaluated the full picture: first-time sender, payroll-themed subject with no supporting body text, and a PDF attachment bearing a filename that matched the social-engineering lure precisely. The behavioral incongruence between the empty body and the high-action attachment was a meaningful signal.
How It Was Caught
The attachment scanner returned the malicious verdict that triggered triage. Header analysis confirmed the authentication chain: SPF pass, DKIM fail, DMARC pass via SPF alignment. The relay path was traced back to an authorized host belonging to a legitimate small-business domain, consistent with a compromised sender scenario rather than a simple From-header spoof. The attachment hash was preserved for multi-engine scanning and endpoint indicator distribution. The victim organization was notified to investigate a potential account or server compromise.
Defender Takeaways
Authentication pass plus clean sender reputation does not equal safe attachment. SPF is a delivery-path check: it confirms that a message came from a host authorized for the stated domain. DMARC only asks whether SPF or DKIM passed for a domain aligned with the visible From address. Neither can detect that the domain's mail server was compromised and is now being used to deliver malicious content. Attachment behavioral analysis is a separate, mandatory layer.
Compromised-sender delivery is particularly effective against reputation-gated systems. Secure email gateways that apply sender reputation scoring will score this message favorably. The only reliable catch is content-layer inspection. Sandboxing PDFs is not optional when the message combines a first-time sender, an HR-payroll lure, and an attached document. MITRE ATT&CK catalogs this delivery method as T1566.001, Spearphishing Attachment, under T1566 Phishing; lures built on organizational processes (payroll, HR, benefits) are a consistent feature of such campaigns.
DKIM failure is a weak quarantine signal but a useful triage flag. A failing DKIM on a first-time sender with a suspicious lure and an attached file should raise the overall risk score even if it does not independently justify quarantine. Build rules that weight DKIM failure in combination with attachment presence and first-time sender status.
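The weighting described here, and the "DKIM failure alone is insufficient to quarantine" point above, as an added example (not code from the original incident or from the vendor): a small triage scorer that parses a raw message, reads the receiving gateway's Authentication-Results header, and scores a DKIM failure up only when it coincides with a first-time sender, an attachment, and a payroll lure. Both sample messages, the sender history, the lure terms, the weights and the threshold are constructed and hypothetical.

```python
"""Added example: triage scoring for a suspected compromised-sender delivery.
Sample messages, sender history, weights and threshold are constructed for
illustration; they are not taken from the incident described in this post."""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

# Constructed: mirrors the SPF pass / DKIM fail / DMARC pass (SPF-aligned)
# pattern, a near-empty body, and a payroll-themed PDF attachment.
SAMPLE_SUSPECT = b"""\
Return-Path: <hr@example-smb.test>
Authentication-Results: mx.recipient.test;
 spf=pass smtp.mailfrom=example-smb.test;
 dkim=fail header.d=example-smb.test;
 dmarc=pass header.from=example-smb.test
From: HR <hr@example-smb.test>
To: staff@recipient.test
Subject: Staff Pay Increment Procedure
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

--b1
Content-Type: application/pdf; name="Salary Increment Update for Payroll.pdf"
Content-Disposition: attachment; filename="Salary Increment Update for Payroll.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed: a known sender whose DKIM also fails (e.g. gateway rewriting),
# no attachment, ordinary body. Must not be quarantined on DKIM alone.
SAMPLE_BENIGN = b"""\
Return-Path: <news@partner.test>
Authentication-Results: mx.recipient.test;
 spf=pass smtp.mailfrom=partner.test;
 dkim=fail header.d=partner.test;
 dmarc=pass header.from=partner.test
From: Partner News <news@partner.test>
To: staff@recipient.test
Subject: Monthly partner newsletter
Content-Type: text/plain; charset=us-ascii

Here is this month's update from the partner team, covering the
release schedule and the upcoming joint workshop dates.
"""

KNOWN_SENDERS = {"news@partner.test"}  # hypothetical per-mailbox sender history
LURE_TERMS = re.compile(r"\b(pay(roll)?|salary|increment|bonus|benefits|hr)\b", re.I)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
WEIGHTS = {"first_time_sender": 2, "has_attachment": 2, "lure_in_subject": 1,
           "lure_in_filename": 1, "empty_body": 1, "dkim_fail": 1}
QUARANTINE_THRESHOLD = 6  # hypothetical


def parse_auth_results(msg: EmailMessage) -> dict:
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} from Authentication-Results."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(str(header)):
            results.setdefault(method.lower(), verdict.lower())
    return results


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage(raw: bytes, known_senders: set = KNOWN_SENDERS) -> dict:
    """Score one raw message; a DKIM failure by itself stays below the threshold."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    auth = parse_auth_results(msg)
    from_addr = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    return_path = email.utils.parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body_text = body_part.get_content().strip() if body_part else ""
    subject = str(msg.get("Subject", ""))

    signals = {
        "first_time_sender": from_addr not in known_senders,
        "has_attachment": bool(attachments),
        "lure_in_subject": bool(LURE_TERMS.search(subject)),
        "lure_in_filename": any(LURE_TERMS.search(f) for f in attachments),
        "empty_body": len(body_text) < 40,
        "dkim_fail": auth.get("dkim") == "fail",
        # DMARC can pass on SPF alone only if the Return-Path domain aligns with From.
        "spf_aligned": domain_of(return_path) == domain_of(from_addr),
    }
    score = sum(WEIGHTS[k] for k, v in signals.items() if v and k in WEIGHTS)
    # Weight DKIM failure up only when it coincides with the other risk signals.
    if signals["dkim_fail"] and signals["first_time_sender"] and signals["has_attachment"]:
        score += 1
    return {"score": score, "quarantine": score >= QUARANTINE_THRESHOLD,
            "auth": auth, "signals": signals, "attachments": attachments}


if __name__ == "__main__":
    for name, raw in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        r = triage(raw)
        print(name, r["score"], "quarantine" if r["quarantine"] else "deliver", r["auth"])
```

With these constructed weights the suspect message scores 9 and is quarantined, while the known sender with the same DKIM failure scores 1 and is delivered; the point is the combination logic, not the particular numbers, which any deployment would tune against its own false-positive rate.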
Notify the victim organization. When a compromised-legitimate sender delivers malicious content, the sending organization is a victim. Responsible disclosure, sharing the message headers and attachment hash with the sending domain's security contact, helps them investigate the breach and protect other potential targets receiving the same campaign. Phishing campaigns running through compromised legitimate infrastructure often target multiple organizations simultaneously.
---
Indicators of Compromise
| Type | Value | Notes |
|---|---|---|
| Attachment filename | Salary Increment Update for Payroll.pdf | Payroll-themed HR lure |
| Attachment MD5 | 3f0095b55ca1bd458cbcd443e552007e | Sandbox verdict: malicious |
| Sender infrastructure | Compromised small-business mail server | SPF pass / DKIM fail / DMARC pass via SPF alignment |
| Sending IP | Authorized IP for victim domain | Matches PTR; not a spoof |
| Attack vector | Malicious PDF via compromised legitimate sender | Reputation-laundering delivery |