The email arrived on March 23, 2026 addressed to a senior finance executive at a mid-size regional bank. The display name read "Finance Team | Payment Notifier." The sending address appeared to be the bank's own calendar system. Subject line: "[IMPORTANT] Update Required: Q4 Salary Review." High priority flag. Three attachments.
Authentication? Pre-relay, it passed. SPF pass, DKIM pass, DMARC pass.
The catch is that those clean results belonged to a Hong Kong ISP account sending through its own mail infrastructure. By the time the message transited a legitimate content-disarm relay and reached Microsoft's mail protection layer, the authentication picture had inverted: SPF softfail, DKIM body-hash failure, DMARC fail. Two snapshots, one email, and neither one accurately described what the message actually was.
What it actually was: a multi-vector spearphish built to stay ahead of every automated filter the bank had deployed.
The attack arrived with three attachments. Each one served a distinct purpose.
The first was an Excel file named Vantage_Document_eric[.]thompson[.]xlsx. Upstream scanning flagged it malicious (MD5: c08b0fe953903801a319ca82c2548d83). Inside, there were no macros, no embedded URLs, no QR image. What the workbook contained instead was text: instructions telling the recipient to scan a QR code or visit the link provided in the email to access the full document. The payload lived entirely off the file. The workbook was created by openpyxl on the same day the message was sent, at 14:33 UTC, a timestamp pattern consistent with automated campaign generation.
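The workbook described above is dangerous without containing anything executable or linked, which is exactly what most attachment scanners look for. The following is an added example, not code from the post or from any vendor named in it: it builds a minimal .xlsx in memory (a constructed sample, not the real attachment) and then applies the checks a scanner could run on such a file: whether a VBA project is present, how many external hyperlink relationships exist, whether the cell text carries lure phrases, and how long before the message was sent the file was created. The lure phrase list, the sample text and the send time are assumptions; the 14:33 UTC creation time is the one given above.

```python
"""Triage of a macro-free, instruction-only workbook.

Added example, not code from the post. build_sample_xlsx() writes a
constructed, minimal OOXML workbook; triage_xlsx() inspects it the way an
attachment check could: VBA project present?, external hyperlink
relationships?, lure phrases in the cell text?, and how long before the
message was sent the file was created.
"""
import io
import re
import zipfile
from datetime import datetime, timezone

# Assumed lure phrases; extend from observed campaigns.
LURE_PATTERNS = [
    r"scan (the|this) qr code",
    r"(visit|click) the link (provided )?in (the|this) email",
    r"access the full document",
]


def build_sample_xlsx(text, created_iso):
    """Constructed sample: the minimum parts of a workbook package."""
    parts = {
        "[Content_Types].xml": '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        "docProps/core.xml": (
            '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"'
            ' xmlns:dcterms="http://purl.org/dc/terms/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
            f'<dcterms:created xsi:type="dcterms:W3CDTF">{created_iso}</dcterms:created></cp:coreProperties>'),
        "xl/workbook.xml": "<workbook/>",
        "xl/worksheets/sheet1.xml": (
            '<worksheet><sheetData><row r="1"><c r="A1" t="inlineStr">'
            f"<is><t>{text}</t></is></c></row></sheetData></worksheet>"),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


def triage_xlsx(data, sent_at):
    """Return the facts a scanner should weigh for a workbook attachment."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()

        def read(name):
            return z.read(name).decode("utf-8", "replace")

        has_macros = "xl/vbaProject.bin" in names
        # Hyperlinks to outside the package live in worksheet .rels parts.
        external_links = sum(read(n).count('TargetMode="External"')
                             for n in names if n.startswith("xl/worksheets/_rels/"))
        # Cell text: inline strings in sheets plus the shared string table.
        text = " ".join(
            t for n in names
            if n.startswith("xl/worksheets/") or n == "xl/sharedStrings.xml"
            for t in re.findall(r"<t(?:\s[^>]*)?>([^<]*)</t>", read(n)))
        core = read("docProps/core.xml") if "docProps/core.xml" in names else ""
    m = re.search(r"<dcterms:created[^>]*>([^<]+)</dcterms:created>", core)
    created = datetime.fromisoformat(m.group(1).replace("Z", "+00:00")) if m else None
    minutes = (sent_at - created).total_seconds() / 60 if created else None
    lure_hits = [p for p in LURE_PATTERNS if re.search(p, text, re.IGNORECASE)]
    return {
        "has_macros": has_macros,
        "external_links": external_links,
        "lure_hits": lure_hits,
        "created_minutes_before_send": minutes,
        # The pattern from the post: nothing executable, nothing linked,
        # just text telling the reader to go somewhere else.
        "instruction_only": not has_macros and external_links == 0 and bool(lure_hits),
    }


# Creation time from the post (14:33 UTC); the send time is an assumption.
SAMPLE_XLSX = build_sample_xlsx(
    "To access the full document, scan the QR code or visit the link provided in the email.",
    "2026-03-23T14:33:00Z")
SENT_AT = datetime(2026, 3, 23, 14, 41, tzinfo=timezone.utc)


def triage_sample():
    return triage_xlsx(SAMPLE_XLSX, SENT_AT)


if __name__ == "__main__":
    print(triage_sample())
```

A clean macro check and a zero hyperlink count are not a clean verdict on their own; the result worth acting on is `instruction_only`, which combines the absence of anything technical with the presence of text that sends the reader elsewhere, and the creation-to-send gap of a few minutes that the post flags as a campaign-generation fingerprint.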
The second attachment was a PDF labeled attachment_blocked.pdf. It was clean. It appears to have been a quarantine notice generated by the content-disarm relay, included as a delivery artifact. Its presence is notable because it adds visual legitimacy: if something was blocked by a security process, the rest of the message must have passed review. That framing is false, but it is visually persuasive.
The third was a calendar invite: "Review Required" addressed directly to the target, organized under calnder@vantage[.]bank. One letter off from calendar. The invite itself was clean on scan. Its job was not to carry a payload. Its job was to add the meeting to the executive's calendar, create an appearance of institutional process, and reinforce urgency. Credential harvesting campaigns increasingly include clean secondary vectors designed to pass all technical checks while priming the target behaviorally.
The action was in the email itself: a "View Document" button that resolved, via SafeLinks rewriting, to hxxps://t-sml[.]mtrbio[.]com/public/smartlink/onedrive-msexchange-workers-dev-email-160. The host is not affiliated with any legitimate document service. The path mimics OneDrive and Microsoft Exchange naming conventions. The domain was registered with privacy protection and sparse DNS configuration, a footprint consistent with disposable redirector infrastructure.
Understanding why this email reached the inbox requires understanding how legitimate security infrastructure can be turned against itself.
The true sending infrastructure was emailxoj@netvigator[.]com, a Hong Kong ISP. The message originated from EC2 instance 44[.]206[.]222[.]91 (PTR: ec2-44-206-222-91.compute-1.amazonaws.com) and transited through Netvigator mail relays at 210[.]87[.]247[.]43 and 218[.]102[.]23[.]13. Those Netvigator relays are legitimate. The pre-relay authentication checks passed cleanly because the message was genuinely sent through infrastructure that aligns with netvigator.com's published SPF and DKIM records.
Then the message hit Votiro, a legitimate content-disarm and reconstruction gateway. CDR gateways reprocess attachments, reconstruct message content, and re-emit the email. That process breaks DKIM body-hash alignment and can shift the apparent sending IP, producing an SPF softfail. The post-relay authentication headers accurately describe what happened at the gateway. They do not accurately describe whether the message is malicious.
DMARC and SPF failures are meaningful signals when the sending path is straightforward. When a legitimate CDR relay is in the chain, the failures are expected artifacts of sanitization. Defenders who see a technically explained authentication failure may treat it as a cleared check rather than an unresolved question. That reasoning is exactly what this attack structure exploits.
The envelope inconsistencies were harder to explain away. The From header showed emailxoj@netvigator[.]com. The Sender field matched. But the Reply-To was set to noreply@vantage[.]bank, the bank's own domain. The List-Unsubscribe header pointed to the same address. The display name claimed to be the bank's Finance Team. None of those fields needed to agree with each other technically, and they didn't. Taken together, they painted an identity that doesn't exist: a bank-internal notification routed through a Hong Kong ISP with a mistyped calendar subdomain.
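Two of the points above can be turned into header checks: an Authentication-Results entry written after the CDR hop describes the sanitised copy, not the sender, and the From, Sender, Reply-To, List-Unsubscribe and display-name fields are free to disagree, so the disagreement itself is the signal. The following is an added example, not code from the post or from IRONSCALES. The raw message is a constructed sample shaped like the header picture described above; the sending and bank domains are the ones in the post, while the CDR hostname, the tenant MX name, the timestamps and the list of "internal-sounding" display-name hints are assumptions.

```python
"""Reading authentication results and envelope identity behind a CDR relay.

Added example, not code from the post. SAMPLE is constructed; CDR_HOSTS,
the MX hostname and INTERNAL_HINTS are assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample. Headers are prepended as the message moves, so the
# top entries were written last (after the CDR hop), the bottom ones first.
SAMPLE = """\
Authentication-Results: mx.tenant.example; spf=softfail; dkim=fail (body hash did not verify); dmarc=fail
Received: from cdr-gateway.example (cdr-gateway.example [203.0.113.10])
 by mx.tenant.example; Mon, 23 Mar 2026 14:41:02 +0000
Authentication-Results: cdr-gateway.example; spf=pass; dkim=pass; dmarc=pass
Received: from wbironout4b.netvigator.com (wbironout4b.netvigator.com [210.87.247.43])
 by cdr-gateway.example; Mon, 23 Mar 2026 14:40:10 +0000
From: "Finance Team | Payment Notifier" <emailxoj@netvigator.com>
Sender: emailxoj@netvigator.com
Reply-To: noreply@vantage.bank
List-Unsubscribe: <mailto:noreply@vantage.bank>
Subject: [IMPORTANT] Update Required: Q4 Salary Review

(body omitted)
"""
CDR_HOSTS = {"cdr-gateway.example"}  # assumption: the relay's hostname
ORG_DOMAIN = "vantage.bank"
INTERNAL_HINTS = ("finance team", "payroll", "payment notifier")  # assumption

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def auth_chain(msg, cdr_hosts=CDR_HOSTS):
    """Tag every Authentication-Results entry as pre- or post-relay.

    The boundary is the Received line that says "from <cdr host>": it was
    written by the hop after the relay, so any Authentication-Results
    above it was computed on the re-emitted, sanitised message.
    """
    items = msg.items()
    boundary = None
    for i, (name, value) in enumerate(items):
        m = re.match(r"from\s+(\S+)", value.strip(), re.IGNORECASE)
        if name.lower() == "received" and m and m.group(1).lower() in cdr_hosts:
            boundary = i
            break
    chain = []
    for i, (name, value) in enumerate(items):
        if name.lower() != "authentication-results":
            continue
        results = {k.lower(): v.lower() for k, v in AUTH_RE.findall(value)}
        if boundary is None:
            stage = "direct-path"
        elif i < boundary:
            stage = "post-relay artifact"
        else:
            stage = "pre-relay"
        chain.append({"stage": stage, **results})
    return chain


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def levenshtein(a, b):
    """Edit distance, used to catch short look-alike mailbox names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def identity_findings(msg, org_domain=ORG_DOMAIN):
    """Fields that need not agree technically, but do for a real notice."""
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    m = re.search(r"<mailto:([^>?]+)", msg.get("List-Unsubscribe", ""))
    unsub = m.group(1) if m else ""
    for label, addr in (("Reply-To", reply_to), ("List-Unsubscribe", unsub)):
        if addr and domain_of(addr) != from_dom:
            findings.append(f"{label} points to {domain_of(addr)}, From is {from_dom}")
    if from_dom != org_domain and any(h in display.lower() for h in INTERNAL_HINTS):
        findings.append(f"display name {display!r} claims an internal team, From is {from_dom}")
    return findings


def lookalike(local_part, expected="calendar", max_distance=2):
    """True when a mailbox name is within max_distance edits of a real one."""
    d = levenshtein(local_part.lower(), expected)
    return 0 < d <= max_distance


MSG = message_from_string(SAMPLE)


def analyze_sample():
    return {"auth": auth_chain(MSG), "identity": identity_findings(MSG),
            "organizer_lookalike": lookalike("calnder")}


if __name__ == "__main__":
    for k, v in analyze_sample().items():
        print(k, v)
```

The post-relay entry comes back labelled as an artifact rather than a verdict, which is the distinction the post draws; a rule that weights it like a direct-path DMARC failure is the false confidence described above. Note that plain edit distance puts `calnder` two edits from `calendar` (a dropped letter plus a changed vowel), so the look-alike threshold here is 2; on short names that threshold needs tuning against a list of real mailboxes to keep false positives down.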
IRONSCALES Themis assigned a 90% confidence verdict with labels for Credential Theft and VIP Recipient. The email was quarantined within roughly five minutes of delivery.
The signals that drove that verdict were not authentication results. Themis identified the malicious Excel verdict and correlated it with the off-document payload structure: a workbook that exists to instruct rather than infect, pointing to an external SmartLink for the actual credential capture. It identified the SmartLink host as unaffiliated with any legitimate document service and flagged the originalSrc mismatch in the HTML (the underlying source pointing back to Netvigator rather than any bank domain). It flagged the first-time sender status for the sending address despite the display name claiming internal familiarity. And it applied context to the recipient: a finance executive receiving an urgent salary document with a high-priority flag and three attachments is exactly the profile that credential harvesting campaigns are designed to exploit.
The IRONSCALES platform uses behavioral pattern analysis rather than authentication-pass/fail logic as its primary decision layer. That distinction is what allowed Themis to reach a verdict here while gateway-level controls were still reconciling the relay artifacts.
According to Verizon's DBIR, phishing remains the leading initial access vector in confirmed breaches. This attack demonstrates why authentication-centric defenses are not sufficient against sophisticated campaigns. Three specific patterns here deserve attention.
First: macro-free malicious documents. The FBI IC3 Internet Crime Report 2024 notes continued growth in BEC and credential theft schemes that bypass technical payload detection entirely. An Excel file with no macros, no embedded URLs, and no scripts will pass most attachment scanners. If the file's malicious function is entirely social (instruction delivery), technical scanning returns clean verdicts on a file that is genuinely part of an attack chain. Per MITRE ATT&CK T1204.002, user execution of malicious files remains a primary technique precisely because social engineering outperforms technical evasion at scale.
Second: CDR relay authentication laundering. This is not a flaw in CDR technology. CDR gateways do what they are designed to do. The issue is that authentication results downstream of a CDR relay are artifacts of the sanitization process, not clean verdicts on the original message. Detection logic that weights post-CDR authentication results as strongly as direct-path results will produce false confidence.
Third: multi-vector packaging. The Excel file, the calendar invite, and the redirect link are each individually ambiguous. The calendar invite is clean. The PDF is a legitimate gateway artifact. The link passed initial scanning. The Excel file was flagged malicious. Individually, most of these signals are insufficient to trigger automated quarantine. Together, they form a coordinated attack. The Microsoft Digital Defense Report 2024 documents this pattern: sophisticated campaigns use layered lure elements specifically to distribute risk across vectors that would each individually score below alert thresholds.
MITRE ATT&CK T1566.001 (Spearphishing Attachment) and T1566.002 (Spearphishing Link) were both active here, alongside T1204.002. The attack did not rely on a single vector. Neither should detection.
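The three patterns above come down to one scoring problem: each vector alone stays under the alert line, so the verdict has to come from correlating them. The following is an added example, not the IRONSCALES decision logic. The signal names, weights, threshold and both sample messages are assumptions chosen to show the point: the spearphish described in the post never produces a single signal above the threshold, yet the combination clears it comfortably, while a routine internal share does not. Authentication results are deliberately given no weight when they were computed behind a CDR relay.

```python
"""Correlating individually ambiguous vectors into one verdict.

Added example, not vendor code. Weights, threshold, KNOWN_DOC_HOSTS and
both sample messages are assumptions.
"""
from dataclasses import dataclass

ALERT_THRESHOLD = 70
KNOWN_DOC_HOSTS = {"sharepoint.com", "onedrive.live.com"}  # assumption


@dataclass
class Attachment:
    name: str
    kind: str                         # "xlsx", "pdf" or "ics"
    scanner_verdict: str = "clean"
    instruction_only: bool = False    # text only, telling the reader to go elsewhere
    organizer_lookalike: bool = False  # organizer mailbox imitates a real one


@dataclass
class Message:
    from_domain: str
    reply_to_domain: str
    link_hosts: list
    attachments: list
    first_time_sender: bool = False
    vip_recipient: bool = False
    auth_failed: bool = False
    auth_behind_cdr: bool = False     # results computed after a CDR relay hop


def base_signals(msg):
    """Per-vector scores; each is deliberately below ALERT_THRESHOLD."""
    sig = []
    for host in msg.link_hosts:
        if not any(host == k or host.endswith("." + k) for k in KNOWN_DOC_HOSTS):
            sig.append(("link to host unaffiliated with a document service", 25))
    for a in msg.attachments:
        if a.scanner_verdict == "malicious":
            sig.append((f"{a.name}: scanner verdict malicious", 30))
        if a.kind == "xlsx" and a.instruction_only:
            sig.append((f"{a.name}: instruction-only workbook", 20))
        if a.kind == "ics" and a.organizer_lookalike:
            sig.append((f"{a.name}: look-alike organizer", 15))
    if msg.reply_to_domain and msg.reply_to_domain != msg.from_domain:
        sig.append(("Reply-To domain differs from From domain", 15))
    if msg.first_time_sender:
        sig.append(("first-time sender", 10))
    if msg.vip_recipient:
        sig.append(("VIP recipient", 10))
    # Authentication only counts on a direct path; behind a CDR relay the
    # results describe the sanitisation, not the sender.
    if msg.auth_failed and not msg.auth_behind_cdr:
        sig.append(("authentication failed on direct path", 20))
    return sig


def correlations(msg, sig):
    """Bonuses for combinations that only make sense as one attack."""
    labels = [label for label, _ in sig]
    bonus = []
    if any("instruction-only" in l for l in labels) and any("link to host" in l for l in labels):
        bonus.append(("payload lives off the document: lure file + external link", 25))
    if len({a.kind for a in msg.attachments}) >= 2 and msg.link_hosts:
        bonus.append(("multi-vector packaging: attachments + link", 15))
    if msg.vip_recipient and msg.reply_to_domain and msg.reply_to_domain != msg.from_domain:
        bonus.append(("external sender imitating an internal notice to a VIP", 10))
    return bonus


def verdict(msg):
    sig = base_signals(msg)
    bonus = correlations(msg, sig)
    total = sum(s for _, s in sig) + sum(s for _, s in bonus)
    return {
        "max_single_signal": max((s for _, s in sig), default=0),
        "total": total,
        "quarantine": total >= ALERT_THRESHOLD,
        "signals": sig + bonus,
    }


# The message from the post, as a constructed description.
SPEARPHISH = Message(
    from_domain="netvigator.com", reply_to_domain="vantage.bank",
    link_hosts=["t-sml.mtrbio.com"],
    attachments=[
        Attachment("Vantage_Document_eric.thompson.xlsx", "xlsx",
                   scanner_verdict="malicious", instruction_only=True),
        Attachment("attachment_blocked.pdf", "pdf"),
        Attachment("invite.ics", "ics", organizer_lookalike=True),
    ],
    first_time_sender=True, vip_recipient=True,
    auth_failed=True, auth_behind_cdr=True)

# Constructed routine message for contrast: internal share link, clean PDF.
ROUTINE = Message(
    from_domain="vantage.bank", reply_to_domain="vantage.bank",
    link_hosts=["vantage.sharepoint.com"],
    attachments=[Attachment("agenda.pdf", "pdf")])

if __name__ == "__main__":
    for m in (SPEARPHISH, ROUTINE):
        print(verdict(m))
```

The design choice worth copying is that the correlation bonuses are tied to specific pairings (a lure file that only makes sense with an external link, several attachment kinds travelling with a link, an external sender writing to a VIP with an internal reply address) rather than to a raw count of signals; a count rewards noisy messages, a pairing rewards the structure of an attack.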
| Type | Indicator | Context |
|---|---|---|
| Email | emailxoj@netvigator[.]com | Actual sending address, Hong Kong ISP |
| Domain | calnder@vantage[.]bank | Typo-squatted display sender (one transposed letter) |
| IP | 44[.]206[.]222[.]91 | EC2 instance, original sending IP |
| IP | 210[.]87[.]247[.]43 | Netvigator relay (PTR: wbironout4b.netvigator.com) |
| IP | 151[.]241[.]154[.]219 | Additional relay hop |
| URL | hxxps://t-sml[.]mtrbio[.]com/public/smartlink/onedrive-msexchange-workers-dev-email-160 | SmartLink redirect, credential-harvesting endpoint |
| File | Vantage_Document_eric[.]thompson[.]xlsx | Malicious Excel, MD5: c08b0fe953903801a319ca82c2548d83 |
| File | Review Required [...].ics | Weaponized calendar invite, typo-squatted organizer |
The CISA advisory landscape has consistently highlighted the use of legitimate relay and redirect infrastructure in phishing campaigns. This case follows that pattern precisely: every individual component, except the Excel file, passed its own technical check. The attack only becomes visible when all the components are evaluated together, in context, against the recipient's profile and the sender's behavior history.
Relying on any single verdict source to protect a VIP inbox in a financial institution is not a strategy. It is a gap.