Most phishing emails pick a lane. One malicious attachment. One credential-harvesting link. Maybe a QR code if the attacker is feeling creative.
This one picked all three.
A single email targeting an employee at a community bank carried a malicious XLSX spreadsheet with QR code instructions, a Microsoft Safe Links-wrapped redirect pointing to an unrelated SmartLink domain, and a .ics calendar invite with a typosquatted organizer address. Three independent vectors, each designed to funnel the recipient toward the same credential-harvesting destination. If one path failed, two more waited.
IRONSCALES flagged this attack within minutes. Here is how each vector worked, and why the combination matters more than the sum of its parts.
The Setup: A Salary Review Nobody Requested
The email arrived with the subject line "[IMPORTANT] Update Required: Q4 Salary Review" and high-priority flags set across every available header (X-Priority: 1, Importance: High, Priority: urgent). The body impersonated "OfficeTools Document Services," referencing a document titled "Vantage_07918 - Disbursement Approval" and inviting the recipient to click a "View Document" button.
The From address was emailxoj@netvigator[.]com. The Reply-To was noreply@vantage[.]bank. The Sender header was calnder@vantage[.]bank, with a conspicuous typo ("calnder" instead of "calendar"). Three different identities in one message, none of them consistent with each other, and the two vantage[.]bank identities chosen to suggest the email originated from inside the recipient's own financial institution.
According to the Verizon 2024 Data Breach Investigations Report, pretexting attacks (social engineering with fabricated scenarios) now account for over 40% of social engineering incidents. This salary review lure fits the pattern exactly.
Vector 1: The Malicious XLSX With QR Code Instructions
The attached file, Vantage_Document_eric.thompson.xlsx, was flagged malicious immediately (SHA256: 87b73d04ae08633fa1846bad74ea0a84c87b6bf837dcc1707cea98c39bde9b47). The spreadsheet contained no macros and no embedded URLs. Instead, it displayed text instructing the recipient to "Scan QR Code" or "visit the link provided in your email" to access the full document.
This is the off-document payload pattern. The XLSX itself is clean enough to pass static scanning and sandbox detonation because nothing malicious lives in it; the malicious content lives elsewhere, and the file's only job is to redirect human behavior. Its document metadata records openpyxl as the creator with a creation timestamp of March 23, 2026, a signature consistent with automated campaign tooling rather than a workbook saved from Excel. The Microsoft Digital Defense Report 2024 documented a 146% increase in adversary-in-the-middle attacks, the category of credential theft this kind of off-document redirection feeds into.
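As an added example (not code from the article or from IRONSCALES), the following Python script performs the static triage that identifies this off-document pattern: it checks an .xlsx for VBA, external-link and embedding parts, reads the creator and creation timestamp from docProps/core.xml (openpyxl writes its own name there unless the author overrides it), and scans the shared-string table and worksheet relationships for URLs and lure phrases. The workbook it inspects is constructed in memory to mirror the description above; the lure-phrase list and the sample cell text are assumptions, not the real attachment.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# OOXML namespaces for the parts we inspect
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "s": "http://schemas.openxmlformats.org/spreadsheetml/2006/main",
}
# Phrases that push the reader off the document and back to the email (assumed list)
LURE_PHRASES = ("scan qr code", "visit the link", "provided in your email", "view document")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def build_sample_xlsx(strings, creator="openpyxl", created="2026-03-23T10:15:00Z"):
    """Constructed stand-in for the attachment: a minimal workbook with no VBA part,
    no hyperlink relationships, and the lure text in the shared-string table."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        z.writestr("docProps/core.xml",
                   "<cp:coreProperties xmlns:cp='%s' xmlns:dc='%s' xmlns:dcterms='%s'>"
                   "<dc:creator>%s</dc:creator><dcterms:created>%s</dcterms:created>"
                   "</cp:coreProperties>" % (NS["cp"], NS["dc"], NS["dcterms"], creator, created))
        z.writestr("xl/workbook.xml", "<workbook xmlns='%s'/>" % NS["s"])
        z.writestr("xl/sharedStrings.xml",
                   "<sst xmlns='%s'>%s</sst>" % (NS["s"], "".join("<si><t>%s</t></si>" % s for s in strings)))
    return buf.getvalue()


def triage_xlsx(data):
    """Static triage of an .xlsx: active-content parts, link parts, creator metadata,
    and lure text that sends the reader somewhere the file itself never references."""
    z = zipfile.ZipFile(io.BytesIO(data))
    names = set(z.namelist())
    report = {
        "has_vba": "xl/vbaProject.bin" in names,
        "has_external_links": any(n.startswith("xl/externalLinks/") for n in names),
        "has_embeddings": any(n.startswith("xl/embeddings/") for n in names),
        "creator": None, "created": None, "urls": [], "lure_phrases": [],
    }
    if "docProps/core.xml" in names:
        core = ET.fromstring(z.read("docProps/core.xml"))
        report["creator"] = core.findtext("dc:creator", namespaces=NS)
        report["created"] = core.findtext("dcterms:created", namespaces=NS)
    text = ""
    if "xl/sharedStrings.xml" in names:
        sst = ET.fromstring(z.read("xl/sharedStrings.xml"))
        text = " ".join(t.text or "" for t in sst.iter("{%s}t" % NS["s"]))
    # Hyperlink targets live in worksheet relationship parts; plain URLs in cell text count too
    for n in names:
        if n.startswith("xl/worksheets/_rels/"):
            report["urls"] += URL_RE.findall(z.read(n).decode("utf-8", "replace"))
    report["urls"] += URL_RE.findall(text)
    low = text.lower()
    report["lure_phrases"] = [p for p in LURE_PHRASES if p in low]
    # The off-document pattern: nothing executable, nothing linked, but text that redirects the human
    report["off_document_lure"] = (not report["has_vba"] and not report["urls"]
                                   and bool(report["lure_phrases"]))
    return report


# Constructed sample mirroring what the article describes, not the real attachment
SAMPLE_XLSX = build_sample_xlsx([
    "Vantage_07918 - Disbursement Approval",
    "Scan QR Code or visit the link provided in your email to access the full document",
])

if __name__ == "__main__":
    for key, value in triage_xlsx(SAMPLE_XLSX).items():
        print(f"{key}: {value}")
```

A verdict of `off_document_lure` is the interesting output: a file with no active content and no URLs is not "clean", it is a file whose payload you have to go looking for in the rest of the message.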
QR code phishing attacks have surged because they shift the attack surface from the desktop (where email security tools operate) to the mobile device (where they do not). The FBI IC3 2024 Annual Report documented a sharp increase in QR-facilitated credential theft, particularly targeting financial services employees.
Vector 2: The Safe Links-Wrapped SmartLink Redirect
The "View Document" button in the email body linked to a Microsoft Safe Links-wrapped URL. After unwrapping, the destination resolved to t-sml[.]mtrbio[.]com/public/smartlink/onedrive-msexchange-workers-dev-email-160.
That domain, mtrbio[.]com, has no affiliation with OfficeTools, the impersonated bank, or any document management service. WHOIS records show it was registered through Webempresa Europa on September 5, 2024, with privacy protection enabled and AWS Route 53 name servers. The subdomain (t-sml) and URL path (/public/smartlink/) mimic the structure of legitimate SmartLink document-sharing services, but the hosting infrastructure tells a different story.
The URL path included "onedrive-msexchange-workers-dev," a string designed to look like an internal Microsoft development endpoint. It is not. This kind of path construction exploits the trust that security analysts place in recognizable brand strings within URLs.
Vector 3: The Calendar Invite With a Typosquatted Organizer
The third attachment was a .ics calendar file. When opened, it would auto-populate the recipient's calendar with a meeting invitation. The organizer address was set to calnder@vantage[.]bank. That is not a real address at the bank. It is a typosquatted variation ("calnder" instead of "calendar") designed to pass a quick visual scan.
Calendar invites are effective spear phishing tools because they bypass the inbox entirely once accepted. The meeting sits in the recipient's calendar, appearing legitimate, with embedded links or instructions that persist long after the original email might be deleted or quarantined. According to CISA's phishing guidance, calendar-based delivery is increasingly used to establish persistence after initial delivery.
The .ics filename itself was telling: Review Required - 657269632e74686f6d70736f6e4076616e746167652e62616e6b.ics. That hex string decodes to the recipient's full email address. The attacker embedded targeting data directly in the filename, likely for campaign tracking across a batch operation.
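An added example, not from the article: a Python triage routine for the .ics vector that decodes hex runs in the attachment filename, unfolds and parses the invite per RFC 5545, and scores the organizer address against a list of known organizer addresses with a similarity ratio so that a one-character edit like calnder/calendar stands out. The invite body and the known-organizer list (calendar@vantage[.]bank) are constructed assumptions; the article does not reproduce the real .ics contents.

```python
import re
from difflib import SequenceMatcher

# A run of 16+ hex digits not adjacent to other hex digits (short hex-looking words are ignored)
HEX_RUN = re.compile(r"(?<![0-9A-Fa-f])([0-9A-Fa-f]{16,})(?![0-9A-Fa-f])")


def decode_hex_tokens(filename):
    """Return (token, decoded) pairs for hex runs in a filename that decode to printable ASCII."""
    out = []
    for tok in HEX_RUN.findall(filename):
        if len(tok) % 2:
            continue
        raw = bytes.fromhex(tok)
        if raw and all(0x20 <= b < 0x7F for b in raw):
            out.append((tok, raw.decode("ascii")))
    return out


def unfold_ics(text):
    """RFC 5545 line unfolding: a line break followed by one space or tab is a continuation."""
    return re.sub(r"\r?\n[ \t]", "", text)


def parse_ics(text):
    """Collect property values from an iCalendar body, stripping mailto: from address-valued ones."""
    props = {}
    for line in unfold_ics(text).splitlines():
        if ":" not in line:
            continue
        name_params, value = line.split(":", 1)
        name = name_params.split(";", 1)[0].upper()
        if name in ("ORGANIZER", "ATTENDEE") and value.lower().startswith("mailto:"):
            value = value[len("mailto:"):]
        props.setdefault(name, []).append(value)
    return props


def similarity(a, b):
    """Case-insensitive similarity ratio; close to 1.0 but not equal is the typosquat signal."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def triage_invite(filename, ics_text, recipient, known_organizers, threshold=0.85):
    """Flag hex-encoded targeting data in the filename and lookalike organizers in the invite."""
    props = parse_ics(ics_text)
    findings = []
    for tok, decoded in decode_hex_tokens(filename):
        note = f"filename token {tok[:12]}... decodes to '{decoded}'"
        if decoded.lower() == recipient.lower():
            note += " (matches recipient)"
        findings.append(note)
    for org in props.get("ORGANIZER", []):
        if org.lower() in (k.lower() for k in known_organizers):
            continue
        closest = max(known_organizers, key=lambda k: similarity(org, k))
        score = similarity(org, closest)
        if threshold <= score < 1.0:
            findings.append(f"organizer {org} is a lookalike of {closest} (similarity {score:.2f})")
        else:
            findings.append(f"organizer {org} is not a known organizer")
    return props, findings


# Constructed sample invite; the real .ics body is not reproduced in the article.
# The DESCRIPTION is folded mid-word to exercise unfolding.
SAMPLE_FILENAME = "Review Required - 657269632e74686f6d70736f6e4076616e746167652e62616e6b.ics"
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0", "METHOD:REQUEST", "BEGIN:VEVENT",
    "UID:vantage-07918@example.invalid",
    "ORGANIZER;CN=Vantage Calendar:mailto:calnder@vantage.bank",
    "ATTENDEE;ROLE=REQ-PARTICIPANT:mailto:eric.thompson@vantage.bank",
    "SUMMARY:[IMPORTANT] Update Required: Q4 Salary Review",
    "DESCRIPTION:Open the attached document and follow the instruc",
    " tions to complete your review.",
    "END:VEVENT", "END:VCALENDAR",
])

if __name__ == "__main__":
    props, findings = triage_invite(SAMPLE_FILENAME, SAMPLE_ICS,
                                    "eric.thompson@vantage.bank", ["calendar@vantage.bank"])
    print(props["ORGANIZER"], props["DESCRIPTION"])
    for f in findings:
        print("-", f)
```

The threshold is deliberately below 1.0 and above the noise floor: an exact match is a known sender, a near match is the lookalike worth flagging, and anything further away is simply unknown.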
The Authentication Shell Game
The email's authentication results tell two stories. At the first hop (wbironout4b[.]netvigator[.]com, IP 210[.]87[.]247[.]43), SPF passed, DKIM passed, and DMARC passed. That is expected: DMARC evaluates only the From header domain, netvigator[.]com, which aligned with the domains SPF and DKIM authenticated. The Reply-To and Sender identities pointing at vantage[.]bank are outside DMARC's scope, so the message looked legitimate.
Then it transited through a Votiro CDR (Content Disarm and Reconstruction) gateway hosted on AWS (44[.]206[.]222[.]91). CDR gateways are legitimate security tools. They strip and reconstruct potentially dangerous content from attachments. But the reconstruction process altered the message body, which invalidated the DKIM body hash (the bh= tag), and the gateway's AWS address is not an authorized sender in netvigator[.]com's SPF record, so SPF re-evaluated at the next hop no longer passed. Post-gateway results: SPF softfail, DKIM fail, DMARC fail.
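To make the DKIM mechanics concrete, here is an added example (not from the article) in Python that implements the simple and relaxed body canonicalizations from RFC 6376, computes the bh= tag, and verifies it against a DKIM-Signature value. It shows which changes the signer tolerates (whitespace under relaxed) and which break the hash (any content rewrite, such as a gateway appending a notice). The message bodies and the DKIM-Signature value are constructed; b= is a placeholder because the example covers only the body hash, not the signature over the headers.

```python
import base64
import hashlib
import re


def canon_body_simple(body):
    """DKIM 'simple' body canonicalization (RFC 6376 s3.4.3): normalize line endings,
    drop trailing empty lines, and leave exactly one CRLF at the end."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith("\r\n") else body + "\r\n"


def canon_body_relaxed(body):
    """DKIM 'relaxed' body canonicalization (RFC 6376 s3.4.4): collapse runs of
    whitespace to one space, strip trailing whitespace per line, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)


def body_hash(body, canon="relaxed", algo="sha256"):
    """The bh= value: base64 of the digest over the canonicalized body."""
    text = canon_body_relaxed(body) if canon == "relaxed" else canon_body_simple(body)
    return base64.b64encode(hashlib.new(algo, text.encode("utf-8")).digest()).decode("ascii")


def parse_dkim_tags(header_value):
    """Split 'tag=value; tag=value' into a dict; values may be folded across lines."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def verify_body_hash(dkim_signature_value, body):
    """Recompute bh= from the body as received and compare with what the signer committed to."""
    tags = parse_dkim_tags(dkim_signature_value)
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) > 1 else "simple"
    algo = tags.get("a", "rsa-sha256").split("-", 1)[1]
    return body_hash(body, body_canon, algo) == tags["bh"]


def make_dkim_header(body, canon="relaxed/relaxed"):
    """Build a DKIM-Signature value whose bh= matches the body. b= is a placeholder:
    this example exercises only the body hash, not the RSA signature over the headers."""
    return ("v=1; a=rsa-sha256; c=%s; d=netvigator.com; s=selector; "
            "h=from:to:subject:date; bh=%s; b=PLACEHOLDER" % (canon, body_hash(body, canon.split("/")[1])))


# Constructed bodies: what the signer saw, a whitespace-only variant that relaxed
# canonicalization tolerates, and a gateway-reconstructed body with a notice appended.
ORIGINAL_BODY = ("<p>OfficeTools Document Services</p>\r\n"
                 "<p>Vantage_07918 - Disbursement Approval</p>\r\n"
                 "<a href=\"https://example.invalid/view\">View Document</a>\r\n")
WHITESPACE_VARIANT = (ORIGINAL_BODY.replace("Disbursement Approval", "Disbursement \t Approval")
                      .replace("</a>\r\n", "</a>  \r\n") + "\r\n\r\n")
CDR_REWRITTEN_BODY = ORIGINAL_BODY + "<p>Attachment sanitized by content disarm gateway.</p>\r\n"

if __name__ == "__main__":
    sig = make_dkim_header(ORIGINAL_BODY)
    print("bh=", parse_dkim_tags(sig)["bh"])
    print("original verifies:  ", verify_body_hash(sig, ORIGINAL_BODY))
    print("whitespace variant: ", verify_body_hash(sig, WHITESPACE_VARIANT))
    print("after CDR rewrite:  ", verify_body_hash(sig, CDR_REWRITTEN_BODY))
```

The point for triage: a bh= mismatch on its own tells you the body changed after signing, not who changed it. The same failure appears whether a CDR gateway rebuilt an attachment or an attacker swapped the body in transit.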
This is where most email authentication frameworks hit their limit. The original authentication passed. The failures downstream look like gateway artifacts, not attack indicators, and a security team reviewing the headers could reasonably dismiss them as expected CDR behavior. ARC (RFC 8617) exists so that an intermediary can seal the results it observed and the final receiver can rely on them; without an ARC chain, the receiver cannot tell a benign rewrite from a tampered message, and the attacker benefits from that ambiguity.
IRONSCALES identified the attack through behavioral signals that authentication headers cannot capture: first-time sender status, envelope inconsistencies across From/Reply-To/Sender fields, the malicious attachment verdict, and the mismatch between the impersonated brand (OfficeTools) and the actual link destination. These are the signals that matter when authentication alone is not enough.
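The following added example (not IRONSCALES code) shows the correlations above, together with the Safe Links unwrapping from Vector 2, in one Python triage function over a raw message: it collects the domains asserted by From, Reply-To and Sender, parses every Authentication-Results header so the first hop's verdict can be compared with the last hop's, unwraps Safe Links hrefs to their url= destination, and compares the registrable domain of each link with the impersonated domain. The message is constructed from the header relationships described in the article; the Safe Links host, the gateway hostname and the data= token are illustrative values, and the registrable-domain helper is a simplification that ignores the public suffix list.

```python
import html
import re
from email import message_from_string
from email.utils import getaddresses
from urllib.parse import parse_qs, urlparse

SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.I)


def unwrap_safelinks(url):
    """Return the original destination behind a Safe Links wrapper (its url= query parameter)."""
    parsed = urlparse(url)
    if parsed.hostname and parsed.hostname.lower().endswith(SAFELINKS_SUFFIX):
        inner = parse_qs(parsed.query).get("url")
        if inner:
            return inner[0]
    return url


def registrable_domain(host):
    """Last two labels of a hostname. Simplification: no public-suffix list, so co.uk-style TLDs are wrong."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def identity_domains(msg):
    """Domains asserted by the three header identities DMARC does not reconcile with each other."""
    return {hdr: {addr.rsplit("@", 1)[1].lower()
                  for _, addr in getaddresses(msg.get_all(hdr, [])) if "@" in addr}
            for hdr in ("From", "Reply-To", "Sender")}


def auth_results_by_hop(msg):
    """Authentication-Results headers as (authserv-id, {method: result}), newest hop first."""
    hops = []
    for raw in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in " ".join(raw.split()).split(";") if p.strip()]
        results = {}
        for p in parts[1:]:
            m = re.match(r"(\w+)=(\w+)", p)
            if m:
                results[m.group(1).lower()] = m.group(2).lower()
        hops.append((parts[0].split()[0], results))
    return hops


def triage_message(raw_message, impersonated_domains):
    """Correlate identity consistency, per-hop authentication and unwrapped link destinations."""
    msg = message_from_string(raw_message)
    ids = identity_domains(msg)
    hops = auth_results_by_hop(msg)
    first, last = (hops[-1], hops[0]) if hops else (None, None)   # oldest evaluator is last in the list
    body = msg.get_payload() if not msg.is_multipart() else ""
    links = [unwrap_safelinks(html.unescape(h)) for h in HREF_RE.findall(body)]
    link_domains = sorted({registrable_domain(urlparse(u).hostname or "") for u in links})
    findings = []
    if len(set().union(*ids.values())) > 1:
        findings.append("From/Reply-To/Sender assert different domains: %s" % ids)
    if (first and last and first is not last
            and first[1].get("dmarc") == "pass" and last[1].get("dmarc") != "pass"):
        findings.append("authentication passed at %s but failed at %s: re-evaluate the first hop, "
                        "do not treat the downstream failure as a gateway artifact" % (first[0], last[0]))
    off_brand = [d for d in link_domains if d not in impersonated_domains]
    if off_brand:
        findings.append("links resolve to %s, unrelated to the impersonated domain(s)" % off_brand)
    return {"identities": ids, "first_hop": first, "last_hop": last,
            "links": links, "link_domains": link_domains, "findings": findings}


# Constructed message reproducing the header relationships the article describes.
# Safe Links host, gateway hostname and data= token are illustrative, not captured values.
SAMPLE_EML = """\
Authentication-Results: mx.vantage.bank; spf=softfail smtp.mailfrom=emailxoj@netvigator.com; dkim=fail (body hash did not verify) header.d=netvigator.com; dmarc=fail header.from=netvigator.com
Received: from cdr-gateway.example.invalid (44.206.222.91) by mx.vantage.bank
Authentication-Results: cdr-gateway.example.invalid; spf=pass smtp.mailfrom=emailxoj@netvigator.com; dkim=pass header.d=netvigator.com; dmarc=pass header.from=netvigator.com
Received: from wbironout4b.netvigator.com (210.87.247.43) by cdr-gateway.example.invalid
From: OfficeTools Document Services <emailxoj@netvigator.com>
Reply-To: noreply@vantage.bank
Sender: calnder@vantage.bank
To: eric.thompson@vantage.bank
Subject: [IMPORTANT] Update Required: Q4 Salary Review
X-Priority: 1
Content-Type: text/html; charset=utf-8

<p>Vantage_07918 - Disbursement Approval</p>
<a href="https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Ft-sml.mtrbio.com%2Fpublic%2Fsmartlink%2Fonedrive-msexchange-workers-dev-email-160&amp;data=05%7C01&amp;reserved=0">View Document</a>
"""

if __name__ == "__main__":
    for line in triage_message(SAMPLE_EML, {"vantage.bank"})["findings"]:
        print("-", line)
```

Each finding on its own is weak; a first-time sender with all three together is the profile this message presents, and none of it is visible from the final-hop DMARC verdict alone.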
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Domain | mtrbio[.]com | SmartLink redirect host, registered Sep 2024 via Webempresa Europa |
| URL | hxxps://t-sml[.]mtrbio[.]com/public/smartlink/onedrive-msexchange-workers-dev-email-160 | Credential harvesting redirect destination |
| Domain | t-sml[.]mtrbio[.]com | SmartLink subdomain impersonating document service |
| Email | emailxoj@netvigator[.]com | Envelope sender / From address |
| Email | calnder@vantage[.]bank | Typosquatted Sender header and .ics organizer |
| IP | 210[.]87[.]247[.]43 | Sending relay (netvigator.com) |
| IP | 44[.]206[.]222[.]91 | Votiro CDR gateway relay (AWS EC2) |
| Hash (SHA256) | 87b73d04ae08633fa1846bad74ea0a84c87b6bf837dcc1707cea98c39bde9b47 | Malicious XLSX attachment |
| Hash (MD5) | c08b0fe953903801a319ca82c2548d83 | Malicious XLSX attachment |
| MITRE | T1566.001 | Spearphishing Attachment |
| MITRE | T1566.002 | Spearphishing Link |
| MITRE | T1204.001 | User Execution: Malicious Link |
| MITRE | T1204.002 | User Execution: Malicious File |
What This Attack Teaches About Layered Delivery
The IBM Cost of a Data Breach Report 2024 found that phishing-initiated breaches cost organizations an average of $4.88 million. Multi-vector delivery compounds that risk. Single-vector phishing gives defenders one thing to catch. This attack gave the recipient three independent paths to compromise, and it needed only one to succeed. The XLSX targets users who prefer attachments. The SmartLink targets users who click buttons. The calendar invite targets users who manage their schedule reflexively.
Traditional SEG-based defenses evaluate each element in isolation. The link scanned clean through Safe Links. The .ics file scanned clean. Only the XLSX triggered a malicious verdict, and its payload lived outside the file itself. An integrated platform that correlates sender behavior, envelope inconsistencies, attachment verdicts, and link destinations simultaneously is what closes the gap between "partially detected" and "fully stopped."
IRONSCALES quarantined this email within five minutes of delivery. All three vectors, neutralized in a single action.