The Payoff Letter With a Blank Body, a Trust Account, and a Token That Said 'bypasszix'

The email body was blank. Not "brief." Blank. The raw content was Microsoft Word boilerplate and a non-breaking space, the kind of output you get when someone composes in Word, deletes everything, and hits send. The subject line read "Payoff Letter-bypasszix." The attachment was a PDF containing a law firm letterhead, a judgment balance, a payoff deadline, and instructions to send payment to a named trust account.

Every scanner that inspected the attachment returned a clean verdict. The email passed SPF, ARC, and DKIM. The sender domain belonged to a mid-size law firm, registered in 2000 through Network Solutions, with MX records pointing to Microsoft protection infrastructure. Nothing triggered.

The Subject Line That Told on Itself

The token bypasszix in the subject line is the most revealing artifact in this case. Zix (now part of Cisco Secure Email) is an encryption gateway that inspects outbound email for sensitive content and routes matching messages through a secure delivery portal. Some organizations configure Zix to use subject-line keywords to control encryption behavior, allowing authorized senders to flag messages for bypass.

The presence of this token in an inbound email suggests one of two things: the sending account was compromised by someone who understood the organization's mail flow rules, or the token was included speculatively in case the recipient's environment used Zix-style keyword routing. Either way, it signals operational awareness of secure email gateway infrastructure that goes beyond a generic phishing template.

See Your Risk: Calculate how many threats your SEG is missing

A PDF That Scanners Had No Reason to Flag

The attachment, Payoff Letter (AutoRecovered).pdf, was 167 KB and a single page. OCR extraction revealed a law firm letterhead, a judgment balance of $1,338.18, a payoff good through May 31, 2026, and instructions to make checks payable to a trust account. No embedded URLs. No JavaScript. No macros. No executable content.

From a scanner's perspective, this PDF was a clean document. The threat was not in the file's structure but in its content: payment instructions directing funds to an account the recipient had no way to independently verify from the email alone. This is the core challenge of invoice fraud and payment diversion attacks. The payload is information, not code. No signature can match it. No sandbox can detonate it.

The (AutoRecovered) suffix in the filename is another oddity. It suggests the document was recovered from a crash or unexpected close in the authoring application, which is inconsistent with a polished, intentional communication from a law firm's billing department.

The Blank Body as a Design Choice

The empty email body is not accidental. It forces the recipient to open the PDF to understand why the message arrived. Body-content scanners that look for financial keywords, urgency language, or payment instructions find nothing to evaluate. The entire attack surface lives inside the attachment, and the attachment is technically clean. This is a deliberate architecture: minimize what scanners can see, maximize what the recipient must act on.

Themis flagged the combination: a first-time sender from a law firm domain, a blank body with an attachment containing financial instructions, and the bypasszix subject-line token. The behavioral pattern, not any single technical indicator, drove the detection.

Indicators of Compromise

MITRE ATT&CK Mapping