The subject line promised credentials for a sustainable growth fund. The email arrived through Italy's government-certified PEC infrastructure, the system reserved for legally binding correspondence. The attachment was a 15,382-byte smime.p7m file, a PKCS#7 cryptographic container that the scanner evaluated from the outside, marked clean, and never opened.
Posta Elettronica Certificata is not just another email provider. It is Italy's mandated system for official electronic correspondence, carrying legal weight equivalent to registered mail. Government agencies, banks, law firms, and businesses are required to use PEC for binding communications. When a message arrives through PEC relays, recipients treat it with a level of trust that no commercial email service commands.
This message traversed multiple PEC domains: postacertificata.mcc[.]it, postecert[.]it, and pec.posteventi[.]com. SPF passed for the PEC relay infrastructure, and DKIM passed. The originating domain, however, published no DMARC policy, so the check returned DMARC=none. That gap meant an authentication failure would have carried no enforcement consequences, while the SPF and DKIM passes on their own created enough surface-level credibility to satisfy most gateway policies.
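The distinction that matters here is whether the SPF and DKIM passes vouch for the visible sender or only for the relay. DMARC is the check that ties a pass to the From: domain (alignment); with no DMARC policy, nothing performs that check. The following added example, not code from the original post or from Themis, parses an Authentication-Results header and computes alignment against the From: domain. The message is a constructed sample modelled on the case above: the relay domains are the PEC relays named in the write-up, while the originating domain is a placeholder because the write-up does not name it; the organizational-domain helper is a deliberate simplification (real DMARC uses the Public Suffix List).

```python
import email
import email.utils
import re
from email import policy

# Constructed sample modelled on the message described above. The From: domain is a
# placeholder; the relay domains are the ones named in the write-up.
SAMPLE_MESSAGE = """\
From: "Fondo di Crescita Sostenibile" <ufficio@originating-domain.example>
To: recipient@example.org
Subject: Credenziali di accesso Fondo di Crescita Sostenibile
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=postacertificata.mcc.it;
 dkim=pass header.d=postecert.it;
 dmarc=none header.from=originating-domain.example

(body omitted)
"""


def parse_authentication_results(header: str) -> list[dict]:
    """Split an Authentication-Results header (RFC 8601 shape) into one dict per method.
    Parenthesised comments are dropped and the leading authserv-id clause is skipped."""
    header = re.sub(r"\([^)]*\)", "", header)
    clauses = [c.strip() for c in header.split(";")][1:]
    results = []
    for clause in clauses:
        if not clause:
            continue
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        entry = {"method": method.lower(), "result": result.lower()}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            entry[key.lower()] = value.lower()
        results.append(entry)
    return results


def org_domain(domain: str) -> str:
    """Crude organizational-domain approximation: the last two labels.
    Assumption for this example only; real DMARC alignment consults the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def assess_alignment(raw_message: str) -> dict:
    """Decide whether the SPF/DKIM passes vouch for the visible From: domain or only for the relay."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_addr = email.utils.parseaddr(str(msg["From"]))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    findings = {
        "from_domain": from_domain,
        "spf_pass_domain": None,
        "dkim_pass_domain": None,
        "spf_aligned": False,
        "dkim_aligned": False,
        "dmarc": "missing",
    }
    for r in parse_authentication_results(str(msg["Authentication-Results"])):
        if r["method"] == "spf" and r["result"] == "pass":
            findings["spf_pass_domain"] = r.get("smtp.mailfrom", "")
            findings["spf_aligned"] = org_domain(findings["spf_pass_domain"]) == org_domain(from_domain)
        elif r["method"] == "dkim" and r["result"] == "pass":
            findings["dkim_pass_domain"] = r.get("header.d", "")
            findings["dkim_aligned"] = org_domain(findings["dkim_pass_domain"]) == org_domain(from_domain)
        elif r["method"] == "dmarc":
            findings["dmarc"] = r["result"]
    # A pass only vouches for the sender when it aligns with From:; otherwise it vouches for the relay.
    if findings["spf_aligned"] or findings["dkim_aligned"]:
        findings["verdict"] = "sender-authenticated"
    elif findings["dmarc"] in ("none", "missing"):
        findings["verdict"] = "relay-authenticated-only, no DMARC enforcement"
    else:
        findings["verdict"] = "unaligned, DMARC policy applies"
    return findings


if __name__ == "__main__":
    for key, value in assess_alignment(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

Run against the sample, both passes belong to PEC relay domains that do not align with the From: domain, and the DMARC result is "none", so the verdict is "relay-authenticated-only": the message is authenticated as having come through PEC, not as having come from the displayed sender. A gateway policy that keys only on spf=pass and dkim=pass cannot see that difference.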
The subject line, "Credenziali di accesso Fondo di Crescita Sostenibile," referenced Italy's Sustainable Growth Fund, a real government economic program. The lure was not generic phishing. It was tailored to an audience that would recognize the fund by name and expect credential delivery through certified channels.
The payload arrived as an smime.p7m attachment, 15,382 bytes of PKCS#7-encoded content. S/MIME containers are designed for cryptographic signing and encryption of email messages. They are standard, expected, and trusted in enterprise and government communications.
The problem is that most email scanners treat smime.p7m as a single binary object. They can check the outer container against known malware hashes and apply basic reputation scoring, but they cannot always extract the inner payload for content analysis. This is sandbox evasion without a sandbox: the cryptographic wrapper itself prevents inspection. The scanner marked the attachment clean because it evaluated the container, not the contents.
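The defender's fix for a scanner that grades the container instead of the contents is to open the container, or, when it cannot be opened, to refuse to call it clean. A .p7m is a CMS ContentInfo whose content type decides what is possible: signedData normally carries the original message inline and can be extracted without any key, while envelopedData is ciphertext that only the recipient's private key can open. The following added example, which is not Themis's scanner or any library's code, walks the DER structure just far enough to make that distinction and, for signedData, hands the inner bytes to whatever content analysis follows. It assumes DER definite-length encoding (many S/MIME producers emit BER indefinite lengths, which a production parser would handle with a real CMS library); the fixtures it builds are constructed, signer-less shapes that exercise the walker, not real signed or encrypted messages.

```python
# Added example: minimal CMS/PKCS#7 inspector for .p7m attachments.
# Assumes DER definite-length encoding; fixtures below are constructed and degenerate.

OID_DATA = "1.2.840.113549.1.7.1"
OID_SIGNED_DATA = "1.2.840.113549.1.7.2"
OID_ENVELOPED_DATA = "1.2.840.113549.1.7.3"


def der_read(buf: bytes, pos: int = 0):
    """Read one DER TLV at pos; return (tag, value, position after the TLV)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length (BER) not supported by this walker")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length


def der_children(value: bytes):
    """Decode the TLVs contained in a constructed value, in order."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def decode_oid(value: bytes) -> str:
    """Decode the contents of an OBJECT IDENTIFIER into dotted form."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def inspect_p7m(blob: bytes) -> dict:
    """Classify a .p7m and, for signedData with inline content, return the inner bytes.
    'inspectable' False means there is nothing to scan, so the verdict must not be 'clean'."""
    tag, content_info, _ = der_read(blob)
    if tag != 0x30:
        return {"kind": "not-cms", "inspectable": False, "inner": None}
    fields = der_children(content_info)
    content_type = decode_oid(fields[0][1])
    if content_type == OID_ENVELOPED_DATA:
        return {"kind": "envelopedData", "inspectable": False, "inner": None}
    if content_type != OID_SIGNED_DATA:
        return {"kind": content_type, "inspectable": False, "inner": None}
    # content [0] EXPLICIT wraps SignedData: version, digestAlgorithms, encapContentInfo, ...
    _, signed_data, _ = der_read(fields[1][1])
    encap = der_children(der_children(signed_data)[2][1])
    inner_type = decode_oid(encap[0][1])
    if len(encap) < 2:  # detached signature: the content travels elsewhere
        return {"kind": "signedData", "inspectable": False, "inner": None, "inner_type": inner_type}
    _, inner, _ = der_read(encap[1][1])  # eContent [0] EXPLICIT OCTET STRING
    return {"kind": "signedData", "inspectable": True, "inner": inner, "inner_type": inner_type}


# --- DER encoding helpers, used only to build the constructed fixtures ---
def der_encode(tag: int, value: bytes) -> bytes:
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(reversed(chunk))
    return der_encode(0x06, body)


def build_fixture(inner: bytes, enveloped: bool = False) -> bytes:
    """Constructed .p7m shapes: signer-less signedData with inline content, or an envelopedData shell."""
    if enveloped:
        body = der_encode(0x30, der_encode(0x02, b"\x00") + der_encode(0x31, b"") + der_encode(0x30, b""))
        return der_encode(0x30, encode_oid(OID_ENVELOPED_DATA) + der_encode(0xA0, body))
    encap = der_encode(0x30, encode_oid(OID_DATA) + der_encode(0xA0, der_encode(0x04, inner)))
    signed = der_encode(0x30, der_encode(0x02, b"\x01") + der_encode(0x31, b"") + encap + der_encode(0x31, b""))
    return der_encode(0x30, encode_oid(OID_SIGNED_DATA) + der_encode(0xA0, signed))


if __name__ == "__main__":
    print(inspect_p7m(build_fixture(b"constructed inner payload")))
    print(inspect_p7m(build_fixture(b"", enveloped=True)))
```

The point of the return shape is the two-way split a gateway needs: when `inspectable` is true, the inner bytes go through the same attachment analysis as an unwrapped file; when it is false (envelopedData, a detached signature, or a parse failure), the attachment was never scanned and should be treated as unscanned, not clean. A hash or reputation lookup on the outer container answers neither question.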
The attack combined two elements that individually would raise minimal suspicion. PEC infrastructure provided institutional legitimacy. The S/MIME wrapper provided a technical barrier to content inspection. Together, they created a message that looked official, passed authentication (minus DMARC enforcement), and carried a payload that could not be fully analyzed.
The behavioral signals told a different story: a credential delivery for a government fund arriving from PEC infrastructure with no prior sender relationship, carrying an attachment format that specifically prevents content extraction. Themis evaluated these contextual mismatches and flagged the message for quarantine.
| Type | Indicator | Context |
|---|---|---|
| PEC Relay | postacertificata.mcc[.]it | Italian certified email relay |
| PEC Relay | postecert[.]it | PEC infrastructure domain |
| PEC Relay | pec.posteventi[.]com | PEC event notification domain |
| Attachment | smime.p7m (15,382 bytes) | PKCS#7 S/MIME container |
| Subject | Credenziali di accesso Fondo di Crescita Sostenibile | Italian sustainable growth fund credential lure |
| Auth Results | SPF: pass, DKIM: pass, DMARC: none | No DMARC enforcement policy |
| Scanner Verdict | Attachment marked clean | Inner payload not extracted |

| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Attachment | T1566.001 | S/MIME container delivered as email attachment |
| Obfuscated Files or Information | T1027 | PKCS#7 wrapper prevents content extraction by scanners |
| Masquerading: Match Legitimate Name or Location | T1036.005 | PEC certified email infrastructure lends government-level trust |