TL;DR An attacker registered dpahuja.co, a lookalike of the legitimate Indian patent law firm D.P. Ahuja & Co. (dpahuja.sg), and sent three fillable PDF compliance forms to the patent management team at an agricultural chemicals company. The email referenced a real patent number, real filing deadlines, and a plausible fee schedule. SPF, DMARC, and ARC all passed. One PDF contained 27 MZ executable byte signatures hidden in compressed object streams, invisible to every static scanner. Themis flagged the sender-domain mismatch that authentication alone could not catch.
Severity: High | Tags: Spear Phishing, Malware Delivery, Impersonation | MITRE: T1566.001, T1036.005, T1204.002

Someone knew exactly who manages patent filings at an agricultural chemicals company. They knew the law firm. They knew the patent number. They knew the statutory deadline. And they sent three PDFs that looked like routine compliance forms, through an email that passed every authentication check in the chain.

One of those PDFs contained 27 hidden Windows executable signatures buried inside compressed object streams. Every scanner called it clean.

The Firm Was Real. The Domain Was Not.

D.P. Ahuja & Co. is a legitimate Indian intellectual property law firm. Their actual domains are dpahuja[.]sg and dpahuja[.]com. The email that arrived in three patent team inboxes came from dpapatents@dpahuja[.]co.

That one TLD difference (.co instead of .sg) is the entire attack.

The attacker configured dpahuja[.]co with valid SPF records and routed the message through Microsoft 365 infrastructure. The sending IP (2a01:111:f403:c408::3) belonged to Microsoft's outbound protection servers. SPF passed. DMARC passed. ARC evaluations across multiple Microsoft gateways confirmed the trust chain. The only gap: DKIM showed "none" because the message was never signed.

None of that mattered. Authentication confirmed the message came from dpahuja[.]co. It did not, and cannot, confirm whether dpahuja[.]co is the domain the recipients should trust. The Microsoft Digital Defense Report 2024 documents this exact gap: business email compromise campaigns increasingly use domains with fully valid authentication records, registered specifically for impersonation.

Targeting That Only Works With Reconnaissance

This was not a mass campaign. The email went to three specific people in the patent compliance function at a global agricultural chemicals firm. The subject line referenced a real Indian patent number (251264), a real application number (1629/KOLNP/2007), and a real statutory requirement: the Form 27 working report that patent holders must file with the Indian Patent Office.

The deadlines were plausible. Instructions requested by May 30, 2026. Filing deadline September 30, 2026. The fee schedule broke costs across three fiscal years, totaling INR 30,400 (roughly USD 350), small enough to process without executive approval at most companies.

Every detail was designed to fit seamlessly into the workflow these three recipients handle regularly. This is what makes spearphishing with attachment delivery (T1566.001) effective: the social engineering is indistinguishable from the real process it imitates.

The FBI IC3 2024 report tracked $2.9 billion in BEC losses. Advance-fee schemes targeting professional services workflows (legal filings, tax compliance, vendor invoices) account for a growing share because they exploit trust relationships that already involve money changing hands.

Three PDFs, Three Verdicts, One Problem

The email carried three PDF attachments, all named as Form 27 working reports for different fiscal years. Each was over 1 MB, contained AcroForm interactive fields (48 fields in the largest), and looked consistent with legitimate fillable government forms.

Static analysis returned clean verdicts on every file. No JavaScript. No launch actions. No OpenAction triggers. No encryption flags. By every conventional scanner check, these were safe documents.

Deeper inspection of the first attachment (hash: 20476c7258b685f1b302f666e491b122, 1.1 MB) found 27 occurrences of MZ byte signatures inside compressed object streams. MZ (4D 5A) marks the beginning of a Windows PE executable (T1204.002). While no adjacent PE\x00\x00 headers were confirmed (the fragments may exist within compressed binary data), 27 MZ occurrences in a tax compliance form is not normal.
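The gap described above is that a scanner reading only the top-level PDF structure never sees what is inside a /FlateDecode object stream. The following is an added example (not IRONSCALES code and not the tooling used in this analysis) of the deep-extraction check a defender would run: it inflates every FlateDecode stream, counts MZ signatures in the decompressed bytes, and separately checks whether an MZ header's e_lfanew field actually points at a PE\x00\x00 signature, so that an incidental "MZ" byte pair is not reported as a confirmed executable. The sample PDF is constructed inline and only handles FlateDecode; the regex assumes at most one level of nested dictionaries, which is enough for the demonstration but not for arbitrary real-world files.

```python
import re
import zlib

# Matches "<< ... >> stream ... endstream" with at most one level of nested
# dictionary inside the stream dictionary (assumption for this example).
STREAM_RE = re.compile(
    rb"(<<(?:[^<>]|<<[^<>]*>>)*>>)\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL
)


def build_sample_pdf(hidden: bytes) -> bytes:
    """Constructed minimal PDF with one FlateDecode stream wrapping `hidden`."""
    body = zlib.compress(hidden)
    return (
        b"%PDF-1.7\n"
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
        b"3 0 obj\n<< /Length " + str(len(body)).encode()
        + b" /Filter /FlateDecode >>\nstream\n" + body + b"\nendstream\nendobj\n"
        b"%%EOF\n"
    )


# Two constructed payloads: loose MZ fragments (no valid PE header) and a
# stub whose e_lfanew (offset 0x3C) points at a real PE\0\0 signature.
FRAGMENTS = b"form-data " + b"MZ" + b"\x90\x00" * 30 + b" more " + b"MZ" + b"\x00" * 10
PE_STUB = b"MZ" + b"\x00" * (0x3C - 2) + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 16


def decode_stream(dictionary: bytes, raw: bytes) -> bytes:
    """Inflate a FlateDecode stream; return raw bytes for other/unknown filters."""
    if b"/FlateDecode" not in dictionary:
        return raw
    try:
        return zlib.decompress(raw)
    except zlib.error:
        # Truncated or corrupt stream: recover whatever inflates cleanly.
        try:
            return zlib.decompressobj().decompress(raw)
        except zlib.error:
            return raw


def count_mz(data: bytes) -> int:
    return data.count(b"MZ")


def confirmed_pe_headers(data: bytes) -> int:
    """Count MZ occurrences whose e_lfanew points at a PE\\0\\0 signature."""
    n = 0
    for m in re.finditer(rb"MZ", data):
        off = m.start()
        if off + 0x40 > len(data):
            continue
        e_lfanew = int.from_bytes(data[off + 0x3C:off + 0x40], "little")
        if data[off + e_lfanew:off + e_lfanew + 4] == b"PE\x00\x00":
            n += 1
    return n


def scan_pdf(pdf: bytes) -> dict:
    """Surface count = what a scanner that skips stream bodies sees;
    stream counts = what deep extraction of the inflated streams finds."""
    surface = count_mz(STREAM_RE.sub(b"", pdf))
    stream_mz = pe = 0
    for dictionary, raw in STREAM_RE.findall(pdf):
        decoded = decode_stream(dictionary, raw)
        stream_mz += count_mz(decoded)
        pe += confirmed_pe_headers(decoded)
    return {"surface_mz": surface, "stream_mz": stream_mz, "confirmed_pe": pe}


if __name__ == "__main__":
    for label, payload in (("fragments", FRAGMENTS), ("pe_stub", PE_STUB)):
        print(label, scan_pdf(build_sample_pdf(payload)))
```

A nonzero stream_mz with confirmed_pe of 0 is exactly the ambiguous state the analysis above describes: MZ fragments inside compressed data without a verified PE header. That is still worth escalating in a fillable form, but the distinction lets triage separate "suspicious bytes" from "a complete embedded executable".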

A second attachment could not be opened by the sandbox environment at all. Its "clean" verdict was based on metadata alone, never verified through actual analysis. The third PDF showed standard AcroForm fields with no anomalies.

This combination of masquerading as legitimate documents while potentially embedding executable content inside trusted formats aligns with T1036.005 (Masquerading: Match Legitimate Name or Location) in the MITRE ATT&CK framework.


The Signal That Authentication Could Not Produce

The Themis Adaptive AI engine flagged this message at 68% confidence on behavioral signals that authentication protocols do not evaluate. The sender domain dpahuja[.]co was not in the organization's established communication pattern. The display name matched a known external contact, but the domain did not match the expected TLD.

This is a detection problem that DMARC was never designed to solve. DMARC answers "Did this come from the domain it claims?" Behavioral analysis answers "Is this the domain this organization normally communicates with?" The difference between those two questions is the gap attackers walk through.
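The two questions above, and the lookalike-TLD mechanics described in "The Firm Was Real. The Domain Was Not.", can be expressed as a small behavioral check. This is an added example, not Themis or any IRONSCALES code: it parses the From header, compares the sender domain against a constructed directory of domains the organization has actually corresponded with, flags a display name that matches a known contact while the domain does not, and flags a domain whose label matches a known one but whose TLD differs (or that is otherwise a near-match). Authentication results are carried along but deliberately never lower the verdict. The KNOWN_CONTACTS directory, the naive label/TLD split (no public-suffix list) and the 0.85 similarity threshold are assumptions for the demonstration.

```python
import difflib
from email.utils import parseaddr

# Constructed directory of established contacts (assumption, not real
# organizational data): display name -> domains actually corresponded with.
KNOWN_CONTACTS = {
    "D.P. Ahuja & Co.": {"dpahuja.sg", "dpahuja.com"},
}

SIMILARITY_THRESHOLD = 0.85  # assumed; tune against real traffic


def split_domain(domain: str) -> tuple[str, str]:
    """Naive split into (label, tld); a real deployment would use a public-suffix list."""
    label, _, tld = domain.lower().rpartition(".")
    return (label, tld) if label else (tld, "")


def assess_sender(header_from: str, known=KNOWN_CONTACTS, spf_dmarc_pass: bool = True) -> dict:
    """Classify a sender as established / suspicious / unknown on relationship signals.

    `spf_dmarc_pass` answers "did this come from the domain it claims?"; it is
    recorded but does not change the verdict, because a lookalike domain with
    valid records still passes that check."""
    name, addr = parseaddr(header_from)
    domain = addr.rpartition("@")[2].lower()
    known_domains = {d for ds in known.values() for d in ds}

    if domain in known_domains:
        return {"verdict": "established", "reasons": [], "authenticated": spf_dmarc_pass}

    reasons = []
    if name in known and domain not in known[name]:
        reasons.append(f"display name '{name}' matches a known contact but {domain} is not an established domain")

    label, tld = split_domain(domain)
    for d in sorted(known_domains):
        klabel, ktld = split_domain(d)
        if label == klabel and tld != ktld:
            reasons.append(f"label matches {d} but TLD differs (.{tld} vs .{ktld})")
        else:
            ratio = difflib.SequenceMatcher(None, domain, d).ratio()
            if ratio >= SIMILARITY_THRESHOLD:
                reasons.append(f"near-match of {d} (similarity {ratio:.2f})")

    verdict = "suspicious" if reasons else "unknown"
    return {"verdict": verdict, "reasons": reasons, "authenticated": spf_dmarc_pass}


if __name__ == "__main__":
    for hdr in (
        '"D.P. Ahuja & Co." <dpapatents@dpahuja.co>',  # lookalike TLD (this case)
        "filings@dpahuja.sg",                          # established
        "billing@dpahuja-co.com",                      # constructed near-match
        "noreply@example.org",                         # unrelated
    ):
        r = assess_sender(hdr)
        print(f"{hdr:45} -> {r['verdict']}")
        for reason in r["reasons"]:
            print("   ", reason)
```

The lookalike in this case produces three reasons: the display-name/domain mismatch plus a same-label, different-TLD hit against each of the two real domains. Passing SPF and DMARC is reported alongside the verdict rather than subtracted from it, which is the policy distinction the paragraph above draws.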

Across the IRONSCALES community of 35,000+ security professionals, similar campaigns had already been surfacing: lookalike TLDs, passing authentication, legal-themed attachments targeting multinational companies with patent exposure in specific jurisdictions. Community intelligence elevated the pattern before it could escalate.

The Verizon 2024 DBIR found the human element involved in 68% of breaches. Here, the humans did not fail. The three recipients never opened, clicked, or responded. The failure was the infrastructure layer that confused authentication with trust. The affected mailboxes were quarantined, first on March 31, then across additional affected accounts on April 7.

Indicators of Compromise

Type | Indicator | Context
Domain | dpahuja[.]co | Lookalike domain impersonating dpahuja[.]sg / dpahuja[.]com
Email | dpapatents@dpahuja[.]co | Attacker-controlled sender
IP | 2a01:111:f403:c408::3 | Microsoft 365 outbound relay used for delivery
Hash (MD5) | 20476c7258b685f1b302f666e491b122 | PDF with 27 embedded MZ signatures in object streams
Hash (MD5) | dd58b11a2fcb8aa819be4d853fba6026 | Unverifiable PDF (sandbox could not open)
Hash (MD5) | 7ea20cd7d542568662a8ed56a0a1f2ed | Low-risk PDF with AcroForm fields

Why IP Teams Are High-Value Phishing Targets

Patent compliance workflows involve real deadlines, real fees, and real law firms that communicate via email with attachments. That makes them a natural target for impersonation campaigns.

Security teams reviewing email security policies should consider three things this case demonstrates. First, email authentication confirms domain ownership, not domain legitimacy. A lookalike domain with valid SPF and DMARC records will pass every check. Second, static PDF scanning that stops at the top-level structure misses content embedded in compressed object streams. Deep extraction is the only way to catch payloads like MZ signatures hidden below the surface. Third, advance-fee fraud targeting professional services functions does not need malicious links or exploit code. The fee table itself is the payload, and USD 350 is engineered to fall below most approval thresholds.

CISA's phishing guidance emphasizes verifying sender identity through independent channels before processing requests, especially when money is involved. For IP teams handling patent filings across jurisdictions, that verification step is the difference between a routine filing and a fraudulent one.

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 30,000+ security professionals. Each post breaks down one attack — what it looked like, why it worked, and what you can do about it.
