The email had no body. No links. No attachments. No signature. The only visible content was the organization's own external-sender warning banner: "External Sender: Use caution with links and attachments. Verify all information." Below that, nothing.
It arrived from artistxdump[@]gmail[.]com with a display name that had no connection to the target organization. SPF passed. DKIM passed with a valid gmail.com signature. DMARC passed. Every cryptographic authentication check confirmed that the message was legitimately sent through Google's infrastructure. From a technical authentication standpoint, the email was clean.
The message was BCC'd to multiple VIP mailboxes within a single government services organization. The recipients included senior leadership, exactly the kind of addresses that would be valuable for a follow-up business email compromise campaign. Exchange's filtering stack classified it as spam (SCL=5) and quarantined the message, but the delivery attempt itself had already generated the intelligence the attacker needed.
A zero-payload email is not a failed attack. It is the opening move of a multi-stage campaign. The logic is straightforward: send an empty message to a list of target addresses and observe the results.
Mailboxes that accept the message without generating a bounce confirm that the address is active and deliverable. Non-Delivery Reports (NDRs) from invalid addresses reveal which mailboxes do not exist, helping the attacker prune their target list. Auto-replies, if configured, leak additional intelligence: out-of-office messages expose names, titles, alternate contacts, and travel schedules. Even the quarantine action itself provides a signal. If the attacker is monitoring delivery receipts or read receipts (available in some email configurations), quarantine versus inbox delivery tells them something about the organization's security posture.
The BCC distribution method is significant. Each recipient sees only their own address in the To or CC field. They have no way to know that the same empty message was sent to a dozen of their colleagues. This makes the reconnaissance invisible at the individual level. Only a security team reviewing mail flow logs across the organization would notice the pattern.
The sending account, artistxdump[@]gmail[.]com, is a disposable Gmail address. Creating one costs nothing and takes minutes. Because Gmail provides full SPF, DKIM, and DMARC authentication for every outbound message, the attacker inherits Google's domain reputation without any infrastructure investment. The sending IP 2607:f8b0:4864:20::102e resolved to mail-pj1-x102e.google.com, a standard Google mail server.
This attack maps to MITRE ATT&CK T1589.002 (Gather Victim Identity Information: Email Addresses) for the mailbox validation objective, and T1598 (Phishing for Information) for the broader reconnaissance intent.
Content-based email filters analyze text, links, and attachments to determine whether a message is malicious. When all three are absent, the filter has nothing to work with. The message technically contains no threat indicators because the threat is the message itself, not anything inside it.
Themis, our Adaptive AI, evaluated this message against behavioral baselines rather than content signatures. A first-time external sender distributing an empty message via BCC to multiple VIP recipients within the same organization is a pattern that deviates sharply from normal correspondence. The sender risk level was flagged as high based on the combination of zero prior history, free email provider, and executive-targeting distribution.
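The cross-organization pattern described above (an empty message from a first-time free-mail sender fanned out to several internal mailboxes, which only a mail-flow review would catch) can be expressed as a simple scoring rule over message-trace records. The script below is an added example written for this writeup, not code from the original post or from any vendor product. The trace format, the `agency.example` domain, the VIP list, the prior-sender history, the Message-IDs and the point weights are all constructed assumptions; only the sender address is taken from the page.

```python
# Zero-payload reconnaissance detector over mail-flow (message-trace) records.
# Added example: log format, domains, VIP list, history and weights are constructed.
from collections import defaultdict
from dataclasses import dataclass

INTERNAL_DOMAIN = "agency.example"                        # hypothetical protected domain
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
VIP_MAILBOXES = {                                         # hypothetical executive mailboxes
    "director@agency.example",
    "deputy.director@agency.example",
    "cfo@agency.example",
}
KNOWN_SENDERS = {"invoices@vendor.example"}               # hypothetical prior-correspondence history

# Constructed trace records, one row per recipient (a BCC fan-out appears as several
# rows sharing one Message-ID, which is why grouping happens on that field).
# Fields: timestamp|message_id|sender|recipient|body_bytes|attachments|urls|auth|scl
SAMPLE_TRACE = """\
2025-01-14T09:02:11Z|<a1@mail.gmail.com>|artistxdump@gmail.com|director@agency.example|0|0|0|spf=pass dkim=pass dmarc=pass|5
2025-01-14T09:02:11Z|<a1@mail.gmail.com>|artistxdump@gmail.com|deputy.director@agency.example|0|0|0|spf=pass dkim=pass dmarc=pass|5
2025-01-14T09:02:11Z|<a1@mail.gmail.com>|artistxdump@gmail.com|cfo@agency.example|0|0|0|spf=pass dkim=pass dmarc=pass|5
2025-01-14T09:02:12Z|<a1@mail.gmail.com>|artistxdump@gmail.com|helpdesk@agency.example|0|0|0|spf=pass dkim=pass dmarc=pass|5
2025-01-14T09:15:40Z|<b7@vendor.example>|invoices@vendor.example|cfo@agency.example|2048|1|0|spf=pass dkim=pass dmarc=pass|1
2025-01-14T10:01:03Z|<c3@mail.gmail.com>|jane.doe@gmail.com|helpdesk@agency.example|0|0|0|spf=pass dkim=pass dmarc=pass|1
"""


@dataclass
class Record:
    timestamp: str
    message_id: str
    sender: str
    recipient: str
    body_bytes: int
    attachments: int
    urls: int
    auth: str
    scl: int


def parse_trace(text: str) -> list:
    """Parse pipe-separated trace rows into Record objects, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("|")
        records.append(Record(f[0], f[1], f[2], f[3], int(f[4]), int(f[5]),
                              int(f[6]), f[7], int(f[8])))
    return records


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def score_messages(records: list, known_senders=KNOWN_SENDERS) -> list:
    """Group rows by Message-ID and score every zero-payload message.

    Authentication results are recorded for context but carry no weight:
    a free-mail provider signs every outbound message, so spf/dkim/dmarc=pass
    says nothing about the sender's intent.
    """
    by_msg = defaultdict(list)
    for r in records:
        by_msg[r.message_id].append(r)

    alerts = []
    for msg_id, rows in by_msg.items():
        sender = rows[0].sender.lower()
        recipients = {r.recipient.lower() for r in rows
                      if r.recipient.lower().endswith("@" + INTERNAL_DOMAIN)}
        zero_payload = all(r.body_bytes == 0 and r.attachments == 0 and r.urls == 0
                           for r in rows)
        if not zero_payload:
            continue                                      # content filters handle the rest

        reasons, score = ["zero_payload"], 2
        if len(recipients) >= 3:                          # constructed fan-out threshold
            reasons.append("multi_recipient_fanout"); score += 2
        vip_hits = recipients & VIP_MAILBOXES
        if vip_hits:
            reasons.append("vip_targeting"); score += 1
        if sender not in known_senders:
            reasons.append("first_time_sender"); score += 1
        if sender_domain(sender) in FREE_MAIL_DOMAINS:
            reasons.append("free_mail_provider"); score += 1

        risk = "high" if score >= 6 else "medium" if score >= 4 else "low"
        alerts.append({
            "message_id": msg_id,
            "sender": sender,
            "recipient_count": len(recipients),
            "vip_count": len(vip_hits),
            "auth_passed": all("dmarc=pass" in r.auth for r in rows),
            "scl": max(r.scl for r in rows),
            "reasons": reasons,
            "score": score,
            "risk": risk,
        })
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for alert in score_messages(parse_trace(SAMPLE_TRACE)):
        print(alert["risk"].upper(), alert["sender"], alert["recipient_count"],
              "recipients,", alert["vip_count"], "VIP,", ", ".join(alert["reasons"]))
```

Grouping on Message-ID rather than on individual rows is what makes the BCC fan-out visible: each recipient's row looks harmless on its own, and the vendor invoice in the sample is skipped entirely because it carries a body and an attachment. The single empty message from a first-time Gmail sender to one mailbox still surfaces at medium, which is the right place for an analyst to decide whether it is an accidental send or the start of a list-validation run.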
Community intelligence across the platform tracks patterns like these at scale. Disposable Gmail accounts targeting VIP mailboxes with empty payloads appeared in clusters during this period, suggesting a coordinated reconnaissance campaign rather than isolated probing.
Research shows that 67.5 phishing emails per 100 mailboxes per month bypass traditional secure email gateways. Zero-payload messages represent a particularly difficult subset because they exploit a fundamental assumption in most filtering architectures: that malicious emails contain something identifiably malicious.
Organizations should treat empty emails from unknown external senders as potential reconnaissance, particularly when they target multiple internal recipients. Specific defensive measures include:
| Indicator | Type | Context |
|---|---|---|
| artistxdump[@]gmail[.]com | Email (From/Return-Path) | Disposable Gmail sender account |
| 2607:f8b0:4864:20::102e | IPv6 | Sending IP, rDNS: mail-pj1-x102e.google.com |
| SCL=5, SFV:SPM | Exchange classification | Spam classification, quarantine action |