The email body was blank. No greeting, no context, no links. Just a subject line referencing a property contract and a single attachment: an .eml file containing another email entirely. Inside that nested message, the From header read accounting@ followed by the recipient's own banking domain. And embedded in the HTML body of that inner message was a QR code image, delivered as a CID inline attachment, containing a payload that no link scanner in the delivery chain could see.
This is a three-layer evasion design. Each layer solves a different defensive problem for the attacker, and together they create a detection gap that only behavioral analysis can close.
An Empty Shell Wrapping a Weaponized Impersonation
The outer email arrived from noreply@elferschmiede[.]de, a German domain, via Amazon SES infrastructure in the EU-West-1 region. The subject line referenced a specific property contract with a long hexadecimal identifier. Priority headers were set to maximum: X-Priority: 1 (Highest), Importance: High. The body? Completely empty.
That emptiness is deliberate. An empty body forces the recipient to engage with the attachment to understand the email's purpose. There is nothing to scan, nothing to flag, nothing to evaluate. The social engineering happens at the content level of the nested message, one layer removed from where most scanning engines operate.
The attachment, a 35KB message/rfc822 file, contained a second email with its own headers, HTML body, and inline images. The nested From header impersonated the recipient organization's accounting department. The subject line referenced a specific employee by name and a contract requiring confirmation. For a recipient at a financial institution, an email appearing to come from their own accounting team about an executed contract carries immediate credibility.
This is masquerading at the header level. The nested message's From field is not validated by the outer email's authentication results. It exists inside the attachment payload, beyond the reach of SPF, DKIM, or DMARC evaluation.
The QR Code That No Scanner Could Read
Inside the nested message's HTML body, a single image reference pointed to cid:qrcodeCid, an inline Content-ID attachment. The actual file was qrcode.png, a 7.9KB image embedded directly in the .eml structure.
This is quishing with an extra evasion step. Standard QR code phishing emails embed the image directly in the outer message body, where image-aware scanners can at least attempt QR decoding. This attack buried the QR image inside a nested attachment. Link scanners found zero URLs in the outer email (because there were none). The nested message contained no standard href links either. The entire malicious payload existed as pixels in an image file, referenced by CID, inside an attached email.
The FBI IC3 2024 Annual Report documented phishing as the most reported cybercrime category, and QR code variants represent a growing share of that volume. The Microsoft Digital Defense Report 2024 specifically highlighted the rise of QR-based credential harvesting campaigns. This case shows why the trend persists: when the payload is an image inside an attachment inside an email, the scanning surface area shrinks to nearly zero.
Authentication That Passed, Then Broke, Then Didn't Matter
The original sending hop through Amazon SES (54[.]240[.]7[.]11) produced clean authentication results. SPF passed for eu-west-1.amazonses[.]com. DKIM passed with a verified signature for elferschmiede[.]de. DMARC passed with compauth=100.
Then the message hit votiro-relay2.prod.votiro[.]com (44[.]206[.]222[.]91), a content disarm and reconstruction (CDR) gateway. Votiro's sanitization process modified the message payload, which invalidated the DKIM body hash. When the relay re-injected the message from its own EC2 IP address, SPF failed because that IP is not in Amazon SES's authorized sender list. The final authentication results at the recipient's Microsoft 365 gateway: SPF fail, DKIM fail (body hash mismatch), DMARC fail, compauth=none reason=405.
Despite triple authentication failure, the message was delivered. The X-Forefront-Antispam-Report header shows SCL:-1 and IPV:CAL, meaning the Votiro relay IP was on the organization's connection allow list. The CDR gateway, deployed to protect against malicious content, inadvertently became the mechanism that broke authentication while simultaneously whitelisting its own delivery path.
The Verizon DBIR 2024 found that over 50% of breaches involved credentials. When authentication results are unreliable due to legitimate intermediary processing, organizations need detection models that evaluate behavioral signals independently of SPF/DKIM/DMARC outcomes.
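To make the relay and allow-list interaction concrete, here is an added Python example (not from the original analysis or any vendor product) that parses constructed Authentication-Results and X-Forefront-Antispam-Report headers shaped like the ones described above and flags the combination of triple authentication failure with an allow-listed connection. The IPs and domains in the sample are placeholders; SCL:-1, IPV:CAL and reason=405 are the values the page reports.

```python
import re

# Constructed sample headers shaped like the ones described above; hosts and IPs are placeholders.
SAMPLE_HEADERS = {
    "Authentication-Results": (
        "spf=fail (sender IP is 203.0.113.5) smtp.mailfrom=eu-west-1.amazonses.test; "
        "dkim=fail (body hash did not verify) header.d=sender.test; "
        "dmarc=fail action=none header.from=sender.test; compauth=none reason=405"
    ),
    "X-Forefront-Antispam-Report": "CIP:203.0.113.5;CTRY:US;LANG:de;SCL:-1;SRV:;IPV:CAL;SFV:NSPM;",
}

def parse_auth_results(value: str) -> dict:
    """Map each method (spf, dkim, dmarc, compauth) to its result, plus the compauth reason code."""
    results = {}
    for m in re.finditer(r"\b(spf|dkim|dmarc|compauth)=(\w+)", value):
        results[m.group(1)] = m.group(2).lower()
    reason = re.search(r"\breason=(\d+)", value)
    if reason:
        results["reason"] = reason.group(1)
    return results

def parse_forefront(value: str) -> dict:
    """Split Microsoft's KEY:VALUE;KEY:VALUE; report into a dict."""
    return {k: v for k, _, v in (f.partition(":") for f in value.split(";") if f)}

def allowlist_masked_auth_failure(headers: dict) -> bool:
    """True when SPF, DKIM and DMARC all failed yet the connection allow list forced delivery
    (SCL:-1 together with IPV:CAL), i.e. the relay broke authentication and bypassed it."""
    auth = parse_auth_results(headers.get("Authentication-Results", ""))
    report = parse_forefront(headers.get("X-Forefront-Antispam-Report", ""))
    all_failed = all(auth.get(m) == "fail" for m in ("spf", "dkim", "dmarc"))
    allowlisted = report.get("SCL") == "-1" and report.get("IPV") == "CAL"
    return all_failed and allowlisted
```

A detection rule built on this signal should treat the allow-listed relay as a fixed blind spot and weight sender and structure features instead of trusting the authentication verdict.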
Observed Indicators: Nested Delivery and QR Infrastructure
| Type | Indicator | Context |
|---|---|---|
| Sender Email | noreply@elferschmiede[.]de | Outer envelope sender |
| Sender Domain | elferschmiede[.]de | German domain, Amazon SES sender |
| Return-Path | 0102019d98c2bfdf-d7def40a-2fad-461e-bb7a-bd6114410410-000000@eu-west-1.amazonses[.]com | Amazon SES bounce address |
| Relay | votiro-relay2.prod.votiro[.]com | CDR gateway, IP 44[.]206[.]222[.]91 |
| Sending IP | 54[.]240[.]7[.]11 | Amazon SES EU-West-1 outbound |
| Attachment | [Org]_As_is_ExecutedContract.eml | Nested RFC 822 message, 35,855 bytes |
| Attachment MD5 | 475102705cbf57505a37adb5ef62c59f | Nested .eml hash |
| Attachment SHA256 | 05067eb48ec95cceab5fd5c8f5260ac9bf79e76329eab1631f24df2096fc9da9 | Nested .eml hash |
| Inline Image | qrcode.png (CID: qrcodeCid) | Embedded QR code, 7,974 bytes |
| Image MD5 | 5109c433331e653fe53a40f972a5d01b | QR code image hash |
| Image SHA256 | d1a3fb661e38efb9f140d98a7fe9ae746b286ca76922a1c2d4e9d9c896f0ad08 | QR code image hash |
| MITRE ATT&CK | T1566.001 | Spearphishing Attachment |
| MITRE ATT&CK | T1204.002 | User Execution: Malicious File |
| MITRE ATT&CK | T1036.005 | Masquerading: Match Legitimate Name |
| MITRE ATT&CK | T1027 | Obfuscated Files or Information |
Defending Against Nested Delivery and Embedded QR Payloads
This attack exploited three structural limitations in standard email security stacks: body analysis that stops at the outer message, link scanning that requires URLs to exist, and authentication models that cannot account for legitimate relay modification.
Recursive attachment inspection is non-negotiable. If your email security platform does not unpack and analyze nested RFC 822 attachments, including their headers, body content, and inline images, attacks like this pass through cleanly. The nested From header impersonation alone should trigger elevated scrutiny. IRONSCALES community intelligence flagged this sender as high-risk based on cross-organization pattern matching, catching what static scanning missed.
QR code detection must extend to CID-referenced images. Standard QR code attack protection that only scans images in the outer message body will miss this delivery method entirely. Detection engines need to decode QR content from inline attachments at every nesting level.
Audit your CDR gateway's authentication impact. Organizations running Votiro, Proofpoint TAP, or similar sanitization relays should verify that downstream authentication failures are accounted for in their detection logic. According to CISA's phishing guidance, authentication results are a foundational signal, but they are only useful when the relay architecture preserves them. A CDR gateway that breaks DKIM while sitting on an IP allow list creates a permanent authentication blind spot.
Weight first-time sender signals heavily. This was the sender's first email to the target organization. A first-time external sender delivering an empty-body email with a nested .eml attachment marked as highest priority is a pattern cluster that behavioral models can catch without any URL or content analysis. The IBM Cost of a Data Breach 2024 report pegged the average breach cost at $4.88 million. The cost of flagging a first-time sender with an anomalous delivery pattern is zero.
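As an added example (not the original post's or IRONSCALES' code), the following Python uses only the standard library to build a constructed message with the same three-layer structure and then walks it recursively, covering the recursive inspection, CID-image and empty-shell points above: it flags the empty-body outer message marked highest priority, a nested From whose domain matches the recipient's, and any Content-ID-referenced image at any nesting depth so it can be handed to a QR decoding library (decoding itself is not shown). All domains, filenames and the PNG bytes are placeholders.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

def build_sample() -> bytes:
    # Constructed stand-in for the described delivery; every value is a placeholder.
    inner = EmailMessage()
    inner["From"] = "accounting@bank.example"  # same domain as the recipient
    inner.set_content("Please confirm the executed contract.")
    inner.add_alternative('<html><body><img src="cid:qrcodeCid"></body></html>', subtype="html")
    inner.get_payload()[1].add_related(b"\x89PNG\r\n\x1a\nplaceholder", maintype="image",
                                       subtype="png", cid="<qrcodeCid>", filename="qrcode.png")
    outer = EmailMessage()
    outer["From"] = "noreply@sender.example"
    outer["To"] = "employee@bank.example"
    outer["X-Priority"] = "1 (Highest)"
    outer.set_content("", cte="7bit")  # deliberately empty: nothing for a body scanner to read
    outer.add_attachment(inner, filename="ExecutedContract.eml")  # becomes message/rfc822
    return outer.as_bytes()

def _domain(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def inspect_message(msg, recipient_domain, depth=0, findings=None):
    """Inspect one message node; findings are (rule, nesting_depth, detail) tuples."""
    findings = [] if findings is None else findings
    if depth == 0:
        body = msg.get_body(preferencelist=("plain", "html"))
        empty = body is None or not body.get_content().strip()
        if empty and str(msg.get("X-Priority", "")).startswith("1"):
            findings.append(("empty_body_highest_priority", depth, str(msg["X-Priority"])))
    elif _domain(str(msg.get("From", ""))) == recipient_domain:
        # Header-level masquerade: SPF/DKIM/DMARC never evaluated this nested From
        findings.append(("nested_from_matches_recipient_domain", depth, str(msg["From"])))
    _inspect_parts(msg, recipient_domain, depth, findings)
    return findings

def _inspect_parts(part, recipient_domain, depth, findings):
    if part.get_content_type() == "message/rfc822":  # attached email: recurse into it
        for nested in part.get_payload():
            inspect_message(nested, recipient_domain, depth + 1, findings)
    elif part.is_multipart():
        for sub in part.get_payload():
            _inspect_parts(sub, recipient_domain, depth, findings)
    elif part.get_content_maintype() == "image" and part.get("Content-ID"):  # CID image, any depth
        findings.append(("cid_image_queue_for_qr_decode", depth, part.get_filename()))

def analyze(raw: bytes):
    msg = message_from_bytes(raw, policy=policy.default)
    return inspect_message(msg, _domain(str(msg.get("To", ""))))
```

The depth value on each finding is what separates this from a flat scan: the From impersonation and the QR image both surface at depth 1, which is exactly where outer-message-only engines stop looking.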
The attacker needed no novel malware, no zero-day exploit, no sophisticated infrastructure. They needed an Amazon SES account, a QR code generator, and the knowledge that nesting an email inside an email moves the payload beyond the reach of most security stacks.