An 84 KB PDF passed every email authentication check, landed in a business mailbox, and carried obfuscated JavaScript with auto-execute tokens buried inside interactive form fields. The email impersonating a joint insurance venture looked like a routine claim resolution notice. It was not.
The attached document, CartaCierreSolicitud.pdf, contained an AcroForm with pre-filled policy data and compressed JavaScript streams at byte offset ~81,582. The /JS and /AA tokens meant the script could fire the moment the PDF was opened in a standard reader. Antivirus engines marked it clean.
A Template Failure Exposed the Bulk-Mail Machine
The email's Spanish-language body informed the recipient that a request to change a bank account number on an insurance policy had been processed. It referenced a specific folio number, used professional Santander branding pulled from a third-party image host (zurichsantander.deyel[.]com), and directed the recipient to review the attached PDF for details.
Everything about the message was designed to look transactional. Generic greeting ("Apreciable cliente:"), a legitimate-sounding support hotline, privacy policy references, and a sign-off from the real insurance entity's name. But the footer gave it away: an unrendered template placeholder, |.TrSite.EMAIL.|, sat in plain text where the recipient's email address should have appeared.
That single token confirmed this was a bulk campaign built on marketing automation infrastructure, not a one-to-one insurance communication. The template engine failed to substitute the variable, leaving a fingerprint of the mass-mailing system behind the attack.
SendGrid Wrapping Hid Every Destination
Both visible links in the email body displayed authoritative brand domains. One showed the insurance provider's site. The other showed the banking partner's site. Neither link actually pointed to those destinations.
Every href resolved to u22037540.ct.sendgrid[.]net/ls/click?upn=..., a SendGrid tracking redirect. The attacker used a SendGrid account (customer ID 22037540) to wrap the real landing page destinations, ensuring that URL reputation filters would encounter a trusted intermediary domain rather than the final target. A tracking pixel from op5.cxsend[.]com and a SendGrid open-tracking GIF completed the surveillance layer.
This is a well-documented evasion pattern. According to the Verizon DBIR 2024, phishing campaigns that exploit trusted infrastructure services to mask malicious URLs have grown significantly as static URL reputation systems become standard. When every link in an email resolves to sendgrid.net, traditional URL and malware protection built on domain blocklists simply does not fire.
Authentication Passed Because the Attacker Owned the Keys
The sending domain zurichsantandermexico.com[.]mx had properly configured DNS records. SPF passed (authorized IP 167[.]89[.]23[.]152), DKIM passed (signature verified for the sending domain), and DMARC returned bestguesspass. From an authentication standpoint, this email was legitimate.
But the infrastructure told a different story. The message relayed through o3.ptr3380.cxsend[.]com, a US-hosted server at IP 167[.]89[.]23[.]152. The cxsend[.]com domain was registered through Wild West Domains in May 2021 and uses Cloudflare nameservers. It is not a recognized enterprise email gateway. The Reply-To header pointed to a different domain entirely (santander.com[.]mx), creating a mismatch between the authenticated From domain and the reply path.
The FBI IC3 2024 report documents billions in losses from business email compromise and brand impersonation, with authentication-passing attacks representing a growing share. This case illustrates exactly why email authentication protocols alone cannot serve as a trust signal. They verify infrastructure authorization, not sender intent.
The PDF: Forms, Fields, and Hidden Scripts
The real payload was the attachment. Static analysis of CartaCierreSolicitud.pdf (84,567 bytes) revealed several concerning elements layered together.
Interactive AcroForm fields were pre-filled with case-specific data: a date ("07 de abril de 2026"), a service type ("CAMBIO DE NUMERO DE CUENTA"), a policy endorsement number, and a policy ID. Pre-filling form data with plausible details is a trust-building technique. Recipients who see their (apparent) policy number are far more likely to interact with the document.
Compressed JavaScript streams containing /JS and /AA tokens were detected at byte offset ~81,582. The /AA (Additional Actions) dictionary can trigger JavaScript execution on document open, page view, or field focus, without requiring the user to click anything beyond opening the file. The streams were compressed, making the script content opaque to surface-level inspection. PyPDF2 analysis flagged javascript_found as true.
Metadata leakage revealed the document was generated by Google Docs Renderer (Skia/PDF m138), and the internal title was PLANTILLA PROCEDENTE (1).docx, meaning "ORIGIN TEMPLATE (1)." A template title inside a supposedly personalized insurance letter is another indicator of mass production.
This pairing of credential-harvesting techniques, interactive forms for data capture alongside auto-executing scripts for payload delivery, represents a higher level of sophistication than the typical brand-impersonation phish.
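The check the section above describes, scanning a PDF for /JS, /JavaScript, /AA and /OpenAction names both in plain object dictionaries and inside FlateDecode-compressed streams, as an added example that is not the post's or the vendor's own tooling. The sample PDF it builds is constructed for the demonstration and is not the real attachment; the gateway policy it encodes is the post's advice to quarantine on any of those tokens.

```python
import re
import zlib

# Tokens whose presence in a PDF indicates script or auto-action capability.
SUSPICIOUS_TOKENS = (b"/JS", b"/JavaScript", b"/AA", b"/OpenAction")
# PDF allows CR, LF or CRLF after the "stream" keyword.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _find_tokens(data):
    """Yield (token, offset) for each whole-name occurrence in data."""
    for tok in SUSPICIOUS_TOKENS:
        for m in re.finditer(re.escape(tok) + rb"(?![A-Za-z])", data):
            yield tok.decode(), m.start()


def scan_pdf_bytes(pdf):
    """Return (token, offset, inside_compressed_stream) hits.

    Raw bytes are searched first; every FlateDecode stream body is then
    inflated so tokens hidden by compression are found too. For a compressed
    hit the offset is that of the enclosing stream in the file.
    """
    hits = [(tok, off, False) for tok, off in _find_tokens(pdf)]
    for m in STREAM_RE.finditer(pdf):
        try:
            body = zlib.decompress(m.group(1))
        except zlib.error:
            continue  # not Flate-compressed or truncated: nothing to inflate
        hits.extend((tok, m.start(1), True) for tok, _ in _find_tokens(body))
    return hits


def should_quarantine(pdf):
    """Gateway policy from the post: any /JS, /JavaScript, /AA or /OpenAction."""
    return bool(scan_pdf_bytes(pdf))


def build_sample_pdf():
    """Constructed sample, not the real attachment: a field dictionary with
    /AA and /JS kept in a FlateDecode object stream, invisible to plain grep."""
    hidden = b"<< /T (policy) /AA << /Fo << /S /JavaScript /JS (app.alert(1)) >> >> >>"
    comp = zlib.compress(hidden)
    return (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /AcroForm << /Fields [3 0 R] >> >> endobj\n"
            b"2 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
            + str(len(comp)).encode() + b" >>\nstream\n" + comp
            + b"\nendstream\nendobj\n%%EOF\n")
```

A plain `grep -c /JS` on the sample file returns nothing, which is exactly why a gateway that does not inflate stream bodies misses this class of attachment.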
How the PDF Chains Three MITRE Techniques
| Technique | ID | Application |
|---|---|---|
| Spearphishing Attachment | T1566.001 | PDF delivered via email with social engineering pretext |
| Malicious File Execution | T1204.002 | User opens PDF, triggering AcroForm interaction |
| JavaScript Execution | T1059.007 | Obfuscated /JS and /AA tokens for auto-execution |
Infrastructure Fingerprint
| Type | Indicator | Context |
|---|---|---|
| Sending Domain | zurichsantandermexico[.]com[.]mx | Authenticated From domain, SPF/DKIM pass |
| Subdomain (Return-Path) | em6535.zurichsantandermexico[.]com[.]mx | Bounce/envelope sender |
| Reply-To Domain | santander[.]com[.]mx | Mismatched reply-to domain |
| Sender Email | atencionsiniestros@zurichsantandermexico[.]com[.]mx | From address |
| Relay Host | o3.ptr3380.cxsend[.]com | SMTP relay, US-hosted |
| Relay IP | 167[.]89[.]23[.]152 | Sending IP, GeoIP: United States |
| Redirect Domain | u22037540.ct.sendgrid[.]net | SendGrid tracking redirect (acct 22037540) |
| Tracking Pixel | op5.cxsend[.]com | Open-tracking pixel host |
| Image Host | zurichsantander.deyel[.]com | Third-party image/resource host |
| Attachment | CartaCierreSolicitud.pdf (SHA-256: 95b3413da7b8ab587747643e6ed0536e) | 84,567 bytes, AcroForm + obfuscated JS |
| Template Token | `\|.TrSite.EMAIL.\|` | Unrendered bulk-mail placeholder |
What Defenders Should Do With This
Block PDFs with /JS and /AA tokens at the gateway. If your email security stack cannot inspect PDF object streams for JavaScript tokens, you have a gap. Configure attachment policies to quarantine or sandbox PDFs containing interactive form elements and scripting indicators.
Do not trust SendGrid redirect domains implicitly. Build detection logic that unwraps tracking redirects to evaluate the final destination. A link that displays santander.com.mx but resolves to sendgrid.net/ls/click with encoded parameters deserves scrutiny regardless of the intermediary's reputation.
Treat authentication as necessary but insufficient. SPF/DKIM/DMARC passing does not mean the email is safe. Behavioral analysis, the kind that evaluates language patterns, structural anomalies, and delivery context together, catches what authentication alone cannot. The Microsoft Digital Defense Report 2024 reinforces this point: sophisticated attacks routinely pass all three authentication protocols.
Watch for template rendering failures. Unrendered tokens (|.TrSite.EMAIL.|, , %MERGE_FIELD%) in email footers are high-confidence phishing indicators. They are trivial to detect with pattern matching and almost never appear in legitimate corporate email.
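The two detections recommended above, unwrapping tracking-redirect links and comparing the displayed brand domain against the real href host, plus pattern matching for unrendered template tokens, as an added example that is not the post's or the vendor's code. The redirector host list and the Handlebars-style `{{x}}` token form are assumptions added here; the sample HTML body is constructed to mirror the campaign described in the post.

```python
import re
from urllib.parse import urlsplit

# Link-tracking services whose redirects hide the real destination (assumed list).
REDIRECT_HOSTS = ("sendgrid.net", "cxsend.com")
# Unrendered merge fields: |.X.| and %X% from the post, plus Handlebars-style {{x}}.
TEMPLATE_TOKEN_RE = re.compile(r"\|\.[\w.]+\.\||%[A-Z_]+%|\{\{\s*[\w.]+\s*\}\}")
# <a href="...">text</a>; good enough for typical HTML mail bodies.
ANCHOR_RE = re.compile(r'<a\s[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
# Anchor text that itself looks like a URL or a bare hostname.
DISPLAY_HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:/\S*)?$", re.I)


def registrable(host):
    """Brand-level domain: last two labels, or three under a ccTLD such as com.mx."""
    p = host.lower().split(".")
    if len(p) >= 3 and len(p[-1]) == 2 and p[-2] in ("com", "co", "org", "net", "gob"):
        return ".".join(p[-3:])
    return ".".join(p[-2:])


def is_redirector(host):
    return any(host == h or host.endswith("." + h) for h in REDIRECT_HOSTS)


def analyse_email_html(html):
    """Return (rule, detail) findings: tracking redirects, display/href
    brand mismatches, and unrendered template tokens in the body."""
    findings = []
    for href, inner in ANCHOR_RE.findall(html):
        host = (urlsplit(href).hostname or "").lower()
        text = re.sub(r"<[^>]+>", "", inner).strip()   # visible anchor text only
        if is_redirector(host):
            findings.append(("tracking_redirect", host))
        m = DISPLAY_HOST_RE.match(text)
        if m and host and registrable(m.group(1)) != registrable(host):
            findings.append(("display_href_mismatch", f"{m.group(1)} -> {host}"))
    for tok in TEMPLATE_TOKEN_RE.findall(html):
        findings.append(("unrendered_template_token", tok))
    return findings


# Constructed sample body modelled on the campaign described above.
SAMPLE_HTML = """<p>Apreciable cliente:</p>
<a href="https://u22037540.ct.sendgrid.net/ls/click?upn=XXXX">www.santander.com.mx</a>
<a href="https://www.zurichsantander.com.mx/">Zurich Santander</a>
<p>Este mensaje fue enviado a |.TrSite.EMAIL.|</p>"""
```

Running `analyse_email_html(SAMPLE_HTML)` yields three findings: the SendGrid redirect, the santander.com.mx-to-sendgrid.net mismatch, and the |.TrSite.EMAIL.| token; a link whose displayed and real hosts share a brand domain yields none.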
IRONSCALES Adaptive AI flagged this email at 82% confidence by analyzing the language structure and delivery context together, identifying the behavioral fingerprints of a phishing campaign that every authentication check missed.