The Anonymous Complaint That Was Actually a Data Extraction Operation

Written by Audian Paxson | Oct 17, 2025 11:00:00 AM
TL;DR A first-time sender using a Gmail address (complainforindividual@gmail[.]com) sent a professionally written anonymous complaint to two named employees at a state government health agency. The email alleged professional misconduct by a specific individual and requested three sensitive actions: review of Jira audit and history logs, review of internal Teams communications for the prior one to two months, and confidential one-on-one interviews with current and former team members. SPF, DKIM, DMARC, and ARC all passed through Google and Microsoft infrastructure. The email contained zero links, zero attachments, and zero credential requests. The entire attack was the text itself, designed to manipulate institutional complaint-handling processes into exposing PII, internal operations data, and confidential personnel information without any technical exploit. IRONSCALES flagged the message through behavioral analysis, identifying the first-time sender anomaly, the external origin of an internal complaint, and the scope of sensitive data being requested.
Severity: High | Tags: Social Engineering, BEC, Data Exfiltration | MITRE ATT&CK: T1598 (Phishing for Information)

The email had no links. No attachments. No credential harvesting page. No payment demand. No malware. SPF, DKIM, DMARC, and ARC all passed through Google and Microsoft infrastructure. The sender was a first-time contact using a free Gmail address, presenting an anonymous complaint.

Every technical control returned clean because there was nothing technical to evaluate. The entire attack was the text itself, designed to trigger an institutional response that would expose internal data the sender had no right to access.

A Complaint Engineered to Extract Data

The email was addressed to two employees at a state government health agency, both named directly in the greeting. The sender identified themselves as a "Concerned Team Member / Anonymous" and alleged professional misconduct by a specific individual within the organization. The tone was professional, the grammar mostly clean, and the formatting resembled what an internal complaint would look like.

The substance of the email was three explicit requests:

  1. Review Jira audit and history logs for the named individual
  2. Review internal communications (Teams) for the prior one to two months
  3. Conduct confidential one-on-one interviews with current and former team members

Each request targeted a different category of sensitive data. Jira logs would reveal project assignments, ticket histories, and internal workflows. Teams transcripts would expose private communications and confidential personnel matters. Employee interviews would surface organizational intelligence that lives nowhere in any system.

If the recipients complied, the organization's own complaint-handling process would deliver the data. No account compromise, no tools deployed, no vulnerabilities exploited.

This maps directly to MITRE ATT&CK T1598: Phishing for Information. The adversary sent a message designed to elicit sensitive information from the target. No credential theft, no malware delivery. Just a request, framed as a legitimate internal concern, intended to manipulate the recipients into sharing data they would never share with an unknown external party.

Full Authentication Pass, Zero Detection Surface

The email originated from complainforindividual@gmail[.]com and transited Google infrastructure before reaching the target organization through Microsoft:

Check | Result | Detail
SPF | Pass | Google IP 2a00:1450:4864:20::52d
DKIM | Pass | header.d=gmail[.]com
DMARC | Pass | header.from=gmail[.]com
ARC | Pass | Validated through Google and Microsoft hops

Every check returned clean because every check was evaluating the right question: did this email come from an authorized Gmail server? It did. Gmail's infrastructure is not compromised. Authentication is doing exactly what it was designed to do.

The problem is that authentication answers "who sent this?" but not "why did they send it?" A fully authenticated email from a free provider, sent by a first-time contact, requesting Jira logs and Teams transcripts from a government agency, is a high-risk event that no authentication protocol is designed to evaluate.

The FBI IC3 2024 Internet Crime Report documented over $2.9 billion in BEC losses for the year. This attack does not fit the classic BEC pattern of payment diversion, but it exploits the same fundamental gap: the assumption that a professionally written email from an authenticated sender represents a legitimate request.

Why Institutional Process Is the Attack Vector

Government health agencies operate under regulatory obligations that attackers can weaponize. When a complaint alleges misconduct, there are often formal requirements to investigate, triggering HR processes, compliance reviews, or supervisory actions with their own timelines and documentation requirements.

The email included an external sender warning banner and a "Don't often get email from" notice. Both are standard Microsoft protections for first-time senders. But when the email content aligns with a process the recipient is trained to follow, those warnings compete against institutional reflexes. A complaint about a colleague, addressed by first name, requesting actions within normal supervisory responsibilities, creates cognitive pressure to respond rather than question the source.

This is the gap that business email compromise protection addresses. The attack does not need to bypass a firewall, evade a sandbox, or trick a URL scanner. It needs one recipient to treat an external email as an internal complaint and act accordingly.

What Behavioral Detection Caught

There was nothing for content-based scanning to flag. No malicious URLs to detonate. No attachments to sandbox. No known-bad indicators to match. Any gateway would score it clean.

IRONSCALES Adaptive AI identified the risk through behavioral signals outside the scope of content analysis:

First-time sender to the organization. The Gmail address had no prior communication history with either recipient. An anonymous internal complaint arriving from an external address that has never contacted the organization is a contradiction that behavioral baselines expose immediately.

External origin for an internal matter. The email presented itself as coming from a "Concerned Team Member" but arrived from outside the organization's domain. The human element in email security catches exactly this kind of contextual mismatch: the claim does not match the channel.

Disproportionate data requests. The three requested actions (Jira logs, Teams transcripts, employee interviews) represent a scope of data access that would normally require formal authorization, not an anonymous email. The breadth of the request is itself a signal that behavioral analysis can weight even when every other indicator is clean.
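As an added illustration of the three behavioral signals above and of the "who sent it, not why" gap discussed under authentication, the following Python scorer is example code written for this article, not IRONSCALES code or the product's logic. The organization domain, the signal weights, the threshold and the sample message are all assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "agency.example"  # assumed recipient domain (placeholder, not from the post)
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
INTERNAL_CLAIM = re.compile(r"\b(team member|colleague|co-?worker)\b", re.I)
# One pattern per category of sensitive data the complaint asked for
SENSITIVE = {
    "ticketing/audit logs": re.compile(r"\b(jira|audit logs?|history logs?)\b", re.I),
    "chat transcripts": re.compile(r"\bteams\b.*\b(chats?|messages?|communications?)\b", re.I),
    "personnel interviews": re.compile(r"\binterviews?\b", re.I),
}

def auth_results(msg):
    """Parse Authentication-Results into {'spf': 'pass', ...}; absent checks read 'none'."""
    hdr = msg.get("Authentication-Results", "")
    found = dict(re.findall(r"\b(spf|dkim|dmarc|arc)=(\w+)", hdr, re.I))
    return {k: found.get(k, "none").lower() for k in ("spf", "dkim", "dmarc", "arc")}

def score_message(raw, known_senders, threshold=5):
    """Weigh behavioural signals; a full authentication pass earns no credit on purpose."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    domain = sender.rpartition("@")[2]
    body = msg.get_payload() if not msg.is_multipart() else ""
    asked = [name for name, rx in SENSITIVE.items() if rx.search(body)]
    signals = [  # (fired?, reason, assumed weight)
        (sender not in known_senders, "first-time sender", 2),
        (domain in FREEMAIL, "free-mail sender domain", 1),
        (domain != ORG_DOMAIN and bool(INTERNAL_CLAIM.search(body)),
         "claims internal identity from an external domain", 3),
        (len(asked) >= 2, f"requests {len(asked)} categories of sensitive data", 3),
    ]
    reasons = [reason for fired, reason, _ in signals if fired]
    score = sum(weight for fired, _, weight in signals if fired)
    return {"auth": auth_results(msg), "score": score, "reasons": reasons,
            "verdict": "flag" if score >= threshold else "deliver"}

# Constructed sample modelled on the complaint described in the post (not the real message)
SAMPLE = """\
From: Complaint <complainforindividual@gmail.com>
Authentication-Results: spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com;
 dmarc=pass action=none header.from=gmail.com; arc=pass (0 oda=1 ltdi=1)

As a concerned team member I must report misconduct by a colleague on our team.
Please review the Jira audit and history logs, review internal Teams communications
from the last two months, and hold confidential one-on-one interviews with the team.
Concerned Team Member / Anonymous
"""
```

Running `score_message(SAMPLE, known_senders=set())` reports every authentication check as pass yet returns a "flag" verdict, because all four behavioral signals fire; the same body from a known internal sender with a single request scores zero.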

What Defenders Should Take From This

This case strips the social engineering problem to its most fundamental form. A free Gmail account, a professionally written email, and three requests that would expose an organization's internal operations if fulfilled.

Zero-payload attacks bypass every content-based control. If there is no link to scan, no attachment to detonate, and no credential page to classify, content-based detection has no input to evaluate. The attack surface is the text itself, and the exploit is the recipient's response.

Institutional processes are attack vectors. Complaint-handling procedures, HR investigation protocols, and regulatory obligations create predictable behaviors that attackers can trigger with the right pretext. Organizations should require identity verification before acting on any complaint that requests access to internal systems or communications.

Behavioral baselines catch what authentication cannot. A first-time external sender claiming to be an internal team member, requesting Jira logs and Teams transcripts via an anonymous Gmail account, generates behavioral signals that authentication-only defenses cannot evaluate.

MITRE ATT&CK Mapping

Technique | ID | Relevance
Phishing for Information | T1598 | Email designed to elicit sensitive internal data through social engineering, not credential theft or malware delivery

Indicators of Compromise

Indicator | Type | Context
complainforindividual@gmail[.]com | Sender address | First-time sender, free Gmail account used for anonymous complaint
SPF: pass, DKIM: pass, DMARC: pass, ARC: pass | Authentication | Full authentication pass via Google infrastructure, no spoofing detected
Display name: "Complaint" | Sender metadata | Generic display name with no personal attribution
Requests for Jira logs, Teams transcripts, employee interviews | Behavioral | Disproportionate data access requests inconsistent with an anonymous complaint
"Concerned Team Member / Anonymous" | Signature | Self-identified as internal while sending from an external address
First-time sender: true | Behavioral | No prior communication history with either recipient
External email warning banner triggered | Behavioral | Microsoft flagged as first-time external contact

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
