Threat Intelligence

A Payroll PDF That Passed SPF and Carried Malware

Written by Audian Paxson | Aug 20, 2025 11:00:00 AM
TL;DR Attackers sent a malicious PDF disguised as a payroll increment notice from a compromised legitimate sender domain. SPF passed because the originating IP was authorized. DMARC passed via SPF alignment despite a DKIM failure. The email body contained only system-generated banners. All malicious content was confined to a 146 KB PDF attachment. Themis flagged the behavioral mismatch before any user could open the file.
Severity: High | Tags: Malicious Attachment, Payroll Fraud, Compromised Infrastructure | MITRE ATT&CK: T1566.001 Phishing: Spearphishing Attachment; T1036 Masquerading; T1078 Valid Accounts

The subject line read "2026 Staff Pay Increment Procedure." The sender name and domain looked like a legitimate commercial business. SPF passed. DMARC passed. Microsoft let it through. The email body contained exactly two pieces of visible text: a first-time sender warning and an external email caution banner, both generated by the mail system itself.

Beneath both banners was nothing. No greeting. No message. No instruction. Only a PDF attachment named "Salary Increment Update for Payroll.pdf."

That file was flagged malicious within seconds of delivery.

Authentication That Told Half the Story

The sending address, cecildiane.calibara@juliesbakeshop[.]com[.]ph, belongs to a Philippines-based commercial domain. The relay IP was 162[.]215[.]222[.]177, whose PTR record resolves to 7003188.juliesbakeshop[.]com[.]ph, which ties the message to infrastructure associated with the domain (a PTR is set by the IP's owner, so it is corroborating evidence rather than proof of origin). SPF returned a pass because that IP fell within the domain's authorized sending range.

DKIM, however, failed. A valid public key exists in DNS for the domain, but the signature on the message did not verify. In a typical configuration, a DKIM failure signals that the message was modified in transit or that the signing key was not applied correctly at send time. Here, it is more likely that the infrastructure used to send the message was either misconfigured or under unauthorized control. Either way, an unverifiable signature carries no weight in DMARC: it is simply not an aligned DKIM pass, and it does not veto a passing SPF check.

DMARC passed anyway, via SPF alignment. DMARC needs only one of its two checks to pass in aligned form: the SPF-authenticated envelope-from (RFC5321.MailFrom) domain matched the header From (RFC5322.From) domain, juliesbakeshop[.]com[.]ph, and that alone satisfies the alignment requirement regardless of the DKIM result.

Two additional anomalies in the domain's DNS deserve attention. The domain had duplicate SPF TXT records. RFC 7208 (section 4.5) requires an evaluator that finds more than one v=spf1 record to return permerror, which DMARC would treat as a non-pass, so the fact that SPF passed here means the receiving evaluator was lenient and simply used one of the records; a stricter receiver would have failed the same message on this alone, and the domain owner cannot count on consistent treatment. The SPF policy itself used ~all (softfail) rather than -all (hardfail), meaning unauthorized senders would be softfailed rather than rejected. Both are signs of accumulated misconfiguration, and the softfail in particular reduces the domain's defensive value.

None of this prevented delivery. SPF and DMARC passed. The message landed in the recipient's inbox.
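The evaluation described above, worked through in code. This is an added example, not code from the original post or from IRONSCALES: the Authentication-Results header, the DNS TXT answers and the small public-suffix table are constructed stand-ins, and nothing is looked up on the network. It shows why a failed DKIM signature does not block DMARC when SPF aligns, and flags the two DNS posture problems (duplicate v=spf1 records, ~all terminal) that a domain audit would report.

```python
"""Work through SPF, DKIM and DMARC for a message the way a receiver does.

Added example, not code from the original post or from IRONSCALES. The
Authentication-Results header, the DNS TXT answers and the public-suffix
table are constructed stand-ins; nothing is looked up on the network.
"""
import re

# Constructed Authentication-Results line modelled on the case: SPF pass on
# the authorized relay, DKIM signature that does not verify, same domain in
# envelope-from and header From. Exact wording is assumed.
AUTH_RESULTS = (
    "mx.example.net; "
    "spf=pass (sender IP is 162.215.222.177) smtp.mailfrom=juliesbakeshop.com.ph; "
    "dkim=fail (signature did not verify) header.d=juliesbakeshop.com.ph; "
    "header.from=juliesbakeshop.com.ph"
)

# Constructed TXT answers: the first domain publishes two SPF records and a
# softfail terminal; the second is the hardened shape to compare against.
DNS_TXT = {
    "juliesbakeshop.com.ph": [
        "v=spf1 ip4:162.215.222.0/24 ~all",
        "v=spf1 include:_spf.example-hosting.net ~all",
        "google-site-verification=abc123",
    ],
    "hardened.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
}

# Tiny stand-in for the Public Suffix List that real DMARC code consults.
MULTI_LABEL_SUFFIXES = {"com.ph", "co.uk", "com.au"}


def parse_auth_results(header):
    """Extract the verdicts and identifiers DMARC alignment needs."""
    def grab(key):
        m = re.search(key + r"=([\w.\-]+)", header)
        return m.group(1).lower() if m else None
    return {
        "spf": grab("spf"),
        "dkim": grab("dkim"),
        "mailfrom": grab(r"smtp\.mailfrom"),  # RFC5321.MailFrom domain
        "dkim_d": grab(r"header\.d"),         # DKIM d= tag
        "from": grab(r"header\.from"),        # RFC5322.From domain
    }


def org_domain(domain):
    """Organizational (registrable) domain, used for relaxed alignment."""
    labels = domain.lower().strip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def aligned(a, b, mode="r"):
    """Identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    if not a or not b:
        return False
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def dmarc_result(ar, spf_mode="r", dkim_mode="r"):
    """DMARC passes on EITHER an aligned SPF pass OR an aligned DKIM pass.
    A failed DKIM signature contributes nothing; it does not veto SPF."""
    spf_ok = ar["spf"] == "pass" and aligned(ar["mailfrom"], ar["from"], spf_mode)
    dkim_ok = ar["dkim"] == "pass" and aligned(ar["dkim_d"], ar["from"], dkim_mode)
    return {"spf_aligned_pass": spf_ok, "dkim_aligned_pass": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


def spf_posture(domain, txt=DNS_TXT):
    """Audit the published SPF record set for the weaknesses noted in the case."""
    records = [r for r in txt.get(domain, []) if r.lower().split()[0] == "v=spf1"]
    findings = []
    if not records:
        return {"records": 0, "terminal": None, "findings": ["no SPF record published"]}
    if len(records) > 1:
        # RFC 7208 s.4.5: more than one v=spf1 record is a permerror. Lenient
        # evaluators pick one and continue, which is why SPF still passed here.
        findings.append("multiple SPF records (RFC 7208 permerror; outcome depends on receiver leniency)")
    terminal = records[0].split()[-1]
    if terminal == "~all":
        findings.append("softfail terminal (~all): unauthorized senders are tagged, not rejected")
    elif terminal != "-all":
        findings.append(f"terminal '{terminal}' does not reject unauthorized senders")
    return {"records": len(records), "terminal": terminal, "findings": findings}


if __name__ == "__main__":
    ar = parse_auth_results(AUTH_RESULTS)
    print(ar)
    print(dmarc_result(ar))
    for d in DNS_TXT:
        print(d, spf_posture(d))
```

Running it prints an SPF-aligned DMARC pass with `dkim_aligned_pass` false, and two findings for the bakery domain versus none for the hardened one. Swap the SPF verdict to `fail` in the constructed header and DMARC fails outright, which is the only way the DKIM failure would have mattered.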

A Body That Said Nothing on Purpose

The email body contained no attacker-authored content. Every visible element was a system-generated banner: the first-time sender notification placed by the receiving mail system, and the external email caution header added by the organization's security policy. No links were present except for Microsoft help references embedded in those banners, all pointing to aka.ms URLs confirmed clean.

This is a deliberate design choice. An empty body offers no text-based signals for pattern-matching content filters. There are no keywords, no urgency phrases, no malicious URLs, nothing to trigger a behavioral rule built on message content. The entire payload was externalized into the attachment.

The file name, "Salary Increment Update for Payroll.pdf," was chosen to maximize open rates. Phishing campaigns using payroll lures consistently outperform generic attachment names because recipients expect to receive legitimate HR communications in PDF format and associate the topic with personal financial benefit. A file that promises news about a pay raise is a file that gets opened.

What Was in the PDF

The attachment was 146,786 bytes, larger than a typical one-page document but not suspiciously so for a formatted PDF. Its MD5 hash (3f0095b55ca1bd458cbcd443e552007e) matched a file already recorded as malicious in threat intelligence sources. A hash match is the cheapest signal available and also the easiest to evade, since changing a single byte of the attachment produces a new hash; it is a fast path, not a safety net.

The specific malicious mechanism inside the PDF was not disclosed in the case data, which is consistent with how these cases are typically surfaced before full forensic analysis. Common techniques at this file size include embedded JavaScript that executes on open, a malicious object stream that exploits a PDF reader vulnerability, or an embedded executable that drops a secondary payload on click. Any of these would be invisible to a perimeter scanner that does not perform deep content inspection on attachments.
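The static triage a practitioner would run on an attachment like this, as an added example (not code from the original post or from IRONSCALES, and not an analysis of the actual file). Both sample PDFs are constructed inline and harmless; the known-bad list contains the MD5 from the write-up so the lookup path runs, but neither sample matches it. The scan resolves `#xx` hex escapes in PDF names before matching, because `/J#53` is a routine way of hiding `/JS` from naive string search.

```python
"""Static triage of a PDF attachment for active-content markers.

Added example, not code from the original post or from IRONSCALES. Both
sample PDFs are constructed inline and harmless; the hash list holds the
MD5 from the write-up so the lookup path runs, but neither sample matches it.
"""
import hashlib
import re

# PDF name objects that indicate active or embedded content. Presence is a
# triage signal, not proof of malice: legitimate forms use some of these too.
RISKY_NAMES = {
    "/OpenAction": "action runs automatically when the document opens",
    "/AA": "additional actions bound to page or form events",
    "/JavaScript": "JavaScript action",
    "/JS": "JavaScript code or stream",
    "/Launch": "launches an external program or file",
    "/EmbeddedFile": "embedded file (dropper pattern)",
    "/RichMedia": "rich media / Flash content",
    "/XFA": "XFA form, extra parser surface",
    "/URI": "external link",
}
AUTO_EXEC = {"/OpenAction", "/AA"}
ACTIVE = {"/JavaScript", "/JS", "/Launch", "/EmbeddedFile", "/RichMedia"}

KNOWN_BAD_MD5 = {"3f0095b55ca1bd458cbcd443e552007e"}  # from the write-up

# Constructed one-page PDF whose OpenAction runs JavaScript. The names use
# #xx hex escapes (/Java#53cript, /J#53), a common way to dodge naive string
# matching, so escape decoding has to happen before matching.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /Java#53cript /J#53 (app.alert('payroll')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed plain one-page PDF with no actions at all.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def decode_names(data):
    """Resolve #xx escapes so /J#53 is matched as /JS. Applied to the whole
    buffer for brevity; a real parser would decode name tokens only."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def count_markers(data):
    """Count each risky name; the lookahead keeps /JS from matching /JSON etc."""
    decoded = decode_names(data)
    found = {}
    for name in RISKY_NAMES:
        hits = re.findall(re.escape(name.encode()) + rb"(?![A-Za-z0-9])", decoded)
        if hits:
            found[name] = len(hits)
    return found


def triage_pdf(data, known_bad=KNOWN_BAD_MD5):
    """Hash lookup first, then structural markers; returns a small report."""
    md5 = hashlib.md5(data).hexdigest()
    is_pdf = data.startswith(b"%PDF")
    markers = count_markers(data) if is_pdf else {}
    if md5 in known_bad:
        verdict = "malicious (hash match)"
    elif not is_pdf:
        verdict = "not a PDF (inspect as its real type)"
    elif markers.keys() & AUTO_EXEC and markers.keys() & ACTIVE:
        verdict = "suspicious: active content wired to run on open"
    elif markers:
        verdict = "review: active-content markers present"
    else:
        verdict = "no active-content markers"
    return {"md5": md5, "size": len(data), "markers": markers, "verdict": verdict}


if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_PDF), ("benign", BENIGN_PDF)):
        print(label, triage_pdf(blob))
```

The constructed sample is reported as suspicious because an auto-execute marker (`/OpenAction`) and an active-content marker (`/JavaScript`, `/JS`) occur together; the benign sample has none. Compressed object streams (`/ObjStm`) and encrypted documents hide names from this kind of scan, which is exactly the gap a perimeter scanner without deep content inspection leaves open.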


Why Behavioral Detection Caught It

Themis, the IRONSCALES Adaptive AI engine, flagged this message before any user interaction occurred. The detection surface was entirely behavioral.

The signals were these: a first-time external sender from a domain with duplicate SPF records and a failed DKIM signature; an email body containing zero attacker-authored content; a high-interest HR subject line with no supporting text; and a PDF attachment whose name referenced a financial HR action. No single signal is conclusive. Together, they form a pattern that is statistically rare in legitimate email and common in social engineering campaigns.

Authentication-only security tools saw a clean delivery. SPF passed. DMARC passed. The relay was an authorized IP. There was no malicious URL to detonate. What remained was the behavioral fingerprint: a sender with no prior relationship, a body with no legitimate content, and an attachment designed to exploit employee trust in HR communications.
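One way to combine those signals, as an added example. This is not code from the original post, not IRONSCALES code, and not a description of how Themis works: the two raw messages, the banner patterns, the sender-history set and the signal weights are all constructed assumptions. It strips the receiver-generated banners before measuring what the sender actually wrote, reads the DKIM verdict from the Authentication-Results header, and scores the subject, the attachment name and the sender relationship together, so that no single signal reaches the quarantine threshold on its own.

```python
"""Behavioral triage of a message that already passed SPF and DMARC.

Added example, not code from the original post and not a description of how
Themis works. The two raw messages, the banner patterns, the sender history
and the signal weights are constructed assumptions for illustration.
"""
import email
import email.utils
import re
from email import policy

# Constructed copy of the case: authenticated sender, nothing under the two
# system banners, and a payroll-named PDF. Banner wording is assumed.
SUSPICIOUS_MESSAGE = b"""From: "Cecil Diane Calibara" <cecildiane.calibara@juliesbakeshop.com.ph>
Subject: 2026 Staff Pay Increment Procedure
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=juliesbakeshop.com.ph; dkim=fail header.d=juliesbakeshop.com.ph; dmarc=pass
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

You don't often get email from cecildiane.calibara@juliesbakeshop.com.ph. Learn why this is important
CAUTION: This email originated from outside of the organization.

--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="Salary Increment Update for Payroll.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed benign counterpart: known sender, real text, neutral filename.
BENIGN_MESSAGE = b"""From: HR Team <hr@partner.example>
Subject: Salary Increment Update for Payroll
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=partner.example; dkim=pass header.d=partner.example; dmarc=pass
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset=utf-8

Hi team, attached is the approved schedule we discussed on Tuesday's call.

--b2
Content-Type: application/pdf
Content-Disposition: attachment; filename="Q1 schedule.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""

KNOWN_SENDERS = {"hr@partner.example"}  # assumed sender-history store

# Receiver-generated banner lines; whatever survives stripping is authored.
BANNER_PATTERNS = [r"^You don't often get email from .*$",
                   r"^CAUTION: This email originated from outside.*$"]
LURE_TERMS = ("salary", "payroll", "increment", "pay rise", "bonus", "wage")

# Assumed weights and thresholds; no single signal reaches quarantine alone.
WEIGHTS = {"first_time_sender": 2, "dkim_fail": 1, "hr_finance_subject": 2,
           "empty_body": 3, "lure_named_pdf": 3}
QUARANTINE_AT, REVIEW_AT = 7, 4


def authored_text(msg):
    """Plain-text body with system banners removed."""
    chunks = [p.get_content() for p in msg.walk()
              if p.get_content_type() == "text/plain" and not p.is_attachment()]
    text = "\n".join(chunks)
    for pat in BANNER_PATTERNS:
        text = re.sub(pat, "", text, flags=re.M | re.I)
    return re.sub(r"\s+", " ", text).strip()


def auth_verdicts(msg):
    """spf/dkim/dmarc results as written by the receiving MTA."""
    ar = str(msg.get("Authentication-Results", ""))
    out = {}
    for key in ("spf", "dkim", "dmarc"):
        m = re.search(key + r"=(\w+)", ar)
        out[key] = m.group(1).lower() if m else None
    return out


def score_message(raw, known_senders=KNOWN_SENDERS):
    """Combine the behavioral signals into a score and a routing decision."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = email.utils.parseaddr(str(msg["From"]))[1].lower()
    subject = str(msg["Subject"] or "").lower()
    text = authored_text(msg)
    auth = auth_verdicts(msg)
    names = [(p.get_filename() or "").lower() for p in msg.walk() if p.is_attachment()]

    signals = {}
    if sender not in known_senders:
        signals["first_time_sender"] = WEIGHTS["first_time_sender"]
    if auth["dkim"] == "fail":
        signals["dkim_fail"] = WEIGHTS["dkim_fail"]
    if any(t in subject for t in LURE_TERMS):
        signals["hr_finance_subject"] = WEIGHTS["hr_finance_subject"]
    if len(text) < 20:  # assumed: under 20 characters means no real message
        signals["empty_body"] = WEIGHTS["empty_body"]
    if any(n.endswith(".pdf") and any(t in n for t in LURE_TERMS) for n in names):
        signals["lure_named_pdf"] = WEIGHTS["lure_named_pdf"]

    score = sum(signals.values())
    verdict = ("quarantine" if score >= QUARANTINE_AT
               else "review" if score >= REVIEW_AT else "deliver")
    return {"sender": sender, "authored_text": text, "attachments": names,
            "signals": signals, "score": score, "verdict": verdict}


if __name__ == "__main__":
    for raw in (SUSPICIOUS_MESSAGE, BENIGN_MESSAGE):
        print(score_message(raw))
```

The case message scores on all five signals and is quarantined; the benign one, from a known sender with a real body, scores only on its HR-themed subject and is delivered. Move the benign attachment to a payroll-style filename and it lands in review rather than quarantine, which is the behaviour you want from a lure keyword on its own.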

The most important thing a security team can know about this attack pattern is that the authentication layer is working exactly as designed. SPF and DMARC tell you whether a server is authorized to send for a domain. They do not tell you whether the account using that server has been compromised, whether the domain owner is aware of the outbound message, or whether the attachment contains a threat. Those questions require a different class of analysis.

Indicators of Compromise

Type                  | Indicator                                     | Context
----------------------|-----------------------------------------------|----------------------------------------------------------------
Sender Address        | cecildiane.calibara@juliesbakeshop[.]com[.]ph | Sending account on compromised or misconfigured infrastructure
Sender Domain         | juliesbakeshop[.]com[.]ph                     | Legitimate commercial domain; duplicate SPF records; SPF ~all
Sending IP            | 162[.]215[.]222[.]177                         | Authorized IP per SPF; PTR matches domain
PTR Record            | 7003188.juliesbakeshop[.]com[.]ph             | Resolves to sending IP
Attachment Name       | Salary Increment Update for Payroll.pdf       | Payroll lure filename
Attachment Hash (MD5) | 3f0095b55ca1bd458cbcd443e552007e              | Flagged malicious by threat intelligence
Attachment Size       | 146,786 bytes                                 | Consistent with embedded payload PDF

MITRE ATT&CK Mapping

Technique                          | ID        | Relevance
-----------------------------------|-----------|--------------------------------------------------------------------
Phishing: Spearphishing Attachment | T1566.001 | Malicious PDF delivered as email attachment using HR lure
Masquerading                       | T1036     | Attachment named to mimic legitimate payroll document
Valid Accounts                     | T1078     | Likely compromised sending account used for authenticated delivery

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
