The email looked like every routine document share a claims adjustment firm receives in a week. Two sentences: "Please see attached for your review. If you have any questions, please don't hesitate to reach out." A name, a company signature, a North Carolina street address, a phone number. No urgency markers. No credential requests. No links in the body at all.
The attachment was a 177KB XLSX file. No macros. No VBA project. No embedded OLE objects. Every scanner that keys on macro presence, executable content, or active scripting would pass this file clean.
The credential harvesting mechanism was inside the workbook archive, embedded in XML components that most security tools never inspect.
The Payload Was in the Package, Not the Code
XLSX files are ZIP archives. Inside the archive, xl/sharedStrings.xml stores text content and xl/drawings/ stores visual elements. This file used both.
The shared strings contained the text: "Please click the REVIEW DOCUMENT above to access document." The drawing relationships linked an image element to hxxps://praadconsulting[.]com/mol/sharep-redirect[.]html. When a user opened the spreadsheet, they saw what appeared to be a branded document review page with a prominent REVIEW DOCUMENT button. That button was an image with a hyperlink bound through the drawing XML, not a cell formula or macro (T1027).
Clicking the image launched the default browser to the redirect URL. No macro warning fired. No Protected View prompt intercepted it. The user interaction was identical to clicking a hyperlink in any normal document (T1204.002).
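As an added example (not code from the post or from IRONSCALES), the following Python check walks an XLSX package's relationship parts and reports hyperlinks bound through drawing parts, the image-click mechanism described above, alongside a VBA presence test to show what macro-focused scanners do and do not see. The sample workbook it builds, and the URL inside it, are constructed placeholders, not the attachment or host from this incident.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

HYPERLINK_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

def external_hyperlinks(xlsx_bytes):
    """(part, url) for each hyperlink relationship that points outside the
    archive. Relationships live in *.rels parts, so this sees click targets
    bound to drawings/images as well as ordinary cell hyperlinks."""
    found = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("Type") == HYPERLINK_REL and rel.get("TargetMode") == "External":
                    found.append((name, rel.get("Target")))
    return found

def drawing_hyperlinks(xlsx_bytes):
    """Only hyperlinks attached through drawing parts, i.e. clickable images."""
    return [(p, u) for p, u in external_hyperlinks(xlsx_bytes) if p.startswith("xl/drawings/")]

def has_vba(xlsx_bytes):
    """True if a VBA project is present (what macro-focused scanners key on)."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())

def build_sample():
    """Constructed stand-in for the attachment: no VBA, one image hyperlink in a
    drawing relationship. The URL is a placeholder, not the real redirect host."""
    rels = ('<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns='
            '"http://schemas.openxmlformats.org/package/2006/relationships">{}</Relationships>')
    drawing_rel = ('<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument'
                   '/2006/relationships/drawing" Target="../drawings/drawing1.xml"/>')
    link_rel = (f'<Relationship Id="rId1" Type="{HYPERLINK_REL}" '
                'Target="https://phish.example/mol/sharep-redirect.html" TargetMode="External"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/worksheets/_rels/sheet1.xml.rels", rels.format(drawing_rel))  # internal
        zf.writestr("xl/drawings/_rels/drawing1.xml.rels", rels.format(link_rel))     # external
    return buf.getvalue()

if __name__ == "__main__":
    for part, url in drawing_hyperlinks(build_sample()):
        print(f"external hyperlink bound via {part}: {url}")
```

Running this against a real attachment means reading its bytes into the same functions; the internal sheet-to-drawing relationship is deliberately included so the filter on TargetMode="External" is exercised.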
The Redirect Led to an AiTM Kit
The sharep-redirect[.]html path pattern on praadconsulting[.]com is documented across multiple public sandbox analyses as a staging page for adversary-in-the-middle credential harvesting infrastructure (T1557). The "sharep" prefix mimics SharePoint URL patterns, and the redirect page routes victims to a credential harvesting portal that proxies the real Microsoft login flow in real time.
AiTM kits do not just capture passwords. They proxy the entire authentication session, intercepting the session token generated after MFA completion. According to the Microsoft Digital Defense Report 2024, AiTM phishing has become one of the most effective techniques for bypassing multi-factor authentication. The FBI IC3 2024 Annual Report documents $2.9 billion in reported losses from business email compromise, with credential theft serving as the primary initial access vector.
This is what makes the no-macro approach effective. The file itself is structurally benign by every conventional scanner metric. The danger lives in the URL destination, which is only reachable after a user opens the file and clicks the image.
Authentication Passed. Every Check.
The sender domain cedarcreekmanagement[.]com has been registered since 2013 via GoDaddy. MX records point to cedarcreekmanagement-com[.]mail[.]protection[.]outlook[.]com, confirming a Microsoft 365 tenant. The email traversed Microsoft protection infrastructure with SPF pass, DKIM pass (signed via onmicrosoft[.]com), DMARC bestguesspass, and compauth=pass (T1566.001).
Every authentication gate cleared. The domain is not a fresh registration. The mail path is clean Microsoft infrastructure end to end.
This is the core problem with authentication-only defenses. SPF, DKIM, and DMARC validate that the sending server is authorized to use the domain. They say nothing about whether the content is malicious. A compromised M365 tenant, or one purpose-built for phishing, sends fully authenticated mail that passes every check. The Verizon 2024 DBIR found that stolen credentials remain the top initial access method in breaches. CISA's phishing guidance emphasizes that email authentication verifies origin, not intent, and recommends layered behavioral analysis alongside protocol-level checks.
The domain had no public website. The sender was a first-time contact to this organization. Those are behavioral signals, not protocol signals.
What Themis Caught at 90% Confidence
The IRONSCALES platform flagged this message at 90% confidence before any recipient opened the attachment.
The scoring combined several contextual indicators. The sender had no prior relationship with any mailbox in this organization. The attachment carried a malicious verdict from content analysis. The recipient was flagged as a VIP target. And the sending domain, despite passing authentication, had no established communication pattern with the recipient domain.
No single indicator would have justified quarantine. A first-time sender is not inherently suspicious. A 177KB XLSX is a normal business file. A passed authentication result is the expected outcome for legitimate mail. But the combination of first-time sender, malicious attachment verdict, VIP targeting, and no prior domain relationship produced a compound score that triggered quarantine across three mailboxes.
Credential harvesting protection at scale requires this kind of compound signal evaluation. The file had no macros to flag. The email body had no links to scan. The authentication checks all passed. Only behavioral context, the relationship graph between sender and recipient, surfaced the threat (T1036.005).
According to IBM's 2024 Cost of a Data Breach report, phishing-initiated breaches cost an average of $4.88 million. When the payload hides in XML archive structures rather than executable code, the detection surface shrinks to behavioral analysis or nothing.
Three mailboxes quarantined. Zero users compromised. The XLSX had no macros. It did not need them.
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Domain | cedarcreekmanagement[.]com | Sender domain (registered 2013, M365 tenant) |
| Domain | praadconsulting[.]com | AiTM credential harvesting redirect host |
| URL | hxxps://praadconsulting[.]com/mol/sharep-redirect[.]html | Embedded redirect in XLSX drawing relationships |
| Email | office@cedarcreekmanagement[.]com | Sender address |
| File (MD5) | 1ec16ec7e816833b4c14a49365260a1a | Malicious XLSX attachment |
| File (SHA-256) | 7672a16252cc517e54d5548df49a5813bd75e965332fc560831ba80eb725357d | Malicious XLSX attachment |