The email looked like a routine forwarded calendar notice - an academic program clarification session at a Chinese university, forwarded to a staff member in international recruitment at a higher-education institution. The outer message body was almost empty: a single Chinese-language line reading "Get Outlook for Android" followed by a hyperlink, and a standard external-sender caution banner. Nothing overtly alarming.
The payload was one layer deeper.
Attached to the message was a .eml file - an email attached to an email - carrying the actual content of the purported academic session invite. And every link in sight, both in the outer body and inside that nested attachment, resolved through Microsoft's own aka[.]ms URL shortener: a trusted domain whose reputation shields redirect destinations from scrutiny. Any scanner inspecting only the outer message body saw a nearly empty note with what looked like Microsoft-branded mobile app links. Nothing to block.
IRONSCALES Phishing SOC Agent analysis caught what inline scanners missed.
The Two-Layer Delivery Model
Standard email security operates on the outer message envelope and body. Links get checked, attachments get hashed, content gets scored. That pipeline works when the threat lives at the surface.
This attack placed the threat one layer down. The outer message was a minimal forwarding shell. The actual content - an .eml file named after an overseas teaching center clarification session at Chengdu University of Technology - was attached as an application/octet-stream, the generic binary content type that many scanners treat as an opaque blob rather than a parseable email object.
When sandbox analysis attempted to recursively parse the nested .eml, the file was not accessible in the automated environment. The attachment verdict came back "clean" not because the content was inspected and cleared, but because it could not be inspected at all. That distinction matters: a scan that cannot complete is not the same as a scan that passed.
The MITRE ATT&CK T1566.001 (Spearphishing Attachment) technique describes exactly this delivery model: using an attached file to carry a phishing payload that the outer-layer inspection never reaches. Nesting the payload inside a second .eml adds a recursive dimension that most automated parsers do not handle by default.
aka.ms as a Trust Laundry
Three links appeared across the incident, all labeled "Outlook for Android":
| Link (defanged) | Destination |
|---|---|
| hxxps://aka[.]ms/AAb9ysg | Unresolved |
| hxxps://aka[.]ms/krs?id=lxDNVZKK | Redirect to hxxps://krs.microsoft[.]com/redirect?id=lxDNVZKK |
| hxxps://krs.microsoft[.]com/redirect?id=lxDNVZKK | Unresolved final destination |
aka.ms is the official Microsoft URL shortener, used legitimately for product documentation, Azure portal deep links, and mobile app download flows. Its domain has built-in reputation trust across every major email security vendor. A link that begins aka.ms/ is not inherently malicious - and that is precisely why attackers use it.
The final destinations of aka[.]ms/AAb9ysg and the krs.microsoft[.]com chain were unresolved at analysis time. Reputation scoring on a short link answers the question "do we trust the shortener?" - not "where does this link actually go?" That is the evasion. The Microsoft Digital Defense Report notes that attackers increasingly abuse legitimate Microsoft infrastructure to launder link reputation, precisely because the domain trust is so broadly established.
Sender Signals That Authentication Cannot See
The message passed every email authentication check: SPF, DKIM, DMARC, and ARC all verified. The sending infrastructure was legitimate Microsoft Exchange Online outbound relays. From an authentication standpoint, the message was indistinguishable from any other Outlook.com-originated email.
Authentication tells you the message transited the infrastructure it claimed to transit. It says nothing about intent.
The behavioral signals pointed the other direction. The sender - an external Outlook.com account with a Chinese-language display name - had never previously contacted the organization's domain. No prior sender-to-recipient or sender-to-organization correspondence existed. The message Accept-Language and Content-Language headers were both set to zh-CN, a geographic and linguistic mismatch for an institution whose operational language is English. The subject line was in Chinese, framing an academic event at a Chinese university, forwarded to a staff member whose role was international student recruitment from China. The targeting was deliberate.
The Verizon DBIR notes that phishing remains the dominant initial access vector across industries, with educational institutions consistently over-represented as targets due to the volume of external academic correspondence that flows through institutional inboxes - exactly the cover this attack exploited.
Multi-Recipient Quarantine and the Community Signal
Three mailboxes were quarantined across the incident. The primary recipient received the forwarded message; a second staff member subsequently received reply-chain variants on the same subject the following day - suggesting the attacker or a compromised relay attempted to extend the thread to additional targets at the organization.
Themis, IRONSCALES' Adaptive AI, flagged the incident with community-sourced confidence: similar incidents resolved as phishing had been seen across the IRONSCALES community, and that pattern-match fed directly into the detection. The multi-recipient quarantine happened within seconds of delivery for the first mailbox - 4 seconds from receipt to mitigation - and within 13 seconds for subsequent deliveries.
That speed matters. Credential harvesting pages embedded in nested .eml files rely on a recipient opening the attachment before quarantine can act. The attack assumes a window of opportunity between delivery and detection. Collapsing that window is the primary defensive lever.
What Defenders Should Watch For
Nested .eml attachments are not inherently malicious - legitimate email forwarding workflows produce them. But the combination of signals present here forms a high-fidelity detection pattern:
- A first-time external sender on a free email service
- Minimal outer body with all visible links routed through a URL shortener on a trusted domain
- An .eml attachment whose content cannot be recursively parsed by inline scanners
- Geographic or linguistic mismatch between sender metadata and recipient organization
- Multi-recipient targeting on a themed lure that matches the recipient's role
The FBI IC3 Annual Report documents continued growth in business email compromise and phishing losses, with education-sector organizations increasingly targeted. The IRONSCALES Advanced Malware and URL Protection capability addresses exactly this gap: recursive attachment parsing, short-link resolution that follows redirect chains to their final destinations, and behavioral anomaly detection that operates on sender history rather than authentication state alone.
The outer envelope of this message had nothing to catch. Catching it required looking at what the envelope was carrying - and at who was carrying it.
---
Indicators of Compromise
| Type | Indicator (defanged) | Notes |
|---|---|---|
| Sender email | Winni830[at]outlook[.]com | External, first-time sender; high risk |
| Short link | hxxps://aka[.]ms/AAb9ysg | Unresolved final destination; labeled "Outlook for Android" |
| Short link | hxxps://aka[.]ms/krs?id=lxDNVZKK | Chains to krs.microsoft[.]com redirect |
| Redirect | hxxps://krs.microsoft[.]com/redirect?id=lxDNVZKK | Unresolved final destination |
| Attachment hash | 06279181a3e99f7b41a4897f31d3e35a | Nested .eml; application/octet-stream; 27,103 bytes |
| Subject (outer) | 转发: Overseas Teaching Centre Clarification Session - Chengdu University of Technology-GDBA | Chinese-language forward; academic lure |
---
MITRE ATT&CK Techniques
| ID | Name |
|---|---|
| T1566 | Phishing |
| T1566.001 | Phishing: Spearphishing Attachment |
| T1027 | Obfuscated Files or Information |
| T1204.002 | User Execution: Malicious File |