- phishing
- malicious-attachments
- email-security
- spoofing
- campaign
Sophisticated Phishing Campaign with Malicious Attachments Targeting Organization
Microsoft Defender for Office 365 detected and quarantined a sophisticated phishing email spoofing an internal address with malicious attachments. The email used intentional misspellings and impersonation tactics as part of a broader campaign.
Time and cost estimates are based on a Tier-2 SOC analyst model and actual investigation telemetry. Individual results vary by analyst experience, tooling, and environment.
Initial Signal
On February 13, 2026, Microsoft Defender for Office 365 detected a phishing email with the subject "Base SaIary Adjustment 2026 - AnnuaI Compensation Update" sent to user_1@[INTERNAL_DOMAIN_1].local. The email spoofed the same internal address as the sender, originating from IP address [EXTERNAL_IP_1] (Vodafone Libertel B.V. in the Netherlands). The message contained 11 attachments, including a document named "[ORG_1] Salary Adjustment Secure File.docx" and 10 PNG image files with identical hash values.
The email exhibited multiple red flags: it failed all authentication checks (SPF:fail, DMARC:fail, DKIM:none), the subject line contained intentional misspellings ("SaIary" and "AnnuaI", with a capital I in place of a lowercase l), and the sender display name "[ORG_1]_General Announcement" attempted to impersonate an official communication channel. File detonation analysis identified at least one attachment as malicious, triggering a "HighConfPhish" classification.
Microsoft Defender for Office 365 initially delivered the email but later quarantined it based on antispam high-confidence phishing policy. Investigation across 69 data sources over 2 minutes 41 seconds confirmed this was part of a broader campaign targeting multiple recipients at the organization with similar characteristics.
How We Reached the Verdict
The agent considered each plausible alternative verdict and ruled them out one at a time. Each card below lists the hypothesis tested, the evidence weighed, and the dismissal rationale.
Could this be an account compromise?
- Ruled out (high confidence). The email originated from [EXTERNAL_IP_1] (Vodafone Libertel B.V. in the Netherlands), not from the organization's network. The sender address user_1@[INTERNAL_DOMAIN_1].local was spoofed, as evidenced by the authentication failures. Because the message came from an external IP ([EXTERNAL_IP_1]) spoofing an internal user (user_1@[INTERNAL_DOMAIN_1].local), there is no evidence that the actual user account was compromised. The security controls successfully identified the email as malicious and quarantined it after initial delivery. The logs show spoofing rather than actual account takeover.
Could this be normal activity?
- Ruled out. The sender display name '[ORG_1]_General Announcement' attempts to impersonate an official communication channel.
Could this be a false positive?
- Ruled out.
Could this be suspicious but not malicious?
- Ruled out (high confidence). Microsoft Defender for Office 365 classified the email as 'HighConfPhish' with a 'malicious' verdict through file detonation analysis. The email contains multiple indicators of malicious intent and was part of a broader campaign targeting multiple recipients. This requires classification as malicious rather than merely suspicious.
Disconfirming Evidence
Evidence that pushed against the agent's working hypothesis. Each item changed the direction of the investigation.
Evidence Gathered
The agent queried these data sources during the investigation. Each entry shows what was checked, what came back, and the methodology behind the query.
- Email sent to user_1@[INTERNAL_DOMAIN_1].local from a spoofed sender claiming to be the same address
- Source IP [EXTERNAL_IP_1] belongs to Vodafone Libertel B.V. in the Netherlands, not the organization's network
- Attachments: '[ORG_1] Salary Adjustment Secure File.docx' and 10 PNG image files with identical hash values
- Detection result: 'HighConfPhish' classification
- Display name '[ORG_1]_General Announcement' attempts to impersonate an official communication channel
- Attachment hash 65771DE6A24D087B82553A7CF5DDF37DC7FF780D666FE262394057D9061C873C identified as malicious
False Positive Analysis
The agent ran these validation checks to confirm the verdict isn't a false positive.
- fp1: Verified email authentication status to confirm spoofing (Pass)
- fp2: Analyzed attachment content and detection methods (Pass)
- fp3: Examined email content for phishing indicators (Pass)
- fp4: Evaluated broader campaign indicators (Pass)
Detection Opportunities
The high-fidelity detection signals from this investigation, sanitized for general use. Each MITRE ID links to the official technique reference.
Signals: HighConfPhish, Malicious File Detection, Email Spoofing

| Technique | Tactic | Context |
|---|---|---|
| T1566.001 Phishing: Spearphishing Attachment | Initial Access | Flag emails with intentional misspellings in subject lines combined with spoofed sender addresses and external origin IPs. Alert on bulk attachments (10+) with identical hash values, especially when paired with social engineering lures targeting HR topics like salary adjustments. Monitor for emails where the sender address matches the recipient address, a common phishing tactic. Correlate failed authentication checks (SPF/DMARC/DKIM failures) with file detonation verdicts to identify malicious payloads before user delivery. |
| T1566.001 Phishing: Spearphishing Attachment | Initial Access | Implement file detonation analysis for DOCX attachments in emails, particularly those with suspicious naming conventions like '[ORG_1] Salary Adjustment Secure File.docx'. Alert on campaigns where multiple emails contain identical PNG files (same hash values) bundled with Office documents, suggesting crafted phishing templates. Block delivery of emails containing attachments with confirmed malicious verdicts from sandbox analysis. |
| T1187 Forced Authentication | Initial Access | Alert on emails where the sender address matches the recipient address, especially when combined with external IP origin and authentication failures. Monitor for display name impersonation of internal communication channels (e.g., '[ORG_1]_General Announcement'). Flag emails failing all authentication protocols (SPF, DMARC, DKIM) originating from non-organizational IP ranges. Implement strict SPF/DMARC policies to reject spoofed internal addresses. |
Verdict Reasoning
The verdict of Malicious at high confidence rests on the following mutually corroborating signals:
1. File detonation analysis by Microsoft Defender for Office 365 confirmed malicious content in at least one attachment, resulting in a "HighConfPhish" classification with malicious verdict
2. Email authentication failures across all protocols (SPF:fail, DMARC:fail, DKIM:none) definitively prove sender spoofing, with the email originating from external IP [EXTERNAL_IP_1] in the Netherlands while claiming to be from internal domain [INTERNAL_DOMAIN_1].local
3. Multiple evasion and social engineering indicators present simultaneously: intentional misspellings in the subject line ("SaIary" and "AnnuaI"), impersonation of an official communication channel ("[ORG_1]_General Announcement"), and a salary adjustment lure designed to entice user interaction
4. Campaign-level evidence shows multiple email clusters with identical characteristics targeting multiple recipients, indicating coordinated malicious activity rather than an isolated incident
5. Security controls functioned as designed by quarantining the email after initial delivery, preventing user access to malicious content. Confidence is High rather than Confirmed because the investigation did not capture evidence of actual user interaction with the email or downstream compromise attempts, though the technical indicators of malicious intent are conclusive
Lessons
- 01: Intentional misspellings are deliberate evasion, not typos. In this investigation, the subject line 'Base SaIary Adjustment 2026 - AnnuaI Compensation Update' used capital I characters instead of lowercase L in 'Salary' and 'Annual'. These were not accidental; they are a known evasion technique to bypass keyword-based email filters. When reviewing suspicious emails, treat unusual character substitutions as a red flag for intentional obfuscation rather than dismissing them as user error. Implement detection rules that flag subject lines with mixed-case character substitutions, especially in HR-related keywords.
- 02: Identical file hashes across multiple attachments signal template reuse. This phishing email contained 10 PNG files with identical hash values alongside a DOCX document. The matching hashes indicate these were not independently created but rather copied from a single template, suggesting the attacker prepared a standardized phishing kit. When investigating emails with bulk attachments, always compare file hashes. Identical hashes across multiple files in a single message are a strong indicator of prepared attack infrastructure rather than legitimate business communication.
- 03: Initial delivery does not mean security controls failed. The email was delivered to the inbox before being quarantined based on file detonation results. This brief window between delivery and quarantine is normal; it reflects the time required for sandbox analysis to complete. Do not interpret initial delivery as a control failure. Instead, verify that the quarantine action was taken and assess whether the user accessed the email during the delivery window. In this case, quarantine occurred before user interaction, demonstrating defense-in-depth working as designed.
- 04: Campaign clustering reveals scope faster than individual email analysis. This investigation identified multiple email clusters with identical characteristics targeting multiple recipients. By pivoting from the initial alert to email clustering data, analysts can quickly determine whether a single user was targeted or if the organization faced a broader campaign. Always query for related emails using network message IDs and clustering identifiers. A single malicious email is a contained incident; multiple clusters with the same tactics indicate coordinated activity requiring broader remediation and user awareness efforts.
- 05: Spoofing plus malicious attachments equals a high-confidence verdict. This email combined three independent malicious signals: failed authentication (SPF/DMARC/DKIM), external IP origin, and confirmed malicious file content. No single indicator is sufficient for a high-confidence verdict, but the convergence of authentication failure, sender spoofing, and file detonation result creates conclusive evidence. When building detection rules, require multiple corroborating signals rather than relying on any single indicator. This approach reduces false positives while maintaining high confidence in true positives.
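The following Python script is an added example written for this page; it is not code from the report above, from the investigating agent, or from Microsoft Defender for Office 365. It turns the detection guidance in the Detection Opportunities table and Lessons 01, 02 and 05 into one triage routine: look-alike character substitutions inside HR keywords (the report documents capital I for lowercase l; the other pairs in HOMOGLYPHS are assumptions), sender matching recipient, no SPF/DMARC/DKIM pass, an origin IP outside the organization's ranges, bulk attachments sharing a hash, and a sandbox verdict, combined so that a high-confidence call needs several corroborating signals. The Email dataclass, the keyword list, the 10.0.0.0/8 organization range, the thresholds and the constructed sample message are all assumptions; the addresses, IP and attachment bytes are made up, not the report's IoCs.

```python
"""Rule-of-thumb triage for a suspected spoofed phishing email (added example)."""
import hashlib
import ipaddress
import re
from dataclasses import dataclass

# Look-alike characters swapped in to dodge keyword filters. The report documents
# 'I' standing in for 'l'; '1', '|' and '0' are added assumptions.
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})

# HR-themed lure words worth protecting (assumed list, extend for your environment).
HR_KEYWORDS = {"salary", "annual", "compensation", "payroll", "bonus", "benefits"}

# Organization IP space; an RFC 1918 block stands in for real ranges (assumption).
ORG_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Thresholds taken from the report's guidance.
BULK_ATTACHMENT_MIN = 10       # "bulk attachments (10+)"
IDENTICAL_HASH_MIN = 2         # two or more files carrying the same content
MIN_SIGNALS_FOR_HIGH_CONF = 3  # lesson 05: require corroborating signals


@dataclass
class Email:
    sender: str
    recipient: str
    subject: str
    origin_ip: str
    auth: dict          # e.g. {"spf": "fail", "dmarc": "fail", "dkim": "none"}
    attachments: list   # [(filename, raw_bytes), ...]
    detonation_malicious: bool = False  # verdict from a sandbox, supplied by caller


def homoglyph_keywords(subject: str) -> list:
    """Words that only become an HR keyword once look-alike characters are normalised."""
    hits = []
    for raw in re.findall(r"[A-Za-z0-9|]+", subject):
        plain = raw.lower()
        fixed = raw.translate(HOMOGLYPHS).lower()
        if plain not in HR_KEYWORDS and fixed in HR_KEYWORDS:
            hits.append(raw)
    return hits


def duplicate_hash_groups(attachments: list) -> dict:
    """Group attachment names by SHA-256 and keep only groups with repeated content."""
    groups = {}
    for name, data in attachments:
        groups.setdefault(hashlib.sha256(data).hexdigest(), []).append(name)
    return {h: names for h, names in groups.items() if len(names) >= IDENTICAL_HASH_MIN}


def is_external(ip: str) -> bool:
    """True when the origin IP falls outside every organization range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in ORG_NETWORKS)


def triage(email: Email) -> dict:
    """Collect independent signals and derive a verdict that needs corroboration."""
    signals = []
    hits = homoglyph_keywords(email.subject)
    if hits:
        signals.append(f"homoglyph substitution in subject: {hits}")
    if email.sender.lower() == email.recipient.lower():
        signals.append("sender address matches recipient address")
    if not any(v == "pass" for v in email.auth.values()):
        auth = ", ".join(f"{k}:{v}" for k, v in email.auth.items())
        signals.append(f"no SPF/DMARC/DKIM pass ({auth})")
    if is_external(email.origin_ip):
        signals.append(f"origin IP {email.origin_ip} outside organization ranges")
    if len(email.attachments) >= BULK_ATTACHMENT_MIN:
        signals.append(f"bulk attachments ({len(email.attachments)})")
    dupes = duplicate_hash_groups(email.attachments)
    if dupes:
        total = sum(len(names) for names in dupes.values())
        signals.append(f"{total} attachments share {len(dupes)} hash value(s)")
    if email.detonation_malicious:
        signals.append("sandbox detonation verdict: malicious")

    # A confirmed payload plus spoofing/origin evidence is the page's high-confidence bar;
    # several signals without a sandbox verdict still deserves an analyst's eyes.
    if email.detonation_malicious and len(signals) >= MIN_SIGNALS_FOR_HIGH_CONF:
        verdict = "high-confidence phish"
    elif len(signals) >= MIN_SIGNALS_FOR_HIGH_CONF:
        verdict = "suspicious: hold for analyst"
    else:
        verdict = "no action"
    return {"verdict": verdict, "signals": signals}


# Constructed sample modelled on the report's message; every value here is made up.
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # identical bytes, so identical hash
SAMPLE = Email(
    sender="user_1@internal.example",
    recipient="user_1@internal.example",
    subject="Base SaIary Adjustment 2026 - AnnuaI Compensation Update",
    origin_ip="203.0.113.7",  # documentation range standing in for an external IP
    auth={"spf": "fail", "dmarc": "fail", "dkim": "none"},
    attachments=[("Salary Adjustment Secure File.docx", b"PK\x03\x04lure")]
    + [(f"image{i}.png", PNG_STUB) for i in range(10)],
    detonation_malicious=True,
)

# Constructed benign control: a real HR notice from inside the network.
BENIGN = Email(
    sender="hr@internal.example",
    recipient="user_1@internal.example",
    subject="Annual Compensation Update",
    origin_ip="10.20.30.40",
    auth={"spf": "pass", "dmarc": "pass", "dkim": "pass"},
    attachments=[("memo.pdf", b"%PDF-1.4 memo")],
)

if __name__ == "__main__":
    for label, msg in (("sample", SAMPLE), ("benign", BENIGN)):
        result = triage(msg)
        print(f"{label}: {result['verdict']}")
        for s in result["signals"]:
            print("  -", s)
```

Each check is kept separate and listed in the output so an analyst can see which signals fired; the verdict deliberately will not reach "high-confidence phish" on subject-line tricks alone, matching the report's point that no single indicator is sufficient.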