When Amazon SES Carries the Malware: HR Impersonation and a Confirmed-Malicious PDF

Written by Audian Paxson | Apr 29, 2025 11:00:00 AM
TL;DR An attacker routed a malicious PDF through Amazon SES using a display name that mimicked internal HR -- passing every authentication check -- and targeted multiple executives at a Fortune 500 automaker with a fake benefits-policy notice. The attached PDF was confirmed malicious by hash. IRONSCALES' Phishing SOC Agent analysis caught the impersonation and the attachment verdict before any recipient opened the file, auto-resolving the incident across all affected mailboxes within minutes.
Severity: High | Tags: Malware Delivery, Display-Name Impersonation, Cloud ESP Abuse, BEC | MITRE ATT&CK: T1566 (Phishing), T1566.001 (Spearphishing Attachment), T1656 (Impersonation)

The email looked like it came from HR. The display name said so. The subject warned of immediate executive changes to benefits policies and named a review deadline that had already passed. Tucked inside was a PDF -- confirmed malicious by hash before anyone opened it.

The message never failed a single authentication check.

The Impersonation Layer: A Display Name Does All the Work

The technique is as old as display names themselves: set the visible sender to something that reads like an internal authority figure, put the actual envelope address on a domain you control or have compromised, and let the email client do the rest. Most clients surface only the display name in the inbox view. The domain never appears unless the recipient clicks to expand.

Here, the display name mimicked internal HR at the target organization -- a Fortune 500 automaker. The actual sending address was admin@sofocam-group[.]com, a domain with no connection to the employer's email infrastructure. The mismatch only becomes visible on inspection.

The attacker reinforced the illusion in two ways. First, the subject line opened with a misspelled word ("Confidencial") and referenced a review deadline that had already elapsed -- hallmarks of pressure-in-motion lures designed to provoke urgency before the reader can evaluate the source. Second, a List-Unsubscribe header inside the message pointed to an internal domain address -- a small but calculated detail that makes the message appear organizationally affiliated when parsed by email clients that surface that header.

This is Business Email Compromise tradecraft applied to malware delivery: borrow an internal identity, build urgency, and get the target to open the file before they check the sender.

The Infrastructure: Laundering Legitimacy Through Amazon SES

The sending IP resolved to a27-115.smtp-out.us-west-2.amazonses[.]com -- an Amazon Simple Email Service (SES) outbound relay in the US-West-2 region. The attacker had configured a sending identity under sofocam-group[.]com and published valid DKIM records for that domain. Amazon also co-signs outbound messages with its own DKIM key. Both signatures verified.

The full authentication picture at delivery:

  • SPF: pass -- the sending IP is an authorized Amazon SES endpoint
  • DKIM: pass for both sofocam-group[.]com and amazonses.com
  • DMARC: pass on sofocam-group[.]com
  • Microsoft Composite Auth (compauth): pass, reason 100

Every gate a Secure Email Gateway relies on for "safe" verdicts returned green. The message landed in the recipient's mailbox with a Spam Confidence Level of 1 (low risk by Microsoft's classifier).

This is the core thesis: a reputable cloud ESP functions as a trust launderer. The attacker did not need to own a high-reputation IP or age a domain into deliverability. They opened an SES account, pointed DKIM at sofocam-group[.]com, and inherited Amazon's sending infrastructure reputation. Phishing delivered this way is nearly indistinguishable from bulk legitimate mail at the authentication layer.
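What the authentication chain actually vouches for can be made concrete by parsing an Authentication-Results header the way a mail filter would. The script below is an added example, not IRONSCALES code; the raw message is constructed to mirror the headers described above (victim.example and mx.victim.example stand in for the target organization's domain and its receiving MTA), and it applies to any message, not only this one. Every method returns pass and DMARC aligns with the From: domain, yet nothing in that chain ever examines the display name.

```python
"""Parse an Authentication-Results header and report which identity it vouches for.

Added example, not IRONSCALES code. RAW_MESSAGE is constructed to mirror the
headers described in the post; victim.example / mx.victim.example are placeholders
for the target organization's domain and receiving mail server.
"""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

RAW_MESSAGE = b"""\
From: "Human Resources" <admin@sofocam-group.com>
To: cfo@victim.example
Subject: Confidencial: Immediate executive changes to benefits policies
Authentication-Results: mx.victim.example;
 spf=pass (sender IP is 54.240.27.115) smtp.mailfrom=sofocam-group.com;
 dkim=pass (signature was verified) header.d=sofocam-group.com;
 dkim=pass (signature was verified) header.d=amazonses.com;
 dmarc=pass action=none header.from=sofocam-group.com;
 compauth=pass reason=100
List-Unsubscribe: <mailto:unsubscribe@victim.example>
Content-Type: text/plain

Please review the attached benefits policy before the deadline.
"""


def parse_authentication_results(header_value):
    """Split an Authentication-Results value into one dict per method clause.

    RFC 8601 shape: authserv-id; method=result [prop=value ...]; method=result ...
    Parenthesised comments such as "(sender IP is ...)" carry no verdict and are
    dropped before tokenising.
    """
    cleaned = re.sub(r"\([^)]*\)", " ", header_value)
    clauses = [c.strip() for c in cleaned.split(";") if c.strip()]
    parsed = []
    for clause in clauses[1:]:                     # clauses[0] is the authserv-id
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        entry = {"method": method.lower(), "result": result.lower()}
        for token in tokens[1:]:
            key, _, value = token.partition("=")
            entry[key.lower()] = value.lower()
        parsed.append(entry)
    return parsed


def what_authentication_proves(raw_message):
    """Return the domains the auth chain vouches for next to the identity the
    display name claims. The two are unrelated: every check can pass while the
    display name says whatever the sender chooses."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    results = parse_authentication_results(msg["Authentication-Results"])
    display_name, address = parseaddr(msg["From"])
    from_domain = address.rpartition("@")[2].lower()

    spf = next((r for r in results if r["method"] == "spf"), {})
    dmarc = next((r for r in results if r["method"] == "dmarc"), {})
    dkim_domains = sorted(r["header.d"] for r in results
                          if r["method"] == "dkim" and r["result"] == "pass")

    return {
        "all_checks_pass": all(r["result"] == "pass" for r in results),
        "spf_vouches_for": spf.get("smtp.mailfrom"),
        "dkim_vouches_for": dkim_domains,
        # DMARC "pass" means header.from aligns with an SPF/DKIM identity, no more.
        "dmarc_aligned": (dmarc.get("result") == "pass"
                          and dmarc.get("header.from") == from_domain),
        "from_domain": from_domain,
        # None of the checks above ever looked at this string.
        "display_name_claim": display_name,
    }


if __name__ == "__main__":
    for key, value in what_authentication_proves(RAW_MESSAGE).items():
        print(f"{key:20} {value}")
```

The output places `all_checks_pass: True` and `dkim_vouches_for: ['amazonses.com', 'sofocam-group.com']` directly beside `display_name_claim: Human Resources`; a gateway that stops at the first line of that report is the gateway this message walked through.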

The Verizon 2026 DBIR notes that roughly 10% of malware arrives via email attachments -- a figure that understates cloud-delivered payloads, where authentication laundering makes the delivery vehicle look clean. The FBI IC3 2024 Annual Report records over $2.7 billion in BEC losses, with social-engineering tactics like HR impersonation among the most effective vectors. MITRE ATT&CK T1566.001 -- Spearphishing Attachment -- specifically covers this pattern: a weaponized file delivered via email to produce code execution or credential access.

The Payload: A 200 KB PDF With a Confirmed-Malicious Hash

The attachment, 4da5a6737f93d3ebef41.pdf, is 199,733 bytes -- roughly 200 KB. That size is consistent with a PDF containing embedded objects, scripts, or resource streams beyond simple text. The platform's hash-based scanner returned a malicious verdict before any behavioral detonation was needed.

The confirmed hash:

MD5: `25b699013231b1ac6635b87288405e1b`

File: 4da5a6737f93d3ebef41.pdf

Hash matching is deterministic: this exact file had been seen before and marked malicious. No redirect, no domain rotation, and no filename change can alter a file's hash. The attachment scanner's verdict is the clearest signal in this incident -- it confirms the payload, independent of every other indicator.
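The determinism argument is easy to demonstrate: hash every attachment in a message and look the digest up in a reputation set. The script below is an added example, not the platform's attachment scanner. The MIME message and the "PDF" bytes are constructed here (a minimal PDF skeleton, not the real attachment), so the one real entry in the blocklist, the MD5 from this post, will not match them; the same bytes are attached twice under different filenames to show that renaming changes nothing.

```python
"""Hash each attachment of a message and look it up in a hash-reputation set.

Added example, not the platform's attachment scanner. The MIME message and the
'PDF' bytes are constructed; the one real blocklist entry (this post's MD5) will
therefore not match the constructed file.
"""
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed stand-in payload: a minimal PDF skeleton, not the real attachment.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"

# Hash-reputation set keyed by MD5. The entry below is the post's IoC.
KNOWN_BAD_MD5 = {
    "25b699013231b1ac6635b87288405e1b": "confirmed malicious (IRONSCALES IoC)",
}


def build_sample_message():
    """Constructed message carrying the same bytes under two filenames."""
    msg = EmailMessage()
    msg["From"] = '"Human Resources" <admin@sofocam-group.com>'
    msg["To"] = "cfo@victim.example"            # placeholder target domain
    msg["Subject"] = "Confidencial: changes to benefits policies"
    msg.set_content("Please review the attached policy before the deadline.")
    for name in ("4da5a6737f93d3ebef41.pdf", "benefits_policy_FINAL.pdf"):
        msg.add_attachment(SAMPLE_PDF, maintype="application", subtype="pdf",
                           filename=name)
    return msg.as_bytes()


def scan_attachments(raw_message, blocklist=KNOWN_BAD_MD5):
    """Return one finding per attachment: size, both digests, and the list verdict."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_content()               # decoded bytes for application/pdf
        md5 = hashlib.md5(data).hexdigest()
        findings.append({
            "filename": part.get_filename(),
            "size": len(data),
            "md5": md5,
            "sha256": hashlib.sha256(data).hexdigest(),
            "verdict": blocklist.get(md5, "unknown"),
        })
    return findings


if __name__ == "__main__":
    for f in scan_attachments(build_sample_message()):
        print(f"{f['filename']:28} {f['size']:>6} B  md5={f['md5']}  {f['verdict']}")
```

Both findings carry the same MD5 and SHA-256 despite the different filenames, which is the property that makes a confirmed-bad hash such a durable signal; keeping SHA-256 alongside MD5 lets the set be shared with feeds that no longer key on MD5.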

Because the deeper static extractor could not retrieve the stored PDF artifact for further parsing, the specific exploit mechanism (embedded JavaScript launch action, URI handler abuse, shellcode stream) cannot be confirmed from available data. Defenders should treat the file as a potential drive-by exploit vehicle and submit it to an offline sandbox for behavioral analysis.

The campaign reached multiple senior executives at the organization across separate mailboxes within the same delivery window, consistent with a targeted, multi-recipient run against a list of high-value individuals.

Why This Bypassed the SEG

The attack stacked four bypass factors simultaneously:

  1. Authentication pass -- SES-relayed messages with valid DKIM and SPF alignment don't generate authentication-based blocks.
  2. Display-name impersonation -- DMARC protects the From: domain, not the display name. An attacker who controls sofocam-group[.]com can write any display name they choose while still passing DMARC.
  3. New sender, no prior reputation -- The sending address had no established relationship with the organization, but that absence cuts both ways: no negative history either.
  4. Attachment evasion -- Many cloud SEGs do not maintain live hash-reputation databases of known-bad PDFs, or they rely on behavioral sandboxing that can be evaded. A hash match requires a prior record of that exact file.

Detection and Response

IRONSCALES' Phishing SOC Agent analysis correlated the attachment hash verdict with behavioral sender signals -- first-time sender to this organization, display-name/domain mismatch, high sender risk score, no prior send-to-organization history -- and automatically resolved the incident as phishing across all affected mailboxes. The mitigation timestamps in the incident record show the analysis and reversal completed within minutes of delivery, before any recipient interaction was recorded.

The CISA phishing guidance recommends treating any unsolicited attachment from an unverified sender as suspect regardless of authentication status. That principle applies doubly when the sender's display name claims an internal identity the domain cannot support.

Themis, IRONSCALES' Adaptive AI, surfaces the anomaly pattern -- a display name that does not match the sending domain, originating from a first-time sender via a cloud relay -- as part of its behavioral analysis layer. Authentication results feed into that analysis but do not override it. A passing DMARC is evidence of domain alignment, not identity trustworthiness.

Defensive Takeaways

  • Do not treat authentication results as identity verification. SPF, DKIM, and DMARC validate the sending domain -- they say nothing about whether the display name accurately represents the sender. Implement display-name controls that flag messages claiming to be from internal departments when the domain is external.
  • Maintain hash reputation for known-malicious files. A confirmed-bad hash is a durable, evasion-resistant signal. Platforms that rely solely on sandbox detonation or URL scanning miss payload reputation matches.
  • Apply additional scrutiny to cloud ESP originators. Messages sourced from SES, SendGrid, Mailgun, and similar services can produce perfect authentication results for any sending domain. Without behavioral analysis, SES-originated messages that impersonate internal identities are a detection gap.
  • Correlate sender identity signals. First-time sender, high sender risk, display-name/envelope mismatch, and a past-deadline urgency lure are individually ignorable. Together, they define this attack's signature.
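The last two takeaways, the display-name control and the correlation of individually weak signals, can be expressed as a small rule set. The script below is an added example, not Themis or the Phishing SOC Agent. The message is constructed to mirror the headers described in this post (victim.example stands in for the target organization, the deadline date and timestamps are illustrative), the prior-contact list and the weights are constructed, and the authentication check is deliberately a zero-weight substring test so that a passing DMARC is recorded without ever lowering the score.

```python
"""Correlate the sender-identity signals listed in the post into one verdict.

Added example, not Themis or the Phishing SOC Agent. The message, the internal
domain (victim.example), the sender history and the weights are constructed.
"""
import re
from datetime import datetime
from email import message_from_bytes, policy
from email.utils import parseaddr, parsedate_to_datetime

INTERNAL_DOMAINS = {"victim.example"}               # placeholder for the target org
INTERNAL_DEPT_RE = re.compile(r"\b(human resources|hr|payroll|benefits|finance)\b", re.I)
KNOWN_SENDERS = {"invoices@supplier.example"}       # constructed prior-contact list
DEADLINE_RE = re.compile(r"\b(?:by|before)\s+([A-Z][a-z]+ \d{1,2}, \d{4})")

# Constructed to mirror the headers described in the post.
RAW_MESSAGE = b"""\
From: "Human Resources" <admin@sofocam-group.com>
To: cfo@victim.example
Date: Tue, 29 Apr 2025 09:12:00 +0000
Subject: Confidencial: Immediate executive changes to benefits policies, review by April 25, 2025
List-Unsubscribe: <mailto:unsubscribe@victim.example>
Authentication-Results: mx.victim.example; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

Please review the attached policy.
"""

# Passing authentication is recorded but weighted zero: it proves domain
# alignment, not identity.
WEIGHTS = {
    "internal_name_external_domain": 3,
    "unsubscribe_borrows_internal_domain": 1,
    "first_time_sender": 1,
    "past_deadline_lure": 1,
    "authentication_passed": 0,
}


def signals(raw_message, internal=INTERNAL_DOMAINS, known=KNOWN_SENDERS):
    """Extract the individual signals; each is ignorable on its own."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    display_name, address = parseaddr(msg["From"])
    from_domain = address.rpartition("@")[2].lower()
    external = from_domain not in internal
    found = {}

    # Display name names an internal department while the domain is external.
    found["internal_name_external_domain"] = (
        external and INTERNAL_DEPT_RE.search(display_name) is not None)

    # List-Unsubscribe points into the organisation although the mail did not come from it.
    unsub = re.search(r"@([\w.-]+)", msg.get("List-Unsubscribe", ""))
    found["unsubscribe_borrows_internal_domain"] = (
        external and unsub is not None and unsub.group(1).lower() in internal)

    # No prior exchange with this address.
    found["first_time_sender"] = address.lower() not in known

    # Subject names a review deadline that had already elapsed when the mail was sent.
    sent_at = parsedate_to_datetime(msg["Date"])
    m = DEADLINE_RE.search(msg["Subject"])
    deadline = (datetime.strptime(m.group(1), "%B %d, %Y")
                .replace(tzinfo=sent_at.tzinfo) if m else None)
    found["past_deadline_lure"] = deadline is not None and deadline < sent_at

    # Recorded for the analyst, weighted zero (substring check for brevity; a
    # production rule would parse each method=result clause).
    found["authentication_passed"] = "dmarc=pass" in msg.get("Authentication-Results", "")
    return found


def verdict(found, threshold=4):
    """Sum the weighted signals; no single signal reaches the threshold alone."""
    score = sum(w for name, w in WEIGHTS.items() if found.get(name))
    label = "phishing" if score >= threshold else "review" if score >= 2 else "benign"
    return score, label


if __name__ == "__main__":
    s = signals(RAW_MESSAGE)
    for name, value in s.items():
        print(f"{name:38} {value}")
    print(verdict(s))
```

With the constructed message every signal fires and the score reaches 6, while a first-time sender alone scores 1 and even the display-name mismatch alone stops at 3; the verdict comes from the combination, which is the point of the takeaway.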

---

Indicators of Compromise

| Indicator | Type | Notes |
| --- | --- | --- |
| admin@sofocam-group[.]com | Sender email | Attacker-controlled or compromised sending address |
| sofocam-group[.]com | Domain | Sending domain; registered 2016, privacy-protected |
| 54.240.27[.]115 | IP address | Amazon SES relay, US-West-2 |
| a27-115.smtp-out.us-west-2.amazonses[.]com | Sending host | Amazon SES SMTP outbound |
| 4da5a6737f93d3ebef41.pdf | Filename | Malicious PDF attachment |
| 25b699013231b1ac6635b87288405e1b | MD5 hash | Confirmed malicious; do not open |

---

MITRE ATT&CK

| Technique ID | Name | Application |
| --- | --- | --- |
| T1566 | Phishing | Email-delivered attack with malicious attachment |
| T1566.001 | Spearphishing Attachment | Weaponized PDF targeting named senior executives |
| T1656 | Impersonation | Display-name impersonation of internal HR department |

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
