The PDF That Passed Every Scan Without Being Read
ID: 841b0749-6264-59ea-8b7e-a847b90a92b0
STIX ID: report--841b0749-6264-59ea-8b7e-a847b90a92b0
Feed Name: IRONSCALES
A targeted phishing email sent to a regional healthcare organization used CR/LF control characters in a PDF filename, causing file extraction pipelines to produce a zero-byte decoy while the actual 376 KB PDF payload was stored in a .b64 sidecar and not scanned. Authentication signals collapsed across relays, and IRONSCALES detected the message via behavioral and authentication anomalies. The report provides IOCs and mitigation steps such as auditing filename control-character handling, layering authentication into attachment risk scoring, and decoding and scanning base64 sidecars.
