The email came from noreply@wipo[.]int. SPF passed. DKIM passed. DMARC passed. The sending IP was 193[.]5[.]93[.]4, which resolves to mx1.wipo.int, a mail server operated by the World Intellectual Property Organization. The message was not spoofed. It was not forged. It passed every authentication check because it was genuinely sent through WIPO infrastructure. The attached PDF was clean. And the entire thing was social engineering.
The Notice That Looked Exactly Right
The email was a short formal notice referencing International Registration No. 1742546. It used a generic salutation ("Dear Sir, Madam,"), included a WIPO-style signature block with the Geneva headquarters address, and directed the recipient to open the attached notification (letter.pdf). Two links in the body pointed to legitimate WIPO documents on wipo.int.
The PDF was one page. Static analysis found no JavaScript, no interactive form fields, no embedded URLs, no executable content. Antivirus returned clean. Sandbox detonation had nothing to detonate. The document contained cancellation and payment language formatted to match WIPO's Madrid System correspondence, referencing the specific registration number and the named holder.
Every technical indicator said this message was safe.
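The static checks described above can be reproduced with the Python standard library. The block below is an added example, not the analysis tooling behind this write-up: it counts the PDF name tokens a scanner keys on (scripting, automatic actions, forms, external links, embedded files) and, because object streams can hide a catalog and its actions inside a FlateDecode stream, it also inflates those streams before counting. Both PDFs are constructed inline; the second is a deliberate counter-example that a raw byte scan passes and an inflated scan does not.

```python
import re
import zlib

# Name tokens that give a scanner something to act on: scripting, automatic
# actions, forms, external links and embedded payloads.
RISK_NAMES = (
    b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
    b"/AcroForm", b"/URI", b"/EmbeddedFile", b"/RichMedia", b"/SubmitForm",
)

# A stream body runs from the keyword to the matching endstream keyword.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)


def _inflate_streams(data: bytes) -> bytes:
    """Inflate every FlateDecode stream and return the bodies joined together.

    Object streams (/Type /ObjStm) can hold whole objects, catalog included,
    inside a compressed stream, so a raw byte scan never sees their names.
    """
    bodies = []
    for m in STREAM_RE.finditer(data):
        # The owning dictionary sits just before the stream keyword.
        head = data[max(0, m.start() - 300):m.start()]
        if b"/FlateDecode" not in head:
            continue
        try:
            bodies.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # corrupt or non-zlib data: nothing further to inspect
    return b"\n".join(bodies)


def pdf_risk_indicators(data: bytes, inflate: bool = True) -> dict:
    """Count risky PDF name tokens in the raw bytes and, if asked, in the
    inflated stream bodies. An empty dict is what "clean static analysis"
    looked like for the notice described above."""
    haystack = data
    if inflate:
        haystack += b"\n" + _inflate_streams(data)
    counts = {}
    for name in RISK_NAMES:
        # The lookahead stops /JS from matching a longer name such as /JSDoc.
        hits = re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", haystack)
        if hits:
            counts[name.decode()] = len(hits)
    return counts


def _build_pdf(objects: list) -> bytes:
    """Assemble a minimal PDF from object bodies (constructed test input)."""
    out = bytearray(b"%PDF-1.7\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objects) + 1, xref)
    return bytes(out)


# Constructed stand-in for a one-page, text-only notice: no actions, no forms.
CLEAN_PDF = _build_pdf([
    b"<< /Type /Catalog /Pages 2 0 R >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R >>",
    b"<< /Length 58 >>\nstream\nBT /F1 12 Tf 72 720 Td (Notice of cancellation) Tj ET\nendstream",
])

# Constructed counter-example: the catalog and an OpenAction JavaScript
# action live inside a compressed object stream, invisible to a raw scan.
_HIDDEN = (b"<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >>\n"
           b"<< /S /JavaScript /JS (app.alert(1)) >>")
_HIDDEN_Z = zlib.compress(_HIDDEN)
HIDDEN_JS_PDF = _build_pdf([
    b"<< /Type /ObjStm /N 2 /First 0 /Filter /FlateDecode /Length %d >>\nstream\n%s\nendstream"
    % (len(_HIDDEN_Z), _HIDDEN_Z),
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
])

if __name__ == "__main__":
    print("clean notice:", pdf_risk_indicators(CLEAN_PDF))
    print("hidden JS, raw scan only:", pdf_risk_indicators(HIDDEN_JS_PDF, inflate=False))
    print("hidden JS, streams inflated:", pdf_risk_indicators(HIDDEN_JS_PDF))
```

A zero count from this scanner says exactly what the page says about letter.pdf: the file carries no technical payload. It says nothing about what the text asks the reader to do, which is where this notice lived.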
What Made It Dangerous
The danger was not in the code. It was in the content. A trademark cancellation notice from an intergovernmental organization carries institutional authority that most recipients will not question. The instruction to "refer to the attached notification" moves the recipient from reading to acting, and the cancellation framing creates urgency without using the crude "your account will be locked" language that spam filters catch.
If the recipient acted on the notice, whether by calling a number, wiring a payment, or replying with sensitive information, the compromise would happen entirely outside the email channel. No link click. No credential form. No malware execution. The attack surface was the recipient's trust in the institution, not their browser.
Why Gateways Cannot Catch This
Authentication passed because the infrastructure was legitimate. The PDF was clean because it carried no technical payload. The links went to real WIPO pages. There was nothing for a scanner to flag. The attack lived in a blind spot where technical controls have no visibility: the gap between "this message is authenticated" and "this message is legitimate." SPF, DKIM and DMARC establish that a message really came from the domain it claims; they say nothing about whether its content is an impersonation or whether the request in it should be acted on.
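The distinction above can be made operational in a post-delivery triage step that records the authentication verdict as a fact and then decides on content and relationship signals instead. The block below is an added example, not IRONSCALES code: it parses the Authentication-Results header, confirms SPF, DKIM and DMARC all passed, and then scores the message on first-contact sender, an instruction to act on an attachment, payment and cancellation language, and a generic salutation. The sample message is constructed to resemble the notice described above (it is not the captured email), and the known_senders set is a hypothetical stand-in for a relationship history.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample modelled on the notice described above; not the captured
# message. Only the headers and phrasing needed for triage are kept.
SAMPLE_MESSAGE = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=wipo.int; dkim=pass header.d=wipo.int; dmarc=pass header.from=wipo.int
From: noreply@wipo.int
To: holder@example.com
Subject: International Registration No. 1742546
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear Sir, Madam,

Please refer to the attached notification concerning the cancellation of
International Registration No. 1742546. Payment of the fee is required.

World Intellectual Property Organization, Geneva

--b1
Content-Type: application/pdf; name="letter.pdf"
Content-Disposition: attachment; filename="letter.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjcK
--b1--
"""

AUTH_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|softfail|neutral|none|temperror|permerror)\b")

# Heuristic phrase lists; substring matches, so expect some noise in production.
ACTION_PHRASES = ("refer to the attached", "see the attached", "open the attached")
MONEY_PHRASES = ("payment", "fee", "cancellation", "cancelled", "invoice", "wire")


def auth_results(msg) -> dict:
    """Map each method in Authentication-Results to its first verdict."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(header):
            results.setdefault(method, verdict)
    return results


def fully_authenticated(msg) -> bool:
    """True when SPF, DKIM and DMARC all passed at our boundary."""
    r = auth_results(msg)
    return all(r.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))


def body_text(msg) -> str:
    parts = [p.get_content() for p in msg.walk()
             if p.get_content_type() == "text/plain" and not p.is_attachment()]
    return "\n".join(parts).lower()


def attachment_names(msg) -> list:
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def triage(raw: str, known_senders: set) -> dict:
    """Score a message that has already passed the gateway. Authentication is
    recorded as a fact, not as a pass: the verdict turns on content and on
    whether the recipient has corresponded with this sender before (the
    hypothetical known_senders set stands in for that relationship history)."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    text = body_text(msg)
    signals = []
    if fully_authenticated(msg):
        signals.append("authenticated")
    if sender and sender not in known_senders:
        signals.append("first-contact sender")
    if attachment_names(msg) and any(p in text for p in ACTION_PHRASES):
        signals.append("directs recipient to attachment")
    if sum(p in text for p in MONEY_PHRASES) >= 2:
        signals.append("payment/cancellation language")
    if re.search(r"\bdear (sir|madam|customer|user)\b", text):
        signals.append("generic salutation")
    hold = {"first-contact sender", "directs recipient to attachment",
            "payment/cancellation language"}
    verdict = "hold for review" if hold <= set(signals) else "deliver"
    return {"sender": sender, "auth": auth_results(msg),
            "signals": signals, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_MESSAGE, known_senders=set()))
    print(triage(SAMPLE_MESSAGE, known_senders={"noreply@wipo.int"}))
```

With an empty relationship history the sample is held for review despite a full authentication pass; with the sender already known it is delivered. That is the shape of the decision a gateway cannot make on its own, because nothing in the headers or the attachment changes between the two runs.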
Multiple recipients and community members flagged this message independently, and IRONSCALES mitigated it through behavioral and community signals rather than technical indicators.
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Sender Domain | wipo[.]int | Legitimate WIPO infrastructure |
| Sender Email | noreply@wipo[.]int | Authenticated, SPF/DKIM/DMARC pass |
| Sending IP | 193[.]5[.]93[.]4 | mx1.wipo.int mail server |
| Attachment | letter.pdf (1 page) | No JS, no forms, no embedded URLs |
| PDF Hash (MD5) | f09da7401fbbd43350c5d49ca31e996b | Clean static analysis |
| PDF Hash (SHA-256) | 23a4fb206cd47380a4033cded4adc29ccef7ff9ac276b068b851594d2903001d | Clean static analysis |
| Registration Reference | International Registration No. 1742546 | Cancellation/payment social engineering |
MITRE ATT&CK Mapping
| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Attachment | T1566.001 | PDF attachment as social engineering delivery |
| Masquerading: Match Legitimate Name or Location | T1036.005 | WIPO institutional formatting and registration reference |
| Phishing for Information: Spearphishing Attachment | T1598.002 | PDF content prompts the recipient to act through a separate channel (call, payment, reply); no link click is involved |