The email had no links. No attachments. No credential harvesting page. No payment demand. No malware. SPF, DKIM, DMARC, and ARC all passed through Google and Microsoft infrastructure. The sender was a first-time contact using a free Gmail address, presenting an anonymous complaint.
Every technical control returned clean because there was nothing technical to evaluate. The entire attack was the text itself, designed to trigger an institutional response that would expose internal data the sender had no right to access.
A Complaint Engineered to Extract Data
The email was addressed to two employees at a state government health agency, both named directly in the greeting. The sender identified themselves as a "Concerned Team Member / Anonymous" and alleged professional misconduct by a specific individual within the organization. The tone was professional, the grammar mostly clean, and the formatting followed what an internal complaint might look like.
The substance of the email was three explicit requests:
- Review Jira audit and history logs for the named individual
- Review internal communications (Teams) for the prior one to two months
- Conduct confidential one-on-one interviews with current and former team members
Each request targeted a different category of sensitive data. Jira logs would reveal project assignments, ticket histories, and internal workflows. Teams transcripts would expose private communications and confidential personnel matters. Employee interviews would surface organizational intelligence that lives nowhere in any system.
If the recipients complied, the organization's own complaint-handling process would deliver the data. No account compromise, no tools deployed, no vulnerabilities exploited.
This maps directly to MITRE ATT&CK T1598: Phishing for Information. The adversary sent a message designed to elicit sensitive information from the target. No credential theft, no malware delivery. Just a request, framed as a legitimate internal concern, intended to manipulate the recipients into sharing data they would never share with an unknown external party.
Full Authentication Pass, Zero Detection Surface
The email originated from complainforindividual@gmail[.]com and transited Google infrastructure before reaching the target organization through Microsoft:
| Check | Result | Detail |
|---|---|---|
| SPF | Pass | Google IP 2a00:1450:4864:20::52d |
| DKIM | Pass | header.d=gmail[.]com |
| DMARC | Pass | header.from=gmail[.]com |
| ARC | Pass | Validated through Google and Microsoft hops |
Every check returned clean because every check was evaluating the right question: did this email come from an authorized Gmail server? It did. Gmail's infrastructure is not compromised. Authentication is doing exactly what it was designed to do.
The problem is that authentication answers "who sent this?" but not "why did they send it?" A fully authenticated email from a free provider, sent by a first-time contact, requesting Jira logs and Teams transcripts from a government agency, is a high-risk event that no authentication protocol is designed to evaluate.
The FBI IC3 2024 Internet Crime Report documented over $2.9 billion in BEC losses for the year. This attack does not fit the classic BEC pattern of payment diversion, but it exploits the same fundamental gap: the assumption that a professionally written email from an authenticated sender represents a legitimate request.
Why Institutional Process Is the Attack Vector
Government health agencies operate under regulatory obligations that attackers can weaponize. When a complaint alleges misconduct, there are often formal requirements to investigate, triggering HR processes, compliance reviews, or supervisory actions with their own timelines and documentation requirements.
The email included an external sender warning banner and a "Don't often get email from" notice. Both are standard Microsoft protections for first-time senders. But when the email content aligns with a process the recipient is trained to follow, those warnings compete against institutional reflexes. A complaint about a colleague, addressed by first name, requesting actions within normal supervisory responsibilities, creates cognitive pressure to respond rather than question the source.
This is the gap that business email compromise protection addresses. The attack does not need to bypass a firewall, evade a sandbox, or trick a URL scanner. It needs one recipient to treat an external email as an internal complaint and act accordingly.
What Behavioral Detection Caught
There was nothing for content-based scanning to flag. No malicious URLs to detonate. No attachments to sandbox. No known-bad indicators to match. Any gateway would score it clean.
IRONSCALES Adaptive AI identified the risk through behavioral signals outside the scope of content analysis:
First-time sender to the organization. The Gmail address had no prior communication history with either recipient. An anonymous internal complaint arriving from an external address that has never contacted the organization is a contradiction that behavioral baselines expose immediately.
External origin for an internal matter. The email presented itself as coming from a "Concerned Team Member" but arrived from outside the organization's domain. The human element in email security catches exactly this kind of contextual mismatch: the claim does not match the channel.
Disproportionate data requests. The three requested actions (Jira logs, Teams transcripts, employee interviews) represent a scope of data access that would normally require formal authorization, not an anonymous email. The breadth of the request is itself a signal that behavioral analysis can weight even when every other indicator is clean.
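The three signals above, scored alongside the authentication verdict, as an added example in Python (not IRONSCALES code): the sample message, the organization domain `agency.example`, the sender history, the request patterns and the weights are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed sample modelled on the case above (not the original email).
SAMPLE_EMAIL = """\
From: Complaint <anon.complaint@gmail.com>
To: alice@agency.example, bob@agency.example
Subject: Confidential complaint regarding a team member
Authentication-Results: spf=pass; dkim=pass header.d=gmail.com; dmarc=pass; arc=pass

Hi Alice and Bob,
As a Concerned Team Member / Anonymous, I am raising a concern about a colleague.
Please review the Jira audit and history logs for this individual.
Please review internal Teams communications for the last two months.
Please conduct confidential one-on-one interviews with current and former team members.
"""
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
INTERNAL_CLAIMS = ("team member", "colleague", "coworker", "employee")
# Each pattern names a category of sensitive data the text asks for (illustrative).
SENSITIVE_REQUESTS = {
    "ticketing audit logs": r"\bjira\b.*\b(audit|history|log)",
    "chat transcripts": r"\bteams\b.*\b(communication|message|transcript)",
    "personnel interviews": r"\binterview",
}

def auth_passed(msg):
    """True when every mechanism listed in Authentication-Results reports pass."""
    verdicts = re.findall(r"\b(spf|dkim|dmarc|arc)=(\w+)", msg.get("Authentication-Results", ""), re.I)
    return bool(verdicts) and all(v.lower() == "pass" for _, v in verdicts)

def behavioral_signals(msg, org_domain, known_senders):
    """Signals authentication cannot express: sender history, channel vs. claim, request scope."""
    _, sender = parseaddr(msg["From"])
    domain = sender.rpartition("@")[2].lower()
    body = msg.get_payload().lower()
    return {
        "first_time_sender": sender.lower() not in known_senders,
        "free_mail_provider": domain in FREE_MAIL_DOMAINS,
        # Claims to be an insider while arriving from outside the organization's domain.
        "external_claiming_internal": domain != org_domain and any(c in body for c in INTERNAL_CLAIMS),
        "sensitive_requests": [k for k, p in SENSITIVE_REQUESTS.items() if re.search(p, body)],
    }

def assess(raw, org_domain="agency.example", known_senders=frozenset()):
    """Return (risk_score, signals). Weights are illustrative; a passing authentication verdict is recorded but never lowers the score."""
    msg = message_from_string(raw)
    sig = behavioral_signals(msg, org_domain, known_senders)
    sig["authenticated"] = auth_passed(msg)
    score = 2 * sig["first_time_sender"] + sig["free_mail_provider"] + 3 * sig["external_claiming_internal"] + 2 * len(sig["sensitive_requests"])
    return score, sig
```

For the sample, authentication is fully clean while the behavioral score is high; a known internal sender making no sensitive request scores zero.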
What Defenders Should Take From This
This case strips the social engineering problem to its most fundamental form: a free Gmail account, a professionally written email, and three requests that would expose an organization's internal operations if fulfilled.
Zero-payload attacks bypass every content-based control. If there is no link to scan, no attachment to detonate, and no credential page to classify, content-based detection has no input to evaluate. The attack surface is the text itself, and the exploit is the recipient's response.
Institutional processes are attack vectors. Complaint-handling procedures, HR investigation protocols, and regulatory obligations create predictable behaviors that attackers can trigger with the right pretext. Organizations should require identity verification before acting on any complaint that requests access to internal systems or communications.
Behavioral baselines catch what authentication cannot. A first-time external sender claiming to be an internal team member, requesting Jira logs and Teams transcripts via an anonymous Gmail account, generates behavioral signals that authentication-only defenses cannot evaluate.
MITRE ATT&CK Mapping
| Technique | ID | Relevance |
|---|---|---|
| Phishing for Information | T1598 | Email designed to elicit sensitive internal data through social engineering, not credential theft or malware delivery |
Indicators of Compromise
| Indicator | Type | Context |
|---|---|---|
| complainforindividual@gmail[.]com | Sender address | First-time sender, free Gmail account used for anonymous complaint |
| SPF: pass, DKIM: pass, DMARC: pass, ARC: pass | Authentication | Full authentication pass via Google infrastructure, no spoofing detected |
| Display name: "Complaint" | Sender metadata | Generic display name with no personal attribution |
| Requests for Jira logs, Teams transcripts, employee interviews | Behavioral | Disproportionate data access requests inconsistent with anonymous complaint |
| "Concerned Team Member / Anonymous" | Signature | Self-identified as internal while sending from external address |
| First-time sender: true | Behavioral | No prior communication history with either recipient |
| External email warning banner triggered | Behavioral | Microsoft flagged as first-time external contact |