Nested RFC822 Attachment with No DKIM or DMARC Signals Thread Hijack via Internal Routing

What Happened

An email arrived from outcomes[.]com, a domain registered in 1995. The message carried a nested RFC822 attachment: a complete email message embedded as a file within the outer email. When automated scanners attempted to inspect the attachment, they could not open it. The nested message format created a processing barrier that prevented content extraction and analysis.

The outer email carried no DKIM signature. The sending domain had no DMARC record published. For a domain that has existed for 30 years, the complete absence of modern email authentication is notable. There was no mechanism to verify that the message was genuinely sent by an authorized user of that domain or that the message content had not been modified in transit.

An EXTERNAL sender warning banner was present on the message, indicating the recipient organization's gateway correctly identified the email as originating from outside the organization. However, the email also contained internal routing headers suggesting it was part of an ongoing internal conversation. This contradiction is a hallmark of thread hijacking: the attacker injects themselves into an existing internal thread by replying from an external address.

All links visible in the message body scanned clean across URL scanners. The malicious content, if present, was contained within the nested RFC822 attachment that scanners could not access.

Why It Matters

Nested RFC822 attachments exploit a structural limitation in email scanning pipelines. Most scanners can inspect common attachment types (PDFs, Office documents, images, HTML files) and can follow links to evaluate landing pages. But a message/rfc822 content type contains a complete MIME message with its own header set, body, and potential sub-attachments. Parsing these correctly requires recursive MIME processing, and many gateway scanners either skip them entirely or fail silently.

The absent DKIM and DMARC records mean that any authentication-based filtering is impossible. The domain cannot be validated, the message cannot be integrity-checked, and no policy can be enforced. The 30-year domain age provides enough reputation to avoid age-based blocklisting, creating a scenario where the message carries maximum historical trust with zero verifiable authentication.

The thread hijack signal (EXTERNAL banner plus internal routing) is particularly dangerous because it exploits context trust. Recipients who see a message that appears to continue an internal conversation are far more likely to engage with it, especially if the original thread was a legitimate business discussion.

How IRONSCALES Caught It

Community intelligence across the IRONSCALES network identified the pattern: nested RFC822 attachments from outcomes[.]com reaching multiple unrelated organizations with similar thread-hijack characteristics. While each individual email appeared benign to automated scanners, the cross-tenant distribution pattern was anomalous.

Adaptive AI email security evaluated the combination of missing authentication, unopenable attachment, and EXTERNAL/internal routing contradiction as a high-confidence threat signal, escalating the message before the recipient engaged with the nested content.

See Your Risk. Run a free phishing simulation to find out whether nested attachment attacks would bypass your current scanning pipeline.

Indicators of Compromise

MITRE ATT&CK Mapping