Authenticated Dutch Email from WBG Pooling Carries Undecodable Barcode in Signature Image

Written by Audian Paxson | Dec 4, 2025 5:45:00 AM
TL;DR An email from wbg-pooling[.]eu (a legitimate German logistics and pooling company) passed SPF and DKIM authentication. The message included a JPEG signature image containing a barcode that could not be decoded by standard barcode analysis tools. The contact name listed in the signature could not be verified through public business records or LinkedIn. This was a first-time sender to the target organization with no prior communication history.

What Happened

An email arrived from wbg-pooling[.]eu, a domain belonging to a legitimate German logistics company that provides pooling and container management services. SPF passed. DKIM passed. The sending infrastructure was consistent with the domain registration and the company's business profile.

The email included a JPEG signature image that contained an embedded barcode. When the barcode was analyzed with standard decoding tools, it could not be read. The barcode format did not match common symbologies (Code 128, QR, EAN, Data Matrix), and no data payload could be extracted from the image.

The signature listed the contact name "Marie-Chantal Hackstedt." A search through public business registries, LinkedIn, and company directories returned no verifiable match for this individual at WBG Pooling or related entities. The name could not be confirmed as a real employee.

This was a first-time sender. The domain wbg-pooling[.]eu had never previously communicated with the target organization through any channel tracked by the email security platform.

Why It Matters

The combination of a legitimate domain, passing authentication, and professional formatting creates an email that clears every automated checkpoint. The barcode in the signature image adds a layer of concern that traditional email gateway security cannot evaluate. Text-based content analysis reads the email body and headers, but the barcode exists purely as image data. Without optical recognition and barcode-specific decoding, the content of the barcode is invisible to the scanning pipeline.

An undecodable barcode has multiple possible explanations. It could be a proprietary internal tracking code used by the company. It could be a decorative element scraped from a real signature and re-embedded in a spoofed template. Or it could be deliberately encoded with a non-standard symbology to carry data that only specific reader applications can interpret.

The unverifiable contact name adds a second behavioral anomaly. Legitimate business communications from established companies typically come from employees who have some discoverable public presence. When the sender name cannot be confirmed through any public directory, the email loses the implicit trust that a known-sender relationship provides.

How IRONSCALES Caught It

Adaptive AI email security flagged this message through first-time sender detection. Despite the passing authentication and legitimate domain, the absence of any prior communication between wbg-pooling[.]eu and the target organization elevated the risk score. The unverifiable contact name and the presence of an image-embedded barcode that could not be decoded provided additional behavioral signals that reinforced the HIGH risk classification.

The community intelligence network was consulted but had not yet seen this specific sender pattern across other tenants. The risk assessment was driven entirely by behavioral analysis at the individual organization level.
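
The signals described above (passing authentication, no sender history, image content that text analysis never reads) can be combined in a triage check. The Python below is an added example, not IRONSCALES code or the original email; the sample message, the placeholder domains, the `known_domains` history set and the signal names are all constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (not the email from this case); all domains are placeholders.
SAMPLE_EML = """\
From: "Sample Contact" <contact@logistics.example>
Subject: Aanvraag
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=logistics.example; dkim=pass header.d=logistics.example
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Goedendag,</p><img src="cid:sig1">
--b1
Content-Type: image/jpeg
Content-ID: <sig1>

constructed-placeholder-not-real-jpeg-bytes
--b1--
"""

def auth_results(msg):
    """Map each method in Authentication-Results to its result, e.g. spf -> pass."""
    out = {}
    for header in msg.get_all("Authentication-Results", []):
        for clause in str(header).split(";")[1:]:  # first field is the authserv-id
            method, _, rest = clause.strip().partition("=")
            if rest:
                out[method.lower()] = rest.split()[0].lower()
    return out

def triage(raw, known_domains):
    """Collect behavioral signals; passing SPF/DKIM is reported but clears nothing."""
    msg = email.message_from_string(raw, policy=policy.default)
    domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    auth = auth_results(msg)
    images = [p.get_content_type() for p in msg.walk()
              if p.get_content_maintype() == "image"]
    signals = []
    if domain not in known_domains:  # no prior communication history
        signals.append("first_time_sender")
    if images:  # image data that text-only body/header analysis never reads
        signals.append("image_content_unread_by_text_scan")
    authenticated = auth.get("spf") == "pass" and auth.get("dkim") == "pass"
    return {"domain": domain, "authenticated": authenticated,
            "images": images, "signals": signals, "needs_review": bool(signals)}
```

Image parts flagged this way would still need optical and barcode-specific decoding before their content can be assessed.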

Indicators of Compromise

| Indicator | Type | Value |
| --- | --- | --- |
| Case ID | Internal | a7fe490d0bba6b688e7c32a75811109d |
| Sender Domain | Domain | wbg-pooling[.]eu |
| Domain Origin | WHOIS | Germany |
| Contact Name | Identity | Marie-Chantal Hackstedt (unverifiable) |
| Signature Image | Attachment | JPEG with embedded barcode |
| Barcode Status | Analysis | Undecodable |
| First-Time Sender | Behavioral | Yes |
| SPF | Authentication | pass |
| DKIM | Authentication | pass |

MITRE ATT&CK Mapping

| Tactic | Technique | ID | Notes |
| --- | --- | --- | --- |
| Reconnaissance | Gather Victim Identity Information | T1589 | First-time sender probing organizational responsiveness |
| Defense Evasion | Obfuscated Files or Information | T1027 | Undecodable barcode embedded in signature image |
| Initial Access | Phishing | T1566 | Authenticated email from legitimate domain |
| Resource Development | Establish Accounts | T1585 | Unverifiable contact identity at real company |

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 30,000+ security professionals. Each post breaks down one attack — what it looked like, why it worked, and what you can do about it.