The W-9 Request That Proved Itself: How a Click-Tracker PDF Targeted One Accounts-Payable Recipient

TL;DR An attacker impersonating an accounts-payable contact sent a sparse, high-priority email to a metal fabrication company's AP department. The attached PDF carried no malware but embedded an individualized click-tracker on a legitimate marketing domain, with the recipient identifier baked into the URL fragment. The tracked link pointed to a Cloudflare-hosted credential page. SPF failed on the originating IP, but Microsoft relay chains laundered the authentication signal to a compauth pass before delivery.
Severity: High | Tags: Credential Harvesting, Vendor Document Fraud, BEC | MITRE ATT&CK: T1566.001, T1598, T1656

The accounts-payable contact at a metal fabrication company received an email that looked, on the surface, like every other vendor compliance chore: someone needed an updated W-9 and Certificate of Insurance before releasing payment. The sender was "Accounts payable Template Windows NT 5.0" at jonescheng@asters[.]hk. The subject read, "Outdated Vendor Documents, Please Provide Current W-9 and COI." The body was two lines: an attention line addressed to the recipient's name and company, then "Kind regards." No PO number. No account reference. No upload portal instructions. Just the attachment.

That sparseness was not an oversight. It was architecture.

Why the PDF Was the Entire Attack

The attached file, "Scheduling report 04Jun2026.pdf," weighed about 99 KB and scanned clean across static detection engines. No macros. No executable payload. No known-bad signatures. What it contained was text designed to mimic a Microsoft productivity suite notification:

"Team added you as an internal editor. Verify your email to securely make edits to this spreadsheet. You will need to access, file expire every 7 days. Please upload current W9 and COI to have your record updated accordingly pending all vendor payment release. Office Sheets. Office Workspace."

"Office Sheets" and "Office Workspace" do not exist as Microsoft products. The branding is close enough to trigger association with Microsoft 365 and OneDrive, but vague enough to survive brand-impersonation filters that check for exact trademark matches. The urgency mechanism is the expiration countdown ("file expire every 7 days") and the payment-release condition ("pending all vendor payment release"), which tells an accounts-payable recipient that failing to act will block a supplier from getting paid. That is a highly effective pretext for the specific role targeted.

The real payload was buried in the PDF's link: a URL on stats[.]sender[.]net, a legitimate email marketing click-tracking domain. The URL carried the recipient's identifier in its fragment, the part after the #. Browsers do not send the fragment to the server, so it leaves no trace in proxy or tracker request logs, but script on the landing page can still read it. That the identifier was baked into the document at all confirms this PDF was not mass-distributed: it was built for one recipient, and that individualization is the signature of a targeted campaign. The tracked URL resolved via Cloudflare with a valid TLS certificate and returned HTTP 200, fully capable of hosting a credential collection page.

This maps directly to MITRE ATT&CK T1566.001 (spearphishing via attachment), T1598 (phishing for information, specifically the W-9 and COI themselves as document-harvest targets), and T1656 (impersonation of a vendor accounts-payable function).


How SPF Failure Became a Compauth Pass

The originating IP was 23[.]95[.]8[.]62, a CyberGateway/ColoCrossing address out of Buffalo, NY. That IP is not an authorized sender for asters[.]hk, so the SPF check at the first hop failed. On its own, that failure should have ended the delivery attempt there.

Instead, the message was picked up and relayed through Microsoft outbound infrastructure (TYPPR03CU001.outbound.protection.outlook.com). At the second ARC evaluation hop, SPF was assessed against the Microsoft relay IP, which asters[.]hk's SPF record permits because the domain routes its own outbound mail through a Microsoft tenant. That evaluation passed. The final Authentication-Results header shows compauth=pass reason=109. Microsoft documents compauth reason codes only by range: 1xx and 7xx mean the message passed composite authentication, and the last two digits are internal codes. So reason=109 records a pass, not which check produced it.

The asters[.]hk From domain publishes DMARC p=reject. That policy would have caused rejection had the receiver evaluated DMARC against the first-hop SPF failure. But DMARC is evaluated by the receiving system against the last hop it sees, and at that hop SPF passed on an asters[.]hk envelope sender that aligned with the From domain, so p=reject never fired; compauth=pass reason=109 then recorded the message as authenticated. This is a known consequence of how composite authentication and ARC interact when a message transits Microsoft infrastructure: the relay's own authentication standing stands in for the outcome the sending domain's policy was meant to enforce.
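The chain described above can be checked mechanically. The following is an added example, not IRONSCALES code: it parses the ARC-Authentication-Results hops of a message, compares the earliest SPF verdict with the one at delivery, and classifies the compauth reason code by Microsoft's documented ranges. The headers are constructed to mirror this incident (the originating IP from the IOC table fails at hop 1, a Microsoft relay passes at hop 2, the final header carries compauth=pass reason=109); the relay hostnames, the relay IP and the recipient domain are illustrative assumptions.

```python
"""Walk ARC-Authentication-Results hops and flag SPF results that flip.

Added example, not IRONSCALES code. Headers below are constructed; relay
hostnames, the relay IP and the recipient domain are assumptions.
"""
import re
from email import message_from_string
from typing import Optional

SAMPLE_HEADERS = """\
ARC-Authentication-Results: i=1; relay1.tenant-edge.invalid;
 spf=fail (sender IP is 23.95.8.62) smtp.mailfrom=asters.hk;
 dkim=none header.d=asters.hk
ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=pass
 (sender ip is 40.107.0.1) smtp.mailfrom=asters.hk;
 dkim=pass header.d=asters.hk; dmarc=pass action=none header.from=asters.hk;
 arc=pass (0 oda=1 ltdi=1)
Authentication-Results: spf=pass (sender IP is 40.107.0.1)
 smtp.mailfrom=asters.hk; dkim=pass (signature was verified)
 header.d=asters.hk;dmarc=pass action=none header.from=asters.hk;compauth=pass
 reason=109
From: "Accounts payable Template Windows NT 5.0" <jonescheng@asters.hk>
Subject: Outdated Vendor Documents, Please Provide Current W-9 and COI

"""


def parse_auth_results(value: str) -> dict:
    """Pull the fields we care about out of one (possibly folded) header value."""
    flat = " ".join(value.split())
    m = re.match(r"i=(\d+);", flat)
    fields = {"instance": int(m.group(1)) if m else None}
    for key in ("spf", "dkim", "dmarc", "arc", "compauth"):
        hit = re.search(rf"\b{key}=(\w+)", flat)
        fields[key] = hit.group(1).lower() if hit else None
    hit = re.search(r"reason=(\d{3})", flat)
    fields["reason"] = hit.group(1) if hit else None
    hit = re.search(r"sender ip is ([0-9a-f.:]+)", flat, re.I)
    fields["sender_ip"] = hit.group(1) if hit else None
    return fields


def compauth_category(reason: Optional[str]) -> str:
    """Map a compauth reason code onto the ranges Microsoft documents."""
    if reason is None:
        return "unknown"
    exact = {
        "000": "fail-explicit",            # e.g. DMARC fail with quarantine/reject
        "001": "fail-implicit",            # no/weak auth records for the domain
        "002": "fail-tenant-policy",       # sender/domain pair explicitly blocked
        "010": "fail-dmarc-accepted-domain",
    }
    if reason in exact:
        return exact[reason]
    return {
        "1": "pass", "7": "pass",          # last two digits are Microsoft-internal
        "2": "softpass", "3": "not-checked",
        "4": "bypassed", "9": "bypassed",
        "6": "fail-implicit-accepted-domain",
    }.get(reason[0], "unknown")


def analyze(raw: str) -> dict:
    """Compare the earliest recorded SPF verdict with the one at delivery."""
    msg = message_from_string(raw)
    hops = sorted(
        (parse_auth_results(v) for v in msg.get_all("ARC-Authentication-Results", [])),
        key=lambda h: h["instance"] or 0,
    )
    final = parse_auth_results(msg.get("Authentication-Results", ""))
    earliest = hops[0] if hops else final
    # The laundering signal: SPF failed where the mail entered the chain and
    # passes at delivery because a later relay is in the domain's SPF record.
    laundered = earliest["spf"] in {"fail", "softfail"} and final["spf"] == "pass"
    return {
        "hops": hops,
        "earliest_spf": earliest["spf"],
        "earliest_ip": earliest["sender_ip"],
        "final_spf": final["spf"],
        "final_ip": final["sender_ip"],
        "compauth": final["compauth"],
        "compauth_category": compauth_category(final["reason"]),
        "laundered": laundered,
    }


if __name__ == "__main__":
    for k, v in analyze(SAMPLE_HEADERS).items():
        if k != "hops":
            print(f"{k}: {v}")
```

Treat the earliest hop as forensic context rather than an authoritative verdict: ARC headers are only as trustworthy as the sealer that wrote them, so a rule built on this should also require that the ARC chain validates and that the sealer is one you trust.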

This is not an exotic zero-day in Microsoft Exchange. It is a relay-trust mechanic that attackers with access to any Microsoft-routing-adjacent infrastructure can exploit repeatedly. The Verizon 2026 Data Breach Investigations Report finds that 39% of breached credentials appear somewhere across the attack kill chain. W-9 harvesting is direct credential and tax-identity acquisition, not a stepping stone.

The Targeting Signal That Scanners Cannot See

The individualized click-tracker is the detail that separates this from spray phishing. Bulk credential-harvest campaigns reuse the same landing URL across thousands of targets because individual tracking adds operational overhead. Embedding a unique recipient identifier in a PDF link requires generating a distinct document per target. That is reconnaissance-backed targeting, consistent with vendor email compromise playbooks where attackers research AP department contacts before launching.

The FBI IC3's 2024 Internet Crime Report puts BEC losses at over $2.7 billion for the year. Vendor-document fraud occupies a specific niche in that category: it harvests credentials and compliance documents simultaneously, giving the attacker both account access and enough legitimate-looking paperwork to impersonate the vendor in downstream payment fraud. The IBM Cost of a Data Breach 2024 puts the average breach cost at $4.88 million, with phishing and stolen credentials among the top initial access vectors contributing to that figure.

For manufacturing companies, AP departments are natural targets. They manage high-volume vendor relationships and expect document requests as a routine part of onboarding and compliance cycles. An "update your W-9 or your payment is held" pretext fits that operational reality precisely. The IRONSCALES manufacturing security data shows this sector consistently ranks among the most heavily targeted for vendor-document pretexts.

What Defenders Need to Catch This

Static PDF scanning will not flag a file whose only content is text and a link to a legitimate marketing tracker domain. The detection surface here is behavioral:

A first-time sender (confirmed by the incident data: zero prior correspondence between this address and the recipient organization) sending a high-priority email with a PDF attachment but no PO, account number, or relationship context is anomalous regardless of what the PDF contains. The combination of first-time sender status, high-priority flags, and an attachment addressed specifically to the recipient's role should elevate scrutiny independently of attachment scan verdicts.

IRONSCALES Adaptive AI flagged this message for community-based reputation signals and sender behavioral inconsistencies. Themis, the agentic AI virtual SOC analyst, identified credential-theft patterns and VIP recipient flags. The individual click-tracker URL, embedded inside the PDF rather than in the email body, would be invisible to link-scanning that operates only on message body URLs. Detection required analyzing OCR-extracted PDF text and correlating the embedded domain against tracker-platform reputation.
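The two detection points just described, the link hidden inside the PDF rather than the body and the combination of weak sender signals, can be demonstrated together. The following is an added example, not IRONSCALES code: it scans an uncompressed PDF's bytes for /URI link actions, flags links on a click-tracker host that carry a per-recipient identifier in the fragment or query, and combines that with first-time-sender status, the priority flag and the absence of any PO, invoice or account reference in the body. The PDF, the recipient address, the tracker token, the body text and the scoring threshold are constructed assumptions; the tracker host is the one named in this write-up.

```python
"""Extract link targets from a PDF and combine them with sender context.

Added example, not IRONSCALES code. The PDF, recipient, token, body text
and threshold are constructed assumptions; stats.sender.net is the tracker
host from the write-up.
"""
import re
from urllib.parse import urlsplit, unquote

# Minimal uncompressed PDF with one link annotation (constructed).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 72 300 100]
  /A << /S /URI /URI (https://stats.sender.net/c/9f31a2#rid=ap.contact%40target.example) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Legitimate click-tracking hosts seen abused; only the incident's host is
# listed here, extend from your own telemetry.
TRACKER_HOSTS = {"stats.sender.net"}

_URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
_URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]+)>")
# An e-mail address, a long hex token, or a long opaque token.
_IDENT = re.compile(r"[\w.+-]+@[\w.-]+\.\w+|(?<![0-9a-f])[0-9a-f]{16,}|[A-Za-z0-9_-]{20,}")
# A PO / invoice / account reference that contains at least one digit.
_REFERENCE = re.compile(
    r"\b(?:PO\b|P\.O\.|purchase order\b|invoice\b|account\b|acct\b)\s*"
    r"(?:#|no\.?|number)?\s*[A-Z0-9-]*\d[A-Z0-9-]*", re.I)


def extract_pdf_links(pdf: bytes) -> list:
    """Return /URI targets from an uncompressed PDF.

    Caveat: links inside Flate-compressed object streams are invisible to a
    byte-level scan; decompress the file first (e.g. with pikepdf).
    """
    links = []
    for raw in _URI_LITERAL.findall(pdf):
        # Undo the PDF literal-string escapes that matter in URLs.
        text = raw.replace(rb"\(", b"(").replace(rb"\)", b")").replace(rb"\\", b"\\")
        links.append(text.decode("latin-1"))
    for hexstr in _URI_HEX.findall(pdf):
        links.append(bytes.fromhex(re.sub(rb"\s", b"", hexstr).decode("ascii")).decode("latin-1"))
    return links


def classify_link(url: str) -> dict:
    """Flag links on tracker hosts and any per-recipient identifier they carry."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # The fragment never reaches the server, so it is the natural place to
    # hide a recipient tag; check it alongside the query string.
    carrier = unquote(parts.fragment + "&" + parts.query)
    ident = _IDENT.search(carrier)
    return {
        "url": url,
        "host": host,
        "tracker": host in TRACKER_HOSTS,
        "recipient_identifier": ident.group(0) if ident else None,
    }


def assess(first_time_sender: bool, priority_header: str, body: str, pdf: bytes) -> dict:
    """Combine weak signals; each one alone is low risk, the set is not."""
    links = [classify_link(u) for u in extract_pdf_links(pdf)]
    reasons = []
    if first_time_sender:
        reasons.append("first-time sender, no prior correspondence")
    if priority_header.strip().startswith("1"):
        reasons.append("high-priority flag")
    if pdf and not _REFERENCE.search(body):
        reasons.append("attachment with no PO/invoice/account reference in body")
    for link in links:
        if link["tracker"]:
            reasons.append(f"PDF link on click-tracker host {link['host']}")
        if link["recipient_identifier"]:
            reasons.append("per-recipient identifier embedded in PDF link")
    score = len(reasons)  # threshold of 4 is an assumption, tune to your data
    return {"score": score, "verdict": "quarantine" if score >= 4 else "deliver",
            "reasons": reasons, "links": links}


if __name__ == "__main__":
    body = "ATTN: AP Contact, Example Fabrication\n\nKind regards"
    print(assess(True, "1 (Highest)", body, SAMPLE_PDF))
```

Note that the same tracker link in a message from a known sender with a PO number in the body scores far lower; the point of the combination is that the PDF alone never gets the message past the threshold.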

The IRONSCALES BEC protection capability addresses this class of attack specifically: impersonation of vendor roles combined with document-request pretexts that bypass attachment and body URL scanning. The Microsoft Digital Defense Report 2024 confirms that phishing remains the dominant initial access vector, with social-engineering content quality continuing to improve. A two-line email body with a personalized attachment is not unsophisticated. It is deliberately minimal to reduce the signal available to content classifiers.

Defanged IOC Table

Type | Indicator | Context
Sender email | jonescheng@asters[.]hk | From address, first-time sender
Sender domain | asters[.]hk | DMARC p=reject; WHOIS shows no clear owner
Originating IP | 23[.]95[.]8[.]62 | CyberGateway/ColoCrossing, Buffalo NY; failed SPF
Click-tracker domain | stats[.]sender[.]net | Legitimate marketing tracker abused; individualized recipient identifier in the PDF link's fragment

The clean PDF, the legitimate tracker domain, and the vendor-onboarding pretext each individually score low risk. Together, with a first-time sender and zero relationship context, they describe a targeted credential-harvest operation. That combination is the signal.

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack. What it looked like, why it worked, and what to do about it.

Related attacks

Attack | What happened
The Zoho Invoice That Was Four Months Late (And Kept Its Receipts on Google Drive) | A Zoho Books invoice for $802.50 arrived four months past due and passed initial authentication checks.
The Domain Was 14 Days Old. Zoho Authenticated It Anyway. | A freshly registered domain used Zoho's transactional email service to pass SPF, DKIM, and DMARC checks.
The Audit Request That Passed Every Authentication Check: How a Compromised Nonprofit Account Weaponized URL Shorteners | A phishing campaign hijacked a legitimate nonprofit email account to send fraudulent audit requests with malicious URL shortener links.
Every Authentication Check Passed. The Display Name Was the Weapon. | An attacker impersonated a known contact's display name from an authenticated business domain, embedding a Google Form as the data-collection vehicle.
Mimecast SafeLinks Phishing: Wrapped URLs Hide Lookalike Domains | Attackers routed a credential-harvesting link through Mimecast SafeLinks so the recipient saw a Mimecast-rewritten URL.
