The email contained two lines. A username: armetcomark. A new password: 5afb8ee8. That was it. No links to click. No attachments to open. No images, no branding, no call to action. The subject line referenced a real commercial software product. The message headers carried artifacts from a mailbox migration dated 2008. Somewhere between a compromised archive and a modern inbox, a message that should never have been delivered arrived with real credentials in plain text.
The body of the email was two lines of plain text. "Username: armetcomark" and "New Password: 5afb8ee8." No HTML formatting. No embedded images. No tracking pixels. No URLs in the body, headers, or MIME structure. No attachments of any kind.
This is a detection blind spot by design. Every email security tool evaluates content: URLs are checked against reputation databases, attachments are scanned for malware, HTML is inspected for phishing indicators. When there is no content to evaluate, there is nothing to flag. The email passes through credential stuffing defenses, link scanners, attachment sandboxes, and content filters without triggering any of them, because there is nothing for any of them to inspect.
The subject line referenced "EnRoute - SA International," a real signage and print production software product. This added a veneer of legitimacy: someone receiving this email who recognized the product name might interpret it as a legitimate credential delivery for a software account.
The message headers contained anomalies that no commercial email should carry. A MigrationWiz-UID header indicated the message had passed through a mailbox migration tool. The original Date header was set to March 28, 2008, nearly 18 years before the email was delivered.
This combination suggests the message was extracted from an archived mailbox, either during a legitimate migration that was subsequently compromised, or from a breached mail server where archived messages were harvested and re-sent. The credentials in the body may have been valid at the time of the original message. Whether they are still valid depends on whether the associated accounts have been rotated.
The sender, esales@scanvecamiable[.]com, had SPF configured for the domain, confirming the sending IP was authorized. But there was no DKIM signing, meaning no cryptographic proof that the message was not modified in transit. There was no DMARC policy, meaning the receiving server had no enforcement instructions for authentication failures.
WHOIS for scanvecamiable[.]com was privacy-protected. The sender was a first-time contact with no prior communication history, classified as high-risk. The partial authentication, combined with migration artifacts and a message body consisting entirely of exposed credentials, created an anomaly profile that Themis evaluated as a behavioral threat. The message was flagged and quarantined.
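The indicators above (credential-only body, no URLs or attachments, a MigrationWiz-UID header, an ancient Date header, SPF pass with no DKIM or DMARC) can be checked mechanically on a raw message. The following is an added example using Python's standard `email` library, not Themis code; the sample message is constructed to reproduce the described indicators, and the MigrationWiz-UID value is a placeholder.

```python
import re
from datetime import datetime, timezone
from email import message_from_string
from email.policy import default
from email.utils import parsedate_to_datetime

# Constructed sample reproducing the described indicators (not the original message).
SAMPLE_EML = """\
From: esales@scanvecamiable.com
Subject: EnRoute - SA International
Date: Fri, 28 Mar 2008 10:15:00 +0000
MigrationWiz-UID: 00000000-0000-0000-0000-000000000000
Authentication-Results: mx.example.invalid; spf=pass smtp.mailfrom=scanvecamiable.com; dkim=none; dmarc=none
Content-Type: text/plain; charset=us-ascii

Username: armetcomark
New Password: 5afb8ee8
"""

# A line that is nothing but "Username: x" or "(New) Password: x".
CRED_RE = re.compile(r"^\s*(?:new\s+)?(?:user ?name|password)\s*:\s*\S+", re.I | re.M)

def evaluate(raw, now=None):
    """Return which indicators the message trips; 'score' counts the True ones."""
    msg = message_from_string(raw, policy=default)
    now = now or datetime.now(timezone.utc)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    auth = (msg.get("Authentication-Results") or "").lower()
    hits = {
        # Body consists of credential lines only: no URL, no HTML, no attachments.
        "plaintext_credentials": len(CRED_RE.findall(text)) >= 2,
        "no_urls": "http" not in text.lower(),
        "no_attachments": not any(p.get_filename() for p in msg.walk()),
        "not_html": msg.get_content_type() == "text/plain",
        # Mailbox-migration artifact that normal outbound mail does not carry.
        "migration_header": msg.get("MigrationWiz-UID") is not None,
        # Partial authentication: SPF pass but neither DKIM nor DMARC pass.
        "partial_auth": "spf=pass" in auth and "dkim=pass" not in auth and "dmarc=pass" not in auth,
        "stale_date": False,
    }
    date_hdr = msg.get("Date")
    if date_hdr:
        sent = parsedate_to_datetime(date_hdr)
        if sent.tzinfo is None:
            sent = sent.replace(tzinfo=timezone.utc)
        # Date header more than a year older than delivery time (here: 2008 vs now).
        hits["stale_date"] = (now - sent).days > 365
    hits["score"] = sum(1 for v in hits.values() if v is True)
    return hits
```

Each key is an independent signal; the point of the case is that only their combination, not any single one, separates this message from a benign credential-reset notice.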
| Type | Indicator | Context |
|---|---|---|
| Sender | esales@scanvecamiable[.]com | First-time sender, privacy WHOIS |
| Auth Results | SPF: present, DKIM: none, DMARC: none | Partial authentication only |
| Body Content | Username: armetcomark, Password: 5afb8ee8 | Plaintext credentials, no links or attachments |
| Subject Reference | EnRoute - SA International | Real commercial software product |
| Migration Header | MigrationWiz-UID present | Mailbox migration artifact |
| Original Date | March 28, 2008 | 18-year-old message re-sent |
| Payload | None | Zero links, zero attachments, zero images |

| Technique | ID | Relevance |
|---|---|---|
| Gather Victim Identity Information: Credentials | T1589.001 | Plaintext credentials delivered in email body |
| Valid Accounts | T1078 | Exposed username and password may enable account access |
| Compromise Accounts: Email Accounts | T1586.002 | Migration artifacts suggest compromised archived mailbox |