The $47,320 Invoice That Came With a W-9 and a Personal Bank Account
ID: b196be27-6720-58c4-9074-4ce56da9cf1e
STIX ID: report--b196be27-6720-58c4-9074-4ce56da9cf1e
Feed Name: IRONSCALES
**Executive Summary:** Attackers sent a fabricated $47,320 invoice and a completed IRS W-9 from an SES-backed throwaway domain, instructing payment to a personal bank account. The emails passed authentication on the original hop but failed on a downstream relay, creating mixed SPF/DKIM/DMARC signals. The attachments were clean HeadlessChrome-generated PDFs, used to evade sandbox detection. Responses were routed to a typosquatted domain, with instructions to forward remittance confirmations to a mailbox with DMARC p=none. IoCs (sender/reply domains, sender/relay IPs, invoice and account identifiers) and MITRE technique mappings are provided to support detection and response.
