A Spanish-language email arrived at a U.S. financial institution claiming to carry a judicial power of attorney. The subject line referenced a Mexican court proceeding. The body named a bank account number. Three PDF attachments contained what appeared to be identity documents and a legal filing. Every attachment scanned clean. Every authentication check failed. The message landed in the inbox anyway.
This is what advance-fee fraud looks like when it skips the Nigerian prince template and speaks the language of the target.
The email originated from a free Hotmail account (sgcmy@hotmail[.]com) and targeted two employees at the victim financial institution. The sender, using a Hispanic name, wrote in fluent Mexican Spanish and referenced a specific legal mechanism: a poder judicial (judicial power of attorney) allegedly granting one individual authority over a relative's financial interests.
The body was four lines:
Three PDF attachments accompanied the message: a copy of the purported judicial power of attorney (2.4 MB) and two copies of a Mexican national identity card (INE) for the individuals referenced in the body.
No links. No credential harvesting forms. No malware. The entire payload was social engineering, and the documents themselves were the weapon.
The original message left Hotmail's infrastructure with full authentication intact. At the second relay hop, Microsoft's own ARC records confirm SPF pass, DKIM pass, and DMARC pass (compauth=100). The message was legitimate Hotmail traffic at that point.
Then it hit the organization's content disarm and reconstruction (CDR) relay. The CDR service, running on AWS EC2 infrastructure (44[.]206[.]222[.]91, PTR: ec2-44-206-222-91[.]compute-1[.]amazonaws[.]com), sanitized the attachments and re-submitted the message to the recipient's Exchange Online tenant.
That re-submission broke everything:
| Authentication Check | Before CDR Relay | After CDR Relay |
|---|---|---|
| SPF | Pass | Fail (44[.]206[.]222[.]91 not in hotmail[.]com SPF record) |
| DKIM | Pass (signature verified) | Fail (body hash mismatch after sanitization) |
| DMARC | Pass (p=none) | Fail |
| compauth | 100 | none (reason=405) |
Under normal circumstances, a message with triple authentication failure would face scrutiny. But the CDR relay's IP was on the organization's allow list. The Spam Confidence Level (SCL) was set to -1, which in Exchange Online means "skip spam filtering entirely." The message bypassed every reputation and authentication gate and landed directly in the inbox.
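One way to surface this pattern in triage is to compare the earlier-hop ARC results against the final Authentication-Results and the SCL. The block below is an added example, not IRONSCALES code or anything from the original post; the sample headers are constructed to mirror the case (hop one passes, the relay hop fails with compauth=none reason=405, SCL=-1), and the header names are the standard Exchange Online ones.

```python
import re

# Constructed sample headers modelled on the case above; not the real message.
# Header values are shown unfolded onto single lines for readability.
SAMPLE_HEADERS = """\
Received: from ec2-44-206-222-91.compute-1.amazonaws.com (44.206.222.91) by inbound.example.test
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=hotmail.com; dkim=pass header.d=hotmail.com; dmarc=pass action=none header.from=hotmail.com; compauth=pass reason=100
Authentication-Results: spf=fail (sender IP is 44.206.222.91) smtp.mailfrom=hotmail.com; dkim=fail (body hash did not verify) header.d=hotmail.com; dmarc=fail action=none header.from=hotmail.com; compauth=none reason=405
X-MS-Exchange-Organization-SCL: -1
"""


def _header(headers, name):
    """Return the value of the first header called `name` (case-insensitive), or ''."""
    m = re.search(r"^%s:\s*(.*)$" % re.escape(name), headers, re.M | re.I)
    return m.group(1) if m else ""


def _results(value):
    """Parse 'spf=pass ...; dkim=fail ...' into {'spf': 'pass', 'dkim': 'fail', ...}."""
    return dict(re.findall(r"\b(spf|dkim|dmarc|compauth)=(\w+)", value))


def assess(headers):
    """Flag mail whose authentication was voided by an allow-listed relay.

    Returns a dict of individual findings plus 'laundered', which is True when
    an earlier hop authenticated the message, the final hop did not, and the
    relay's allow-list entry caused spam filtering to be skipped (SCL=-1).
    """
    final_raw = _header(headers, "Authentication-Results")
    final = _results(final_raw)
    earlier = _results(_header(headers, "ARC-Authentication-Results"))
    scl = _header(headers, "X-MS-Exchange-Organization-SCL").strip()
    # reason=405 is the code the case shows when re-submission voids compauth.
    reason = re.search(r"compauth=\w+\s+reason=(\d+)", final_raw)
    findings = {
        "earlier_hop_passed": earlier.get("dmarc") == "pass",
        "final_hop_failed": final.get("dmarc") == "fail",
        "auth_voided_by_relay": final.get("compauth") == "none"
        and reason is not None and reason.group(1) == "405",
        "filtering_skipped": scl == "-1",
    }
    findings["laundered"] = (findings["earlier_hop_passed"]
                             and findings["final_hop_failed"]
                             and findings["filtering_skipped"])
    return findings


if __name__ == "__main__":
    print(assess(SAMPLE_HEADERS))
```

Messages that come back `laundered` should be routed to the normal filtering pipeline rather than trusted on the relay's IP alone.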
Language as an evasion layer. Most phishing detection models are trained predominantly on English-language corpora. Spanish-language social engineering, particularly using jurisdiction-specific legal terminology like poder judicial and referencing Mexican identity documents (INE), falls outside the pattern libraries that flag English BEC and advance-fee templates. The Microsoft Digital Defense Report 2024 notes the increasing use of non-English lures to evade NLP-based detection.
Documents as payload. The three PDFs contained no malicious code, no embedded links, no JavaScript, no AcroForm exploits. They scanned clean because they were clean files. The fraud is in what they represent: forged or stolen identity documents designed to convince a bank employee to grant account access to an unauthorized party. Traditional attachment scanning looks for technical threats. It has no model for document authenticity.
CDR trust exploitation. The CDR relay did exactly what it was designed to do: sanitize attachments and forward them. But the architectural side effect of breaking authentication, combined with allow-list trust, created a blind spot where authenticated and unauthenticated mail became indistinguishable. The CDR relay effectively laundered the message's reputation.
First-time sender targeting. The attacker sent to two specific employees by name at the financial institution, both with Hispanic surnames, using a culturally appropriate greeting and closing. This level of targeting suggests reconnaissance: the attacker knew who handled account management for Spanish-speaking clients.
| Technique | ID | Usage |
|---|---|---|
| Phishing: Spearphishing Attachment | T1566.001 | Identity documents and legal filings as PDF attachments |
| Phishing for Information | T1598 | Bank account number disclosure to establish trust for follow-up fraud |
| Establish Accounts: Email Accounts | T1585.002 | Free Hotmail account with Hispanic display name |
| Trusted Relationship | T1199 | CDR relay allow-list exploited for delivery |

| Indicator | Type | Context |
|---|---|---|
| sgcmy@hotmail[.]com | Sender address | Free webmail, first-time sender |
| 44[.]206[.]222[.]91 | Relay IP | CDR sanitization relay on AWS EC2 |
| ec2-44-206-222-91[.]compute-1[.]amazonaws[.]com | PTR record | CDR relay infrastructure |
| 9417131ca14a180613348db6a284eb4d | MD5 hash | PDF attachment (power of attorney, 2.4 MB) |
| 8bc05cc98dc20f289883d305450a73c9 | MD5 hash | PDF attachment (identity document, 97 KB) |
| bfda6fa943518142de0b55c76d390b59 | MD5 hash | PDF attachment (identity document, 108 KB) |
| compauth=none reason=405 | Auth result | Authentication voided by relay re-submission |
| SCL=-1 | Spam score | Allow-list override, spam filtering skipped |
| es-MX | Content language | Mexican Spanish, targeting bilingual staff |
The FBI IC3 2024 report documents $2.77 billion in BEC losses, but the category understates the risk by focusing on English-language patterns. The IBM Cost of a Data Breach Report pegs the average social engineering breach at $4.77 million. According to the Verizon DBIR, social engineering remains the top action variety in breaches, and pretexting (which this attack exemplifies) has overtaken phishing as the dominant social vector.
This case exposes three architectural assumptions that need revisiting:
Across 1,921 organizations and 35,000+ security professionals, IRONSCALES processes an average of 67.5 threats per 100 mailboxes per month. Many of them look nothing like a phishing email in English.