Threat Intelligence

The Warranty Form With a Windows Executable Hidden Inside a GIF

Written by Audian Paxson | May 21, 2026 11:00:00 AM

TL;DR: A food quality company sent a warranty renewal email from sleafordqf[.]com with full SPF, DKIM, and DMARC pass (p=reject policy). The message included a clean PDF, a clean DOCX form template, and several branding images. Static scanners cleared every attachment. However, binary analysis of image189059.gif (141,951 bytes) revealed a Windows PE header sequence (MZ) embedded at byte offset 80761, meaning a portable executable was hidden inside the GIF container using steganographic techniques. No macros, no malicious links. The GIF was the sole attack vector. Themis flagged the first-time external sender and quarantined the message across multiple mailboxes.

Severity: High
Tags: Malware Delivery, Steganography, Supply Chain
MITRE ATT&CK: T1027.003 (Obfuscated Files or Information: Steganography); T1566.001 (Phishing: Spearphishing Attachment); T1204.002 (User Execution: Malicious File)

The email looked like a routine supplier request. A UK-based food quality company asked the recipient to complete a "Free From Warranty renewal" form. The PDF was clean. The DOCX was clean. The branding images looked normal. SPF, DKIM, and DMARC all passed under a p=reject policy. Every automated check said this was a legitimate business communication.

Buried 80,761 bytes into one of those branding images was a Windows executable.

A Legitimate Supplier, a Legitimate Request, a Hidden Payload

The sender domain sleafordqf[.]com is a long-established UK corporate domain belonging to a food quality company. The email was routed through Exclaimer (a signature management proxy) and Microsoft Office 365 protection relays. Authentication was flawless. The message carried a PDF supplier form, a DOCX template for the warranty renewal, and several image files used for corporate branding.

Static attachment scanners evaluated each file independently. The PDF contained no embedded JavaScript or launch actions. The DOCX had no macros. The images rendered as expected. Every file passed.

But image189059.gif, a 141,951-byte GIF file, contained something that format-specific scanning never reached. Binary analysis revealed an MZ header sequence, the magic bytes that identify a Windows Portable Executable, at byte offset ~80761. An executable payload was embedded inside the image container using steganographic techniques. The GIF rendered normally as a branding image. The PE sat silently past the boundary where image parsers stop reading.

Why Static Scanners Missed It

This is MITRE ATT&CK T1027.003 (Steganography) in practice. File-type scanners classify an attachment by its header bytes or extension, then apply format-specific rules. A GIF file gets GIF inspection. If the outer container is a valid image, the scan returns clean. The executable payload hidden deeper in the binary stream falls outside the inspection window.
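The two paragraphs above describe the gap: an image parser reads the GIF block structure up to the 0x3B trailer and ignores whatever follows, while the MZ/PE signature can sit anywhere in the byte stream. The following Python is an added illustration (not IRONSCALES code and not derived from the actual image189059.gif) of a container-agnostic check: it walks the GIF structure to find where the image really ends, reports how many bytes trail it, and scans the entire file for MZ stubs whose e_lfanew field points at a "PE\0\0" signature. The sample file is constructed inline: a structurally valid 1x1 GIF with a fake signature stub appended (header bytes only, not an executable).

```python
import struct

def gif_payload_end(data: bytes) -> int:
    """Walk the GIF block structure; return the offset just past the 0x3B trailer."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed = data[10]                       # Logical Screen Descriptor flags
    pos = 13 + (3 * (2 << (packed & 7)) if packed & 0x80 else 0)   # skip global color table
    while True:
        tag = data[pos]
        if tag == 0x3B:                     # trailer: an image parser stops here
            return pos + 1
        if tag == 0x21:                     # extension: label byte, then sub-blocks
            pos += 2
        elif tag == 0x2C:                   # image descriptor
            ipacked = data[pos + 9]
            pos += 10
            if ipacked & 0x80:              # local color table
                pos += 3 * (2 << (ipacked & 7))
            pos += 1                        # LZW minimum code size
        else:
            raise ValueError(f"unknown block 0x{tag:02x} at {pos}")
        while data[pos] != 0:               # data sub-blocks until 0-length terminator
            pos += 1 + data[pos]
        pos += 1

def find_pe_headers(data: bytes) -> list:
    """Offsets of 'MZ' stubs whose e_lfanew field points at a 'PE\\0\\0' signature."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if e_lfanew >= 0x40 and data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def analyze_gif(data: bytes) -> dict:
    """Report where the image ends, how much trails it, and any PE headers anywhere in the file."""
    end = gif_payload_end(data)
    return {"image_end": end, "trailing_bytes": len(data) - end, "pe_offsets": find_pe_headers(data)}

def build_sample() -> bytes:
    """Constructed sample: a valid 1x1 GIF followed by a fake MZ/PE signature stub (not a real binary)."""
    gif = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + bytes(6)  # LSD + 2-entry GCT
           + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)                # image descriptor
           + b"\x02\x02\x44\x01\x00\x3b")                                   # LZW data + trailer
    stub = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0"       # e_lfanew=0x40 -> "PE\0\0"
    return gif + stub
```

A truncated file without a trailer raises IndexError from the walk, which is itself worth surfacing as an anomaly; both non-zero trailing bytes and any validated PE offset should be treated as a quarantine signal regardless of the declared image type.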

The attack required no macros, no exploit code in the document, and no malicious URLs. The DOCX and PDF served as legitimate cover, lowering the aggregate risk score for the entire message. The real weapon was the one file that looked like a logo.

This is also what makes supply chain delivery effective. The sender was a first-time external contact, but the domain had years of registration history and a strict DMARC policy. Reputation-based systems had no signal to act on.

Behavioral Detection Where Binary Inspection Failed

Themis, the IRONSCALES Adaptive AI engine, flagged the message through behavioral signals that authentication and static scanning could not evaluate. The sender had never communicated with the recipient organization before. A first-time external sender delivering multiple attachments, including images with anomalous binary characteristics, triggered quarantine across multiple mailboxes.

The detection gap here is structural. Organizations relying on gateway-level attachment scanning that stops at file-type boundaries will miss payloads embedded deeper in the binary stream. The GIF was valid. The executable inside it was invisible to any scanner that trusted the container format.

Indicators of Compromise

| Type | Indicator | Context |
| --- | --- | --- |
| Sender Domain | sleafordqf[.]com | Legitimate UK food quality domain (DMARC p=reject) |
| Malicious File | image189059.gif | 141,951 bytes, valid GIF with embedded PE payload |
| PE Offset | Byte ~80761 | MZ header sequence indicating Windows executable |
| Attachments | PDF + DOCX (clean) | Legitimate supplier forms serving as cover |
| Sender Type | First-time external | No prior communication with recipient org |

MITRE ATT&CK Mapping

| Technique | ID | Relevance |
| --- | --- | --- |
| Obfuscated Files: Steganography | T1027.003 | PE executable hidden inside GIF image container |
| Phishing: Spearphishing Attachment | T1566.001 | Email delivery with malicious image attachment |
| User Execution: Malicious File | T1204.002 | Payload requires extraction and execution from GIF |

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 30,000+ security professionals. Each post breaks down one attack — what it looked like, why it worked, and what you can do about it.