Threat Intelligence

The Document That Could Not Be Read: PandaDoc Token Delivery and the From=To Account-Takeover Signal

Written by Audian Paxson | Jul 8, 2025 11:00:00 AM
TL;DR A salvage-industry company relayed an email through Barracuda's outbound gateway with SPF pass, DMARC pass, and a clean PandaDoc document link. The authentication story looked legitimate. But the From and To headers both contained the same address, a pattern consistent with automated or manipulated messages from a compromised account. Four mailboxes were quarantined. Because the PandaDoc document's DOM could not be inspected, the credential-harvest payload was never confirmed. The trusted platform was the point. Content inside a PandaDoc document is invisible to email-layer scanning, and the account-takeover signal in the headers was the earliest available warning.
Severity: High | Tags: Email-Account-Compromise, Account-Takeover, Credential-Harvesting | MITRE: T1566.002, T1534, T1078

The authentication headers were clean. The link resolved to a legitimate platform. The email body read like a routine document share. What the infrastructure could not see was that the From and To headers contained the same address, a pattern that does not occur in ordinary one-to-one business correspondence and is one of the earliest observable signals of a compromised sending account.

A long-established salvage-industry company relayed this message through Barracuda's outbound email security gateway. SPF passed because 209.222.82.237, a Barracuda outbound IP, is listed as a permitted sender in the company's SPF record; because the envelope sender domain aligned with the header From domain, that SPF pass alone was enough to satisfy DMARC. Four recipient mailboxes were flagged and quarantined. The email carried a PandaDoc document link with an embedded access token and a business-style signature that matched the company's public profile. None of the standard authentication checks produced a failure.

The From=To Header Pattern and What It Reveals About Account State

In a legitimate one-to-one business message, the From header contains the sender's address and the To header contains the recipient's address. They are different. When both headers contain the same address, the message was generated by an automated system (some notification and "send me a copy" features do this), assembled by a mailing-list platform, or produced by a compromised account. In the compromised-account case the attacker either failed to populate the recipient field before delivery or, more often, addressed the message to the mailbox itself and hid the real targets in Bcc, so that no recipient ever sees the full distribution list.

The header evidence in this case:

```
From: "the account owner" <[local-part withheld]@rcfllc[.]com>
To:   "the account owner" <[local-part withheld]@rcfllc[.]com>
```

The display name, local-part, and domain are identical across both fields. This is not a display-name mismatch or a Reply-To diversion. Both the human-readable label and the SMTP address itself were the same. That pattern, combined with the sender's risk level flagged as high and the multi-mailbox quarantine outcome, is consistent with email account compromise: an attacker who has authenticated to the mailbox and is using the account's own outbound infrastructure to distribute links.
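The classification above can be automated directly from the RFC 5322 headers. The Python below is an added example, not IRONSCALES code or anything recovered from the incident; the three messages it parses are constructed, with placeholder names and addresses under the reserved .test TLD. It goes slightly beyond the single case on the page by separating the self-addressed pattern seen here from the benign "copy myself" pattern, in which the sender appears in To alongside real recipients, and from a missing To header, which bulk mail produces legitimately.

```python
"""From/To relationship check for one RFC 5322 message.

Added example, not IRONSCALES code. Sample messages are constructed;
addresses use the reserved .test TLD.
"""
from email import message_from_string
from email.utils import getaddresses

# Constructed samples (not the incident's real headers).
SELF_ADDRESSED = """\
From: "A. Owner" <owner@example-salvage.test>
To: "A. Owner" <owner@example-salvage.test>
Subject: Document shared with you

Please review the document at the link below.
"""

NORMAL = """\
From: "A. Owner" <owner@example-salvage.test>
To: "B. Buyer" <buyer@customer.test>
Subject: Invoice 1042

Invoice attached.
"""

COPY_SELF = """\
From: "A. Owner" <owner@example-salvage.test>
To: buyer@customer.test, owner@example-salvage.test
Subject: Meeting notes

Notes from today.
"""


def _addresses(msg, header):
    """(display name, lowercased addr-spec) for every mailbox in *header*."""
    return [(name, addr.lower())
            for name, addr in getaddresses(msg.get_all(header, [])) if addr]


def from_to_anomaly(raw_message: str) -> dict:
    """Classify the From/To relationship of one message.

    verdict values:
      normal          From differs from every To address
      self_addressed  the only To address is the sender (the pattern in this
                      case; real targets were hidden, typically in Bcc)
      self_in_to      sender listed alongside other recipients, the benign
                      "copy myself" pattern
      no_to           no parsable To address (undisclosed-recipients:; lands
                      here too; common for bulk mail, so not flagged)
    """
    msg = message_from_string(raw_message)
    senders = _addresses(msg, "From")
    if not senders:
        return {"verdict": "no_from", "suspicious": False}
    sender_name, sender_addr = senders[0]
    recipients = _addresses(msg, "To")
    rcpt_addrs = [addr for _, addr in recipients]
    if not rcpt_addrs:
        verdict = "no_to"
    elif rcpt_addrs == [sender_addr]:
        verdict = "self_addressed"
    elif sender_addr in rcpt_addrs:
        verdict = "self_in_to"
    else:
        verdict = "normal"
    return {
        "verdict": verdict,
        "sender": sender_addr,
        "recipients": rcpt_addrs,
        # True when label and address both match, as in this incident
        "display_name_identical": (sender_name, sender_addr) in recipients,
        "suspicious": verdict == "self_addressed",
    }


if __name__ == "__main__":
    for label, raw in [("self-addressed", SELF_ADDRESSED),
                       ("normal", NORMAL), ("copy-self", COPY_SELF)]:
        print(label, from_to_anomaly(raw))
```

The check deliberately compares addr-spec values after lowercasing rather than raw header strings, so a display-name change or different quoting cannot hide the match; the separate `display_name_identical` field records the stronger condition described above, where the human-readable label matched as well.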

MITRE ATT&CK T1566.001 is Spearphishing Attachment; the delivery here was a link, which maps to T1566.002 (Spearphishing Link). T1534 (Internal Spearphishing) is relevant when a compromised account is used to target recipients who would recognize the sender. T1078 (Valid Accounts) captures the access method: not a spoofed domain, but a real account whose credentials or session the attacker controlled.

Why the PandaDoc Link Was the Right Delivery Vehicle

The link in this email pointed to hxxps://app[.]pandadoc[.]com/document/v2?token=809b996b134dd1df221c3c19a7e1ea86beffc6c9. PandaDoc is a legitimate document-signing and contract-management platform. Its domain carries no threat-feed entries. An email gateway scanning this URL sees valid TLS, an HTTP 200 response from a trusted SaaS vendor, and no redirect chain leading to attacker infrastructure. The verdict is low-risk.

What the gateway cannot see is what the document contains after the access token is redeemed. PandaDoc documents can include embedded links, form fields that collect credentials, and instructions to navigate to external pages. The token in this URL is a bearer credential: anyone who holds the link is shown the document without signing in to a PandaDoc account, which is how document-signing platforms are designed to serve external recipients and is exactly why the link survives reputation checks. In the case under review, the automated DOM inspection of the document's internal content failed to complete, which means the payload inside the document was never confirmed.

That outcome is itself the story. An attacker who routes a credential-collection form through a trusted document platform gains two advantages at once: the email-layer link scan sees only the trusted host, and if the document is later deleted or its token expires, the payload can no longer be retrieved for forensic inspection. Account takeover via trusted-platform delivery is the technique category that covers both the compromise method and the delivery mechanism.


Barracuda as the Trusted Relay and the ARC Failure Signal

The Barracuda outbound gateway (outbound-ip62a.ess.barracuda.com) is a legitimate enterprise mail relay. Organizations configure it as an authorized sender in their SPF records and route outbound mail through it for scanning and compliance. When an attacker compromises an account at a Barracuda customer, they inherit the customer's full sending infrastructure: Barracuda's outbound IPs pass SPF, DMARC evaluates against a passing SPF result, and the message arrives at the recipient's gateway with full authentication compliance.

The ARC (Authenticated Received Chain) headers in this message showed arc=fail at one hop. An ARC failure means the receiving hop could not validate the chain of ARC signatures and seals: most often an ARC-Message-Signature no longer verifies because an intermediary modified headers or body after signing, although a misconfigured seal or a broken chain instance yields the same verdict. This is not conclusive evidence of manipulation (legitimate forwarding and mailing-list rewriting routinely break ARC), but it adds to the behavioral signal set. One caveat for analysts: ARC exists to let a receiver override a DMARC failure caused by forwarding (RFC 8617), so on a message that already passed SPF and DMARC directly, arc=fail changes nothing about the authentication verdict. Its value here is purely as evidence that at least one intermediate layer handled the message in a way the chain could not account for.

The combination of signals (From=To header anomaly, ARC failure, high sender risk designation, and multi-mailbox quarantine outcome) is the detection surface for credential harvesting operations that route through compromised legitimate accounts. Individual signals are explainable. The pattern across signals is not.
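Scoring the combination rather than any single signal is something a gateway post-processing step or a SOAR playbook can do from the headers and body alone. The Python below is an added example, not IRONSCALES or Barracuda code. It parses RFC 8601 Authentication-Results headers into method/result pairs, applies the From=To check, flags body links to a token-gated document platform (the PandaDoc passage above), and then applies the rule this section states: one signal is explainable, two or more together are not. Both sample messages are constructed; the authserv-id, addresses, the 203.0.113.10 documentation-range IP and the all-zero token value are placeholders, and DOCUMENT_PLATFORMS is an assumed allowlist seeded only with the host named on this page.

```python
"""Signal fusion over one message: auth results, From=To, token-gated link.
Added example, not IRONSCALES or Barracuda code. Samples are constructed;
authserv-id, addresses, IP and token value are placeholders."""
import re
from email import message_from_string
from email.utils import getaddresses
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist of document platforms whose content sits behind a bearer
# token and is therefore invisible to URL-reputation checks. Extend as needed.
DOCUMENT_PLATFORMS = {"app.pandadoc.com"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")
RESINFO_RE = re.compile(r"^\s*([a-z0-9-]+)=([a-z]+)", re.IGNORECASE)

# Constructed: From=To, SPF/DMARC pass, arc=fail, token-gated platform link.
INCIDENT_LIKE = """\
Authentication-Results: mx.recipient.test;
 spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=example-salvage.test;
 dkim=none;
 dmarc=pass action=none header.from=example-salvage.test;
 arc=fail (i=2 cv=fail)
From: "A. Owner" <owner@example-salvage.test>
To: "A. Owner" <owner@example-salvage.test>
Subject: Document for your review

Please review and sign:
https://app.pandadoc.com/document/v2?token=0000000000000000000000000000000000000000
"""

# Constructed: ordinary one-to-one mail, fully authenticated, no ARC.
ROUTINE = """\
Authentication-Results: mx.recipient.test;
 spf=pass smtp.mailfrom=example-salvage.test;
 dkim=pass header.d=example-salvage.test;
 dmarc=pass header.from=example-salvage.test
From: "A. Owner" <owner@example-salvage.test>
To: "B. Buyer" <buyer@customer.test>
Subject: Invoice 1042

Invoice details: https://www.example-salvage.test/invoices/1042
"""


def parse_auth_results(msg) -> dict:
    """Collapse RFC 8601 Authentication-Results headers into {method: result}.
    CFWS comments like "(i=2 cv=fail)" are stripped, the authserv-id clause is
    skipped, and the topmost header (the receiving hop's own) wins."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        clauses = re.sub(r"\([^)]*\)", "", value).split(";")[1:]
        for clause in clauses:
            m = RESINFO_RE.match(clause)
            if m:
                results.setdefault(m.group(1).lower(), m.group(2).lower())
    return results


def from_equals_to(msg) -> bool:
    """True when the only To address is the From address."""
    senders = [a.lower() for _, a in getaddresses(msg.get_all("From", [])) if a]
    rcpts = [a.lower() for _, a in getaddresses(msg.get_all("To", [])) if a]
    return bool(senders) and rcpts == senders[:1]


def body_urls(msg) -> list:
    """Every http(s) URL found in the text parts of the message."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            urls.extend(URL_RE.findall(payload.decode("utf-8", "replace")))
    return urls


def token_gated_platform_links(urls) -> list:
    """URLs on an allowlisted document platform that carry a bearer token."""
    return [u for u in urls
            if urlsplit(u).hostname in DOCUMENT_PLATFORMS
            and "token" in parse_qs(urlsplit(u).query)]


def triage(raw_message: str) -> dict:
    msg = message_from_string(raw_message)
    auth = parse_auth_results(msg)
    signals = []
    if from_equals_to(msg):
        signals.append("from_equals_to")
    if auth.get("dmarc") == "pass" and auth.get("arc") == "fail":
        # DMARC passed on its own, so ARC was never needed to rescue the
        # verdict (RFC 8617); arc=fail is a handling anomaly, not an auth fail.
        signals.append("arc_fail_despite_dmarc_pass")
    if token_gated_platform_links(body_urls(msg)):
        signals.append("token_gated_trusted_platform_link")
    # One signal is explainable; two or more together are not.
    verdict = "quarantine" if len(signals) >= 2 else ("log" if signals else "deliver")
    return {"auth": auth, "signals": signals, "verdict": verdict}
```

Note what the routine message shows: a fully authenticated mail with an ordinary link produces no signals and is delivered, while the incident-like message is held even though every one of its authentication results is "pass". The token-gated link on its own would only be logged; it becomes actionable because it arrives together with the From=To anomaly.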

Indicators of Compromise

| Type | Indicator | Context |
|---|---|---|
| Sender domain | rcfllc[.]com | Long-established salvage-industry company domain; compromised legitimate sender; SPF/DMARC pass via Barracuda relay |
| Document link | hxxps://app[.]pandadoc[.]com/document/v2?token=809b996b134dd1df221c3c19a7e1ea86beffc6c9 | PandaDoc access-token link; DOM inspection incomplete; document payload unconfirmed |
| Header anomaly | From = To = [account owner address][@]rcfllc[.]com | Both fields contain the identical sender address; consistent with compromised-account sending |
| Relay | outbound-ip62a.ess.barracuda.com (209.222.82.237) | Authorized Barracuda outbound gateway; SPF pass via gateway IP |
| ARC result | arc=fail (hop 47) | ARC chain did not validate at an intermediate hop; not conclusive on its own but adds to the behavioral signal set |

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack. What it looked like, why it worked, and what to do about it.

Related attacks

| Attack | What happened |
|---|---|
| The SharePoint Guest Link That Passed Every Authentication Check | A fully authenticated SharePoint guest link bypassed SPF, DKIM, and DMARC. |
| Password-Protected PDFs Are the New Sandbox Killer: How a Compromised .gov Account Delivered an Unopenable Payload | A compromised government education account sent a password-protected PDF with the passcode in the email body, bypassing every automated scanner. |
| The Auth0 Developer Tenant That Passed Every Security Check (Because It Was Real) | An attacker weaponized Auth0's free developer tenant to build a phishing chain that passed DKIM, DMARC, and every link scanner. |
| The Lab Result Notification That Every Security Check Approved (Because the Platform Was Real) | A credential harvest targeting healthcare portal logins arrived through bridgeinteract.io, a legitimate HIPAA-adjacent patient engagement platform. |
| The Webinar Invite That Came With an Apple Wallet Pass and a Three-Hop Redirect Chain | A Google Calendar invite for a fake AI webinar passed full authentication and carried an .ics file, an Apple Wallet .pkpass. |