The email body was blank. Not "brief." Blank. The raw content was Microsoft Word boilerplate and a non-breaking space, the kind of output you get when someone composes in Word, deletes everything, and hits send. The subject line read "Payoff Letter-bypasszix." The attachment was a PDF containing a law firm letterhead, a judgment balance, a payoff deadline, and instructions to send payment to a named trust account.
Every scanner that inspected the attachment returned a clean verdict. The email passed SPF, ARC, and DKIM. The sender domain belonged to a mid-size law firm, registered in 2000 through Network Solutions, with MX records pointing to Microsoft protection infrastructure. Nothing triggered.
The token bypasszix in the subject line is the most revealing artifact in this case. Zix (now part of Cisco Secure Email) is an encryption gateway that inspects outbound email for sensitive content and routes matching messages through a secure delivery portal. Some organizations configure Zix to use subject-line keywords to control encryption behavior, allowing authorized senders to flag messages for bypass.
The presence of this token in an inbound email suggests one of two things: the sending account was compromised by someone who understood the organization's mail flow rules, or the token was included speculatively in case the recipient's environment used Zix-style keyword routing. Either way, it signals operational awareness of secure email gateway infrastructure that goes beyond a generic phishing template.
See Your Risk: Calculate how many threats your SEG is missing
The attachment, Payoff Letter (AutoRecovered).pdf, was 167 KB and a single page. OCR extraction revealed a law firm letterhead, a judgment balance of $1,338.18, a payoff good through May 31, 2026, and instructions to make checks payable to a trust account. No embedded URLs. No JavaScript. No macros. No executable content.
From a scanner's perspective, this PDF was a clean document. The threat was not in the file's structure but in its content: payment instructions directing funds to an account the recipient had no way to independently verify from the email alone. This is the core challenge of invoice fraud and payment diversion attacks. The payload is information, not code. No signature can match it. No sandbox can detonate it.
The (AutoRecovered) suffix in the filename is another oddity. It suggests the document was recovered from a crash or unexpected close in the authoring application, which is inconsistent with a polished, intentional communication from a law firm's billing department.
The empty email body is not accidental. It forces the recipient to open the PDF to understand why the message arrived. Body-content scanners that look for financial keywords, urgency language, or payment instructions find nothing to evaluate. The entire attack surface lives inside the attachment, and the attachment is technically clean. This is a deliberate architecture: minimize what scanners can see, maximize what the recipient must act on.
Themis flagged the combination: a first-time sender from a law firm domain, a blank body with an attachment containing financial instructions, and the bypasszix subject-line token. The behavioral pattern, not any single technical indicator, drove the detection.
| Type | Indicator | Context |
|---|---|---|
| Attachment | Payoff Letter (AutoRecovered).pdf | Single-page PDF with trust account payment instructions (167,116 bytes) |
| Hash (MD5) | e3a01674246b3ea0d718e0b9391a90ad | PDF attachment hash |
| Subject Token | bypasszix | Zix encryption gateway bypass keyword in subject line |
| Technique | ID | Context |
|---|---|---|
| Phishing: Spearphishing Attachment | T1566.001 | PDF payoff letter with trust account payment instructions |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Email sent from legitimate law firm domain with full authentication |
| Attack | What happened |
|---|---|
| The Remit-Change Email That Came With Full Bank Details and a PDF Nobody Could Read | A retail analytics vendor sent a payment update email with ACH routing, wire routing, and account numbers directly in the body. |
| The Reply-To Was One Letter Off: How a Typosquat Domain Turned a Gmail BEC Into a Payment Diversion | A Gmail-authenticated BEC used a typosquat Reply-To domain and a hidden HTML mailto mismatch to impersonate a steel distributor's credit manager. |
| The $47,320 Invoice That Came With a W-9 and a Personal Bank Account | A payment diversion attack bundled a $47,320 invoice with ACH/wire remittance instructions pointing to a personal bank account. |
| The Invoice That Originated from the Wrong Continent | An invoice fraud email passed SPF from a legitimate domain but carried an x-originating-ip from South Korea with no PTR record. |
| The Webinar Invite That Came With an Apple Wallet Pass and a Three-Hop Redirect Chain | A Google Calendar invite for a fake AI webinar passed full authentication and carried an .ics file, an Apple Wallet .pkpass. |