
Sandbox-Confirmed Malicious PDF Delivered via Compromised Logistics Domain With Passing Authentication

Written by Audian Paxson | Jun 19, 2025 11:00:00 AM
TL;DR A malicious PDF (Proposal_02_10_2026.pdf, MD5 4c69e9983c51ce8a72ada477993016ec) was delivered via a compromised logistics-company mail domain with SPF pass, DMARC pass, and compauth pass. The email body was a one-liner 'Please see attached' with a corporate signature. Gateway content filters passed the file. Sandbox detonation returned a malicious verdict and multiple recipient mailboxes were quarantined.
Severity: High | Tags: Malware Delivery, Compromised Sender | MITRE: T1566 (Phishing), T1566.001 (Spearphishing Attachment)

An email with a one-line body and a PDF attachment called Proposal_02_10_2026.pdf landed in multiple mailboxes with clean authentication results across SPF, DMARC, and composite authentication (compauth). The email looked like routine business outreach. The gateway content filter passed it. A sandbox detonation run post-delivery returned a malicious verdict and triggered quarantine across all affected mailboxes. The sender was a compromised mail account at a legitimate logistics company, not an attacker-registered lookalike domain.

What the Attack Looked Like

The message originated from infrastructure associated with a compromised logistics-company mail domain. The sending IP (18[.]219[.]19[.]207, PTR: st2[.]dynedge[.]com, geolocation: Columbus, US) was authorized by the sending domain's SPF record and consistent with the domain's DNS nameserver setup. Authentication results: SPF pass, DMARC pass, compauth pass. The domain was first registered in 2002, giving it over two decades of reputation history.

The email body was minimal: a polite "Please see attached" with a standard corporate signature. No urgency, no unusual requests, no overt social-engineering pressure. The sender was a first-time contact to the recipient organization, which alone is a risk signal many gateways do not weight heavily enough when authentication is clean.

The attachment, Proposal_02_10_2026.pdf (MD5: 4c69e9983c51ce8a72ada477993016ec), was 120,451 bytes. The filename is intentionally vague, designed to be plausible for an unsolicited business pitch. No links in the message body were flagged as suspicious.

Why It Bypassed Defenses

The attack exploited the trust that gateway tools extend to long-established, fully authenticated domains. SPF and DMARC verify that a message came from infrastructure the domain owner authorized and that the From domain aligns with that authorization; they say nothing about whether the legitimate account holder actually wrote the message. When SPF, DMARC, and compauth all pass, many gateways reduce or bypass additional scrutiny of attachment content. A domain registered in 2002 with stable DNS does not look like an attacker-registered throwaway, because it isn't. It is a compromised legitimate account, which produces exactly the same authentication results as genuine mail and is a fundamentally harder detection problem.

Gateway content filters that rely on static signatures or lightweight scanning may not catch a malicious PDF that uses obfuscated or novel payload delivery mechanisms. Signature-based detection works against known malware families. A newly generated or obfuscated PDF payload with no prior signature coverage will pass those checks. The file's malicious verdict came only from dynamic detonation, which opens the file in an instrumented environment and observes its behavior.
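
To make the static-versus-dynamic gap concrete, here is an added example (not the article's attachment and not IRONSCALES code) of two spelling tricks that defeat a literal keyword filter while leaving the PDF perfectly valid: hex escapes inside name objects (/Open#41ction is the same name as /OpenAction under the PDF specification) and dictionaries tucked inside a FlateDecode object stream. Both sample PDFs are constructed in the code, and the keyword list is an assumed triage set rather than any vendor's signature database.

```python
import re
import zlib

# PDF name objects that warrant closer inspection when they appear in an
# attachment: open-time actions, script hooks, launch, embedded files.
# This is an assumed triage set for the example, not a signature database.
SUSPICIOUS_NAMES = (
    b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
    b"/Launch", b"/EmbeddedFile", b"/RichMedia", b"/XFA",
)

# PDF name syntax: '/' followed by regular characters, where any byte may be
# written as a #xx hex escape (PDF 32000-1:2008, 7.3.5). /J#61vaScript == /JavaScript.
_NAME_RE = re.compile(rb"/((?:[^\s/\[\]<>(){}%#]|#[0-9A-Fa-f]{2})+)")
_HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
_DELIM = rb"(?![^\s/\[\]<>(){}%])"  # name must end at a delimiter (/JS, not /JSX)


def unescape_names(data: bytes) -> bytes:
    """Resolve #xx escapes inside every PDF name so spelling tricks cannot hide keywords."""
    def fix(m):
        return b"/" + _HEX_RE.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(1))
    return _NAME_RE.sub(fix, data)


def _views(data: bytes):
    """Yield the raw bytes, then the inflated body of every FlateDecode stream."""
    yield data
    for m in _STREAM_RE.finditer(data):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            pass  # uncompressed, damaged, or another filter; raw bytes were already scanned


def naive_scan(data: bytes) -> set:
    """What a literal keyword filter sees: exact names in the raw bytes only."""
    return {n for n in SUSPICIOUS_NAMES if re.search(re.escape(n) + _DELIM, data)}


def triage_scan(data: bytes) -> set:
    """Same keywords, but after name normalisation and inside inflated streams."""
    found = set()
    for view in _views(data):
        norm = unescape_names(view)
        found.update(n for n in SUSPICIOUS_NAMES if re.search(re.escape(n) + _DELIM, norm))
    return found


def constructed_pdf(hide_action: bool) -> bytes:
    """Constructed minimal PDFs for this example; neither is the article's attachment."""
    head = b"%PDF-1.5\n2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    tail = b"trailer << /Root 1 0 R >>\n%%EOF\n"
    if not hide_action:
        return head + b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n" + tail
    # /OpenAction written with a hex escape, pointing at object 4, which lives
    # inside a FlateDecode object stream (PDF 1.5 /ObjStm) instead of clear text.
    catalog = b"1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >> endobj\n"
    inner = b"4 0 << /S /JavaScript /JS (app.alert(1)) >>"  # "4 0 " header => /First 4
    packed = zlib.compress(inner)
    objstm = (b"3 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length %d >>\n"
              % len(packed) + b"stream\n" + packed + b"\nendstream\nendobj\n")
    return head + catalog + objstm + tail


if __name__ == "__main__":
    for label, pdf in (("benign", constructed_pdf(False)), ("obfuscated", constructed_pdf(True))):
        print(f"{label:10s} naive={sorted(naive_scan(pdf))} triage={sorted(triage_scan(pdf))}")
```

Run stand-alone, the obfuscated sample produces an empty naive result and a triage hit on /OpenAction, /JavaScript and /JS. Even the normalizing scan is still static: it will not see names behind other filters (ASCIIHex, LZW, encryption) or JavaScript that only assembles its payload at runtime, which is why the definitive verdict in this case came from detonation rather than from any keyword match.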

The minimal body text removed any text-based signals. There was no financial request, no link to a credential-harvesting page, no urgency language. The entire payload risk resided in the attachment. Without sandbox detonation, this email offered no surface for conventional phishing content-filter heuristics to act on.

How It Was Caught

The IRONSCALES platform submitted the attachment to a sandbox detonation environment. The PDF returned a malicious verdict. Multiple recipient mailboxes were quarantined in response. The first-time-sender flag and high sender risk score were supporting signals, but the definitive trigger was the sandbox outcome on the attachment itself.

This is a post-delivery detection: the email had already reached inboxes before the malicious verdict was confirmed. Multi-mailbox quarantine removed the file from all affected accounts. Security teams should treat the window between delivery and quarantine as a potential exposure window and conduct endpoint checks on recipients who received the message, particularly any who may have opened it before the quarantine action completed.

Defender Takeaway

Authenticated senders from long-established domains can be compromised. Treat first-time senders with unsolicited attachments as elevated risk regardless of authentication posture.

Gateway detonation for PDF files is not universal, and coverage varies by product and configuration. Ensure your environment is running sandbox detonation on PDF attachments from first-time senders, even when authentication checks pass. The goal of social engineering attacks delivered via compromised accounts is to inherit the sending domain's trust reputation. Your detection layer must not extend that trust to the attachment payload without independent verification.

Post-quarantine endpoint checks are not optional. Multi-mailbox quarantine tells you the files were removed from mailboxes, not whether any were opened or saved locally beforehand. Search EDR telemetry for both the attachment hash and the filename before closing the incident: the hash finds copies a user saved under another name, and the filename finds copies for which the sensor recorded no hash.
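
An added example of the post-quarantine scoping described here and under How It Was Caught (this is not IRONSCALES code, and the telemetry is constructed): it walks exported EDR events, pivots from hash hits to the on-disk path so a renamed copy is still followed, and reports which hosts opened the file before the quarantine completed. The event field names and the quarantine timestamp are assumptions; only the hash and filename come from the article.

```python
import json
from datetime import datetime, timezone

# Indicators from the article's IoC table.
IOC_MD5 = "4c69e9983c51ce8a72ada477993016ec"
IOC_FILENAME = "Proposal_02_10_2026.pdf"

# Constructed EDR telemetry for this example, one JSON event per line. The field
# names (ts, host, user, event, path, md5, image, cmdline) are an assumption; map
# them onto your EDR's export schema. The quarantine time is likewise assumed.
SAMPLE_EVENTS = r"""
{"ts":"2025-06-19T14:02:11Z","host":"WS-0417","user":"j.doe","event":"FileCreated","path":"C:\\Users\\j.doe\\Downloads\\Proposal_02_10_2026.pdf","md5":"4c69e9983c51ce8a72ada477993016ec"}
{"ts":"2025-06-19T14:03:40Z","host":"WS-0417","user":"j.doe","event":"ProcessCreated","image":"AcroRd32.exe","cmdline":"AcroRd32.exe C:\\Users\\j.doe\\Downloads\\Proposal_02_10_2026.pdf"}
{"ts":"2025-06-19T14:20:05Z","host":"WS-0223","user":"a.smith","event":"FileCreated","path":"C:\\Users\\a.smith\\Downloads\\quote.pdf","md5":"4C69E9983C51CE8A72ADA477993016EC"}
{"ts":"2025-06-19T15:10:30Z","host":"WS-0991","user":"m.lee","event":"FileCreated","path":"C:\\Users\\m.lee\\Desktop\\notes.pdf","md5":"d41d8cd98f00b204e9800998ecf8427e"}
{"ts":"2025-06-19T16:05:00Z","host":"WS-0223","user":"a.smith","event":"ProcessCreated","image":"AcroRd32.exe","cmdline":"AcroRd32.exe C:\\Users\\a.smith\\Downloads\\quote.pdf"}
"""
QUARANTINE_COMPLETED = "2025-06-19T14:45:00Z"


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scope_exposure(jsonl: str, quarantine_completed: str,
                   md5: str = IOC_MD5, filename: str = IOC_FILENAME) -> dict:
    """Return, per affected host, when the file arrived, where it sits on disk,
    and whether a reader opened it before the mailbox quarantine completed."""
    cutoff = _ts(quarantine_completed)
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    hosts = {}

    # Pass 1: file writes. The hash catches copies saved under another name; the
    # filename catches copies for which the sensor recorded no hash.
    for ev in events:
        if ev["event"] != "FileCreated":
            continue
        path = ev.get("path", "")
        if ev.get("md5", "").lower() != md5.lower() and _basename(path) != filename.lower():
            continue
        rec = hosts.setdefault(ev["host"], {"user": ev["user"], "first_seen": ev["ts"],
                                            "paths": set(), "opened_at": None,
                                            "opened_before_quarantine": False})
        if _ts(ev["ts"]) < _ts(rec["first_seen"]):
            rec["first_seen"] = ev["ts"]
        rec["paths"].add(path.lower())

    # Pass 2: process launches. Pivot from the paths learned above so a renamed
    # copy still counts as opened, not only launches naming the original file.
    for ev in events:
        rec = hosts.get(ev["host"])
        if ev["event"] != "ProcessCreated" or rec is None:
            continue
        cmd = ev.get("cmdline", "").lower()
        if filename.lower() not in cmd and not any(p in cmd for p in rec["paths"]):
            continue
        if rec["opened_at"] is None or _ts(ev["ts"]) < _ts(rec["opened_at"]):
            rec["opened_at"] = ev["ts"]
        if _ts(ev["ts"]) <= cutoff:
            rec["opened_before_quarantine"] = True

    for rec in hosts.values():
        rec["paths"] = sorted(rec["paths"])
    return hosts


if __name__ == "__main__":
    for host, rec in scope_exposure(SAMPLE_EVENTS, QUARANTINE_COMPLETED).items():
        print(host, rec)
```

On the constructed data, WS-0417 opened the original before the quarantine completed and needs a full endpoint check; WS-0223 saved the same hash as quote.pdf and opened it afterwards, which a filename-only search would have missed entirely; WS-0991 holds an unrelated PDF and drops out. Treat any host with opened_before_quarantine set as inside the exposure window rather than closed by the mailbox action.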

Indicators of Compromise

| Type | Indicator | Notes |
|---|---|---|
| Attachment filename | Proposal_02_10_2026.pdf | Malicious PDF; vague lure filename |
| Attachment hash (MD5) | 4c69e9983c51ce8a72ada477993016ec | Sandbox-confirmed malicious verdict |
| Sending IP | 18[.]219[.]19[.]207 | PTR: st2[.]dynedge[.]com; Columbus, US; SPF-authorized for sending domain |
| Authentication | SPF=pass, DMARC=pass, compauth=pass | Sending domain long-established; account likely compromised |
| Sender profile | First-time sender to recipient org | Elevated risk signal regardless of authentication |
| MITRE | T1566.001 | Spearphishing Attachment |
| MITRE | T1566 | Phishing |

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.

Related attacks

| Attack | What happened |
|---|---|
| The Spreadsheet That Arrived Twice: CR/LF Filename Obfuscation and a Base64 Shadow Payload | A clinical data report arrived as a .xlsx with CR/LF control characters in the filename and a companion .b64 base64 payload. |
| The PDF That Passed Every Scan Without Being Read | A PDF attachment with CR/LF control characters injected into its filename caused automated file analyzers to return a clean verdict on a zero-byte... |
| Sign Here, Get Phished: Inside an Adobe Sign Lure With a Multi-Hop Redirect to Credential Theft | An Adobe Sign e-signature lure routed recipients through a multi-hop redirect chain ending at fameklinik[.]com. |
| When SPF, DKIM, and DMARC All Pass. And the Email Is Still Phishing | A fully authenticated phishing email (SPF pass, DKIM pass, DMARC pass) used a legitimate nonprofit platform to deliver credential-harvesting links with... |
| The Azure Alert That Billed You $459: When Microsoft's Own Infrastructure Delivers the Phish | A phishing campaign used Azure's own notification system to send fraudulent billing alerts from Microsoft's authenticated infrastructure. |