An Encrypted Attachment, an Empty Body, and a Scanner That Couldn't Look Inside
ID: 88caab35-36f7-5f9f-985c-92be38ee200a
STIX ID: report--88caab35-36f7-5f9f-985c-92be38ee200a
Feed Name: IRONSCALES
A compromised Microsoft 365 account was used to send a blank-bodied email carrying a 540KB encrypted RPMSG attachment, flagged High Importance, to a forensic engineering firm. Because the RPMSG payload was encrypted, automated content scanners could not inspect it and returned a "clean" verdict that really meant "nothing inspectable", not "inspected and benign". SPF, DKIM, DMARC and ARC all passed, as is expected when the sending tenant is a genuine, if compromised, Microsoft 365 account, so sender authentication offered no signal either. Together these produced a functional blind spot that the attacker used for credential harvesting and social engineering.

Themis flagged the message on structural anomalies rather than content: an external sender, an encrypted attachment the pipeline cannot open, an empty body and an urgency flag. The report recommends treating encrypted attachments from external senders as elevated risk and shifting detection toward behavioral analysis of the message and sender rather than relying on content scanning or authentication results.
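As an added example, not code from the IRONSCALES report or from Themis, the Python below scores a raw RFC 5322 message on the structural signals the summary describes: external sender, an RPMSG attachment, an empty visible body, a High Importance flag, and an Authentication-Results header that passes. It deliberately refuses to lower the score when authentication passes, which is the report's point. The receiving domain (`forensics.example`), the RPMSG MIME type and `message.rpmsg` filename, the weights and the threshold are all assumptions for illustration, and the three sample messages are constructed, not captures from the incident.

```python
"""Structural-anomaly scoring for inbound mail (added example, not the
report's own detection logic). Sample messages below are constructed."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: the receiving organisation's own domains; anything else is external.
INTERNAL_DOMAINS = {"forensics.example"}
# Assumption: Microsoft Rights Management wrappers arrive with this MIME type
# and/or a message.rpmsg filename.
RPMSG_TYPE = "application/x-microsoft-rpmsg-message"


def sender_domain(msg: EmailMessage) -> str:
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def has_rpmsg_attachment(msg: EmailMessage) -> bool:
    for part in msg.walk():
        fname = (part.get_filename() or "").lower()
        if part.get_content_type() == RPMSG_TYPE or fname.endswith(".rpmsg"):
            return True
    return False


def body_is_empty(msg: EmailMessage) -> bool:
    """True when no inline text/plain or text/html part carries visible text."""
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        if part.get_content_disposition() == "attachment":
            continue
        if part.get_content().strip():
            return False
    return True


def is_high_importance(msg: EmailMessage) -> bool:
    importance = (msg.get("Importance") or "").strip().lower()
    priority = (msg.get("X-Priority") or "").strip()
    return importance == "high" or priority.startswith("1")


def auth_results(msg: EmailMessage) -> dict:
    """Pull spf/dkim/dmarc/arc verdicts out of Authentication-Results headers."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for clause in str(hdr).split(";")[1:]:  # element 0 is the authserv-id
            clause = clause.strip()
            for mech in ("spf", "dkim", "dmarc", "arc"):
                if clause.startswith(mech + "="):
                    results[mech] = clause.split("=", 1)[1].split()[0].lower()
    return results


def assess(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    auth = auth_results(msg)
    signals = {
        "external_sender": sender_domain(msg) not in INTERNAL_DOMAINS,
        "rpmsg_attachment": has_rpmsg_attachment(msg),
        "empty_body": body_is_empty(msg),
        "high_importance": is_high_importance(msg),
        "auth_all_pass": all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")),
    }
    # Core anomaly: an encrypted payload the scanner cannot open, from outside.
    # Blank body and urgency flag corroborate. Passing authentication is NOT a
    # mitigating factor: a compromised tenant authenticates perfectly.
    score = 0
    if signals["external_sender"] and signals["rpmsg_attachment"]:
        score = 2 + int(signals["empty_body"]) + int(signals["high_importance"])
    signals["score"] = score
    signals["verdict"] = "review" if score >= 3 else "pass"  # threshold is an assumption
    return signals


# Constructed sample: external tenant, blank body, High Importance, RPMSG
# attachment, every authentication check passing.
SUSPICIOUS = """\
Authentication-Results: mx.forensics.example; spf=pass smtp.mailfrom=partner-co.example; dkim=pass header.d=partner-co.example; dmarc=pass action=none header.from=partner-co.example; arc=pass
From: Accounts Payable <ap@partner-co.example>
To: analyst@forensics.example
Subject: Secure document
Importance: High
X-Priority: 1 (Highest)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

--b1
Content-Type: application/x-microsoft-rpmsg-message; name="message.rpmsg"
Content-Disposition: attachment; filename="message.rpmsg"
Content-Transfer-Encoding: base64

AAECAwQFBgcICQ==
--b1--
"""

# Constructed sample: same encryption, but an internal sender with a visible body.
INTERNAL_ENCRYPTED = """\
From: legal@forensics.example
To: analyst@forensics.example
Subject: Engagement letter
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="utf-8"

Encrypted per retention policy; call me if it fails to open.
--b2
Content-Type: application/x-microsoft-rpmsg-message; name="message.rpmsg"
Content-Disposition: attachment; filename="message.rpmsg"
Content-Transfer-Encoding: base64

AAECAwQFBgcICQ==
--b2--
"""

# Constructed sample: ordinary external mail, authenticated, no attachment.
PLAIN_EXTERNAL = """\
Authentication-Results: mx.forensics.example; spf=pass smtp.mailfrom=vendor.example; dkim=pass header.d=vendor.example; dmarc=pass header.from=vendor.example
From: vendor@vendor.example
To: analyst@forensics.example
Subject: Invoice 4471
Content-Type: text/plain; charset="utf-8"

Please confirm receipt of last week's invoice.
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("internal", INTERNAL_ENCRYPTED),
                      ("plain", PLAIN_EXTERNAL)):
        print(name, assess(raw))
```

Only the first sample reaches "review"; the internal encrypted message scores zero because the external-sender condition is the gate, and the plain external invoice has nothing the scanner cannot see. In a real pipeline this score would be one feature next to sender history and tenant reputation, and the attachment itself would be held or detonated in a context that can open it, rather than passed through on a verdict the scanner was never able to form.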
