The malicious URL in this attack was never in the email. It was inside the PDF. And it fired automatically, before the victim had finished deciding whether to read the document.
A K-12 school district received an email styled as an AICPA (American Institute of CPAs) legal communication. The subject invoked urgency: tax filings required immediate review. The body carried AICPA branding, a legitimate AICPA mailing-address footer, and a call to action to open the attached file. The sender was abecerra@datasix[.]com[.]mx. DKIM passed for datasix[.]com[.]mx. SPF had no record. The email relayed through Google's smtp-relay.gmail.com with ARC headers signed by google.com. Google's infrastructure, a DKIM-passing sender, AICPA visual branding: from the gateway's perspective, this looked like a bulk professional communication with a PDF attachment. What it actually was: the phishing pattern that attachment-based campaigns have refined to bypass body-layer scanning entirely.
The PDF was the weapon.
How /OpenAction Moves the Threat Outside the Scanner's View
PDF's /OpenAction specification allows a document to define an action that executes when the file opens. Legitimate uses include form initialization, page navigation, and view settings. Attackers use the same mechanism to embed a URI launch action: the moment the document opens, the PDF reader silently passes the embedded URL to the default browser.
The URL embedded in this PDF's /OpenAction pointed to hxxps://adob-credtive-cloud-138561989251-us-east-1-an[.]s3[.]us-east-1[.]amazonaws[.]com/index[.]html. The bucket name combined deliberate misspellings ("adob" for Adobe, "credtive" for creative) with a numeric account identifier and an S3 regional endpoint. The result read like an Adobe Creative Cloud asset URL. The landing page returned HTTP 200, served valid TLS, and presented a lightweight credential-harvest prompt.
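The following is an added example, not code from the original analysis or from IRONSCALES: a minimal, dependency-free scanner that locates a PDF's /OpenAction, resolves it whether it is written inline or as an indirect object reference, and reports any URI it would launch on open, defanged in the same style as this article. The two PDFs it runs against are constructed in memory with a placeholder URL; it handles only flat (non-nested, uncompressed) action dictionaries.

```python
import re

# Constructed sample: catalog points /OpenAction at object 4, a /URI launch
# action, so the reader opens the URL the moment the document is opened.
MALICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /URI /URI (https://example.invalid/index.html) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: a benign /OpenAction that only jumps to page 1 (no URI).
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction [3 0 R /Fit] >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(.*?)\s*endobj", re.S)
# Either "/OpenAction 4 0 R" (indirect reference) or "/OpenAction << ... >>" (inline dict).
OPENACTION_RE = re.compile(rb"/OpenAction\s*(?:(\d+)\s+\d+\s+R|<<(.*?)>>)", re.S)
URI_ACTION_RE = re.compile(rb"/S\s*/URI")
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")

def find_open_action_uris(pdf_bytes):
    """Return every URI that /OpenAction would launch when the document opens."""
    objects = {int(num): body for num, _gen, body in OBJ_RE.findall(pdf_bytes)}
    uris = []
    for ref, inline in OPENACTION_RE.findall(pdf_bytes):
        body = objects.get(int(ref), b"") if ref else inline
        if URI_ACTION_RE.search(body):  # only URI launch actions, not GoTo/Fit etc.
            uris.extend(u.decode("latin-1") for u in URI_RE.findall(body))
    return uris

def defang(url):
    """Render a URL safely for reports: hxxps://host[.]tld/path."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

if __name__ == "__main__":
    for name, data in (("malicious", MALICIOUS_PDF), ("benign", BENIGN_PDF)):
        print(name, [defang(u) for u in find_open_action_uris(data)])
```

Real-world PDFs often keep the action inside compressed object streams or use /AA (additional actions) instead of /OpenAction, so a production check should decompress streams and cover both keys.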
Three images were attached alongside the PDF. All were benign Figma exports with no payload. Their presence added visual noise: a gateway processing multiple attachments splits attention, and clean image verdicts can create a false sense of a clean-attachment message.
MITRE ATT&CK T1566.001 covers spearphishing via attachment. T1204.002 (user execution: malicious file) captures the trigger mechanism: the user opens the PDF and the /OpenAction fires. T1656 (impersonation) applies to the AICPA identity claim throughout the email body and template.
Authentication Theater and the Trusted-Platform Relay
The email's authentication story is worth examining precisely because it looks like a pass at first glance. DKIM passed for datasix[.]com[.]mx. That is accurate. datasix[.]com[.]mx is a real domain, and DKIM validates that the message genuinely came from a server that domain authorizes. It does not validate that AICPA authorized that server, or that the sender's identity claim is truthful.
SPF had no record for datasix[.]com[.]mx. The relay path through Google's smtp-relay.gmail.com produced ARC headers signed by google.com, which some gateway configurations treat as an authentication endorsement. It is not. ARC preserves the authentication chain; it does not vouch for sender legitimacy.
The Verizon 2026 Data Breach Investigations Report notes that email gateways in analyzed environments see a mix of roughly 80% phishing, 10% malware delivery, and smaller fractions of callback-TOAD and BEC traffic. Attachment-based delivery like this case sits in the malware and phishing overlap: the attachment is the vector, but the goal is credential collection rather than code execution.
Why Amazon S3 Was the Right Host for This Attack
URL-reputation feeds are built around domains. amazonaws.com does not appear on threat feeds. When a sandbox follows the S3 URL, it encounters Amazon's own CDN, a valid certificate, and an HTTP 200 response. The credential-harvest HTML is lightweight: no JavaScript exploits, no drive-by downloads, just a form. That keeps it below the threshold that dynamic sandbox analysis would flag for code execution attempts.
The bucket naming strategy reinforces the deception at the victim layer. If the URL ever becomes visible (browser address bar after /OpenAction fires, PDF properties inspection), "adob-credtive-cloud" scans as an Adobe Creative Cloud asset to anyone who does not read character by character. The Microsoft Digital Defense Report 2024 documents a sustained increase in attackers using major cloud platforms as hosting infrastructure, specifically to inherit the reputation of those platforms rather than register and season attacker-owned domains.
The Template Inconsistency That Told the Real Story
Inside the email body, the template showed signs of assembly from multiple sources. AICPA branding and a real mailing-address footer occupied one section. Identity-theft warning language appeared in the body text. Conference-promotion blocks from an unrelated AICPA template appeared in another section. The CTA buttons linked to "#", a placeholder value indicating the template was not fully configured. None of these inconsistencies affect authentication verdicts or URL-reputation scores.
IRONSCALES detected the behavioral anomaly: first-time external sender, professional-body impersonation combined with urgent tax language, a PDF attachment carrying structural actions, and template inconsistencies that a composited phishing kit typically produces. The CISA phishing recognition guidance identifies urgency combined with an unexpected document request as a primary social-engineering indicator. That combination, from an unverifiable sender impersonating a professional authority, defined this attack.
Education-sector organizations need email security controls that account for the specific pattern of professional-body impersonation targeting finance and administrative staff: tax authorities, accreditation bodies, and professional associations are common impersonation targets in K-12 environments because staff are conditioned to treat their communications as urgent and authoritative.
The broader defensive requirement is PDF analysis that goes beyond metadata and static signature scanning. Advanced malware and URL attack protection that opens documents in isolation and observes /OpenAction behavior before delivery closes the gap that static attachment scanning leaves open.
Defanged IOC Table
| Type | Indicator | Context |
|---|---|---|
| URL | hxxps://adob-credtive-cloud-138561989251-us-east-1-an[.]s3[.]us-east-1[.]amazonaws[.]com/index[.]html | S3-hosted credential-harvest page; typosquatted Adobe name; HTTP 200, valid TLS |
| Sender domain | datasix[.]com[.]mx | DKIM pass; no SPF record; relayed via Google smtp-relay |
| Sender address | abecerra@datasix[.]com[.]mx | First-time external sender; impersonated AICPA |
| PDF mechanism | /OpenAction URI launch | Fires on document open; URL not visible in email body |
| Attachment (benign) | Three Figma-exported images | No payload; served as visual noise alongside malicious PDF |