TL;DR A phishing message posing as a voicemail notification arrived from a legitimate nonprofit domain that passed SPF, DKIM, and DMARC. Six of its seven links pointed to the real organization's website and were clean. The seventh, labeled Mailbox, downloaded a Windows executable from a 26-day-old privacy-protected domain flagged malicious by public sandboxing. Because the sender was authentically the nonprofit, not a spoof, reputation and authentication checks passed the message. Behavioral analysis, not sender trust, caught it. Treat trusted-sender email as a delivery channel for malware, not a safe list.
Severity: High Malware Delivery Phishing Account Compromise MITRE: T1566.002 MITRE: T1204.002

The subject line said "Voicemail Message." The body was two polite sentences: a brief voicemail had been prepared for review, and it could be accessed through a link labeled Mailbox. Underneath sat a full corporate signature. A name, a job title, a mobile number, a street address, and a link to the sender organization's real website.

Every visible detail was consistent with a legitimate nonprofit. The sending domain passed SPF, DKIM, and DMARC. The signature pointed to a real community-services organization. Six of the seven links in the message resolved to that organization's own website and social pages, and all six came back clean.

The only thing wrong was where the Mailbox link went. Straight to a Windows executable named hmlineea.exe, hosted on a domain that was 26 days old.

Real Authentication, Not a Spoof

This is the detail that matters, so it is worth being precise. The message was not spoofed. It was not sent from a lookalike domain. It arrived over the nonprofit's actual mail infrastructure, routed through the organization's commercial gateway and Microsoft 365, and it passed all three authentication protocols cleanly.

SPF (Sender Policy Framework) confirms the sending IP is authorized for the domain. DKIM (DomainKeys Identified Mail) confirms the message was cryptographically signed by that domain. DMARC (Domain-based Message Authentication, Reporting, and Conformance, now specified in RFC 9989) ties the two together and told receivers to quarantine anything that failed. Nothing failed. The domain published a p=quarantine policy and the message satisfied it.

Authentication proves who sent a message. It says nothing about intent. When a real mailbox is compromised or an authorized account is misused, everything it sends inherits the domain's authentication and its reputation. That is what happened here. The nonprofit was not the attacker. It was another victim, its trusted identity borrowed to carry a payload the recipient organization had every reason to open.

Six Clean Links and One That Wasn't

Attackers do not usually mix legitimate links with malicious ones by accident. The ratio is the tell. When six of seven links point to a real, verifiable organization, a scanner that samples links or weights domain reputation sees an overwhelmingly clean message. The one hostile link rides along.

That seventh link, labeled Mailbox, resolved to hxxps://db2000[.]net/v25/hmlineea.exe. There was no audio file, no web player, no notification page. It was a direct download of a Windows PE executable. Legitimate voicemail systems do not deliver messages as .exe files, and the gap between the stated purpose and the actual artifact is the entire attack in one line.

The payload host held up under scrutiny in every way you would expect of disposable attacker infrastructure. WHOIS put the registration at just 26 days before delivery, through NameSilo, behind PrivacyGuardian registrant masking, with Cloudflare name servers. Public sandbox analysis of hmlineea.exe returned malicious behavior, and automated link analysis scored the URL at 0.95 on a 0-to-1 risk scale and identified it as serving a Windows executable.

See Your Risk: Calculate how many threats your SEG is missing

Mapping the Chain

Stripped of the trust dressing, the technique is straightforward and maps cleanly to two MITRE ATT&CK behaviors.

TypeIndicatorContext
URLhxxps://db2000[.]net/v25/hmlineea.exeMalicious payload link, labeled "Mailbox"
Domaindb2000[.]netPayload host, registered 26 days before attack, privacy-protected
Filehmlineea.exeWindows PE executable, sandbox-confirmed malicious

What Actually Caught It

Reputation gave this message a pass. So did authentication. The signal that flagged it came from behavior, not identity.

Themis, the IRONSCALES agentic AI analyst, treated the authenticated sender as a starting question rather than a verdict. The sender was external and writing to these recipients for the first time, the Mailbox link resolved to a malicious payload host, and the language and structure matched patterns seen in prior phishing. Layered with community reputation data drawn from a global network of security professionals, the Adaptive AI engine scored the message a high-confidence phishing attempt at 87 percent and quarantined it across every affected mailbox, despite the clean authentication result.

That is the difference between a static allow list and a system that keeps asking whether behavior fits the sender. A trusted domain is an input to the decision, not the decision itself. The same community intelligence that surfaced this pattern flags it faster the next time it appears from a different compromised sender.

The Takeaway for Trusted Senders

The 2026 Verizon Data Breach Investigations Report found that roughly 10 percent of the attacks reaching email gateways carry malware, and that phishing remains an initial access vector in 16 percent of breaches. The Microsoft Digital Defense Report 2024 documents the same shift toward abusing legitimate services and identities to slip past reputation controls. Attackers know that a message from a known, authenticated domain gets the benefit of the doubt.

Three practical moves follow from this case. First, stop treating authentication as a trust signal. SPF, DKIM, and DMARC prove origin, not safety, and a compromised sender passes all three. Second, inspect the payload and the sender relationship independently of the domain, especially for first-time senders bearing links to freshly registered hosts. Advanced malware and URL protection that detonates and analyzes the destination catches what reputation misses. Third, follow the network-defender guidance in the CISA phishing advisory and remove executable delivery paths so that a voicemail link can never become a running process.

A voicemail should never be a .exe. When the sender is trusted and the file is not, trust the file analysis.

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack. What it looked like, why it worked, and what to do about it.

Related attacks

Attack What happened
When the Safety Wrapper Becomes the Disguise: Brazilian NF-e Phishing via Safe Links RewriteA Portuguese-language invoice lure authenticated through a compromised Brazilian domain used is.gd to hide its payload.
The PDF Passed Every Scanner. Then It Opened a Browser Tab.A 46KB PDF arrived clean on every attachment scanner.
The Password Expiry Email That Hid Its Destination in a Base64 FragmentA password-expiry lure used a Base64-encoded URL fragment to hide its Shopify-hosted credential harvesting page from link scanners.
The Shipping Notice That Hid a Windows Executable Inside a PNGA routine freight arrival notice from a legitimate logistics domain passed SPF, DKIM, and DMARC.
Sign Here, Get Phished: Inside an Adobe Sign Lure With a Multi-Hop Redirect to Credential TheftAn Adobe Sign e-signature lure routed recipients through a multi-hop redirect chain ending at fameklinik[.]com.

Explore More Articles

Say goodbye to Phishing, BEC, and QR code attacks. Our Adaptive AI automatically learns and evolves to keep your employees safe from email attacks.