The email is a payment confirmation. The sender is a known logistics contact. The attachment is a JPEG image from a COSCO shipping bill of lading. This is normal. This is exactly the kind of document that flows through manufacturing and import/export operations every day.
Inside that JPEG, at byte offset approximately 4888, is a Windows PE executable.
The Two-Layer Wrapper That Hides the Payload
This delivery chain had two structural layers designed to prevent inspection. The outer layer was an RFC822 attachment, a MIME structure typed message/rfc822, which means the attachment is itself a complete email message. To reach the payload, a security tool must parse the outer email, identify the RFC822 part, then parse the inner email's MIME structure as a separate message, find its JPEG attachment, and finally inspect the JPEG for anomalies.
Many attachment scanners are designed to handle flat MIME structures. An RFC822 wrapper adds a recursive parsing requirement that reduces the population of scanners that will actually inspect the inner content. The inner email, once parsed, contains image001.jpg as its sole attachment.
The JPEG passes the first inspection: magic bytes at offset zero are valid JPEG header bytes. MIME-type detection declares it an image. Extension-based routing sends it down the image inspection path rather than the executable inspection path. Standard antivirus relying on file-type signatures sees a JPEG, not a PE.
What it misses is that the MZ signature, 4D 5A, the two-byte header that marks the beginning of a Windows PE executable, appears at approximately offset 4888 inside the image data. The pixel content above that point is valid JPEG. Below it, the entropy changes: the least significant bits of the image data carry packed binary content with a statistical distribution inconsistent with natural image pixel noise. This is the steganographic concealment mechanism.
The Lure: COSCO, Bill of Lading, Payment Confirmation
The social engineering context was carefully chosen for its target environment. COSCO (China Ocean Shipping Company) is one of the world's largest container shipping lines. A bill of lading with a COSCO reference number (COSU[redacted]) arriving inside a payment-confirmation email from a logistics partner is an entirely routine document for any company that moves physical goods internationally.
Malware delivery operations that embed payloads in industry-specific document lures are targeting the habituation that makes those industries efficient. A procurement or logistics employee who processes dozens of shipping documents per week has learned not to treat every JPEG attachment as suspicious. That learned behavior is the attack surface.
The message appeared to come from a compromised Mexican logistics company, a domain with a long legitimate business history. A compromised legitimate sender is a victim, not an attacker. The domain had been active for years before this incident, with normal business mail patterns. The attacker gained access to it and used its reputation to deliver a message that would have been treated with greater suspicion had it come from an unknown sender.
Links in the message that pointed to the Monex financial portal were legitimate. This is a deliberate attacker choice: including clean, recognizable links in the message body improves the overall reputation score of the message in reputation-based filtering systems. The payload was not in the links. It was in the image.
What Detection Looks Like Without Magic-Byte Matching
IRONSCALES Adaptive AI flagged this message at 67% confidence and resolved it as phishing. The detection did not rely on a file hash match or a magic-byte PE signature at offset zero. It evaluated the combination of signals: an RFC822-wrapped attachment from a first-time contact, a JPEG with anomalous entropy in its pixel data, and a message structure that used a legitimate link layer to offset attention from the attachment.
Invoice fraud detection based purely on content keywords would find nothing to act on here. There is no urgency language, no wire transfer request, no obviously spoofed display name. The threat is entirely in the technical construction of the attachment.
The behavioral analysis recognized that the message-within-a-message wrapping pattern, combined with an image showing entropy inconsistent with natural JPEG compression, represented an anomaly that warranted a hold regardless of what the outer message content claimed to be.
Implications for Attachment Inspection
The MITRE ATT&CK framework classifies this technique under Obfuscated Files or Information (T1027), specifically the use of steganography to conceal payloads. The Verizon DBIR 2026 identifies malware delivery via email attachment as a persistent initial access vector across manufacturing and logistics verticals. CISA guidance on email-based malware advises that unexpected attachments from external contacts warrant verification through a separate channel before opening, even when the sending address appears familiar.
For security teams defending manufacturing and logistics environments, this case illustrates three gaps worth closing.
Recursive MIME parsing. Scanners must be configured or selected to recursively unpack RFC822-wrapped attachments and inspect inner-message content, not just the outer MIME structure.
Entropy-based image inspection. LSB entropy analysis of inbound JPEG and PNG attachments can surface steganographic payloads that bypass extension and magic-byte checks. The technique is computationally inexpensive relative to full sandbox detonation.
Compromised-sender detection. An aged legitimate domain sending its first message to a given mailbox with an unusual attachment structure deserves the same scrutiny as a newly-registered domain. The legitimacy of the sending domain's history does not validate the legitimacy of the specific message being sent.
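The first two gaps can be closed in one pass. The following is an added example, not IRONSCALES code and not built from the real sample: it recursively unpacks message/rfc822 parts, then checks every JPEG for an MZ header past offset zero whose e_lfanew points at a PE signature, and reports the byte entropy from that point onward. The outer mail, inner mail and image bytes are constructed inline; only the ~4888 offset comes from the write-up.

```python
import math
from collections import Counter
from email import message_from_bytes, policy
from email.message import EmailMessage

MZ_OFFSET = 4888  # offset reported in the write-up; used to place the constructed stub


def iter_attachments(msg, depth=0):
    """Yield (wrapper depth, filename, bytes) for every attachment; each message/rfc822 part adds one level."""
    if msg.is_multipart():
        for sub in msg.get_payload():
            yield from iter_attachments(sub, depth + (msg.get_content_type() == "message/rfc822"))
    elif msg.get_content_disposition() == "attachment":
        yield depth, msg.get_filename(), msg.get_payload(decode=True)


def find_embedded_pe(data):
    """Offset of an MZ header whose e_lfanew points at 'PE\\0\\0', else -1 (offset 0 is left to the PE path)."""
    off = data.find(b"MZ", 1)
    while off != -1 and off + 0x40 <= len(data):
        lfanew = int.from_bytes(data[off + 0x3C:off + 0x40], "little")
        if data[off + lfanew:off + lfanew + 4] == b"PE\0\0":
            return off
        off = data.find(b"MZ", off + 1)
    return -1


def shannon_entropy(data):
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def scan_message(raw):
    """Flag JPEG attachments, at any wrapper depth, that carry a PE header after offset zero."""
    findings = []
    for depth, name, data in iter_attachments(message_from_bytes(raw, policy=policy.default)):
        if not data.startswith(b"\xff\xd8\xff"):  # passes a magic-byte check as a JPEG...
            continue
        off = find_embedded_pe(data)               # ...so keep looking past offset zero
        if off != -1:
            findings.append({"depth": depth, "file": name, "mz_offset": off, "tail_entropy": round(shannon_entropy(data[off:]), 2)})
    return findings


def build_sample():
    """Constructed outer mail -> message/rfc822 -> image001.jpg with a PE stub (not the real file)."""
    jpeg_head = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * (MZ_OFFSET - 12)
    pe_stub = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + bytes(range(256)) * 4
    inner = EmailMessage()
    inner.set_content("Payment confirmation, COSCO bill of lading attached.")
    inner.add_attachment(jpeg_head + pe_stub, maintype="image", subtype="jpeg", filename="image001.jpg")
    outer = EmailMessage()
    outer.add_attachment(inner)  # serialised as a message/rfc822 part wrapping the inner mail
    return outer.as_bytes()
```

A flat scanner that stops at the outer MIME structure never sees the depth-1 attachment; the entropy of the tail after the MZ header is what separates packed binary from natural JPEG data.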
The JPEG is not the document it claims to be. The email carrying it is not the routine logistics notice it appears to be. Every layer of this attack was designed to be mistaken for something normal.
---
| Type | Indicator | Context |
|---|---|---|
| File hash (MD5) | 5c645824adbb7a4093d77fe16de7ae74 | image001.jpg (JPEG with embedded PE payload) |
| File hash (SHA-256) | fc7426cc045d1fa500a2fd03aca8daf8be78ecac50462747f87cf4fbb4a7dca9 | image001.jpg (SHA-256 of same file) |
| Shipping reference | COSU[redacted] | COSCO bill-of-lading number used as lure identifier |
| Technique | PE MZ header at byte offset ~4888 in JPEG | Steganographic executable concealment within image pixel data |