The subject line read "Void Rebill." The sender was voidrebill[@]Mclarens[.]com, a purpose-built address whose display name, "McLarens Void Rebill," described exactly what the email claimed to do: cancel a previous invoice and replace it with a corrected one. Two PDF attachments were included. One was marked VOID. The other carried a revised invoice number with explicit wire transfer instructions.
SPF passed. DKIM passed for mclarens.com. DMARC passed with a policy of p=reject, the strictest available DMARC configuration. The message traversed Proofpoint's cloud email gateway (mx08-00591501.pphosted.com, IP 185[.]183[.]31[.]187) and Microsoft's front-end protection before landing in the recipient's mailbox at an insurance and claims adjusting organization. Every authentication check said this email came from McLarens' authorized infrastructure.
This was a first-time sender. The recipient had no prior correspondence with this address.
Fillable Invoices as Fraud Instruments
Both attached PDFs were generated by Adobe LiveCycle Designer 11.0 and used AcroForm/XFA form structures. The VOID file (VOID 025.022180.0.1 90301889 SAC100.pdf) presented a canceled invoice. The active file (025.022180.0.1 90318841 SAC100.pdf) contained the replacement invoice with complete payment instructions: routing number, account number, wire transfer details referencing a specific bank, and remit-to email addresses including ARRemittance[@]mclarens[.]com.
Neither PDF contained JavaScript, URI actions, OpenAction triggers, or embedded submit endpoints. Both scanned clean for malware. The files were not weaponized in the traditional sense. The payload was the payment instructions themselves.
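The static checks described above (no JavaScript, URI actions, OpenAction triggers or submit endpoints, but AcroForm/XFA form structures present) can be reproduced with a small triage script. The following is an added example, not tooling from the original analysis; the marker list and the two sample PDFs are constructed for illustration and are not the attachments from the incident. It inflates FlateDecode streams so that names hidden inside compressed objects are scanned as well, which a plain string search over the raw file would miss.

```python
import re
import zlib

# PDF name tokens that commonly indicate active content (assumed list for this example).
ACTIVE_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/URI",
                  b"/Launch", b"/SubmitForm", b"/EmbeddedFile")
# Form-structure markers: not malicious on their own, but they tell the analyst
# that the payload may be the form content (payment instructions) rather than code.
FORM_MARKERS = (b"/AcroForm", b"/XFA")


def _inflate_streams(data):
    """Yield the decoded bytes of every FlateDecode stream in the file.

    Streams that are not zlib-compressed (or are corrupt) are skipped.
    """
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue


def triage_pdf(data):
    """Count each marker over the raw bytes plus all inflated streams."""
    corpus = [data] + list(_inflate_streams(data))
    counts = {}
    for name in ACTIVE_MARKERS + FORM_MARKERS:
        # Negative lookahead keeps /JS from matching longer names such as /JSX.
        pattern = re.escape(name) + rb"(?![A-Za-z])"
        counts[name.decode()] = sum(len(re.findall(pattern, blob)) for blob in corpus)
    return counts


def classify(counts):
    """'active-content' beats 'form-only', which beats 'static'."""
    active_names = {n.decode() for n in ACTIVE_MARKERS}
    form_names = {n.decode() for n in FORM_MARKERS}
    if any(v for k, v in counts.items() if k in active_names):
        return "active-content"
    if any(v for k, v in counts.items() if k in form_names):
        return "form-only"
    return "static"


# Constructed sample 1: a minimal fillable form (AcroForm + XFA) with no active
# content, the same shape as the invoices described above. Not a real invoice.
FORM_ONLY_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [] /XFA 4 0 R >> >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"4 0 obj << /Length 24 >> stream\n<xdp:xdp>wire</xdp:xdp>\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample 2: an OpenAction pointing at a JavaScript action whose
# dictionary is hidden inside a compressed stream.
_HIDDEN = zlib.compress(b"<< /Type /Action /S /JavaScript /JS (app.alert(1)) >>")
ACTIVE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /OpenAction 5 0 R >> endobj\n"
    b"5 0 obj << /Length " + str(len(_HIDDEN)).encode() + b" /Filter /FlateDecode >> stream\n"
    + _HIDDEN + b"\nendstream endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for label, pdf in (("form-only sample", FORM_ONLY_PDF), ("active sample", ACTIVE_PDF)):
        c = triage_pdf(pdf)
        print(label, classify(c), {k: v for k, v in c.items() if v})
```

A "form-only" result is the outcome the analysis above reached: nothing for a sandbox to detonate, so the next question is what the form fields contain, not whether the file executes anything.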
This is the defining characteristic of invoice-redirection fraud. The attacker does not need to deliver malware or harvest credentials. They need the victim to process a wire transfer to an account the attacker controls. The voided invoice creates plausible cover: "We sent the wrong amount last time, here is the corrected version." Finance teams that process the revised invoice without out-of-band verification send money to the wrong account.
The void-and-rebill pattern is particularly effective because it mirrors a real business workflow. Invoice corrections happen. Vendors do send revised billing. The social-engineering leverage comes from the assumption that a correction from a known brand, especially one that passes authentication and arrives through a reputable gateway, does not require the same verification as a new vendor request.
McLarens is a global claims management and adjusting firm. An email from McLarens to an insurance organization is a contextually appropriate communication. The attacker either chose the impersonation deliberately based on the target's industry, or compromised a legitimate McLarens account to send the message. The DMARC p=reject posture means that spoofed messages would normally be rejected, which raises the likelihood that the sending account itself was compromised rather than the domain being spoofed.
This attack maps to MITRE ATT&CK T1566.001 (Phishing: Spearphishing Attachment) for the PDF-based delivery, and T1534 (Internal Spearphishing) for the use of a potentially compromised legitimate account to establish trust.
What Behavioral Analysis Sees That Authentication Cannot
Authentication answered one question correctly: this email was sent through infrastructure authorized by mclarens.com. It could not answer whether the person sending it was authorized to request a payment change, whether the wire details in the PDF were legitimate, or whether the void-and-rebill narrative was genuine.
Themis, our Adaptive AI, flagged the message based on behavioral indicators that sit outside the authentication layer. A first-time sender requesting a payment change is a high-risk combination regardless of authentication status. The presence of wire transfer details in fillable PDF form fields, paired with a display name that literally describes the invoice-redirection workflow ("Void Rebill"), elevated the composite risk score.
Community intelligence across the platform identified similar patterns from McLarens-branded senders targeting insurance-adjacent organizations during this period. The cross-tenant signal helped distinguish this from a legitimate McLarens billing communication.
Research shows that 67.5 phishing emails per 100 mailboxes per month bypass traditional secure email gateways. Invoice fraud with fully authenticated delivery and clean attachments is among the hardest categories for content-based filters to catch because every technical signal points to legitimacy.
Protecting Against Authenticated Invoice Fraud
When the attacker has access to a legitimate sending account, the traditional defense model collapses. Authentication cannot protect you when the authenticated sender is the threat. Finance teams and accounts payable workflows need process-level controls:
- Require out-of-band verification for all wire instruction changes. Call the vendor at a known phone number. Do not use contact information from the email itself.
- Flag first-time sender payment requests. Any invoice from an address that has not previously corresponded with the organization should trigger additional verification, regardless of brand familiarity.
- Treat void-and-rebill language as a signal. Subject lines and body text that ask recipients to disregard previous invoices should be escalated for manual review.
- Separate invoice receipt from payment processing. The person who receives an invoice should not be the same person who approves the wire transfer without an independent verification step.
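The behavioral indicators listed under "What Behavioral Analysis Sees That Authentication Cannot" and the first two process controls above (flag first-time sender payment requests, treat void-and-rebill language as a signal) can be expressed as a scoring rule that runs after authentication has already passed. The following is an added example written for this article, not the Themis model or any vendor code; the weights, term lists, sample message and attachment summaries are assumptions constructed for illustration, and the domains are example.com placeholders rather than the indicators from the incident.

```python
import re
from email import message_from_bytes
from email.utils import parseaddr

# Assumed phrase lists; a production rule set would be broader and tuned per tenant.
PAYMENT_CHANGE_TERMS = ("void", "rebill", "revised invoice", "corrected invoice",
                        "disregard", "updated banking", "new bank")
WIRE_FIELD_TERMS = ("routing", "aba", "account number", "swift", "iban", "wire", "remit")


def parse_auth_results(msg):
    """Return {'spf': 'pass', 'dkim': ..., 'dmarc': ...} from Authentication-Results."""
    header = msg.get("Authentication-Results", "")
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def extract_features(raw, attachments, known_senders):
    """Pull the behavioral signals out of a raw RFC 5322 message.

    `attachments` is a pre-extracted list of dicts {name, is_form, field_text}
    (assumed to come from a PDF form parser that is out of scope here).
    `known_senders` is the set of addresses this mailbox has corresponded with.
    """
    msg = message_from_bytes(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    body = msg.get_payload(decode=True) or b""  # None for multipart; keep it simple here
    text = " ".join([display_name, msg.get("Subject", ""), body.decode("utf-8", "replace")]).lower()
    return {
        "auth": parse_auth_results(msg),
        "address": address,
        "first_time_sender": address not in {s.lower() for s in known_senders},
        "payment_change_language": [t for t in PAYMENT_CHANGE_TERMS if t in text],
        "display_name_describes_workflow": any(t in display_name.lower() for t in PAYMENT_CHANGE_TERMS),
        "form_pdf_with_wire_fields": any(
            a["is_form"] and any(t in " ".join(a["field_text"]).lower() for t in WIRE_FIELD_TERMS)
            for a in attachments),
    }


def score(f):
    """Weighted sum of behavioral signals. Weights are assumptions for this example."""
    points, reasons = 0, []
    if f["first_time_sender"] and (f["payment_change_language"] or f["form_pdf_with_wire_fields"]):
        points += 40; reasons.append("first-time sender requesting a payment change")
    if f["display_name_describes_workflow"]:
        points += 20; reasons.append("display name describes the redirection workflow")
    if f["form_pdf_with_wire_fields"]:
        points += 30; reasons.append("fillable PDF carries wire instructions")
    if f["payment_change_language"]:
        points += 10; reasons.append("void/rebill language: " + ", ".join(f["payment_change_language"]))
    # Deliberately no deduction for spf/dkim/dmarc=pass: authentication only says which
    # infrastructure sent the mail, not whether the request itself is legitimate.
    return points, reasons


def analyze(raw, attachments, known_senders, threshold=50):
    f = extract_features(raw, attachments, known_senders)
    points, reasons = score(f)
    verdict = "escalate-for-manual-review" if points >= threshold else "deliver"
    return {"score": points, "verdict": verdict, "reasons": reasons, "auth": f["auth"]}


# Constructed sample message: fully authenticated, first-time sender, void/rebill framing.
SAMPLE_RAW = b"""From: "Vendor Void Rebill" <voidrebill@example.com>
To: ap@example.net
Subject: Void Rebill
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass (p=reject) header.from=example.com
Content-Type: text/plain; charset=utf-8

Please disregard the previous invoice. The corrected invoice with payment details is attached.
"""

# Constructed attachment summaries (placeholder numbers, not real bank details).
SAMPLE_ATTACHMENTS = [
    {"name": "VOID-invoice.pdf", "is_form": True, "field_text": ["VOID", "Invoice total 0.00"]},
    {"name": "invoice-revised.pdf", "is_form": True,
     "field_text": ["Routing number 000000000", "Account number 0000000", "Wire to Example Bank"]},
]

# Constructed benign control: an established sender, ordinary invoice wording, no attachments.
BENIGN_RAW = b"""From: "Billing" <billing@example.com>
To: ap@example.net
Subject: Invoice 1001
Authentication-Results: mx.example.net; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset=utf-8

Attached is invoice 1001 for last month's services.
"""

if __name__ == "__main__":
    print(analyze(SAMPLE_RAW, SAMPLE_ATTACHMENTS, {"vendor@example.org"}))
    print(analyze(BENIGN_RAW, [], {"billing@example.com"}))
```

The point of the structure is that `auth` is recorded but never lowers the score: both samples authenticate identically, and only the sender history, the display name, the wording and the attachment contents separate them. The escalation verdict feeds the out-of-band verification step rather than replacing it.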
IOC Table
| Indicator | Type | Context |
|---|---|---|
| voidrebill[@]Mclarens[.]com | Email (From/Return-Path) | Sender address, display name "McLarens Void Rebill" |
| mclarens[.]com | Domain | Sender domain, DMARC p=reject, SPF/DKIM/DMARC pass |
| 185[.]183[.]31[.]187 | IP | Sending IP via Proofpoint gateway |
| mx08-00591501.pphosted.com | Hostname | Proofpoint inbound MX relay |
| ARRemittance[@]mclarens[.]com | Email (embedded in PDF) | Remit-to address in invoice attachment |
| VOID 025.022180.0.1 90301889 SAC100.pdf | Filename | Voided invoice PDF, AcroForm/XFA |
| 025.022180.0.1 90318841 SAC100.pdf | Filename | Active invoice PDF with wire instructions |
Related attacks
| Attack | What happened |
|---|---|
| The Reply-To Was One Letter Off: How a Typosquat Domain Turned a Gmail BEC Into a Payment Diversion | A Gmail-authenticated BEC used a typosquat Reply-To domain and a hidden HTML mailto mismatch to impersonate a steel distributor's credit manager. |
| The PayPal Invoice That Passed Every Check Because PayPal Actually Sent It | A canceled PayPal invoice for $50 arrived with perfect SPF, DKIM, and DMARC authentication because PayPal's own infrastructure sent it. |
| Past Due Invoice, Future Wire Fraud: How a BEC Campaign Passed Every Authentication Check | A BEC invoice diversion attack impersonated a known vendor contact through SendGrid, passed SPF/DKIM/DMARC. |
| The Graduation Sash Invoice That Every Security Check Approved | A $3,645 invoice for 55 custom graduation sashes arrived at a school district, sent through Shopify's legitimate email infrastructure. |
| One Missing Letter, One Stolen Payment: A Reply-To Typosquat That Beat the Spam Score | A typosquatted Reply-To domain misspelled 'Missouri' as 'Missuori' to intercept invoice payments. |