The email subject read "Status report 04-29-26 06:00:02 AM," the kind of auto-generated noise that plant engineers scroll past dozens of times a week. The display name matched a known industrial equipment vendor contact. The attachment was a 16-kilobyte file called sysrpt.htm. And every automated scanner that touched the file returned a clean verdict.
The problem was in the declaration. The attachment's MIME header said text/plain. The actual content was HTML. That single mismatch changed how every security tool in the chain handled the file, and it is the reason this attack reached the inbox of a North American marine propulsion manufacturer.
The visible sender name, "Mercury Plant 12 Engine," matched a known contact in the recipient's environment: a vendor contact normally associated with a different email address at a US water services company. This message, however, came from 12engine[at]watertreatmentequip[.]com, a domain with no prior relationship to the recipient organization. A display name is free text chosen by the sender; the authentication checks that follow apply to the address, not to the name the recipient reads.
SPF passed: the sending IP was authorized by the SPF record for watertreatmentequip[.]com. But DKIM told a different story. The signature verified, but it was issued for aquaphoenix[.]onmicrosoft[.]com (the d= tag of the DKIM-Signature header), a Microsoft 365 tenant that matched neither the From domain nor the display name's expected origin. This is a DKIM alignment gap: the signature proves that some tenant sent the message, but that tenant's domain appears only in a header the recipient never looks at, not in the From address they see.
DMARC returned bestguesspass. In Microsoft 365 that result means watertreatmentequip[.]com publishes no DMARC record at all; the receiver evaluated the message as if one existed and, because SPF passed for the From domain, would have passed it. With no published policy there is no p=quarantine or p=reject to enforce, and nothing instructs the receiver to treat the unaligned DKIM signature as a problem, so the message went through. According to the Microsoft Digital Defense Report 2024, domains without enforced DMARC policies remain one of the most exploited gaps in email authentication, enabling both direct spoofing and alignment abuse.
The relay chain added a fourth signal. The message transited through con01[.]esrmx01[.]com (IP 52[.]202[.]91[.]228), an AWS-hosted relay with no association to any recognized email security gateway. Legitimate mail from industrial vendors typically routes through Microsoft, Google, or a named security appliance, and the Received headers of earlier mail from the same vendor show which. An unknown third-party relay in the chain is a signal that something in the delivery path does not belong.
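The header checks described above (display name against known contacts, SPF and DKIM alignment with the From domain, the meaning of bestguesspass, and the relay path), written out as an added example; this is not code from the original write-up. It parses a constructed message that reproduces the indicators above, written undefanged so the parser can read them. The known-contact address, the relay allowlist, and the two-label approximation of an organizational domain are assumptions; a production check would use the Public Suffix List and the organization's own contact history.

```python
"""Triage of From/SPF/DKIM/DMARC alignment and relay path (added example)."""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample reproducing the indicators discussed in the write-up.
# The Authentication-Results layout follows Microsoft 365's; the signature
# fields (s=, bh=, b=) are placeholders and are never verified here.
SAMPLE_EML = b"""\
Received: from con01.esrmx01.com (52.202.91.228) by mx.recipient.example
Authentication-Results: spf=pass (sender IP is 52.202.91.228)
 smtp.mailfrom=watertreatmentequip.com; dkim=pass (signature was verified)
 header.d=aquaphoenix.onmicrosoft.com; dmarc=bestguesspass action=none
 header.from=watertreatmentequip.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=aquaphoenix.onmicrosoft.com; s=selector1; h=From:To:Subject; bh=...; b=...
From: "Mercury Plant 12 Engine" <12engine@watertreatmentequip.com>
To: engineer@recipient.example
Subject: Status report 04-29-26 06:00:02 AM

(body omitted)
"""

# Assumed lookup table: display names the organization has seen before and the
# address each was seen with. The write-up only says the real contact used a
# different address at a US water services company; this one is a placeholder.
KNOWN_CONTACTS = {"Mercury Plant 12 Engine": "12engine@uswater-vendor.example"}
# Assumed allowlist of organizations whose relays are expected in the path.
TRUSTED_RELAY_ORGS = {"outlook.com", "google.com"}


def org_domain(domain):
    """Organizational domain for relaxed alignment. Simplification: the last
    two labels; a production check should consult the Public Suffix List."""
    if not domain:
        return ""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def parse_auth_results(value):
    """Pull the result and domain for each method out of Authentication-Results."""
    flat = " ".join(str(value).split())

    def tag(pattern):
        m = re.search(pattern, flat, re.I)
        return m.group(1).lower() if m else None

    spf_domain = tag(r"smtp\.mailfrom=([^\s;]+)")
    return {
        "spf": tag(r"\bspf=(\w+)"),
        "spf_domain": spf_domain.rsplit("@", 1)[-1] if spf_domain else None,
        "dkim": tag(r"\bdkim=(\w+)"),
        "dkim_domain": tag(r"header\.d=([^\s;]+)"),
        "dmarc": tag(r"\bdmarc=(\w+)"),
    }


def triage(raw, known_contacts=KNOWN_CONTACTS, trusted_relays=TRUSTED_RELAY_ORGS):
    msg = message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))

    # Read d= from the signature itself as well, so the check does not rely
    # solely on an Authentication-Results header written by an upstream hop.
    sig = re.search(r"\bd=([^;\s]+)", str(msg.get("DKIM-Signature", "")))
    dkim_domain = (sig.group(1) if sig else auth["dkim_domain"] or "").lower()

    relays = []
    for hop in msg.get_all("Received", []):
        m = re.search(r"\bfrom\s+(\S+)", str(hop))
        if m:
            relays.append(m.group(1).lower())

    spf_aligned = auth["spf"] == "pass" and org_domain(auth["spf_domain"]) == org_domain(from_domain)
    dkim_aligned = auth["dkim"] == "pass" and org_domain(dkim_domain) == org_domain(from_domain)
    # Microsoft 365 reports bestguesspass when the From domain publishes no DMARC record.
    dmarc_policy_published = auth["dmarc"] not in (None, "bestguesspass")

    findings = []
    expected = known_contacts.get(display)
    if expected and expected.lower() != addr.lower():
        findings.append(f"display name {display!r} previously seen with {expected}, now {addr}")
    if not dkim_aligned:
        findings.append(f"DKIM d={dkim_domain or 'none'} does not align with From domain {from_domain}")
    if not dmarc_policy_published:
        findings.append(f"no DMARC policy published for {from_domain} (result={auth['dmarc']})")
    for host in relays:
        if org_domain(host) not in trusted_relays:
            findings.append(f"unexpected relay {host} in delivery path")

    return {
        "display_name": display, "from_domain": from_domain, "dkim_domain": dkim_domain,
        "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
        "dmarc_policy_published": dmarc_policy_published,
        "relays": relays, "findings": findings,
    }


if __name__ == "__main__":
    for line in triage(SAMPLE_EML)["findings"]:
        print("FINDING:", line)
```

Run against the sample, the script reports all four signals the write-up walks through: the display-name reuse, the unaligned DKIM domain, the absent DMARC policy, and the unknown relay. SPF alone comes out aligned, which is exactly why a DMARC evaluation with no policy behind it would still have let the message pass.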
The attachment sysrpt.htm had a .htm extension but was declared in the email's MIME headers as text/plain. A gateway that trusts the declared Content-Type applies text-based scanning rules to a text/plain attachment: it does not render the file as HTML, does not execute embedded scripts, does not evaluate DOM structure, and does not look for form elements or credential harvesting patterns. Whether a given product sniffs the bytes instead of trusting the header varies by vendor and configuration, so a declared-versus-detected comparison is worth running explicitly rather than assumed.
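A content-based check for the declared-versus-detected mismatch, as an added example rather than code from the original write-up. It sniffs each attachment's bytes the way a browser would (leading BOM, whitespace and HTML comments skipped, then HTML or active-content markup looked for) instead of trusting Content-Type, and lists the constructs a credential harvester relies on. The sample message is constructed here; its HTML is illustrative and is not the contents of the real sysrpt.htm.

```python
"""Detect an attachment whose declared MIME type does not match its bytes (added example)."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Markup that browsers treat as HTML when it appears at the start of a file.
HTML_START = re.compile(rb"\s*<\s*(!doctype\s+html|html|head|body|script|form|meta|iframe)\b", re.I)
# Active-content tags anywhere in the sniff window.
ACTIVE_MARKUP = re.compile(rb"<\s*(script|form|iframe)\b", re.I)
# Constructs worth reporting once a file is known to be HTML.
INDICATORS = {
    "script": rb"<\s*script\b",
    "form": rb"<\s*form\b",
    "password-input": rb"type\s*=\s*['\"]?password",
    "meta-refresh": rb"http-equiv\s*=\s*['\"]?refresh",
    "iframe": rb"<\s*iframe\b",
}


def sniff_type(data):
    """Guess the real media type from the bytes, ignoring what the headers say."""
    sample = data.lstrip(b"\xef\xbb\xbf \t\r\n")[:2048]  # drop UTF-8 BOM and leading whitespace
    # Leading HTML comments are a common way to push real markup past a short sniff window.
    sample = re.sub(rb"^(\s*<!--.*?-->)+", b"", sample, flags=re.S)
    if HTML_START.match(sample) or ACTIVE_MARKUP.search(sample):
        return "text/html"
    return "text/plain"


def html_indicators(data):
    """Names of credential-harvesting or redirection constructs present in the file."""
    return [name for name, pat in INDICATORS.items() if re.search(pat, data, re.I)]


def scan_attachments(raw):
    """Compare declared and detected types for every attachment in a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        declared = part.get_content_type()
        detected = sniff_type(data)
        results.append({
            "filename": part.get_filename(),
            "declared": declared,
            "detected": detected,
            "mismatch": declared != detected,
            "indicators": html_indicators(data) if detected == "text/html" else [],
        })
    return results


def build_sample():
    """Constructed message: an HTML file attached as text/plain next to a genuine text file."""
    html = (b"<!DOCTYPE html><html><body>"
            b"<form method=post action='https://portal.example/login'>"
            b"<input type=password name=pw></form>"
            b"<script>document.forms[0].submit()</script></body></html>")
    msg = EmailMessage()
    msg["Subject"] = "Status report 04-29-26 06:00:02 AM"
    msg.set_content("Status report attached.")
    msg.add_attachment(html, maintype="text", subtype="plain", filename="sysrpt.htm")
    msg.add_attachment(b"OK 06:00:02", maintype="text", subtype="plain", filename="status.txt")
    return bytes(msg)


if __name__ == "__main__":
    for r in scan_attachments(build_sample()):
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f"{r['filename']}: declared {r['declared']}, detected {r['detected']} [{flag}] {r['indicators']}")
```

The sniff window is deliberately short and the comment-stripping step exists because that is where evasion happens: a file that opens with a few kilobytes of comments or whitespace passes a naive "does it start with <html" test while a browser still renders it. The 2048-byte window and the marker list are choices made for this example, not a standard; tighten or extend them to match what the gateway in front of your users actually does.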
The actual file content was HTML. Static analysis confirmed the MIME mismatch: text/plain declared, text/html detected. But the file itself contained no