The Italian Certified Email That Wrapped Its Payload in S/MIME

The subject line promised credentials for a sustainable growth fund. The email arrived through Italy's government-certified PEC infrastructure, the system reserved for legally binding correspondence. The attachment was a 15,382-byte smime.p7m file, a PKCS#7 cryptographic container that the scanner evaluated from the outside, marked clean, and never opened.

PEC Infrastructure as a Trust Anchor

Posta Elettronica Certificata is not just another email provider. It is Italy's mandated system for official electronic correspondence, carrying legal weight equivalent to registered mail. Government agencies, banks, law firms, and businesses are required to use PEC for binding communications. When a message arrives through PEC relays, recipients treat it with a level of trust that no commercial email service commands.

This message traversed multiple PEC domains: postacertificata.mcc[.]it, postecert[.]it, and pec.posteventi[.]com. SPF passed for the PEC relay infrastructure. DKIM passed. But the originating domain published no DMARC policy, returning DMARC=none. That gap meant authentication failures would carry no enforcement consequences, but the SPF and DKIM passes created enough surface-level credibility to satisfy most gateway policies.

The subject line, "Credenziali di accesso Fondo di Crescita Sostenibile," referenced Italy's Sustainable Growth Fund, a real government economic program. The lure was not generic phishing. It was tailored to an audience that would recognize the fund by name and expect credential delivery through certified channels.

The S/MIME Wrapper That Scanners Cannot Open

The payload arrived as an smime.p7m attachment, 15,382 bytes of PKCS#7-encoded content. S/MIME containers are designed for cryptographic signing and encryption of email messages. They are standard, expected, and trusted in enterprise and government communications.

The problem is that most email scanners treat smime.p7m as a single binary object. They can check the outer container against known malware hashes and apply basic reputation scoring, but they cannot always extract the inner payload for content analysis. This is sandbox evasion without a sandbox: the cryptographic wrapper itself prevents inspection. The scanner marked the attachment clean because it evaluated the container, not the contents.

Institutional Trust Meets Inspection Gaps

The attack combined two elements that individually would raise minimal suspicion. PEC infrastructure provided institutional legitimacy. The S/MIME wrapper provided a technical barrier to content inspection. Together, they created a message that looked official, passed authentication (minus DMARC enforcement), and carried a payload that could not be fully analyzed.

The behavioral signals told a different story: a credential delivery for a government fund arriving from PEC infrastructure with no prior sender relationship, carrying an attachment format that specifically prevents content extraction. Themis evaluated these contextual mismatches and flagged the message for quarantine.

See Your Risk: Calculate how many threats your SEG is missing

Indicators of Compromise

MITRE ATT&CK Mapping