"Please see attached." Four words, a corporate signature block, and a PDF named to look like a routine business proposal. That was the entire email. No context about what the proposal covered, no reference to a prior conversation, no mention of a project or deadline. Just a directive to open the attachment, dressed in the authentication credentials of a real California industrial services company.
The email arrived from l.puentes@tdi-ca[.]com, a domain registered since 2013 with MX records pointing to Microsoft 365 protection hosts. SPF passed for the sending IP, DKIM validated against ThermalDynamicsInc589.onmicrosoft[.]com, and ARC results confirmed the authentication chain was preserved across relay hops. The message genuinely transited through the domain's authorized Microsoft infrastructure.
The one authentication gap: DMARC was published as p=none. That policy tells receivers to take no action on messages that fail DMARC, so the domain owner was collecting reports but enforcing nothing. Enforcement alone would not have stopped this particular message, which passed authentication because it left the domain's own Microsoft 365 tenant, but p=none is the posture of a vendor whose domain would also offer no resistance to an outside spoofer, and it is a signal worth weighing.
The email carried two files: the PDF, "Thermal - Proposal 02.05.26.pdf", and the PNG logo from the signature block, which scanned clean.
The PDF filename followed a social engineering lure pattern: company name, document type, and a recent date. For a recipient who works with vendors regularly, a "Proposal" PDF from a known-looking industrial services company is an expected communication. The date stamp adds urgency, suggesting a time-sensitive document that needs review.
Automated triage flagged the PDF with a malicious verdict (MD5 d192c6f809d2e3eab44ad97259a411c5). The sandbox environment could not complete full parsing of the file contents, but the classification from ingestion metadata was definitive. A malicious PDF, a four-word context-free body, and a first-time sender from a domain with no DMARC enforcement together paint a clear picture.
The From header showed a name and email address, and the body carried a professional signature block: a street address in Porterville, California (1221 North Main Street, Suite #1), a company phone number, and a logo. The physical address and phone number aligned with publicly verifiable business listings. The signature looked real.
But the sender's name could not be matched to any public employee listing for the company. And the signature contained at least one misspelling ("remanucaturing"), a subtle indicator that the signature block may have been copied imperfectly from legitimate company materials.
This is what vendor account compromise looks like from the recipient's perspective. The domain is real. The infrastructure is legitimate. The authentication passes. The only signals are behavioral: first-time sender, context-free body, unverifiable identity, and a minor typo in the signature.
When SPF and DKIM pass, traditional gateways often stop evaluating. The Adaptive AI on the IRONSCALES platform continues the analysis: first-time sender, DMARC p=none, context-free body pattern, and an attachment that triggers malicious classification form a combined risk signal that overrides individual authentication passes. Community intelligence identifies when the same PDF hash or sender domain appears across multiple organizations, catching vendor account compromise campaigns before they scale. Research shows that 67.5 phishing emails per 100 mailboxes per month bypass traditional secure email gateways.
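The combined-signal evaluation described above, and the authentication parsing behind it, as an added example that is not IRONSCALES code. It parses a Microsoft-style Authentication-Results header, reads the DMARC policy tag from a TXT record, and layers behavioural signals (first-time sender, context-free body, known-bad attachment hash) on top of SPF/DKIM results so that the passes never veto the verdict. The sample message, the PDF bytes, the DMARC record, the signal weights and the quarantine threshold are all constructed for illustration; in production the TXT record comes from a DNS lookup of `_dmarc.<domain>` and the hash list from your IOC feed.

```python
"""Combined-signal triage for an authenticated vendor email (added example)."""
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed stand-in for the lure; the real PDF's bytes are not reproduced.
SAMPLE_PDF = b"%PDF-1.4\n% constructed placeholder, not the real lure\n%%EOF\n"
# Constructed DMARC TXT record matching the p=none posture described above.
DMARC_TXT = "v=DMARC1; p=none; rua=mailto:dmarc@tdi-ca.com"
CONTEXT_FREE_MAX_WORDS = 6   # assumed threshold for a context-free body
QUARANTINE_THRESHOLD = 5     # assumed score at which the message is held


def build_sample() -> bytes:
    """Construct a message shaped like the one above: four-word body, PDF
    attachment, Microsoft-style Authentication-Results with SPF/DKIM pass.
    The sender IP and header wording are illustrative."""
    msg = EmailMessage()
    msg["From"] = "L. Puentes <l.puentes@tdi-ca.com>"
    msg["To"] = "ap@example.org"
    msg["Subject"] = "Thermal - Proposal"
    msg["Authentication-Results"] = (
        "spf=pass (sender IP is 198.51.100.10) smtp.mailfrom=tdi-ca.com; "
        "dkim=pass (signature was verified) "
        "header.d=ThermalDynamicsInc589.onmicrosoft.com; "
        "dmarc=pass action=none header.from=tdi-ca.com"
    )
    msg.set_content("Please see attached.")
    msg.add_attachment(SAMPLE_PDF, maintype="application", subtype="pdf",
                       filename="Thermal - Proposal 02.05.26.pdf")
    return msg.as_bytes()


def md5_hex(data: bytes) -> str:
    """MD5 as used in the indicator table (for IOC matching, not integrity)."""
    return hashlib.md5(data).hexdigest()


def parse_dmarc_record(txt: str) -> dict:
    """Split 'v=DMARC1; p=none; ...' into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def parse_auth_results(header: str) -> dict:
    """Pull method=result pairs and the DKIM signing domain from the header."""
    flat = re.sub(r"\s+", " ", header or "")          # undo any folding
    results = dict(re.findall(r"\b(spf|dkim|dmarc|arc)=(\w+)", flat))
    m = re.search(r"header\.d=([\w.-]+)", flat)
    results["dkim_domain"] = m.group(1).lower() if m else None
    return results


def triage(raw: bytes, dmarc_txt: str, known_bad_md5: set, prior_senders: set) -> dict:
    """Score the message; authentication passes never veto behavioural signals."""
    msg = message_from_bytes(raw, policy=policy.default)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    sender = msg["From"].addresses[0].addr_spec.lower()
    signals = {}

    if sender not in prior_senders:
        signals["first_time_sender"] = 2
    # A missing p= tag is treated like p=none: nothing is enforced either way.
    dmarc_policy = parse_dmarc_record(dmarc_txt).get("p", "none").lower()
    if dmarc_policy == "none":
        signals["dmarc_not_enforced"] = 1

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part else ""
    if len(body.split()) <= CONTEXT_FREE_MAX_WORDS and "http" not in body.lower():
        signals["context_free_body"] = 2

    attachments = []
    for part in msg.iter_attachments():
        digest = md5_hex(part.get_payload(decode=True))
        attachments.append((part.get_filename(), digest))
        if digest in known_bad_md5:
            signals["known_bad_attachment"] = 5

    score = sum(signals.values())
    return {
        "sender": sender, "auth": auth, "dmarc_policy": dmarc_policy,
        "attachments": attachments, "signals": signals, "score": score,
        "verdict": "quarantine" if score >= QUARANTINE_THRESHOLD else "deliver",
    }


if __name__ == "__main__":
    # Blocklist: the MD5 from the indicator table plus the constructed
    # stand-in's hash, so the attachment check also fires on the sample.
    blocklist = {"d192c6f809d2e3eab44ad97259a411c5", md5_hex(SAMPLE_PDF)}
    for key, value in triage(build_sample(), DMARC_TXT, blocklist, set()).items():
        print(f"{key}: {value}")
```

The SPF and DKIM results are recorded but carry no weight of their own; the verdict comes entirely from the behavioural signals, which is the point the passage makes. Running the same message again with the sender already in `prior_senders`, a p=reject record and an empty blocklist leaves only the short-body signal and the message is delivered, so no single weak signal quarantines on its own.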
Vendors should move DMARC to p=quarantine or p=reject. Track vendor DMARC posture as part of supply chain risk management. The PDF hash d192c6f809d2e3eab44ad97259a411c5 should be blocked across all endpoints.

| Indicator | Type | Context |
|---|---|---|
| l.puentes@tdi-ca[.]com | Email address | Sender, unverified identity |
| tdi-ca[.]com | Domain | Sending domain, DMARC p=none |
| ThermalDynamicsInc589.onmicrosoft[.]com | Domain | DKIM signing domain |
| thermaldynamics[.]co | Domain | Linked in signature |
| d192c6f809d2e3eab44ad97259a411c5 | Hash (MD5) | Malicious PDF |
| Thermal - Proposal 02.05.26.pdf | Filename | Malicious attachment |
| d786b884668e622451e84e7a65120869 | Hash (MD5) | Logo PNG (clean) |