The authentication headers were clean. The link resolved to a legitimate platform. The email body read like a routine document share. What the infrastructure could not see was that the From and To headers contained the same address, a pattern that does not occur in normal one-to-one business correspondence and is one of the earliest observable signals of a compromised sending account.
A long-established salvage-industry company relayed this message through Barracuda's outbound email security gateway. SPF passed because 209.222.82.237, Barracuda's outbound IP, was listed as a permitted sender for the domain. DMARC passed on the strength of that SPF result. Four recipient mailboxes were flagged and quarantined. The email carried a PandaDoc document link with an embedded access token and a business-style signature that matched the company's public profile. None of the standard authentication checks produced a failure.
The From=To Header Pattern and What It Reveals About Account State
In a legitimate one-to-one business message, the From header contains the sender's address and the To header contains the recipient's address. They are different. When both headers contain the same address, the message was either generated by an automated system, assembled by a mailing-list platform, or produced by a compromised account where the attacker did not correctly populate the recipient field before delivery.
The header evidence in this case:
```
From: "the account owner" <[local-part withheld]@rcfllc[.]com>
To: "the account owner" <[local-part withheld]@rcfllc[.]com>
```
The display name, local-part, and domain are identical across both fields. This is not a display-name mismatch or a Reply-To diversion. Both the human-readable label and the SMTP address itself were the same. That pattern, combined with the sender's risk level flagged as high and the multi-mailbox quarantine outcome, is consistent with email account compromise: an attacker who has authenticated to the mailbox and is using the account's own outbound infrastructure to distribute links.
MITRE ATT&CK T1566.001 describes spearphishing via attachment or link. T1534 (internal spearphishing) is relevant when a compromised account is used to target recipients who would recognize the sender. T1078 (valid accounts) captures the access method: not a spoofed domain, but a real account whose credentials or session the attacker controlled.
Why the PandaDoc Link Was the Right Delivery Vehicle
The link in this email pointed to hxxps://app[.]pandadoc[.]com/document/v2?token=809b996b134dd1df221c3c19a7e1ea86beffc6c9. PandaDoc is a legitimate document-signing and contract-management platform. Its domain carries no threat-feed entries. An email gateway scanning this URL sees valid TLS, an HTTP 200 response from a trusted SaaS vendor, and no redirect chain leading to attacker infrastructure. The verdict is low-risk.
What the gateway cannot see is what the document contains after the access token is redeemed. PandaDoc documents can include embedded links, form fields that collect credentials, and instructions to navigate to external pages. The token in this URL acts as an authentication bypass: any recipient who clicks the link is shown the document without needing a PandaDoc account. In the case under review, the automated DOM inspection of the document's internal content failed to complete, which means the payload inside the document was never confirmed.
That outcome is itself the story. An attacker who routes a credential-collection form through a trusted document platform gains two advantages simultaneously: the email-layer link scan sees only the trusted host, and if the document is later deleted or token-expired, forensic inspection becomes impossible. Account takeover via trusted-platform delivery is the technique category that covers both the compromise method and the delivery mechanism.
Barracuda as the Trusted Relay and the ARC Failure Signal
The Barracuda outbound gateway (outbound-ip62a.ess.barracuda.com) is a legitimate enterprise mail relay. Organizations configure it as an authorized sender in their SPF records and route outbound mail through it for scanning and compliance. When an attacker compromises an account at a Barracuda customer, they inherit the customer's full sending infrastructure: Barracuda's outbound IPs pass SPF, DMARC evaluates against a passing SPF result, and the message arrives at the recipient's gateway with full authentication compliance.
The ARC (Authenticated Received Chain) headers in this message showed arc=fail at one hop. ARC failure indicates that intermediate message handling modified the message after an earlier hop signed the ARC seal. This is not conclusive evidence of manipulation (legitimate forwarding can break ARC), but it adds to the behavioral signal set. A message that passes SPF and DMARC while showing ARC failure has been handled by at least one intermediate layer that altered it.
The combination of signals (From=To header anomaly, ARC failure, high sender risk designation, and multi-mailbox quarantine outcome) is the detection surface for credential harvesting operations that route through compromised legitimate accounts. Individual signals are explainable. The pattern across signals is not.
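The From=To check and the cross-signal scoring described above, as an added example that is not part of the original write-up: it parses a constructed message (sample headers modelled on the case, not the real one) with Python's standard `email` package, extracts `spf`, `dmarc` and `arc` results from `Authentication-Results`, and escalates only when the From=To anomaly and the ARC failure occur together. Names and the escalation rule are this example's own assumptions.

```python
import email
from email import policy

# Constructed sample modelled on the headers described above; not the real message.
SAMPLE = """\
From: "Account Owner" <owner@sender.example>
To: "Account Owner" <owner@sender.example>
Subject: Document shared with you
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=sender.example; dmarc=pass header.from=sender.example; arc=fail (seal verification failed)
Content-Type: text/plain

Please review the shared document.
"""

def addresses(msg, header):
    """Lowercase SMTP addresses in a header, ignoring display names."""
    hdr = msg[header]
    return {a.addr_spec.lower() for a in hdr.addresses} if hdr else set()

def from_equals_to(msg):
    """The From=To anomaly: every To address is also the From address."""
    senders, recipients = addresses(msg, "From"), addresses(msg, "To")
    return bool(senders) and bool(recipients) and recipients <= senders

def auth_results(msg):
    """Map method -> result from Authentication-Results, e.g. {'spf': 'pass', 'arc': 'fail'}."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for clause in str(value).split(";")[1:]:  # clause 0 is the authserv-id
            method, _, rest = clause.strip().partition("=")
            if method and rest:
                results[method.lower()] = rest.split()[0].lower()
    return results

def score_signals(raw):
    """Combine the per-message signals into one verdict dict."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = auth_results(msg)
    signals = {
        "from_equals_to": from_equals_to(msg),
        "spf_dmarc_pass": auth.get("spf") == "pass" and auth.get("dmarc") == "pass",
        "arc_fail": auth.get("arc") == "fail",
    }
    # SPF/DMARC passes are expected when a compromised account relays through its
    # own authorised gateway, so the behavioral signals decide the escalation (assumed rule).
    signals["escalate"] = signals["from_equals_to"] and signals["arc_fail"]
    return signals

if __name__ == "__main__":
    print(score_signals(SAMPLE))
```

In production the same checks would run over the raw RFC 5322 headers exported from the gateway rather than a string literal.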
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Sender domain | rcfllc[.]com | Long-established salvage-industry company domain; compromised-legitimate sender; SPF/DMARC pass via Barracuda relay |
| Document link | hxxps://app[.]pandadoc[.]com/document/v2?token=809b996b134dd1df221c3c19a7e1ea86beffc6c9 | PandaDoc access token link; DOM inspection incomplete; document payload unconfirmed |
| Header anomaly | From = To = [account owner address][@]rcfllc[.]com | Both fields contain identical sender address; consistent with compromised-account sending |
| Relay | outbound-ip62a.ess.barracuda.com (209.222.82.237) | Authorized Barracuda outbound gateway; SPF pass via gateway IP |
| ARC result | arc=fail (hop 47) | ARC failure indicates intermediate message modification; not conclusive but adds to behavioral signal set |