logo

The Invoice Email With No Text to Scan: Image-Only Payload From a Compromised Account With a Broken ARC Chain

ID: cf1e3747-9c7a-56df-9267-312f1a4feac3

STIX ID: report--cf1e3747-9c7a-56df-9267-312f1a4feac3

Feed Name: IRONSCALES

Threat Score
68/100

Date Published: 2026-06-10

Date Updated: 2026-06-10

Author: [email protected] (Audian Paxson)

...
...

An attacker used a compromised vendor account to send an image-only PNG 'ACH payment' invoice to a global flavoring company's accounts receivable team, evading text-based scanners. Final-hop authentication showed SPF/DKIM/DMARC pass while original authentication showed no DKIM/DMARC and ARC validation returned cv=fail, indicating the message was signed by forwarding infrastructure rather than originating with a legitimate DKIM signature; behavioral detection (Themis) flagged the message and quarantined a mailbox. Indicators include the sender [email protected], attachment image002.png (63,801 bytes), and authentication discrepancies; MITRE mappings include T1566.001, T1078, and T1036.005.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.