
The Spreadsheet With No Macros and One Hidden Link: External Relationships in Office XML

ID: 9ab81421-e948-5046-adfa-3979866a68f2

STIX ID: report--9ab81421-e948-5046-adfa-3979866a68f2

Feed Name: IRONSCALES

Threat Score: 70/100

Date Published: 2026-05-13

Date Updated: 2026-05-13

Author: Audian Paxson

...
...

- A spear-phishing email from a legitimate construction domain delivered an Excel file with no macros; the .xlsx contained external relationship entries in workbook.xml.rels and sheet1.xml.rels that point to https://thesuccessformula.shop/sol/onetu/index.php, causing Excel to fetch remote content and enabling credential harvesting or further payload delivery. The payload domain resolves to 152.228.223.226 and returns HTTP 200; SPF/DMARC passed for the sending domain, making the message more likely to bypass filters. The report provides IOCs and highlights that structural Office XML features can be abused to evade macro-focused detection.
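
A triage check for the structural feature described above, as an added example that is not part of the original report: it lists every relationship marked `TargetMode="External"` in the `.rels` parts of an Office Open XML package. The sample package, the relationship types in it, and the placeholder URL are constructed assumptions; the report does not state which relationship types the file used.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

def external_relationships(data: bytes):
    """Return (rels_part, relationship_type, target) for every relationship
    marked TargetMode="External" in any .rels part of an OOXML package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if not name.lower().endswith(".rels"):
                continue
            raw = pkg.read(name)
            if b"<!DOCTYPE" in raw:  # a .rels part has no need for a DTD; flag, do not parse
                findings.append((name, "DOCTYPE", ""))
                continue
            for rel in ET.fromstring(raw).iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append((name, rtype, rel.get("Target", "")))
    return findings

def build_sample() -> bytes:
    """Constructed minimal package with the two .rels parts named in the report.
    Relationship types are assumed; the URL is a placeholder, not the reported one."""
    ns = "http://schemas.openxmlformats.org/package/2006/relationships"
    base = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    url = "https://example.invalid/index.php"
    wb = (f'<Relationships xmlns="{ns}">'
          f'<Relationship Id="rId1" Type="{base}/worksheet" Target="worksheets/sheet1.xml"/>'
          f'<Relationship Id="rId2" Type="{base}/externalLinkPath" Target="{url}" TargetMode="External"/>'
          '</Relationships>')
    sh = (f'<Relationships xmlns="{ns}">'
          f'<Relationship Id="rId1" Type="{base}/hyperlink" Target="{url}" TargetMode="External"/>'
          '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/_rels/workbook.xml.rels", wb)
        z.writestr("xl/worksheets/_rels/sheet1.xml.rels", sh)
    return buf.getvalue()

if __name__ == "__main__":
    for part, rtype, target in external_relationships(build_sample()):
        print(f"{part}: {rtype} -> {target}")
```

Ordinary hyperlinks are also stored as external relationships, so the output is a list to review by type and destination rather than a verdict.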
