The PDF Scanner Couldn't Open the Attachment (But the Victim Could)
ID: 1831c51f-f478-567b-a69c-53c06d2c8546
STIX ID: report--1831c51f-f478-567b-a69c-53c06d2c8546
Feed Name: IRONSCALES
TL;DR: A spearphishing email impersonating the Georgia Department of Education delivered a password-protected PDF (112,382 bytes) and placed the passcode (0937728736) in the message body. A human recipient could type the code and open the encrypted payload, while automated scanners, unable to decrypt the file, returned clean verdicts; IRONSCALES flagged and quarantined the message. The report provides IOCs (sender domain and email address, attachment name and MD5 hash, embedded image hash, linked domains), maps the behavior to MITRE ATT&CK T1566.001 (Spearphishing Attachment) and T1027 (Obfuscated Files or Information), and emphasizes the need for context-aware detection that correlates attachment state with message content rather than relying on static file scanning alone.
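The detection gap described above is that the scanner judges the attachment in isolation, while the message as a whole (an encrypted PDF plus a passcode in the body) is the signal. The following is an added example, not code from the report or from IRONSCALES, showing one way to correlate the two with only the Python standard library. The PDF bytes, sender and recipient addresses, and attachment name are constructed placeholders; the passcode is the one the report quotes. The PDF check is purely structural (a `/Encrypt` entry in the file), so it says nothing about what the document contains, which is exactly why a "clean" static verdict on such a file should not be trusted.

```python
import email
import hashlib
import re
from email.message import EmailMessage
from email.policy import default

# Constructed stand-in for an encrypted PDF: only the structure the detector
# inspects (a %PDF header and an /Encrypt entry in the trailer). It is not a
# real document and not the attachment from the report.
ENCRYPTED_PDF_STUB = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog >> endobj\n"
    b"2 0 obj << /Filter /Standard /V 2 /R 3 /Length 128 >> endobj\n"
    b"trailer << /Root 1 0 R /Encrypt 2 0 R >>\n"
    b"%%EOF\n"
)

# Numeric tokens of plausible passcode length; wide enough to catch the
# 10-digit code in the report without matching short numbers like dates.
PASSCODE_RE = re.compile(r"\b\d{6,12}\b")
# The body only counts as "delivering a password" if it also talks about one.
PASSWORD_CUE_RE = re.compile(r"\b(password|passcode|pass code|PIN)\b", re.I)


def build_sample_email(body: str, pdf_bytes: bytes, filename: str) -> bytes:
    """Assemble a constructed test message; addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # placeholder, not the report's sender
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Document for your review"
    msg.set_content(body)
    msg.add_attachment(pdf_bytes, maintype="application", subtype="pdf",
                       filename=filename)
    return msg.as_bytes()


def pdf_is_encrypted(data: bytes) -> bool:
    """Structural check: an /Encrypt reference means a scanner without the
    password cannot see page content, so its static verdict is meaningless."""
    return data.startswith(b"%PDF") and b"/Encrypt" in data


def passcodes_in_body(text: str) -> list[str]:
    """Return numeric tokens from the body, but only when the body also
    mentions a password; bare numbers (phone numbers, order IDs) are ignored."""
    if not PASSWORD_CUE_RE.search(text):
        return []
    return PASSCODE_RE.findall(text)


def analyze(raw: bytes) -> dict:
    """Correlate attachment state with body content and return a verdict."""
    msg = email.message_from_bytes(raw, policy=default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    encrypted = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or ""
        is_pdf = part.get_content_type() == "application/pdf" or name.lower().endswith(".pdf")
        if is_pdf and pdf_is_encrypted(data):
            encrypted.append({
                "filename": name,
                "size": len(data),
                "md5": hashlib.md5(data).hexdigest(),  # for IOC matching against the feed
            })
    codes = passcodes_in_body(body)
    reasons = []
    if encrypted:
        reasons.append("encrypted PDF attachment (static scan cannot inspect it)")
    if codes:
        reasons.append("body supplies a passcode-like token")
    verdict = "suspicious" if encrypted and codes else "no_context_match"
    return {"verdict": verdict, "encrypted_pdfs": encrypted,
            "passcodes": codes, "reasons": reasons}


def demo() -> dict:
    """Run the detector over a constructed message shaped like the one reported."""
    body = ("Please review the attached document.\n"
            "The passcode to open it is 0937728736.\n")
    raw = build_sample_email(body, ENCRYPTED_PDF_STUB, "document.pdf")
    return analyze(raw)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The verdict fires only on the combination: an encrypted PDF alone is common in legitimate mail, and a number next to the word "password" alone is noise. In a real pipeline the `md5` field would be compared against the feed's attachment hash, and the passcode candidates would be handed to a sandbox that actually tries them against the PDF, which is the step that turns a context match into an inspected payload.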
