When Authentication Passes and Malware Still Walks In: A PE Hidden Inside an Inline PNG
ID: f8092c74-69ab-5341-acf7-4c928451491a
STIX ID: report--f8092c74-69ab-5341-acf7-4c928451491a
Feed Name: IRONSCALES
An onboarding-themed phishing email that passed SPF, DKIM, and DMARC contained an inline PNG (image007.png) whose decompressed IDAT stream held a roughly 6.5 MB Windows PE executable (MZ header at offset 696,056). Because the executable was embedded inside the image's compressed pixel data rather than appended or delivered as an attachment, legacy SEGs that do not decompress and scan IDAT streams missed it; the report provides file hashes and recommends content-aware scanning, decompression of image streams, and anomaly-based sender analysis.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
