A $48,500 invoice hit the accounts payable inbox of a mid-size financial institution on April 3, 2026. The sender claimed to be a legal advisor at Imperium Executive Legal LLC. The email included a fabricated approval thread, a programmatically generated PDF with wire instructions, and a W-9 for credibility. Standard payment diversion playbook.
What made this one different: the message transited a Votiro content disarm and reconstruction (CDR) relay before reaching the target. That relay, a legitimate email sanitization tool, broke SPF alignment and triggered a DMARC failure on a domain publishing p=reject. The attacker's message arrived through a security vendor's infrastructure, creating an authentication profile that was simultaneously suspicious and explainable.
The attack began not with the April 3 email, but with the conversation it pretended to continue. The message body contained a multi-turn thread dating back to March 26, complete with quoted replies and the conversational cadence of a real engagement.
The fabricated thread established three things. First, a senior executive had already approved the invoice ("Invoice is approved, payment will be released in accordance with the agreed terms"). Second, the legal engagement was already underway, with a document checklist and prior calls referenced. Third, the payment destination was explicitly stated: the AP inbox at the target organization.
This is textbook BEC construction. The attacker front-loaded social proof so the AP team would see pre-authorization and skip verification. The FBI IC3 2024 report attributed over $6.5 billion in losses to BEC and investment fraud, with payment diversion as the dominant sub-type.
The sender, robert.reese@stellarliterary[.]com, was a first-time contact. The domain was registered in 2020 via GoDaddy with SPF and DMARC configured (p=reject), but contained a misspelled DMARC report address (sterllarliterary) and no discoverable DKIM selectors, consistent with a compromised or minimally maintained domain.
Two attachments accompanied the email: invoice_62.pdf and a W-9 filing for the supposed legal entity.
The invoice PDF was generated by wkhtmltopdf 0.12.6 with a creation timestamp of April 3, 2026, 17:56 UTC. Same-day generation of a retainer invoice referencing a week-old engagement is a timing red flag. Legitimate retainers come from accounting platforms, not command-line HTML-to-PDF converters.
Inside the PDF: routing number 071025661, account number 4853367330, and SWIFT code HATRUS44XXX (BMO). The invoice listed Imperium Executive Legal LLC as the billing entity, but the contact email pointed to Tim@warnerinsure[.]com, an insurance agency. That entity mismatch is a hallmark of templated fraud where the attacker swaps banking details but forgets to sanitize all contact fields.
No embedded JavaScript, no AcroForm objects, no executable payloads. Every scanner returned a clean verdict. The threat was not in the file's code. It was in its content.
See Your Risk: Calculate how many threats your SEG is missing
The relay chain tells the real story:
votiro-relay1.prod.votiro[.]com at 44[.]206[.]213[.]130 (AWS EC2, Ashburn). Votiro performed CDR on the attachments and marked the message X-MTConnectorResult: Sanitized.stellarliterary[.]com's SPF record (only _spf-usg2.ppe-hosted[.]com and secureserver[.]net are authorized).Result: SPF softfail. DMARC fail with action=oreject. ARC chain validation cv=fail at i=3.
A DMARC p=reject failure should trigger message rejection. But organizations deploying CDR solutions typically allowlist the relay IP or trust the ARC chain. The attacker routed through a path that converted a hard authentication failure into an explainable anomaly.
The relay stripped potential malware from the PDFs (already clean) while breaking the authentication chain that might have flagged the message. The Verizon 2024 DBIR documented a 50% increase in social engineering attacks. This case maps to T1566.001 (Spearphishing Attachment) and T1036.005 (Masquerading: Match Legitimate Name).
The authentication fingerprint was uniquely difficult for automated systems:
| Check | Result | Explanation |
|---|---|---|
| SPF (original) | Pass | Sender's M365 tenant authorized |
| DKIM (original) | Pass | Recorded at ARC i=1 |
| DMARC (original) | Pass | Alignment confirmed at first hop |
| SPF (final) | Softfail | Votiro IP not in sender's SPF |
| DKIM (final) | None | Message not re-signed after relay |
| DMARC (final) | Fail (p=reject) | Alignment broken by relay |
| ARC | cv=fail at i=3 | Chain integrity lost |
| Composite Auth | None (reason 452) | Microsoft could not validate |
For a rule-based gateway, this profile is contradictory. The message originally authenticated, but the final hop broke everything. The SCL was set to -1, meaning it bypassed spam filtering entirely.
We flagged this incident through behavioral analysis: a first-time external sender targeting accounts payable directly, payment instructions exceeding $48,000, a fabricated approval thread, and entity mismatches in the attached invoice. Those signals do not require a working DKIM signature. They require understanding what the email is trying to accomplish. As CISA's phishing guidance emphasizes, verifying payment requests through independent channels remains the most effective BEC defense.
| Type | Indicator | Context |
|---|---|---|
robert.reese@stellarliterary[.]com | Sender address (first-time, high-risk) | |
| Domain | stellarliterary[.]com | Sender domain, GoDaddy, registered 2020-08-02 |
Tim@warnerinsure[.]com | Contact email in invoice PDF (entity mismatch) | |
| Domain | warnerinsure[.]com | Invoice contact domain (insurance, not legal) |
| IP | 44[.]206[.]213[.]130 | Votiro relay IP (AWS EC2, Ashburn VA) |
| Hostname | votiro-relay1.prod.votiro[.]com | CDR sanitization relay |
| Attachment | invoice_62.pdf (MD5: 928a59703752db005060176d891e0518) | Programmatic PDF, wkhtmltopdf 0.12.6 |
| Attachment | w-9_Imperium executive legal LLC.pdf (MD5: f987ad6ec850f0065093ceee2456a5c2) | Supporting W-9 document |
| Banking | Routing 071025661, Account 4853367330, SWIFT HATRUS44XXX | Wire instructions in invoice |
| Invoice | INV-2026-88, $48,500.00 | Fraudulent invoice identifier |
If your organization uses a CDR or email sanitization relay, audit how those relays interact with your SPF and DMARC enforcement. Specifically:
The Microsoft Digital Defense Report 2024 noted that BEC attacks increasingly exploit legitimate infrastructure to bypass authentication. The IBM Cost of a Data Breach Report 2024 found BEC breaches averaged $4.88 million per incident. The attacker did not need to defeat your security tools. They just needed to route through one.