The Spreadsheet That Arrived Twice: CR/LF Filename Obfuscation and a Base64 Shadow Payload

ID: 44244296-cd28-5e59-b009-42bab05e0d1d

STIX ID: report--44244296-cd28-5e59-b009-42bab05e0d1d

Feed Name: IRONSCALES

Threat Score: 70/100

Date Published: 2026-05-18

Date Updated: 2026-05-18

Author: Audian Paxson

A phishing email delivered an XLSX attachment whose filename contained embedded CR/LF control characters. These caused the extraction pipeline to produce a zero-byte artifact, while the actual 557,952-byte payload existed as a companion .b64 file. SPF, DKIM and DMARC initially passed at the SocketLabs relay but were invalidated after the message was rewritten by a Cisco IronPort gateway; ARC failed, the sender could not be verified, and the mailbox was quarantined.