The Attachment Inside the Attachment: How Nested RFC822 Messages Evade Parser-Based Detection
ID: 0eb07cb7-b408-518d-96b1-a28a2e966feb
STIX ID: report--0eb07cb7-b408-518d-96b1-a28a2e966feb
Feed Name: IRONSCALES
A targeted phishing email delivered a nested message/rfc822 attachment (76,583 bytes) whose filename had CR/LF characters injected into it to exploit parser inconsistencies across email security tools. A second delivery-status attachment was unretrievable for inspection. The sending domain published DMARC with p=none. IRONSCALES' behavioral detection quarantined the message before the nested payload could be opened.
