Two mailboxes at a Florida law firm received the same email at the same moment. Both were quarantined within 26 seconds. No user ever opened the attachment. No scanner flagged the file as malicious. The verdict from every automated tool in the chain was the same: clean.
That gap between "clean" and "safe" is exactly where this attack was designed to live.
The email arrived on March 31, 2026, with the subject line "Completed Document : Approved New Statement from Georgia Department of Education." The body was minimal: a professional greeting, a 10-digit passcode, and a single instruction to review the attached document.
Everything else in the email was borrowed legitimacy. The message carried real Georgia Department of Education branding, including the official logo, a promotional banner for the PEACH Education Tax Credit program, and a recognition banner for the 2026 National Teacher of the Year Finalist. The footer included a real superintendent's name and a real Atlanta address. Every embedded link in the email pointed to legitimate state agency websites. Scanners that checked those URLs returned clean results, because the URLs themselves were clean.
The sending account traced to a paraprofessional at the Georgia Academy for the Blind, a unit of the state education agency. The account used Microsoft's Office365 outbound infrastructure. SPF passed. DKIM passed against the state education domain. DMARC passed. Two ARC seals validated the message chain. There was nothing in the authentication record to suggest anything was wrong, because the account being used appeared to be a real, legitimate government account that was likely compromised.
The attachment was branded as an official state education record. It was password-protected.
Here is the specific move that makes this technique effective, and instructive.
Automated sandboxes analyze attachments by attempting to open and detonate them. A password-protected PDF stops that process completely. Without the password, the sandbox sees an encrypted file it cannot read. The static scanner verdict is "clean," not because the file is safe, but because the scanner cannot see inside it.
The attacker's solution to the human-access problem was also the attacker's weapon against detection: put the password in the email body. The recipient has everything they need to open the file. The sandbox has nothing.
This is MITRE ATT&CK T1027, Obfuscated Files or Information, applied specifically to block detonation. The obfuscation is not sophisticated in a technical sense. It is deliberate in a strategic sense. The attacker is not trying to hide the password from the human. The attacker is exploiting the fact that automated systems cannot read context the way a person does.
Microsoft ATP processed the email and assigned it a spam confidence level of 1 (low), landing it cleanly in the inbox. That outcome was predictable. The authentication was legitimate, the URLs were clean, and the payload was a locked file that returned no signals.
The attack chain maps across three MITRE techniques: T1566.001 for spearphishing with an attachment, T1027 for the password-protection evasion, and T1078 for the use of what appears to be a valid, compromised government account as the delivery mechanism. That last technique matters here because it explains why every authentication check passed. The attacker did not spoof a government domain. They used a real one.
One behavioral signal in this email deserved attention on its own. The "To:" field showed the sender emailing themselves. The Florida law firm employees received the email as BCC recipients, or through another routing method that obscured their addresses from the visible header.
This is a deliberate targeting technique. When a recipient does not see their own email address in the "To:" field, they are less likely to question why they received the message. It creates a small cognitive gap. The email looks like it was intended for someone else, which can reduce skepticism about why it arrived. For a document notification from a government agency, the omission goes largely unnoticed.
It also complicates automated analysis. Rules and filters that flag mismatches between "To:" addresses and actual recipients can catch this, but many environments are not configured to treat BCC delivery from external senders as a risk signal.
| Type | Indicator | Context |
|---|---|---|
| File hash (MD5) | bc4b336fd7a461d05da3e00d68e9975d | Password-protected PDF attachment |
| Sending domain | doe[.]k12[.]ga[.]us | Legitimate state education domain, likely compromised account |
| Attachment name | Redacted (branded as official state education record) | PDF lure document |
The payload in this case is unknown. Because the sandbox could not open the file, the final-stage intent remains unconfirmed. That ambiguity is itself a teaching point. Password-protected attachments are increasingly used not only for credential harvesting but for malware delivery, specifically because the payload type cannot be determined without the password.
The FBI IC3 2023 Internet Crime Report documented over $2.9 billion in BEC losses, with a significant share attributed to social engineering techniques that exploit trusted communication channels. CISA's guidance on phishing-resistant authentication notes that authentication controls alone are insufficient when the sending account itself is legitimate but compromised. Verizon's 2024 Data Breach Investigations Report found that 68% of breaches involved a human element, and phishing remained the leading initial access vector. The IRONSCALES 2023 Email Security Report found that 65% of organizations experienced a phishing attack that bypassed traditional security controls in the previous year.
What stopped this email was not a scanner verdict. IRONSCALES flagged it through a combination of behavioral signals: the password-protected attachment paired with a passcode delivered in the body, a first-time sender from an unusual domain pairing, and community threat intelligence that had seen similar incident patterns previously resolved as phishing. Themis identified the combination as high-risk and quarantined both affected mailboxes within 26 seconds of email receipt.
No user interaction. No attachment opened. No payload detonated.
Password-protected attachment attacks are not new. The technique has been documented as an active evasion method since at least 2020, and CISA has specifically called out encrypted and password-protected attachments as a mechanism used to bypass email gateway inspection. What makes this case worth examining is the completeness of the deception stack.
Legitimate sending infrastructure. Real government branding. Authentic URLs. Passing authentication across every protocol. A payload that cannot be inspected. The only thing missing was a reason for a Florida law firm to receive a document from a state education agency, and social engineering relies on the possibility that the recipient will assume a reason rather than stop to verify one.
For security teams, the operational implications are specific:

- **Treat passcode-in-body as a risk signal.** An email that contains both a password-protected attachment and a passcode to open it is not a routine document workflow. Flag that pattern for review regardless of authentication results or scanner verdicts.
- **First-time sender analysis needs behavioral context.** Authentication passing does not mean the sender is expected. A first-time sender from a government domain contacting a law firm with a protected attachment is a combination that warrants scrutiny.
- **BCC delivery from external senders is worth monitoring.** When recipients are not visible in the "To:" field on an externally-delivered message, that pattern is worth surfacing, even when it does not independently constitute a threat signal.
- **Unknown payloads are still payloads.** The inability to determine what a file contains is not a clean bill of health. If a sandbox cannot detonate an attachment, that outcome should elevate risk posture, not lower it.
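As an added example (not IRONSCALES or Themis code), the Python below scores a parsed message on the signals this post describes: an encrypted PDF attachment (detected by the /Encrypt entry a reader needs to decrypt it), a passcode in the body, a first-time sender, and a recipient missing from the visible To:/Cc: headers, as in the self-addressed delivery noted earlier. The addresses, the sample message and the minimal PDF-shaped bytes are constructed placeholders, and the known-sender set stands in for whatever sender-history store an environment keeps.

```python
import email.message
import email.utils
import re
from email import policy

# A passcode hint followed by 4-12 digits (the lure carried a 10-digit code in the body).
PASSCODE_RE = re.compile(r"\b(?:pass(?:code|word)|pin)\b\W{0,20}(\d{4,12})\b", re.I)

def pdf_is_encrypted(data: bytes) -> bool:
    """Encrypted PDFs reference an /Encrypt dictionary from the trailer or xref stream."""
    return data.startswith(b"%PDF") and b"/Encrypt" in data

def analyze(raw: bytes, recipient: str, known_senders: set) -> dict:
    """Score one message delivered to `recipient`; SPF/DKIM/DMARC results are ignored on purpose."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    signals = []
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    locked = [p for p in msg.iter_attachments()
              if p.get_content_type() == "application/pdf"
              and pdf_is_encrypted(p.get_payload(decode=True) or b"")]
    if locked:
        signals.append("encrypted_pdf_attachment")  # a sandbox cannot detonate this file
        if PASSCODE_RE.search(text):
            signals.append("passcode_in_body")       # the human can open it, the scanner cannot
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    if sender and sender not in known_senders:
        signals.append("first_time_sender")
    visible = {a.lower() for _, a in
               email.utils.getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if recipient.lower() not in visible:
        signals.append("recipient_hidden")           # delivered via Bcc or similar routing
    if sender and visible == {sender}:
        signals.append("self_addressed")
    # Locked PDF plus passcode is decisive on its own; other signals alone only warrant review.
    verdict = "quarantine" if "passcode_in_body" in signals else "review" if len(signals) >= 2 else "allow"
    return {"signals": signals, "verdict": verdict}

def build_sample(to: str, passcode, encrypted: bool) -> bytes:
    """Constructed message modelled on the lure above; all addresses are hypothetical."""
    msg = email.message.EmailMessage()
    msg["From"] = "staff@agency.example"
    msg["To"] = to
    msg["Subject"] = "Completed Document : Approved New Statement"
    msg.set_content("Please review the attached document.\n" + (f"Passcode: {passcode}\n" if passcode else ""))
    # Minimal PDF-shaped bytes; a real encrypted file carries /Encrypt in its trailer.
    trailer = b"/Encrypt 2 0 R" if encrypted else b""
    pdf = b"%PDF-1.7\n1 0 obj<</Type/Catalog>>endobj\ntrailer<</Root 1 0 R" + trailer + b">>\n%%EOF\n"
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="statement.pdf")
    return msg.as_bytes()
```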
Adaptive AI email security works precisely because it evaluates the combination of signals rather than each one in isolation. No single indicator here would have caught this. Together, they described an attack clearly enough to quarantine in under half a minute.