The Invoice Email With No Text to Scan: Image-Only Payload From a Compromised Account With a Broken ARC Chain
ID: cf1e3747-9c7a-56df-9267-312f1a4feac3
STIX ID: report--cf1e3747-9c7a-56df-9267-312f1a4feac3
Feed Name: IRONSCALES
An attacker used a compromised vendor account to send an image-only PNG 'ACH payment' invoice to a global flavoring company's accounts receivable team, evading text-based scanners. Final-hop authentication showed SPF/DKIM/DMARC pass while original authentication showed no DKIM/DMARC and ARC validation returned cv=fail, indicating the message was signed by forwarding infrastructure rather than originating with a legitimate DKIM signature; behavioral detection (Themis) flagged the message and quarantined a mailbox. Indicators include the sender [email protected], attachment image002.png (63,801 bytes), and authentication discrepancies; MITRE mappings include T1566.001, T1078, and T1036.005.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
