Past-Due Invoice Email With an Unscannable XLSX That Cisco AMP Could Not Verdict

TL;DR An email demanding payment on a past-due balance of over $230,000 passed every authentication check including SPF, DKIM, DMARC, and ARC. The attached XLSX file triggered an X-Amp-Result of UNSCANNABLE and an X-Amp-Original-Verdict of FILE UNKNOWN from Cisco AMP, meaning the attachment was never fully analyzed. Multiple mailboxes were quarantined. The incident was later changed to clean, but the UNSCANNABLE flag documented that the attachment never received a complete scan verdict from the AMP layer.
Severity: Medium. Tags: Invoice Fraud, Attachment Evasion, BEC. MITRE ATT&CK: T1566.001 (Phishing: Spearphishing Attachment), T1027 (Obfuscated Files or Information), T1656 (Impersonation).

The email landed in multiple inboxes at once. Subject: "Past Due Invoices." The body stated plainly that a balance of $230,489.70 was overdue and requested an update or payment. It carried the name and contact information of an accounts receivable representative. The signature block was formatted like any business email. An external-email caution banner was prepended.

Every authentication header passed. The message was not coming from an attacker's throwaway domain. It was coming from a real company's email infrastructure.

The problem was the attachment.

Full Authentication, Real Sending Infrastructure

The sending address, ar@amequipment[.]com, belongs to an industrial equipment supplier with an active web presence and documented business operations. SPF passed. DKIM passed. DMARC passed. ARC passed. The sending relay was Microsoft's outbound protection layer (40[.]93[.]198[.]83), which then transitioned to a downstream email security appliance at esa.lci1.iphmx[.]com (216[.]71[.]148[.]40), consistent with a customer using a third-party email security service.

This is authentication exactly as designed. The sending domain is properly configured. The email was authorized to send from that infrastructure. Nothing in the authentication result tells the recipient whether this particular invoice demand is legitimate, whether the dollar amount is accurate, or whether paying it would route funds to the right place.

The links in the body pointed to amequipment[.]com, magneto-movement[.]com, dumorecorp[.]com, grovediecasting[.]com, and a LinkedIn page. These are all companies with documented web presences. A HubSpot newsletter signup form was embedded in the footer. Every URL scanned clean at delivery time.

The Attachment Was the Problem Nobody Could Confirm

The email carried an attachment named "Customer Ledger Entries (26).xlsx," a file of 8,457 bytes. That specific naming pattern, "Customer Ledger Entries" with a parenthetical number, is consistent with bulk-generated or templated financial documents.

Cisco AMP, the file-scanning layer, returned two header values that document the problem:

```
X-Amp-Result: UNSCANNABLE
X-Amp-Original-Verdict: FILE UNKNOWN
```

UNSCANNABLE means the engine could not complete its analysis. FILE UNKNOWN means no verdict was rendered. The AMP layer was not able to confirm the file was clean, and it was not able to confirm it was malicious. It processed the file and stopped short of a determination.

Phishing attachments crafted to evade sandbox analysis often target this gap. An XLSX file can be constructed to trigger specific parsing paths that cause scanners to time out, fail to detonate, or return inconclusive results. Common techniques include intentionally malformed structure that passes the application's renderer but breaks the scanner's parser, deeply nested embedded objects, or Excel-specific features with unusual encoding.

The incident was later reviewed and the verdict was changed to clean. That closure reflects a human or policy decision made after the UNSCANNABLE result, not a subsequent successful scan that confirmed the file contained no malicious content.

Multiple Mailboxes, Quarantine, Mitigation

The email hit multiple mailboxes, all of which were quarantined and mitigated. The external-email caution banner indicates the receiving organization had some protective policy in place. The spam confidence level (SCL) or quarantine policy caught it at the infrastructure level even though every authentication check passed.

The combination of full authentication pass and UNSCANNABLE attachment represents a specific class of detection gap. Gateways that rely heavily on scan verdicts to make quarantine decisions face a choice when the scanner cannot return a verdict: allow or block. An UNSCANNABLE result that defaults to allow bypasses the inspection layer entirely.

Business Email Compromise via invoice fraud does not require attacker-owned sending infrastructure. Sending from a real vendor's email account, real-company domain, and properly authenticated mail server produces exactly this scenario: authentication passes, links scan clean, and the only non-clean signal is an attachment the scanner cannot inspect.

The behavioral signals available at delivery included: a high-dollar payment demand to multiple simultaneous mailboxes, a first-contact invoicing email with an amount-due framing, and an attachment with an UNSCANNABLE result from the file-scanning layer. Taken together, those signals warranted quarantine regardless of the authentication outcome.

Themis, the IRONSCALES Adaptive AI engine, surfaced the UNSCANNABLE attachment combined with the financial urgency pattern and multi-mailbox targeting as a compound behavioral signal. The quarantine that followed protected recipients while the attachment remained unverified.


Indicators of Compromise

| Type | Indicator | Context |
| --- | --- | --- |
| Sending Address | ar@amequipment[.]com | Accounts receivable address, industrial equipment supplier |
| Sending Relay | 40[.]93[.]198[.]83 | Microsoft outbound protection |
| Downstream Relay | 216[.]71[.]148[.]40 | esa.lci1.iphmx[.]com, third-party email security appliance |
| Attachment | Customer Ledger Entries (26).xlsx | 8,457 bytes; AMP verdict: UNSCANNABLE / FILE UNKNOWN |
| Body Links | amequipment[.]com, magneto-movement[.]com, dumorecorp[.]com, grovediecasting[.]com | All scanned clean at delivery; real business domains |
| X-Amp-Result | UNSCANNABLE | Cisco AMP could not complete file analysis |
| X-Amp-Original-Verdict | FILE UNKNOWN | No malicious/clean verdict rendered |

MITRE ATT&CK Mapping

| Technique | ID | Relevance |
| --- | --- | --- |
| Phishing: Spearphishing Attachment | T1566.001 | XLSX attachment as primary payload carrier |
| Obfuscated Files or Information | T1027 | File structure crafted to prevent scanner analysis |
| Impersonation | T1656 | Email impersonates legitimate vendor payment demand |

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.

