No links. No attachments. No tracking pixels. No credential-harvesting forms. Just a short, professional-sounding email that asks the recipient to type two characters and hit send. "Reply YES" is the entire payload.
This message arrived at a metal fabrication company from a Hotmail address. The sender presented as a website optimization consultant who had "spotted 2 to 3 issues" on the recipient's website that could be limiting contact form submissions. The ask: reply YES to receive a free audit. No redesign, no big cost. The tone was friendly, low-pressure, and deliberately non-threatening.
SPF passed, DKIM passed for hotmail[.]com, DMARC passed. The message routed through Microsoft's Outlook protection infrastructure with composite authentication confirmed. From a technical authentication standpoint, this email is indistinguishable from any legitimate Hotmail message.
Microsoft's own antispam heuristics caught it anyway. SCL=5, categorized as SPM (spam), and quarantined. Multiple antispam signature matches triggered despite the absence of any traditional payload.
The absence of a malicious payload is not the absence of a threat. It is a deliberate design choice. By stripping the email of every scannable indicator, the attacker creates a message that traditional secure email gateways have no mechanism to evaluate. URL reputation scanners have no URLs to check. Sandbox detonation engines have no attachments to open. Content filters see a short, grammatically correct business pitch.
The attack begins when the recipient replies. That reply confirms an active mailbox, provides the recipient's name and email signature, and, most critically, establishes a conversational thread. Follow-up messages arrive in the same thread, inheriting the perceived legitimacy of an ongoing conversation. The attacker can then escalate through several vectors: sending a malicious link disguised as the promised audit, requesting access credentials to "review" the website, pivoting to invoice fraud, or asking the recipient to install remote access software.
The sender's minimal signature (first name only, no company, no contact details, no verifiable domain) is itself an indicator. Legitimate consultants provide business context. The absence of verifiable identity makes it impossible for the recipient to independently verify the offer, which is exactly the point.
The choice of a metal fabrication company is not random. Small and mid-sized manufacturing firms often lack dedicated security operations teams. Their info@ and sales@ addresses are publicly listed and rarely monitored by security tooling. These mailboxes are ideal targets for reply-based scams because the employees who check them are customer-facing and conditioned to respond to business inquiries.
Community threat intelligence and automated classification flagged this pattern as consistent with vendor-scam phishing, with confidence scores reflecting the behavioral match to known campaigns.
When there is nothing to scan, there is nothing for traditional tools to find. This is the fundamental limitation of payload-centric detection. An email with clean authentication, no links, and no attachments produces a clean verdict from every static scanner in the pipeline.
Themis, the IRONSCALES Adaptive AI, shifts the analysis from what the message contains to what the message does. First-time sender, free-webmail origin, cold-outreach tone, reply-based CTA, and absence of verifiable business identity are all behavioral signals that compound into a high-risk assessment. The system evaluates the pattern of the message, not just its components.
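The header checks described in the authentication and gateway-verdict paragraphs above, combined with the behavioral signals listed here, as one triage routine. This is an added example and not IRONSCALES or Themis code: the two messages, the sender addresses, the signal weights and the thresholds are constructed assumptions, and only the header layouts (RFC 8601 Authentication-Results and Microsoft's X-Forefront-Antispam-Report) follow real formats.

```python
"""Behavioral triage of a zero-payload "Reply YES" email.

Added example, not IRONSCALES or Themis code. Both messages below are constructed;
header shapes follow RFC 8601 Authentication-Results and Microsoft's
X-Forefront-Antispam-Report, values are made up, weights/thresholds are assumptions.
"""
import email
import re
from email import policy

# Constructed: the cold pitch from the post, no links, no attachments, free webmail.
REPLY_YES_RAW = """\
From: Dan <dan.webaudit@hotmail.com>
Authentication-Results: spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=hotmail.com; dkim=pass header.d=hotmail.com; dmarc=pass action=none header.from=hotmail.com; compauth=pass reason=100
X-Forefront-Antispam-Report: CIP:192.0.2.10;CTRY:US;SFV:SPM;SCL:5;IPV:NLI;DIR:INB;
Content-Type: text/plain; charset="utf-8"

Hi,

I came across your site and spotted 2 to 3 issues that may be limiting
contact form submissions. Happy to send a free audit, no big cost.

Reply YES and I'll get it over to you.

Dan
"""

# Constructed: a routine message from a vendor this mailbox already corresponds with.
KNOWN_VENDOR_RAW = """\
From: Priya Nair <priya.nair@example-vendor.test>
Authentication-Results: spf=pass smtp.mailfrom=example-vendor.test; dkim=pass header.d=example-vendor.test; dmarc=pass header.from=example-vendor.test
X-Forefront-Antispam-Report: CIP:192.0.2.20;SFV:NSPM;SCL:1;DIR:INB;
Content-Type: text/plain; charset="utf-8"

Hi Tom,

Confirming the delivery window for PO 4471 is Thursday. Tracking:
https://track.example-vendor.test/4471

Priya Nair
Example Vendor Ltd | +1 555 0100
"""

FREE_WEBMAIL = {"hotmail.com", "outlook.com", "gmail.com", "yahoo.com", "aol.com"}
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
REPLY_CTA_RE = re.compile(r"\breply\s+(?:yes|y|ok)\b", re.IGNORECASE)
COLD_PHRASES = ("came across your", "free audit", "quick question", "no big cost")

def parse_auth_results(msg):
    """Map spf/dkim/dmarc/compauth to their results from Authentication-Results."""
    pairs = re.findall(r"\b(spf|dkim|dmarc|compauth)=(\w+)",
                       msg.get("Authentication-Results", ""), re.IGNORECASE)
    return {m.lower(): r.lower() for m, r in pairs}

def parse_forefront(msg):
    """Split Microsoft's key:value;key:value antispam report into a dict."""
    parts = msg.get("X-Forefront-Antispam-Report", "").split(";")
    return {k.strip(): v.strip() for k, v in (p.split(":", 1) for p in parts if ":" in p)}

def behavioral_signals(msg, known_senders=frozenset()):
    """Return {signal: weight} for the signals the post lists; weights are assumed."""
    sender = msg["From"].addresses[0]
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    sign_off = lines[-1] if lines else ""
    signals = {}
    if sender.domain.lower() in FREE_WEBMAIL:
        signals["free_webmail_sender"] = 2
    if sender.addr_spec.lower() not in known_senders:
        signals["first_time_sender"] = 2
    if not URL_RE.search(text) and not list(msg.iter_attachments()):
        signals["no_links_no_attachments"] = 1  # nothing for URL or sandbox scanners
    if REPLY_CTA_RE.search(text):
        signals["reply_based_cta"] = 3
    if any(p in text.lower() for p in COLD_PHRASES):
        signals["cold_outreach_tone"] = 2
    # First-name-only sign-off and no phone number anywhere: nothing to verify.
    if re.fullmatch(r"[A-Z][a-z]+", sign_off) and not PHONE_RE.search(text):
        signals["no_verifiable_identity"] = 2
    return signals

def assess(raw, known_senders=frozenset()):
    """Put the static verdicts next to the behavioral score for one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = parse_auth_results(msg)
    report = parse_forefront(msg)
    signals = behavioral_signals(msg, known_senders)
    score = sum(signals.values())
    return {
        "authentication_clean": all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")),
        "gateway_scl": int(report.get("SCL", -1)),
        "signals": signals,
        "behavioral_score": score,
        "verdict": "high-risk" if score >= 7 else "review" if score >= 4 else "low-risk",
    }

if __name__ == "__main__":
    print(assess(REPLY_YES_RAW))
    print(assess(KNOWN_VENDOR_RAW, {"priya.nair@example-vendor.test"}))
```

Run stand-alone, the constructed cold pitch comes back with `authentication_clean` true and an SCL of 5 but a high-risk behavioral verdict, while the known-vendor message, which does contain a link, scores zero. The point of the design is that most of the score comes from things that are absent (links, attachments, a verifiable signature, any prior correspondence) plus the reply-based call to action, which is exactly the combination a payload-centric scanner has no field to weigh.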
The IRONSCALES community-driven threat intelligence network accelerates detection of these campaigns. When multiple organizations report similar "Reply YES" patterns from free-webmail addresses, the collective signal identifies the campaign before individual recipients engage. Research shows that 67.5 phishing emails per 100 mailboxes per month bypass traditional secure email gateways. Zero-payload social engineering accounts for a growing share of that volume precisely because it exploits the blind spot in payload-centric detection.
| Indicator | Type | Context |
|---|---|---|
| hotmail[.]com | Domain | Sender domain, free Hotmail account |
| hotmail[.]com | Domain | DKIM signing domain |
| Attack | What happened |
|---|---|
| Vendor Scam Uses Salesforce Marketing Cloud to Target Executive Mailboxes | A freshly registered domain paired with Salesforce Marketing Cloud infrastructure delivered a polished vendor pitch directly to an executive mailbox. |
| The Webinar Invite That Came With an Apple Wallet Pass and a Three-Hop Redirect Chain | A Google Calendar invite for a fake AI webinar passed full authentication and carried an .ics file, an Apple Wallet .pkpass. |
| The Bank Statement You Had to Unlock With Your Birthday: PII-Gated PDF Evasion From Authenticated Infrastructure | A fully authenticated email from banking infrastructure delivered a password-protected PDF that required the recipient's mobile number and date of birth... |
| The Spreadsheet That Arrived Twice: CR/LF Filename Obfuscation and a Base64 Shadow Payload | A clinical data report arrived as a .xlsx with CR/LF control characters in the filename and a companion .b64 base64 payload. |
| A 16-Day-Old Domain, Zero Links, and One Phone Number: Anatomy of a Pure TOAD Attack | A phishing email with zero links, zero attachments, and zero malicious URLs reached four mailboxes at a healthcare organization. |