The Fire Safety Spec That Was Hiding Malware for Five Months

Attackers planted a malicious PDF (hosted under /wp-content/uploads on a compromised glotest.com WordPress site) inside a legitimate multi-month B2B email thread; the single malicious URL persisted across replies for ~5 months and was eventually flagged by IRONSCALES with 90% AI confidence, triggering quarantine. The report maps the activity to phishing/drive-by compromise techniques and recommends scanning full quoted thread history, retrospective URL rescanning, and heightened suspicion for WordPress-hosted uploads.