The attachment scanned clean. The email passed SPF, DKIM, and DMARC. The sending infrastructure traced back to servers consistent with a real banking institution's mail configuration. The sender IP geolocated to India, matching the bank's operating region. Every automated check agreed this message was safe.
The PDF was encrypted. That was the point.
Authenticated Infrastructure, Weaponized Attachment
The message arrived from alerts.sbi.bank[.]in, relayed through a host named d37-smtp-out-in.alerts.sbi[.]co[.]in at IP 175.158.69[.]37. SPF passed. DKIM passed for both the bank's alert domain and a secondary commercial mailer domain. DMARC passed. The relay metadata showed the message was sent via NetcoreCloud Mailer (Pepipost), a legitimate third-party email delivery platform used by large organizations for transactional messaging.
The email addressed the recipient by name and referenced account-specific identifiers. It instructed the recipient to open an attached PDF using a password constructed from "the last five digits of your mobile number plus your date of birth in DDMMYY format." The example password provided in the message did not match this formula, an inconsistency that would be invisible to most recipients scanning the email quickly but obvious to anyone who tried to verify the math.
What the Scanner Could Not See
The attachment, a 42KB PDF encrypted with Standard PDF encryption (PDF 1.4), returned a "clean" verdict from automated scanning. That verdict was accurate for what the scanner could evaluate: the unencrypted envelope of the file contained no exposed JavaScript tokens or visible URIs. Everything potentially malicious lived behind the encryption barrier, accessible only to someone who entered the password.
This is the fundamental asymmetry of PII-gated attachment evasion. The human recipient has the information needed to open the file. The scanner does not. The password instruction in the email body normalizes the act of combining personal data to access a document, conditioning the recipient to provide more PII if the opened PDF requests it.
The Domain That Looked Right
The email contained a link to cms.onlinesbi[.]com/CMS/, presented as the bank's online portal. The domain onlinesbi[.]com was registered in 2000, giving it the appearance of legitimacy through age alone. But the bank's official portal operates at onlinesbi.sbi.bank[.]in. The look-alike domain follows the same naming convention without being the actual destination, a distinction that authentication protocols were never designed to evaluate.
Themis flagged the message on the combination of PII-password instructions, domain mismatch between the sender and embedded links, and the encrypted attachment that blocked inspection. The mailbox was quarantined automatically.
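The three signals that triggered the quarantine, combined in an added Python example (not Themis's code and not from the original post): a static check for an /Encrypt reference in the PDF trailer, a phrase match for password instructions built from PII, and alignment of embedded link domains against the sender domain. The PDF bytes and message body are constructed samples, and the small suffix set is a stand-in for the Public Suffix List.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a minimal PDF 1.4 skeleton whose trailer references an
# /Encrypt dictionary, as a Standard-security encrypted PDF does.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog >> endobj\n"
    b"2 0 obj << /Filter /Standard /V 1 /R 2 /Length 40 >> endobj\n"
    b"trailer << /Root 1 0 R /Encrypt 2 0 R >>\n%%EOF\n"
)
# Constructed sample body reproducing the lure pattern described in the post.
SAMPLE_BODY = (
    "Dear Customer, your statement is attached. Open the PDF with a password "
    "made of the last five digits of your mobile number plus your date of birth "
    "in DDMMYY format. Login at https://cms.onlinesbi.com/CMS/ for details."
)
SAMPLE_SENDER = "alerts.sbi.bank.in"
# Assumption: a tiny stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"in", "co.in", "bank.in", "com"}

PII_PASSWORD_RE = re.compile(
    r"password.{0,160}?(mobile number|date of birth|\bdob\b)", re.I | re.S)
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# PDF 1.4 files use a classic 'trailer' dictionary; xref-stream files (1.5+) would
# need the /Encrypt key read from the xref stream dictionary instead.
ENCRYPT_RE = re.compile(rb"trailer\s*<<[^>]*?/Encrypt\s+\d+\s+\d+\s+R")

def registrable_domain(host: str) -> str:
    """Public suffix plus one label, e.g. alerts.sbi.bank.in -> sbi.bank.in."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return host.lower()

def pdf_is_encrypted(data: bytes) -> bool:
    """True when the trailer references an /Encrypt dictionary (no password needed)."""
    return ENCRYPT_RE.search(data) is not None

def misaligned_links(body: str, sender_domain: str) -> list:
    """Link hosts whose registrable domain differs from the sender's."""
    sender_rd = registrable_domain(sender_domain)
    hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(body)]
    return sorted({h for h in hosts if registrable_domain(h) != sender_rd})

def score_message(sender_domain: str, body: str, attachments: list) -> dict:
    """Combine the three signals; only all three together trigger quarantine."""
    signals = {
        "pii_password_instruction": bool(PII_PASSWORD_RE.search(body)),
        "link_domain_mismatch": misaligned_links(body, sender_domain),
        "encrypted_attachment": any(pdf_is_encrypted(a) for a in attachments),
    }
    signals["quarantine"] = all(bool(v) for v in signals.values())
    return signals
```

A link to the real portal (onlinesbi.sbi.bank.in) shares the registrable domain sbi.bank.in with the sender and therefore does not count as a mismatch, which is the distinction SPF, DKIM and DMARC never evaluate.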
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Sender Domain | alerts.sbi.bank[.]in | Authenticated banking alert domain |
| Sending Host | d37-smtp-out-in.alerts.sbi[.]co[.]in | Banking infrastructure relay (IP 175.158.69[.]37, India) |
| Mailer Platform | NetcoreCloud / Pepipost | Third-party commercial mailer used for delivery |
| Look-alike Link | cms.onlinesbi[.]com/CMS/ | Not the official portal (onlinesbi.sbi.bank[.]in) |
| Attachment | XXXXXX71790_A_2026_B9B20KFR.pdf | Encrypted PDF, 42KB, scanner verdict "clean" |
| Encryption | Standard PDF 1.4 | Password-protected, blocks static analysis |
| Password Scheme | Last 5 digits of mobile + DOB (DDMMYY) | PII-gated, example inconsistent with formula |
MITRE ATT&CK Mapping
| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Attachment | T1566.001 | Encrypted PDF as primary delivery vector |
| Obfuscated Files or Information | T1027 | PDF encryption prevents automated content inspection |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Look-alike banking portal domain |