Wire Transfer PDF Invoice Passes DLP Gateway with Full Email Authentication

What Happened

A financial advisory firm sent what appeared to be a routine wire transfer invoice for $125,400. The email passed through a Check Point/Avanan DLP gateway without triggering a single alert. SPF, DKIM, and DMARC all returned passing results. The sender domain has been registered for over 20 years, placing it well outside the window where age-based heuristics would raise concern.

The attached PDF contained JP Morgan Chase routing number 021000021 and an account ending in ...3766. It carried no JavaScript, no embedded links, and no AcroForms. From a payload perspective, every scanner that inspected this file saw a clean document. The fraud was entirely social: a convincing invoice with real banking details, sent to prompt a wire transfer to an account controlled by the attacker.

Why It Matters

DLP gateways are built to catch data exfiltration and malicious payloads. When the payload is a static PDF with legitimate banking formatting and no executable content, DLP has nothing to intercept. The same applies to email authentication protocols. SPF, DKIM, and DMARC confirmed that the sending server was authorized for the domain. They did their job. The problem is that authentication answers "who sent this" but never "should you trust what they are asking you to do."

This is where behavioral signals become critical. The sender had never communicated with the target organization before. That single data point, first-time sender from an external domain requesting a six-figure wire transfer, is the highest-value signal in the entire email. No gateway evaluated it.

How IRONSCALES Caught It

Adaptive AI email security flagged this message through first-time sender analysis combined with community intelligence. While the PDF was clean and the authentication was flawless, the behavioral profile of the communication was anomalous. A new sender, a high-dollar payment request, and banking details embedded in a static PDF triggered escalation before the invoice reached the finance team.

The combination of sender reputation analysis, organizational communication history, and cross-tenant pattern matching surfaced what no single-layer gateway could detect on its own.

See Your Risk. Run a free phishing simulation to find out how many invoice fraud emails would reach your finance team today.

Indicators of Compromise

MITRE ATT&CK Mapping