The Bank Statement You Had to Unlock With Your Birthday: PII-Gated PDF Evasion From Authenticated Infrastructure
ID: 1f2f5f49-3fcd-5b13-8551-ec4a7db18aaf
STIX ID: report--1f2f5f49-3fcd-5b13-8551-ec4a7db18aaf
Feed Name: IRONSCALES
A high-severity spearphishing campaign impersonated a bank using authenticated mail infrastructure (SPF/DKIM/DMARC pass) and a third-party mailer; attackers delivered a password-protected PDF (PDF 1.4) that blocked automated inspection and guided victims to derive the password from PII, while embedded links pointed to a look-alike domain (onlinesbi.com / cms.onlinesbi.com) rather than the legitimate onlinesbi.sbi.bank.in. Themis flagged the message for the PII-gated attachment, domain mismatch, and behavioral signals; the mailbox was quarantined. IOCs include sender alerts.sbi.bank.in, relay d37-smtp-out-in.alerts.sbi.co.in (175.158.69.37), NetcoreCloud/Pepipost mailer, look-alike link cms.onlinesbi.com/CMS/, and attachment XXXXXX71790_A_2026_B9B20KFR.pdf.
