A $48,500 invoice hit the accounts payable inbox of a mid-size financial institution on April 3, 2026. The sender claimed to be a legal advisor at Imperium Executive Legal LLC. The email included a fabricated approval thread, a programmatically generated PDF with wire instructions, and a W-9 for credibility. Standard payment diversion playbook.
What made this one different: the message transited a Votiro content disarm and reconstruction (CDR) relay before reaching the target. That relay, a legitimate email sanitization tool, broke SPF alignment and triggered a DMARC failure on a domain publishing p=reject. The attacker's message arrived through a security vendor's infrastructure, creating an authentication profile that was simultaneously suspicious and explainable.
A Fabricated Thread Built for AP Automation
The attack began not with the April 3 email, but with the conversation it pretended to continue. The message body contained a multi-turn thread dating back to March 26, complete with quoted replies and the conversational cadence of a real engagement.
The fabricated thread established three things. First, a senior executive had already approved the invoice ("Invoice is approved, payment will be released in accordance with the agreed terms"). Second, the legal engagement was already underway, with a document checklist and prior calls referenced. Third, the payment destination was explicitly stated: the AP inbox at the target organization.
This is textbook BEC construction. The attacker front-loaded social proof so the AP team would see pre-authorization and skip verification. The FBI IC3 2024 report attributed over $6.5 billion in losses to BEC and investment fraud, with payment diversion as the dominant sub-type.
The sender, robert.reese@stellarliterary[.]com, was a first-time contact. The domain was registered in 2020 via GoDaddy with SPF and DMARC configured (p=reject), but contained a misspelled DMARC report address (sterllarliterary) and no discoverable DKIM selectors, consistent with a compromised or minimally maintained domain.
The PDF That Passed Every Scan
Two attachments accompanied the email: invoice_62.pdf and a W-9 filing for the supposed legal entity.
The invoice PDF was generated by wkhtmltopdf 0.12.6 with a creation timestamp of April 3, 2026, 17:56 UTC. Same-day generation of a retainer invoice referencing a week-old engagement is a timing red flag. Legitimate retainers come from accounting platforms, not command-line HTML-to-PDF converters.
Inside the PDF: routing number 071025661, account number 4853367330, and SWIFT code HATRUS44XXX (BMO). The invoice listed Imperium Executive Legal LLC as the billing entity, but the contact email pointed to Tim@warnerinsure[.]com, an insurance agency. That entity mismatch is a hallmark of templated fraud where the attacker swaps banking details but forgets to sanitize all contact fields.
No embedded JavaScript, no AcroForm objects, no executable payloads. Every scanner returned a clean verdict. The threat was not in the file's code. It was in its content.
When the Security Relay Becomes the Evasion Vector
The relay chain tells the real story:
- The message originated from the sender's Microsoft 365 tenant with SPF pass, DKIM pass, and DMARC pass (ARC i=1 recorded all three).
- It entered votiro-relay1.prod.votiro[.]com at 44[.]206[.]213[.]130 (AWS EC2, Ashburn). Votiro performed CDR on the attachments and marked the message X-MTConnectorResult: Sanitized.
- Votiro forwarded the message from its own IP, which is not listed in stellarliterary[.]com's SPF record (only _spf-usg2.ppe-hosted[.]com and secureserver[.]net are authorized).
Result: SPF softfail. DMARC fail with action=oreject. ARC chain validation cv=fail at i=3.
A DMARC p=reject failure should trigger message rejection. But organizations deploying CDR solutions typically allowlist the relay IP or trust the ARC chain. The attacker routed through a path that converted a hard authentication failure into an explainable anomaly.
The relay stripped potential malware from the PDFs (already clean) while breaking the authentication chain that might have flagged the message. The Verizon 2024 DBIR documented a 50% increase in social engineering attacks. This case maps to T1566.001 (Spearphishing Attachment) and T1036.005 (Masquerading: Match Legitimate Name).
Mixed-Signal Authentication Defeated the Automated Stack
The authentication fingerprint was uniquely difficult for automated systems:
| Check | Result | Explanation |
|---|---|---|
| SPF (original) | Pass | Sender's M365 tenant authorized |
| DKIM (original) | Pass | Recorded at ARC i=1 |
| DMARC (original) | Pass | Alignment confirmed at first hop |
| SPF (final) | Softfail | Votiro IP not in sender's SPF |
| DKIM (final) | None | Message not re-signed after relay |
| DMARC (final) | Fail (p=reject) | Alignment broken by relay |
| ARC | cv=fail at i=3 | Chain integrity lost |
| Composite Auth | None (reason 452) | Microsoft could not validate |
For a rule-based gateway, this profile is contradictory. The message originally authenticated, but the final hop broke everything. The SCL (spam confidence level) was set to -1, meaning the message bypassed spam filtering entirely.
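As an added example (not Votiro's, Microsoft's or the author's code, and not the real message headers), here is how a mail-flow policy can walk an ARC chain and refuse to let a relay allowlist convert a p=reject failure into silent delivery. The hostnames, selectors and seal values below are constructed to mirror the chain described above; the relay IP in the allowlist is the one listed in this article.

```python
import re
from email import message_from_string

# Hypothetical allowlist of sanitization relays that legitimately sit in the path.
TRUSTED_RELAY_IPS = {"44.206.213.130"}

# Constructed headers, newest instance first as in a real message: i=1 is the
# sender's own tenant (everything passes), i=2 is the CDR relay's evaluation,
# i=3 is the receiving tenant after the relay re-sent the message from its own IP.
SAMPLE_HEADERS = (
    "ARC-Seal: i=3; a=rsa-sha256; s=sel3; d=mx.receiver.example; cv=fail; b=AAAA\n"
    "ARC-Authentication-Results: i=3; mx.receiver.example; "
    "spf=softfail (sender ip is 44.206.213.130) smtp.mailfrom=stellarliterary.example; "
    "dkim=none; dmarc=fail action=oreject header.from=stellarliterary.example\n"
    "ARC-Seal: i=2; a=rsa-sha256; s=sel2; d=cdr-relay.example; cv=pass; b=BBBB\n"
    "ARC-Authentication-Results: i=2; cdr-relay.example; "
    "spf=pass smtp.mailfrom=stellarliterary.example; dkim=pass header.d=stellarliterary.example; "
    "dmarc=pass header.from=stellarliterary.example\n"
    "ARC-Seal: i=1; a=rsa-sha256; s=sel1; d=sender-tenant.example; cv=none; b=CCCC\n"
    "ARC-Authentication-Results: i=1; sender-tenant.example; "
    "spf=pass smtp.mailfrom=stellarliterary.example; dkim=pass header.d=stellarliterary.example; "
    "dmarc=pass header.from=stellarliterary.example\n"
)


def _instance(value):
    m = re.search(r"\bi=(\d+)", value)
    return int(m.group(1)) if m else None


def parse_arc_chain(raw_headers):
    """Return {instance: {spf, dkim, dmarc, action, sender_ip, cv}} from ARC headers."""
    msg = message_from_string(raw_headers)
    hops = {}
    for value in msg.get_all("ARC-Authentication-Results", []):
        results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value))
        ip = re.search(r"sender ip is ([\d.]+)", value)
        action = re.search(r"\baction=(\w+)", value)
        results["sender_ip"] = ip.group(1) if ip else None
        results["action"] = action.group(1) if action else None
        hops[_instance(value)] = results
    for value in msg.get_all("ARC-Seal", []):
        cv = re.search(r"\bcv=(\w+)", value)
        hops.setdefault(_instance(value), {})["cv"] = cv.group(1) if cv else None
    return hops


def evaluate_arc_chain(raw_headers, trusted_relays=TRUSTED_RELAY_IPS):
    """Decide what to do with a message whose final-hop DMARC result disagrees with earlier hops."""
    hops = parse_arc_chain(raw_headers)
    if not hops:
        return {"action": "no_arc_chain", "reasons": [], "cv_fail_at": [], "hops": hops}
    first, last = hops[min(hops)], hops[max(hops)]
    cv_fail_at = sorted(i for i, h in hops.items() if h.get("cv") == "fail")
    reasons = []
    if last.get("dmarc") == "pass":
        action = "deliver"
    else:
        if last.get("sender_ip") in trusted_relays:
            reasons.append(f"alignment broken by trusted relay {last['sender_ip']}")
        if first.get("dmarc") == "pass":
            reasons.append(f"authenticated at i={min(hops)} but failing at i={max(hops)}")
        if cv_fail_at:
            reasons.append(f"ARC cv=fail at i={cv_fail_at}")
        # An explainable failure is still a failure: route it to review instead of
        # letting the relay allowlist turn the sender's p=reject into silent delivery.
        action = "hold_for_review" if reasons else "enforce_sender_dmarc_policy"
    return {"action": action, "reasons": reasons, "cv_fail_at": cv_fail_at, "hops": hops}


if __name__ == "__main__":
    verdict = evaluate_arc_chain(SAMPLE_HEADERS)
    print(verdict["action"])
    for reason in verdict["reasons"]:
        print(" -", reason)
```

The decision deliberately does not distinguish "relay we trust" from "relay we do not": either way the message fails the sender's policy, and the allowlist only explains why, so the outcome is a review queue rather than a delivery with SCL -1.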
We flagged this incident through behavioral analysis: a first-time external sender targeting accounts payable directly, payment instructions exceeding $48,000, a fabricated approval thread, and entity mismatches in the attached invoice. Those signals do not require a working DKIM signature. They require understanding what the email is trying to accomplish. As CISA's phishing guidance emphasizes, verifying payment requests through independent channels remains the most effective BEC defense.
The Relay Chain and IOCs
| Type | Indicator | Context |
|---|---|---|
| Email | robert.reese@stellarliterary[.]com | Sender address (first-time, high-risk) |
| Domain | stellarliterary[.]com | Sender domain, GoDaddy, registered 2020-08-02 |
| Email | Tim@warnerinsure[.]com | Contact email in invoice PDF (entity mismatch) |
| Domain | warnerinsure[.]com | Invoice contact domain (insurance, not legal) |
| IP | 44[.]206[.]213[.]130 | Votiro relay IP (AWS EC2, Ashburn VA) |
| Hostname | votiro-relay1.prod.votiro[.]com | CDR sanitization relay |
| Attachment | invoice_62.pdf (MD5: 928a59703752db005060176d891e0518) | Programmatic PDF, wkhtmltopdf 0.12.6 |
| Attachment | w-9_Imperium executive legal LLC.pdf (MD5: f987ad6ec850f0065093ceee2456a5c2) | Supporting W-9 document |
| Banking | Routing 071025661, Account 4853367330, SWIFT HATRUS44XXX | Wire instructions in invoice |
| Invoice | INV-2026-88, $48,500.00 | Fraudulent invoice identifier |
What This Means for Your Mail Flow
If your organization uses a CDR or email sanitization relay, audit how those relays interact with your SPF and DMARC enforcement. Specifically:
- Do not treat CDR-sanitized messages as inherently safe. File sanitization removes embedded threats. It does not evaluate whether the invoice is real or the banking details are legitimate.
- Audit your ARC trust policy. Verify that a cv=fail at any hop triggers additional scrutiny rather than silent delivery.
- Flag first-time senders to financial functions. Any first-contact email to accounts payable containing payment instructions should trigger a hold for out-of-band verification, regardless of authentication status.
- Cross-reference entity names in attachments. When the billing entity, contact email domain, and banking institution are three different companies, the document is almost certainly fabricated.
- Treat fabricated threads as a BEC indicator. Quoted "approval" messages from executives that do not appear in your mail logs are evidence of social engineering, not authorization.
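The behavioral signals described earlier (first-time sender to accounts payable, payment instructions above a threshold, a quoted approval that never appears in your own logs, entity mismatch in the invoice, a command-line-generated PDF) can be checked without a working DKIM signature. The following is an added example, not any vendor's detection logic: the mailbox names, sender history, mail-log index, threshold, banking digits and sample messages are constructed placeholders, and the entity-mismatch heuristic (comparing billing entity, invoice contact domain and sender domain) is a simplification for illustration.

```python
import re
from dataclasses import dataclass, field

# Hypothetical environment data; a real deployment would pull these from the
# mail system, a sender-reputation store and the message-tracking log.
FINANCE_MAILBOXES = {"ap@victim.example"}
KNOWN_SENDERS = {"billing@longtime-vendor.example"}
LOGGED_MESSAGE_IDS = {"<real-thread-1@victim.example>"}
AMOUNT_THRESHOLD = 10_000.00
PROGRAMMATIC_PRODUCERS = ("wkhtmltopdf",)   # CLI HTML-to-PDF converters, as in the article


@dataclass
class InvoiceEmail:
    sender: str
    recipient: str
    invoice_text: str          # text extracted from the attached PDF
    pdf_producer: str          # PDF /Producer metadata
    billing_entity: str        # "bill from" name printed on the invoice
    contact_email: str         # contact address printed on the invoice
    quoted_message_ids: list = field(default_factory=list)  # Message-IDs of quoted replies


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def _org_tokens(name):
    stop = {"llc", "inc", "ltd", "corp", "the", "and"}
    return {t for t in re.findall(r"[a-z]+", name.lower()) if len(t) >= 4 and t not in stop}


def has_payment_instructions(text):
    """A routing/ABA number together with an account number is a wire instruction."""
    return bool(re.search(r"\b(routing|aba)\b.*?\d{9}", text, re.I | re.S)
                and re.search(r"\baccount\b.*?\d{6,}", text, re.I | re.S))


def parse_amount(text):
    amounts = [float(a.replace(",", "")) for a in re.findall(r"\$\s?([\d,]+\.\d{2})", text)]
    return max(amounts, default=0.0)


def entity_mismatches(email):
    """Pairs among billing entity, invoice contact domain and sender domain that do not line up."""
    tokens = _org_tokens(email.billing_entity)
    contact = _domain(email.contact_email).split(".")[0]
    sender = _domain(email.sender).split(".")[0]
    found = set()
    if not any(t in contact for t in tokens):
        found.add("contact_vs_billing")
    if not any(t in sender for t in tokens):
        found.add("sender_vs_billing")
    if contact != sender:
        found.add("contact_vs_sender")
    return found


def assess(email):
    signals = []
    if email.recipient.lower() in FINANCE_MAILBOXES and email.sender.lower() not in KNOWN_SENDERS:
        signals.append("first_contact_to_finance")
    if has_payment_instructions(email.invoice_text):
        signals.append("payment_instructions")
    amount = parse_amount(email.invoice_text)
    if amount >= AMOUNT_THRESHOLD:
        signals.append("amount_over_threshold")
    if any(mid not in LOGGED_MESSAGE_IDS for mid in email.quoted_message_ids):
        signals.append("fabricated_thread")   # quoted "approval" that our own logs never saw
    if len(entity_mismatches(email)) >= 2:
        signals.append("entity_mismatch")
    if email.pdf_producer.lower().startswith(PROGRAMMATIC_PRODUCERS):
        signals.append("programmatic_pdf")
    # First contact plus wire instructions is held regardless of SPF/DKIM/DMARC outcome.
    if "first_contact_to_finance" in signals and "payment_instructions" in signals:
        action = "hold_for_out_of_band_verification"
    elif len(signals) >= 2:
        action = "review"
    else:
        action = "deliver"
    return {"action": action, "signals": signals, "amount": amount}


# Constructed sample modelled on the case above (placeholder banking digits).
SAMPLE = InvoiceEmail(
    sender="robert.reese@stellarliterary.example",
    recipient="ap@victim.example",
    invoice_text=("INV-2026-88  Retainer  Total Due: $48,500.00\n"
                  "Routing (ABA): 123456789  Account: 000011112222  SWIFT: PLACEHOLDERX\n"
                  "Billing contact: Tim@warnerinsure.example"),
    pdf_producer="wkhtmltopdf 0.12.6",
    billing_entity="Imperium Executive Legal LLC",
    contact_email="Tim@warnerinsure.example",
    quoted_message_ids=["<approval-1@stellarliterary.example>"],
)

# Constructed control: a known vendor, no wire instructions, consistent entities.
LEGIT = InvoiceEmail(
    sender="billing@longtime-vendor.example",
    recipient="ap@victim.example",
    invoice_text="Invoice 1001  Total: $1,250.00  Payment via the existing vendor portal",
    pdf_producer="Acme Accounting Platform 4.2",
    billing_entity="Longtime Vendor Inc",
    contact_email="billing@longtime-vendor.example",
)

if __name__ == "__main__":
    for label, msg in (("sample", SAMPLE), ("legit", LEGIT)):
        print(label, assess(msg))
```

The hold decision is intentionally independent of the authentication stack: a first-contact sender delivering wire instructions to AP goes to out-of-band verification whether DMARC passed, failed, or was explained away by a relay.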
The Microsoft Digital Defense Report 2024 noted that BEC attacks increasingly exploit legitimate infrastructure to bypass authentication. The IBM Cost of a Data Breach Report 2024 found BEC breaches averaged $4.88 million per incident. The attacker did not need to defeat your security tools. They just needed to route through one.