TL;DR A consumer Gmail account sent a forwarded order confirmation with an image attachment that passed through a Votiro Content Disarm and Reconstruction gateway and reached the recipient with a clean verdict. The file was declared as PNG but contained JPEG magic bytes (FFD8FF), a file-type mismatch used to confuse format-specific parsers. Deep binary analysis found Windows PE executable signatures (MZ headers) embedded at three separate offsets within the image data. The CDR gateway, designed to strip executable content from files, either could not detect the signatures within compressed image streams or treated image files as passthrough. SPF, DKIM, and DMARC passed at the Google edge but SPF softfailed after the Votiro relay, an expected side effect of CDR forwarding.
Severity: High Malware Delivery Scanner Evasion File Type Masquerading MITRE: {'id': 'T1566.001', 'name': 'Phishing: Spearphishing Attachment'} MITRE: {'id': 'T1036.008', 'name': 'Masquerading: Masquerade File Type'} MITRE: {'id': 'T1027.009', 'name': 'Obfuscated Files or Information: Embedded Payloads'}
A forwarded order confirmation. A Shopify receipt with product images hosted on cdn[.]shopify[.]com. An image attachment that every scanner in the delivery chain cleared as safe. Inside that image, three sets of Windows PE executable signatures sitting at distinct binary offsets, undetected by a Content Disarm and Reconstruction gateway built specifically to strip this kind of content.
The email arrived from [sender]@gmail[.]com, a consumer Gmail account with no prior relationship to the target organization. It carried a transactional order confirmation (subject: "Order confirmed - F46663B997BB") formatted as a forwarded receipt with product line items, order identifiers, and bank statement images showing charges of $4.99, $89.97, and $90.87. The merchant descriptor "SHOWROOMOUSA" on the statement images did not match the storefront identity in the receipt, a subtle inconsistency that most recipients would overlook.
The CDR Gateway That Let Executables Through
The email transited Google's SMTP infrastructure with full SPF, DKIM, and DMARC authentication at the Google edge. It was then relayed through a Votiro CDR gateway (votiro-relay2[.]prod[.]votiro[.]com, IP 44[.]206[.]222[.]91). After the relay, SPF produced a softfail, an expected result because the Votiro relay IP is not listed in Gmail's SPF record. DKIM and DMARC alignment were maintained through ARC (Authenticated Received Chain) headers, preserving the original authentication state for downstream evaluation.
Votiro's CDR technology is designed to deconstruct files, strip executable content, and rebuild clean versions. The attached image file passed through this process and emerged with a clean verdict. What the CDR missed is the core of this case.
The primary attachment, gmail_images20260520_192822.png (MD5: f15ead141650ca43d82fb31404f6a9c9), was declared as a PNG file. Binary inspection told a different story. The file contained JPEG magic bytes (FFD8FF) rather than the PNG signature (89504E47). This is file-type masquerading: the extension says PNG, the actual binary format says JPEG. Security tools that select their parser based on the declared file type may never invoke JPEG-specific analysis, leaving the file's internal structure uninspected.
Deeper extraction revealed the real problem. Windows PE executable signatures, the MZ magic bytes (4D 5A) that begin every Windows executable, appeared at three separate offsets within the file: 194502, 221808, and 408198. No ZIP (PK) signatures were present. No strong evidence of LSB steganography was found. The MZ signatures could represent fragmented executable code embedded within compressed image data, or they could serve as an assembly staging mechanism where an extractor reconstitutes the fragments into a working binary. Either interpretation is concerning. The Verizon 2024 Data Breach Investigations Report documents the continued prevalence of malicious attachments as an initial access vector, with file-type manipulation among the techniques attackers use to evade automated scanning.
The initial pipeline verdict on this file was "Clean."
See Your Risk: Calculate how many threats your SEG is missing
Why the CDR Gap Matters
Content Disarm and Reconstruction is positioned as a defense-in-depth layer that neutralizes embedded threats regardless of detection. The premise is that CDR does not need to identify malware; it strips all potentially executable content and rebuilds a safe version. In this case, two possibilities explain why the MZ signatures survived transit:
- Compressed image stream bypass. The executable signatures were embedded within the JPEG compressed data stream in a way that CDR's reconstruction logic could not isolate. If the CDR engine treats compressed image pixel data as opaque binary, it would not scan for executable markers within that stream.
- Image passthrough policy. The CDR gateway may apply full reconstruction to document formats (PDF, Office, HTML) but treat standard image formats as low-risk passthrough. If images are not deconstructed and rebuilt, any embedded content survives intact.
Both scenarios represent a gap in the CDR model. The SEG augmentation challenge here is not that the CDR failed to run. It ran, processed the file, and returned it as clean. The gap is architectural: the technology's coverage assumptions did not account for executable content hiding inside compressed image data with a mismatched file-type declaration.
A Second Attachment and No Malicious Links
A second image file, gmail_images20260520_192737.png (MD5: 34c36a3fa7738a9584da90b75d74370b), was also attached. It was also declared as PNG but contained JPEG signatures. Both files included financial statement imagery with visible transaction details, positioning the email as a legitimate banking or e-commerce communication.
The email body contained no malicious links, no credential forms, no urgency language, and no redirect chains. Every URL in the body pointed to cdn[.]shopify[.]com for product images. The absence of traditional phishing indicators made this email invisible to link-scanning and URL-reputation systems. The entire payload was in the attachments.
How Detection Worked
The sender was flagged as HIGH risk in the incident data despite the clean attachment verdict. Adaptive AI evaluated signals that file scanning could not: the consumer Gmail origin with no sender history, the mismatch between a transactional receipt format and the actual attachment content, and community intelligence showing similar image-based delivery patterns across multiple tenants. The combination of behavioral analysis and cross-tenant pattern matching created the detection surface that CDR and authentication could not provide.
This case maps to MITRE ATT&CK T1027.009 (Embedded Payloads), where executable content is concealed within a carrier file that recipients and scanners expect to be benign. The file-type mismatch adds T1036.008 (Masquerade File Type), using a PNG extension on JPEG content to misdirect format-specific parsers.
For organizations running CDR in their email pipeline, this case warrants a review of image file handling policies. If CDR treats images as passthrough, it creates a channel that attackers can use to deliver binary content inside file types that appear low-risk. Binary-level inspection of image attachments, particularly those with file-type mismatches, should not be excluded from the reconstruction scope.
Indicators of Compromise
| Type | Indicator | Context |
|---|
| Sender Email | [sender]@gmail[.]com | Consumer Gmail, no prior relationship |
| Relay Host | votiro-relay2[.]prod[.]votiro[.]com | Votiro CDR gateway |
| Relay IP | 44[.]206[.]222[.]91 | Votiro relay infrastructure |
| Hash (MD5) | f15ead141650ca43d82fb31404f6a9c9 | Primary image with 3 embedded PE signatures |
| Hash (MD5) | 34c36a3fa7738a9584da90b75d74370b | Secondary image with JPEG/PNG mismatch |
| Order ID | F46663B997BB | Attacker-generated order identifier |
| Merchant | SHOWROOMOUSA | Merchant descriptor on statement images |
| PE Offsets | 194502, 221808, 408198 | MZ signature locations in primary image |
MITRE ATT&CK Mapping
| Technique | ID | Relevance |
|---|
| Spearphishing Attachment | T1566.001 | Image file with embedded PE signatures delivered via email |
| Masquerade File Type | T1036.008 | PNG-declared file containing JPEG magic bytes to misdirect parsers |
| Embedded Payloads | T1027.009 | Windows PE executable signatures at three offsets inside image data |
Email Attack of the Day is a daily series from
IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack. What it looked like, why it worked, and what to do about it.
/case_study_thumb_telit.webp?width=1136&height=639&name=case_study_thumb_telit.webp)
/Leadership%20Headshots/Audian%20Paxson%20Headshot%201000x1000%20032026.webp?width=100&height=100&name=Audian%20Paxson%20Headshot%201000x1000%20032026.webp)
/Misc%20Icons/icon-red-teaming-agent-gradient-simple.svg)
/Misc%20Icons/icon-phishing-soc-agent-gradient-simple.webp?width=158&height=167&name=icon-phishing-soc-agent-gradient-simple.webp)
/Misc%20Icons/icon-phishing-simulation-agent-gradient-simple.svg)
/Misc%20Icons/icon-nav-encryption.svg)
