The email came from noreply@wipo[.]int. SPF passed. DKIM passed. DMARC passed. The sending IP was 193[.]5[.]93[.]4, which resolves to mx1.wipo.int, a mail server operated by the World Intellectual Property Organization. The message was not spoofed. It was not forged. It passed every authentication check because it was genuinely sent through WIPO infrastructure. The attached PDF was clean. And the entire thing was social engineering.
The email was a short formal notice referencing International Registration No. 1742546. It used a generic salutation ("Dear Sir, Madam,"), included a WIPO-style signature block with the Geneva headquarters address, and directed the recipient to open the attached notification (letter.pdf). Two links in the body pointed to legitimate WIPO documents on wipo.int.
The PDF was one page. Static analysis found no JavaScript, no interactive form fields, no embedded URLs, no executable content. Antivirus returned clean. Sandbox detonation had nothing to detonate. The document contained cancellation and payment language formatted to match WIPO's Madrid System correspondence, referencing the specific registration number and the named holder.
Every technical indicator said this message was safe.
The danger was not in the code. It was in the content. A trademark cancellation notice from an intergovernmental organization carries institutional authority that most recipients will not question. The instruction to "refer to the attached notification" moves the recipient from reading to acting, and the cancellation framing creates urgency without using the crude "your account will be locked" language that spam filters catch.
If the recipient acted on the notice, whether by calling a number, wiring a payment, or replying with sensitive information, the compromise would happen entirely outside the email channel. No link click. No credential form. No malware execution. The attack surface was the recipient's trust in the institution, not their browser.
Authentication passed because the infrastructure was legitimate. The PDF was clean because it contained no technical payload. The links went to real WIPO pages. There was nothing for a scanner to flag. This attack existed in a blind spot where technical controls have no visibility: the gap between "this message is authenticated" and "this message is legitimate" and "this message is not impersonation."
Multiple recipients and community members flagged this message independently, and IRONSCALES mitigated it through behavioral and community signals rather than technical indicators.
See Your Risk: Calculate how many threats your SEG is missing
| Type | Indicator | Context |
|---|---|---|
| Sender Domain | wipo[.]int | Legitimate WIPO infrastructure |
| Sender Email | noreply@wipo[.]int | Authenticated, SPF/DKIM/DMARC pass |
| Sending IP | 193[.]5[.]93[.]4 | mx1.wipo.int mail server |
| Attachment | letter.pdf (1 page) | No JS, no forms, no embedded URLs |
| PDF Hash (MD5) | f09da7401fbbd43350c5d49ca31e996b | Clean static analysis |
| PDF Hash (SHA-256) | 23a4fb206cd47380a4033cded4adc29ccef7ff9ac276b068b851594d2903001d | Clean static analysis |
| Registration Reference | International Registration No. 1742546 | Cancellation/payment social engineering |
| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Attachment | T1566.001 | PDF attachment as social engineering delivery |
| Masquerading: Match Legitimate Name or Location | T1036.005 | WIPO institutional formatting and registration reference |
| Phishing for Information: Spearphishing Link | T1598.003 | Prompts action through a separate channel |
| Attack | What happened |
|---|---|
| The Partner Invite That Used the Wrong Sending Domain | A calendar invite appeared to be from an IRONSCALES employee arranging an ANZ distribution call. |
| The Subdomain That Fused Two Trusted Brands Into One Convincing Lie | Attackers fused two real brand names into a single subdomain, routed the message through Zix infrastructure to inherit enterprise authentication. |
| The Webinar Invite That Came With an Apple Wallet Pass and a Three-Hop Redirect Chain | A Google Calendar invite for a fake AI webinar passed full authentication and carried an .ics file, an Apple Wallet .pkpass. |
| The Bank Statement You Had to Unlock With Your Birthday: PII-Gated PDF Evasion From Authenticated Infrastructure | A fully authenticated email from banking infrastructure delivered a password-protected PDF that required the recipient's mobile number and date of birth... |
| The Flow Failure Alert That Came From the Wrong Tenant | An attacker spoofed a Microsoft Power Automate flow failure alert using a test tenant subdomain that nearly matched the target's production domain. |