The Distribution Agreement That Arrived with a Thread Full of Latin

The email body was a single confidentiality disclaimer. No greeting, no request, no context. The entire attack lived inside the PDF.

A message from accounting2@gasparinutrition[.]com landed in the inbox of a security company's CEO with the subject "Completed: Signature is required on Distribution Agreement." The sender domain, registered in 2004 through GoDaddy and hosted on Google Workspace, belonged to a legitimate nutrition supplement company. The display name was "Monitoring," a generic label designed to blend into automated notification traffic.

The PDF That Built Its Own Email Thread

The attached PDF presented a "Distribution Settlement Agreement" with a "Review and Sign" button and the recipient's actual email address. Below the signing CTA, the document constructed a fabricated four-reply email thread using names formatted as [lastname], [firstname]@[target-domain] with invented job titles like "Investor Accounts Producer" and "National Paradigm Architect." The thread subjects and bodies, however, were filled with Latin placeholder text: "Bibo vilicus crux sumptus umerus. Labore ea tonsor accommodo clibanus."

This is the output of an automated content generator, likely the Faker library, that the kit operator never customized. The phishing kit fabricated context, names, and organizational structure to make the PDF appear as though it arrived at the end of an existing internal discussion. A recipient scanning quickly would see familiar domain addresses and assume the conversation was real.

DMARC Strict Alignment Stopped the Delivery

The message passed DKIM verification. The signature was cryptographically valid, signed under the selector 20251104 at gasparinutrition-com[.]20251104[.]gappssmtp[.]com. But the sending domain enforced strict DMARC alignment (aspf=s; adkim=s), meaning the DKIM signing domain had to exactly match the header From domain. The gappssmtp[.]com subdomain did not match gasparinutrition[.]com, so DMARC returned fail despite the valid signature. SPF also returned softfail because the domain's SPF record included only spf.dynect.net but not Google's sending infrastructure.

Microsoft scored the message at SCL=5 and routed it to quarantine. The Adaptive AI identified the credential theft pattern and flagged the VIP targeting. The IRONSCALES community confirmed the classification with high confidence.

The combination of strict alignment policy and behavioral detection caught what a DKIM-only check would have missed.

See Your Risk: Calculate how many threats your SEG is missing

Indicators of Compromise

MITRE ATT&CK Mapping