Spanish-Language Judicial Impersonation Exploits CDR Relay Trust to Deliver Advance-Fee Fraud

TL;DR A Spanish-language email impersonating judicial proceedings delivered three identity document PDFs and a bank account number to a U.S. financial institution. The message passed through a CDR sanitization relay that broke all email authentication, yet the relay's allow-list status gave the message a clean delivery score. Multilingual social engineering combined with CDR trust exploitation created a detection blind spot.
Severity: High | Tags: Advance-Fee Fraud, Social Engineering | MITRE ATT&CK: T1566.001, T1598, T1585.002, T1199

A Spanish-language email arrived at a U.S. financial institution claiming to carry a judicial power of attorney. The subject line referenced a Mexican court proceeding. The body named a bank account number. Three PDF attachments contained what appeared to be identity documents and a legal filing. Every attachment scanned clean. Every authentication check had failed by the time the message reached the tenant. It landed in the inbox anyway.

This is what advance-fee fraud looks like when it skips the Nigerian prince template and speaks the language of the target.

The Attack Chain

The email originated from a free Hotmail account (sgcmy@hotmail[.]com) and targeted two employees at the victim financial institution. The sender, using a Hispanic name, wrote in fluent Mexican Spanish and referenced a specific legal mechanism: a poder judicial (judicial power of attorney) allegedly granting one individual authority over a relative's financial interests.

The body was four lines:

  1. A greeting ("Buenas tardes")
  2. A claim that the attached power of attorney authorized a named individual to manage her aunt's financial affairs
  3. A bank account number at the victim institution
  4. A closing ("Gracias por sus atenciones")

Three PDF attachments accompanied the message: a copy of the purported judicial power of attorney (2.4 MB) and two INE credentials (the voter ID issued by Mexico's Instituto Nacional Electoral, which serves as the de facto national identity card), one for each of the two individuals named in the body (97 KB and 108 KB).

No links. No credential harvesting forms. No malware. The entire payload was social engineering, and the documents themselves were the weapon.

How Authentication Broke and the Message Still Delivered

The original message left Hotmail's infrastructure with authentication intact. At the second relay hop, Microsoft's own ARC-Authentication-Results header (ARC instance i=1) records spf=pass, dkim=pass and dmarc=pass, with compauth=pass reason=100. At that point the message was legitimate Hotmail traffic.

Then it hit the organization's content disarm and reconstruction (CDR) relay. The CDR service, running on AWS EC2 infrastructure (44[.]206[.]222[.]91, PTR: ec2-44-206-222-91[.]compute-1[.]amazonaws[.]com), sanitized the attachments and re-submitted the message to the recipient's Exchange Online tenant.

That re-submission broke everything:

Check      Before CDR relay (ARC instance i=1)      After CDR relay (final hop)
SPF        pass                                     fail: 44[.]206[.]222[.]91 is not in the hotmail[.]com SPF record
DKIM       pass (signature verified)                fail: body hash did not verify after sanitization
DMARC      pass (hotmail[.]com publishes p=none)    fail
compauth   pass reason=100                          none reason=405

Under normal circumstances, a message failing all three checks would face scrutiny. But the CDR relay's IP was on the organization's allow list. Exchange Online therefore stamped the message with a Spam Confidence Level (SCL) of -1, the value that means "skip spam filtering," and composite authentication was not applied at all (compauth=none). Note that a DMARC failure against hotmail[.]com's p=none policy is, on its own, only reported rather than enforced; what removed the remaining reputation and content gates was the SCL of -1. The message landed directly in the inbox.
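Why the DKIM row in the table above fails after a rebuild is worth seeing in code. The block below is an added example written for this write-up, not code from the original post, from IRONSCALES or from any CDR product. It implements the RFC 6376 relaxed body canonicalization and the bh= computation, then runs a signer's bh= against three received bodies: untouched, whitespace-mangled in transit, and passed through a toy stand-in for a CDR rebuild. The MIME body and the PDF bytes inside it are constructed sample data; the rebuild only rewrites one line of the PDF, which is all it takes.

```python
"""DKIM body hash (bh=) before and after a CDR rebuild.

Added example for this write-up, not code from the original post, from
IRONSCALES or from any CDR product. It implements RFC 6376 section 3.4.4
"relaxed" body canonicalization and the bh= computation. The MIME body and
the PDF bytes inside it are constructed sample data, and cdr_sanitize() is a
toy stand-in for a CDR rebuild: it changes one line of the PDF, which is all
it takes for the signer's bh= to stop verifying.
"""
import base64
import hashlib
import hmac
import re


def relaxed_body_canon(body: bytes) -> bytes:
    """RFC 6376 s3.4.4 relaxed body canonicalization: strip trailing WSP on
    each line, collapse internal WSP runs to one SP, drop trailing empty
    lines, terminate with CRLF (an empty body canonicalizes to nothing)."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def body_hash(body: bytes) -> str:
    """bh= value for a=rsa-sha256 with relaxed body canonicalization:
    base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(relaxed_body_canon(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def bh_verifies(signed_bh: str, received_body: bytes) -> bool:
    """What a DKIM verifier does with the bh= tag: recompute and compare."""
    return hmac.compare_digest(signed_bh, body_hash(received_body))


# Constructed sample: a text part plus a small, entirely clean PDF, as in the
# incident (no JavaScript, no forms, nothing for a CDR to strip).
CLEAN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
             b"trailer << /Root 1 0 R >>\n%%EOF\n")
ORIGINAL_BODY = (
    b"--b42\r\nContent-Type: text/plain; charset=utf-8\r\n\r\n"
    b"Buenas tardes,\r\nAdjunto el poder judicial.\r\n"
    b"--b42\r\nContent-Type: application/pdf; name=\"poder.pdf\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.b64encode(CLEAN_PDF) + b"\r\n--b42--\r\n"
)


def cdr_sanitize(body: bytes) -> bytes:
    """Toy CDR rebuild: decode every base64 part, regenerate the file,
    re-encode. A real CDR re-renders the document; this one only rewrites
    the header line, but either way the bytes, and therefore bh=, change
    even for a file that contained nothing dangerous."""
    def rebuild(m):
        raw = base64.b64decode(m.group(2))
        rebuilt = raw.replace(b"%PDF-1.4\n", b"%PDF-1.4\n%Rebuilt by CDR\n", 1)
        return m.group(1) + base64.b64encode(rebuilt)
    return re.sub(rb"(Content-Transfer-Encoding: base64\r\n\r\n)([A-Za-z0-9+/=]+)",
                  rebuild, body)


def demo() -> dict:
    """Signer-side bh= checked against three received bodies: untouched,
    whitespace-mangled in transit (relaxed canonicalization absorbs it),
    and CDR-rebuilt (content changed, verification fails)."""
    signed_bh = body_hash(ORIGINAL_BODY)
    mangled = ORIGINAL_BODY.replace(b"tardes,\r\n", b"tardes, \t \r\n")
    return {
        "untouched": bh_verifies(signed_bh, ORIGINAL_BODY),
        "whitespace_only": bh_verifies(signed_bh, mangled),
        "after_cdr": bh_verifies(signed_bh, cdr_sanitize(ORIGINAL_BODY)),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:16s} bh verifies: {ok}")
```

The whitespace case is the point of relaxed canonicalization: a relay that only re-folds or re-spaces lines leaves the signature valid. A relay that rewrites attachment bytes does not, and no allow list changes that; the signature header hash (the b= tag) would break as well if the relay rewrote any signed header such as Content-Type.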

Why This Attack Works

Language as an evasion layer. Most phishing detection models are trained predominantly on English-language corpora. Spanish-language social engineering, particularly using jurisdiction-specific legal terminology like poder judicial and referencing Mexican identity documents (INE), falls outside the pattern libraries that flag English BEC and advance-fee templates. The Microsoft Digital Defense Report 2024 notes the increasing use of non-English lures to evade NLP-based detection.

Documents as payload. The three PDFs contained no malicious code, no embedded links, no JavaScript, no AcroForm exploits. They scanned clean because they were clean files. The fraud is in what they represent: forged or stolen identity documents designed to convince a bank employee to grant account access to an unauthorized party. Traditional attachment scanning looks for technical threats. It has no model for document authenticity.

CDR trust exploitation. The CDR relay did exactly what it was designed to do: sanitize attachments and forward them. But the architectural side effect of breaking authentication, combined with allow-list trust, created a blind spot where authenticated and unauthenticated mail became indistinguishable. The CDR relay effectively laundered the message's reputation.

First-time sender targeting. The attacker sent to two specific employees by name at the financial institution, both with Hispanic surnames, using a culturally appropriate greeting and closing. This level of targeting suggests reconnaissance: the attacker knew who handled account management for Spanish-speaking clients.

MITRE ATT&CK Mapping

Technique                               ID          Usage in this attack
Phishing: Spearphishing Attachment      T1566.001   Identity documents and a legal filing as PDF attachments
Phishing for Information                T1598       Bank account number offered to establish trust for follow-up fraud
Establish Accounts: Email Accounts      T1585.002   Free Hotmail account with a Hispanic display name
Trusted Relationship                    T1199       Allow-listed CDR relay used, unwittingly, as the delivery path

Indicators of Compromise

Indicator                                          Type               Context
sgcmy@hotmail[.]com                                Sender address     Free webmail, first-time sender
44[.]206[.]222[.]91                                Relay IP           CDR sanitization relay on AWS EC2 (the organization's own infrastructure; correlate on it, do not block it)
ec2-44-206-222-91[.]compute-1[.]amazonaws[.]com    PTR record         CDR relay infrastructure (same)
9417131ca14a180613348db6a284eb4d                   MD5 hash           PDF attachment, power of attorney (2.4 MB)
8bc05cc98dc20f289883d305450a73c9                   MD5 hash           PDF attachment, identity document (97 KB)
bfda6fa943518142de0b55c76d390b59                   MD5 hash           PDF attachment, identity document (108 KB)
compauth=none reason=405                           Auth result        Composite authentication not applied after relay re-submission
SCL=-1                                             Spam score         Allow-list override, spam filtering skipped
es-MX                                              Content language   Mexican Spanish, targeting bilingual staff

One caveat on the hashes: a CDR rebuild changes attachment bytes, so a hash taken after the relay will not match a copy of the same attachment captured before it. Match on the hash that corresponds to the side of the relay you are looking at.

What Defenders Should Take Away

The FBI IC3 2024 report documents $2.77 billion in BEC losses, a figure that is not broken down by the language of the lure. The IBM Cost of a Data Breach Report pegs the average social engineering breach at $4.77 million. According to the Verizon DBIR, social engineering remains the top action variety in breaches, and pretexting (which this attack exemplifies) has overtaken phishing as the dominant social vector.

This case exposes three architectural assumptions that need revisiting:

  1. CDR allow-lists need authentication monitoring. If a relay breaks SPF/DKIM/DMARC as an architectural side effect, the organization needs compensating controls: have the tenant evaluate the hop before the relay rather than the relay's own IP (in Exchange Online, Enhanced Filtering for Connectors on the inbound connector that receives from the CDR relay), have the relay verify authentication before it sanitizes and ARC-seal its result so the verdict survives the rewrite, and alert on any message delivered with SCL -1 whose final-hop SPF, DKIM and DMARC all failed. Allow-listing an IP that strips authentication, with nothing else in place, creates a permanent bypass.
  2. Multilingual detection is not optional. Organizations with Spanish-speaking clients and employees are targets for Spanish-language social engineering. Detection models that only parse English miss jurisdiction-specific fraud patterns entirely.
  3. Clean attachments are not safe attachments. When the documents themselves are the fraud instrument, malware scanning is the wrong tool. Behavioral analysis that evaluates sender context, first-time sender signals, and financial request patterns catches what signature-based scanning cannot.
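The monitoring called for in point 1, and the blind spot described in the authentication section earlier, come down to one distinction: "the relay broke authentication but an upstream hop verified it" versus "nobody ever verified it". The block below is an added example written for this write-up, not IRONSCALES', Microsoft's or the victim institution's code. It reads the final-hop Authentication-Results and X-Forefront-Antispam-Report together with the ARC chain the upstream hop left behind and keeps those two cases apart. It assumes Exchange Online header formats; both header sets are constructed samples, 203.0.113.10 (RFC 5737 TEST-NET) stands in for the upstream Hotmail IP, the ARC-Seal b= value is a placeholder, and the seal is trusted on its d= identity alone rather than cryptographically verified, which a production check must not do.

```python
"""Recover pre-relay authentication from the ARC chain behind an allow-listed
CDR relay.

Added example for this write-up; not IRONSCALES', Microsoft's or the victim
institution's code. Assumes Exchange Online formats for Authentication-Results,
ARC-Authentication-Results, ARC-Seal and X-Forefront-Antispam-Report. The
header sets below are constructed; 203.0.113.10 (RFC 5737 TEST-NET) stands in
for the upstream sender IP and the ARC-Seal b= is a placeholder. The ARC seal
is trusted on its d= identity only; a production check must verify the seal.
"""
import re
from email.parser import HeaderParser
from email.utils import parseaddr

ALLOW_LISTED_RELAYS = {"44.206.222.91"}   # the organization's CDR relay
TRUSTED_SEALERS = {"microsoft.com"}       # assumption: whose ARC results to trust

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=([a-z]+)", re.I)
REASON_RE = re.compile(r"\breason=(\d+)")
IP_RE = re.compile(r"sender ip is (\d{1,3}(?:\.\d{1,3}){3})", re.I)
INSTANCE_RE = re.compile(r"\bi=(\d+)")
SEAL_DOMAIN_RE = re.compile(r"\bd=([\w.-]+)")
SCL_RE = re.compile(r"\bSCL:(-?\d+)")

# Constructed sample headers. FINAL_HOP is what the tenant saw after the
# relay; UPSTREAM_ARC is what Microsoft recorded before it.
FINAL_HOP = (
    "Authentication-Results: spf=fail (sender IP is 44.206.222.91) "
    "smtp.mailfrom=hotmail.com; dkim=fail (body hash did not verify) "
    "header.d=hotmail.com; dmarc=fail action=none header.from=hotmail.com; "
    "compauth=none reason=405\n"
    "X-Forefront-Antispam-Report: CIP:44.206.222.91;CTRY:US;LANG:es;SCL:-1;"
    "SRV:;IPV:NLI;SFV:SKI;\n"
)
UPSTREAM_ARC = (
    "ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; "
    "cv=none; b=PLACEHOLDER\n"
    "ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass "
    "(sender ip is 203.0.113.10) smtp.mailfrom=hotmail.com; dkim=pass "
    "(signature was verified) header.d=hotmail.com; dmarc=pass action=none "
    "header.from=hotmail.com; compauth=pass reason=100\n"
)
TAIL = 'From: "Nombre Apellido" <sgcmy@hotmail.com>\nSubject: Poder judicial\n\n'
LAUNDERED_BUT_AUTHENTIC = FINAL_HOP + UPSTREAM_ARC + TAIL  # the incident as described
LAUNDERED_NO_EVIDENCE = FINAL_HOP + TAIL                   # same final view, no trusted ARC


def parse_authres(value: str) -> dict:
    """Flatten one (ARC-)Authentication-Results value into method -> result."""
    res = {m.group(1).lower(): m.group(2).lower() for m in AUTH_RE.finditer(value)}
    for key, rx, conv in (("reason", REASON_RE, str), ("ip", IP_RE, str),
                          ("i", INSTANCE_RE, int)):
        m = rx.search(value)
        res[key] = conv(m.group(1)) if m else None
    return res


def all_pass(res: dict) -> bool:
    return all(res.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))


def all_fail(res: dict) -> bool:
    return all(res.get(m) == "fail" for m in ("spf", "dkim", "dmarc"))


def trusted_upstream_results(msg) -> list:
    """ARC-Authentication-Results whose ARC-Seal (matched on i=) names a
    trusted sealer. The seal signature itself is not verified here."""
    sealers = {}
    for seal in msg.get_all("ARC-Seal", []):
        inst, dom = INSTANCE_RE.search(seal), SEAL_DOMAIN_RE.search(seal)
        if inst and dom:
            sealers[int(inst.group(1))] = dom.group(1).lower()
    results = [parse_authres(v) for v in msg.get_all("ARC-Authentication-Results", [])]
    return [r for r in results if sealers.get(r["i"]) in TRUSTED_SEALERS]


def classify(raw_headers: str) -> dict:
    """Keep 'relay broke authentication' apart from 'nothing was ever authenticated'."""
    msg = HeaderParser().parsestr(raw_headers)
    final = parse_authres(msg.get("Authentication-Results", ""))
    scl_m = SCL_RE.search(msg.get("X-Forefront-Antispam-Report", ""))
    scl = int(scl_m.group(1)) if scl_m else None
    upstream = trusted_upstream_results(msg)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

    bypassed = final["ip"] in ALLOW_LISTED_RELAYS and scl == -1
    if not bypassed:
        verdict = "no-bypass"                  # final-hop results are authoritative
    elif all_fail(final) and any(all_pass(u) for u in upstream):
        verdict = "upstream-authenticated"     # treat as authenticated mail from from_domain
    elif all_fail(final):
        verdict = "laundered-unauthenticated"  # HIGH: allow list delivered unverified mail
    else:
        verdict = "bypass-auth-intact"
    return {"verdict": verdict, "scl": scl, "relay_ip": final["ip"],
            "compauth": (final.get("compauth"), final["reason"]),
            "from_domain": from_domain, "upstream_hops": len(upstream)}


if __name__ == "__main__":
    for name, hdrs in (("incident", LAUNDERED_BUT_AUTHENTIC),
                       ("no ARC", LAUNDERED_NO_EVIDENCE)):
        print(name, classify(hdrs))
```

For the incident itself the verdict is upstream-authenticated: the right alert is about a free-webmail first-time sender asking about an account, not about a forged header. Without the ARC check, that case and laundered-unauthenticated look identical at the final hop, which is exactly the blind spot the allow list created. In Exchange Online the same separation can be had without custom parsing by enabling Enhanced Filtering for Connectors on the connector that receives from the relay, so that filtering evaluates the hop before the relay.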

Across 1,921 organizations and 35,000+ security professionals, IRONSCALES processes an average of 67.5 threats per 100 mailboxes per month. Many of them look nothing like a phishing email in English.


Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 30,000+ security professionals. Each post breaks down one attack — what it looked like, why it worked, and what you can do about it.
