How Common Email Phishing Payloads Work and Why Automated Malware Analysis Sandboxes Can't Detect Them

Dissecting the Vertex-Assets Lure: Google Search Redirects, Sandbox Evasion, and the Rise of Conditional Phishing
Threat Intelligence

A malformed .docx file, a disguised Google search URL, and a PHP-backed C2 server reveal a layered phishing operation designed to evade automated analysis while targeting investment-themed victims.

April 21, 2026 | Threat Analysis | IOCs Included

Executive Summary

This report documents the analysis of a suspicious file posing as a Microsoft Word document (.docx) that contained no legitimate document content. Instead, the file — a plain ASCII text file with a misleading extension — carried three identical lines embedding a malformed email address wrapped around a Google Search URL pointing to the domain vertex-assets.com. Subsequent investigation of the domain's TLS certificate, sandbox behavior, and infrastructure profile reveals a likely phishing or credential-harvesting operation employing sandbox evasion, Google redirect abuse, and conditional payload delivery — techniques that have surged dramatically across the threat landscape in 2024 and 2025.

The Initial Lure

A .docx That Isn't a .docx

The file arrived with a .docx extension, lending it the appearance of a Microsoft Word document. However, binary analysis immediately revealed the truth: the file was 197 bytes of ASCII text with CRLF line terminators. A genuine .docx is a ZIP archive containing XML — this file contained none of that structure. The misleading extension serves a dual purpose: it may bypass basic file-type filters that key on extension rather than magic bytes, and it lends unearned credibility to the contents within.

The file's entire payload consisted of three identical lines:

File Contents:
Email: invest@https://www.google.com/search?q=vertex-assets.com
Email: invest@https://www.google.com/search?q=vertex-assets.com
Email: invest@https://www.google.com/search?q=vertex-assets.com

The "email address" is syntactically invalid. No legitimate email system would interpret invest@https://www.google.com/search?q=vertex-assets.com as a deliverable address. The construction is designed to present the Google search URL in a context that appears informational — an investment contact — while routing the victim through Google's search infrastructure to discover and visit vertex-assets.com.
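The content-based check described above (a genuine .docx is a ZIP package carrying OOXML parts; this file was printable ASCII with CRLF terminators) is easy to implement, and it is the same check the Recommendations section asks email gateways to apply. The example below is added here and is not code from the report or the investigation tooling. LURE_BYTES is constructed from the three lines quoted above and may not be byte-for-byte the same size as the 197-byte original; build_minimal_docx is a hypothetical helper that fabricates a structurally valid .docx in memory purely for comparison.

```python
import io
import re
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
# Parts every Word OOXML package carries; a ZIP without them is not a .docx either.
REQUIRED_DOCX_PARTS = ("[Content_Types].xml", "word/document.xml")
URL_RE = re.compile(rb"https?://[^\s\"'<>]+")

# Constructed sample: the three lines quoted above with CRLF terminators, standing in for
# the 197-byte lure (this stand-in may not match the original file's exact size).
LURE_BYTES = b"Email: invest@https://www.google.com/search?q=vertex-assets.com\r\n" * 3


def build_minimal_docx() -> bytes:
    """Hypothetical helper: fabricate the smallest structurally valid .docx for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", (
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-'
            'officedocument.wordprocessingml.document.main+xml"/></Types>'))
        zf.writestr("word/document.xml", (
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p><w:r><w:t>hello</w:t></w:r></w:p></w:body></w:document>'))
    return buf.getvalue()


def classify_attachment(data: bytes, filename: str) -> dict:
    """Identify a file by its bytes and compare that with the extension it claims."""
    claimed_ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    is_zip = data.startswith(ZIP_MAGIC)
    has_docx_parts = False
    if is_zip:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
            has_docx_parts = all(part in names for part in REQUIRED_DOCX_PARTS)
        except zipfile.BadZipFile:
            is_zip = False
    # Printable ASCII plus CR/LF/TAB: the profile the report's lure matched.
    is_ascii_text = bool(data) and all(b in b"\r\n\t" or 0x20 <= b < 0x7F for b in data)

    if has_docx_parts:
        detected = "docx"
    elif is_zip:
        detected = "zip"
    elif is_ascii_text:
        detected = "ascii-text"
    else:
        detected = "unknown"
    return {
        "filename": filename,
        "claimed_ext": claimed_ext,
        "detected": detected,
        "size": len(data),
        "crlf": b"\r\n" in data,
        "extension_mismatch": claimed_ext == "docx" and detected != "docx",
    }


def extract_urls(data: bytes) -> list:
    """Pull distinct URLs out of a text lure for downstream inspection."""
    return sorted({m.group(0).decode("ascii", "replace") for m in URL_RE.finditer(data)})


if __name__ == "__main__":
    print(classify_attachment(LURE_BYTES, "statement.docx"))
    print(classify_attachment(build_minimal_docx(), "real.docx"))
    print(extract_urls(LURE_BYTES))
```

The mismatch flag, not the extension, is what a gateway rule should key on; a file claiming .docx that is neither a ZIP nor an OOXML package is worth quarantining before anyone opens it, and the extracted URL list is what the redirect inspection later in this report operates on.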

Why Google Search as a Redirector?

Embedding a malicious domain inside a Google search URL is a deliberate evasion technique. Security tools, email gateways, and even human reviewers extend implicit trust to google.com domains. A URL beginning with https://www.google.com/search will pass most reputation-based filters without scrutiny. The victim clicks through to Google, sees search results for the target domain, and clicks through organically — a multi-step redirect chain that launders the malicious destination through Google's trusted infrastructure.

This technique has been extensively documented. Cofense Intelligence tracked a significant evolution in Google redirect abuse throughout 2024, observing a transition from Google AMP-based redirects to broader Google URL redirect tactics across multiple quarters. Their Q3 2024 report noted that open redirect usage surged by 627%, while malicious Office documents — particularly .docx files embedded with phishing links — saw usage increase by nearly 600%. The combination of document-based lures with Google redirect chains is now a dominant pattern in the phishing ecosystem.
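Seen from the filter's side, the fix is to evaluate the destination carried in the Google URL rather than the google.com host. The example below is added here and is not code from the report. It unwraps the /search?q= form seen in this lure and also the google.com/url?q= redirect form the report mentions later, so it goes slightly beyond the single URL on the page; which endpoints and parameter names to model (/search with q, /url with q or url) is an assumption for this example, and the BLOCKLIST and test URLs are constructed from the report's domain IOC.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Endpoints modelled here (an assumption for this example): the /search?q= form seen in
# the lure and the /url?q= or /url?url= redirect form the report names. Other Google
# wrappers such as AMP or Translate would need their own entries.
PARAM_BY_PATH = {"/url": ("q", "url"), "/search": ("q",)}
GOOGLE_BASE = "google.com"
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)

# Constructed blocklist built from the report's domain IOC.
BLOCKLIST = {"vertex-assets.com"}


def _is_google(host: str) -> bool:
    return host == GOOGLE_BASE or host.endswith("." + GOOGLE_BASE)


def _host_of(token: str):
    """Reduce a parameter value to a hostname: a full URL yields its host, a bare domain
    yields itself, and an ordinary search phrase yields None."""
    token = token.strip()
    if "://" in token:
        return (urlparse(token).hostname or "").lower() or None
    if DOMAIN_RE.match(token):
        return token.lower()
    return None


def unwrap_google_redirect(url: str) -> dict:
    """Return the host a reputation check should actually evaluate for `url`."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if _is_google(host):
        params = parse_qs(parsed.query)
        for name in PARAM_BY_PATH.get(parsed.path, ()):
            values = params.get(name)
            if values:
                target = _host_of(unquote(values[0]))
                if target:
                    return {"wrapped": True, "endpoint": parsed.path, "effective_host": target}
    return {"wrapped": False, "endpoint": parsed.path, "effective_host": host}


def _blocked(host: str, blocklist) -> bool:
    return any(host == b or host.endswith("." + b) for b in blocklist)


def verdict(url: str, blocklist) -> str:
    """Block on the effective destination, never on the trusted google.com hostname."""
    info = unwrap_google_redirect(url)
    return "block" if _blocked(info["effective_host"], blocklist) else "allow"


if __name__ == "__main__":
    for u in ("https://www.google.com/search?q=vertex-assets.com",
              "https://www.google.com/url?q=https%3A%2F%2Fnew.vertex-assets.com%2Flogin&sa=t",
              "https://www.google.com/search?q=how+to+bake+bread"):
        print(verdict(u, BLOCKLIST), unwrap_google_redirect(u))
```

A plain search phrase is left alone (the function only treats a parameter as a destination when it parses as a URL or a bare domain), which keeps the rule from blocking ordinary Google searches while still catching a blocklisted domain laundered through either endpoint.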

Infrastructure Analysis

TLS Certificate

Certificate transparency investigation revealed a Let's Encrypt DV certificate issued for www.new.vertex-assets.com — notably a subdomain (new.) of the domain referenced in the original lure.

Subject DN: CN=www.new.vertex-assets.com
Issuer: C=US, O=Let's Encrypt, CN=R10
Validity: Nov 18, 2024 — Feb 16, 2025 (89 days)
Status: Expired — previously trusted across all major browsers
Key: 2048-bit RSA, e = 65,537
Signature: SHA256-RSA
SANs: new.vertex-assets.com, www.new.vertex-assets.com

The 89-day validity is standard for Let's Encrypt automated certificates — threat actors favor Let's Encrypt because it's free, automated, requires no identity verification beyond domain control, and provides browser-trusted TLS that makes malicious sites indistinguishable from legitimate ones at the transport layer. The expired status, combined with the new. subdomain, suggests infrastructure rotation: the operators likely stood up new.vertex-assets.com as a fresh front while the original domain accumulated reputation flags.

Server Profile

Active reconnaissance of the domain revealed a minimal infrastructure footprint: an nginx web server on ports 80 and 443 with a PHP backend. This is a textbook profile for phishing infrastructure: lightweight, cheap to deploy, and, critically, PHP enables server-side conditional logic that can serve different content to different visitors based on headers, IP geolocation, user-agent strings, referrer data, and other fingerprinting signals.

Key Finding

The combination of nginx + PHP + Let's Encrypt certificate + investment-themed lure is a high-confidence indicator of phishing infrastructure. The PHP backend is the critical component — it enables the conditional payload delivery that explains the clean sandbox results detailed below.

Sandbox Analysis

ANY.RUN Results: A Conspicuously Clean Run

Dynamic analysis of vertex-assets.com in the ANY.RUN sandbox environment (Windows 10, Edge browser, AMD Ryzen 5 3500 VM) produced results that were notable for what they didn't show.

Dropped files: Four files, all standard Edge browser artifacts — CdmStorage.db (DRM storage), a temporary profile file, the Last Browser state file, and an EntityExtractionAssetStore.db log. No executable payloads, no scripts, no suspicious downloads.

Network activity: DNS resolution for vertex-assets.com only. All HTTP/HTTPS traffic consisted of routine Edge browser telemetry — Microsoft update checks, Bing content loads, CRL/OCSP certificate validation, Edge extension updates, and Copilot eligibility checks. Zero indicators of C2 communication, data exfiltration, or payload retrieval.

In isolation, this looks benign. In context, it's a red flag.

Why the Sandbox Saw Nothing

Modern phishing kits and exploit frameworks are purpose-built to detect and evade sandbox environments. The ANY.RUN VM carries detectable signatures — known hardware profiles, VM-associated MAC address prefixes, sandbox-specific browser configurations, and timing characteristics that differ from physical hardware. A PHP backend gives the operator full control over what gets served and to whom.

Step 1: Visitor arrives.
Step 2: PHP fingerprints browser, IP, headers.
Step 3: Sandbox detected? If yes, serve benign page. If no, deliver payload.

This conditional delivery model is well-documented across multiple phishing-as-a-service (PhaaS) platforms. The Tycoon 2FA kit, one of the most prolific AiTM phishing platforms of 2024–2025, implements this exact pattern: the C2 server analyzes browser fingerprint data to check for sandbox environments, redirecting detected sandboxes to legitimate sites like Tesla or SpaceX while serving the actual phishing payload only to validated human targets. Tycoon 2FA's April 2025 update added extensive browser fingerprinting — collecting screen parameters, console properties, timezone data, and other signals to distinguish real victims from analysis environments.
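The practical counter to this model is the one the Recommendations section gives: fetch the same URL under several client profiles and compare what comes back. The example below is added here and is written from the analyst's side; it is not code from the report or from any PhaaS kit. Given responses collected under different profiles, it normalises each body (masking per-request nonces so two deliveries of the same page group together), counts distinct variants, and flags cloaking when profiles disagree, in particular when one profile is bounced to an unrelated legitimate site the way the report describes Tycoon 2FA doing. SAMPLE_RESPONSES is constructed: the profile names, bodies and the tesla.com redirect are illustrative stand-ins for the behaviour described above, and nothing here touches the network.

```python
import hashlib
import re
from urllib.parse import urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed responses standing in for one URL fetched under several client profiles
# (different egress IPs, referrers and browser configurations). Real collection would
# need that kind of varied fetching; nothing here touches the network.
SAMPLE_RESPONSES = [
    {"profile": "sandbox-vm", "status": 302,
     "location": "https://www.tesla.com/", "body": ""},
    {"profile": "datacenter-ip-no-referrer", "status": 200, "location": None,
     "body": "<html><body><h1>Vertex Assets</h1><p>Coming soon</p></body></html>"},
    {"profile": "residential-ip-google-referrer", "status": 200, "location": None,
     "body": "<html><body><form action='/auth.php'>"
             "<input type='hidden' name='s' value='3f2a9c1e8b7d6a5f4e3d2c1b'>"
             "<input name='user'><input type='password' name='pass'></form></body></html>"},
    {"profile": "residential-ip-google-referrer-2", "status": 200, "location": None,
     "body": "<html><body><form action='/auth.php'>"
             "<input type='hidden' name='s' value='0a1b2c3d4e5f60718293a4b5'>"
             "<input name='user'><input type='password' name='pass'></form></body></html>"},
]

PASSWORD_FIELD_RE = re.compile(r"type=['\"]?password", re.IGNORECASE)


def _same_site(host: str, target_host: str) -> bool:
    return host == target_host or host.endswith("." + target_host)


def _redirect_host(resp: dict):
    if resp["status"] in REDIRECT_CODES and resp.get("location"):
        return (urlparse(resp["location"]).hostname or "").lower()
    return None


def fingerprint(resp: dict) -> str:
    """Stable key for a response: the redirect target host, or a hash of the body with
    whitespace collapsed and long hex tokens (nonces, session ids) masked out."""
    host = _redirect_host(resp)
    if host is not None:
        return "redirect:" + host
    body = re.sub(r"\s+", " ", resp["body"].lower()).strip()
    body = re.sub(r"\b[0-9a-f]{16,}\b", "<token>", body)
    return "body:" + hashlib.sha256(body.encode("utf-8")).hexdigest()[:16]


def detect_cloaking(target_host: str, responses: list) -> dict:
    """Group responses by fingerprint and report signs of conditional delivery."""
    variants = {}
    for r in responses:
        variants.setdefault(fingerprint(r), []).append(r["profile"])
    off_site = sorted(
        r["profile"] for r in responses
        if _redirect_host(r) is not None and not _same_site(_redirect_host(r), target_host)
    )
    credential_forms = sorted(
        r["profile"] for r in responses
        if r["status"] == 200 and PASSWORD_FIELD_RE.search(r["body"])
    )
    return {
        "variant_count": len(variants),
        "variants": variants,
        "off_site_redirects": off_site,
        "credential_forms": credential_forms,
        # Differing content across profiles is the signal; an off-site bounce or a
        # password form served only to some profiles makes it worth a human look.
        "cloaking_suspected": len(variants) > 1 and bool(off_site or credential_forms),
    }


if __name__ == "__main__":
    print(detect_cloaking("vertex-assets.com", SAMPLE_RESPONSES))
```

A single clean detonation is one row of this table; the finding comes from the disagreement between rows, which is why the report treats the ANY.RUN result as a red flag rather than a clearance.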

Analyst Note

The vertex-assets.com infrastructure may or may not be running Tycoon 2FA specifically. However, the behavioral profile — clean sandbox results from a PHP-backed server with investment-themed luring — is consistent with the operational playbook used by Tycoon 2FA and similar PhaaS kits. The techniques are widely commoditized and available to operators of varying sophistication.

The Broader Threat Landscape

Google Redirect Abuse at Scale

The technique observed in this sample — routing victims through Google's own infrastructure — is part of a massive and accelerating trend. Throughout 2024 and into 2025, threat actors have systematically abused Google's various services as redirect intermediaries. The attack surface extends well beyond simple search URLs: Google AMP, Google Translate, Google Maps, Google Docs, Google Cloud Storage, and google.com/url redirect endpoints have all been weaponized.

The logic is simple and effective. Secure Email Gateways and URL reputation systems give Google domains high trust scores by default. A phishing link that begins with google.com will sail through filters that would block a direct link to an unknown or flagged domain. By the time the victim clicks through to the actual malicious destination, they've already been laundered through one or more trusted intermediaries.

Integrity360's SOC published analysis in February 2026 specifically documenting the systematic abuse of multiple Google redirect mechanisms in phishing campaigns, confirming that this is not a niche technique but a mainstream operational pattern across threat actor groups of varying sophistication.

The .docx Lure Evolution

The use of a malformed .docx file as the initial delivery mechanism aligns with broader trends in document-based phishing. Cofense's 2024 data showed that malicious Office documents saw a dramatic increase in usage, with .docx files embedded with phishing links or QR codes becoming a preferred vector. The Kroll-documented "CorruptQR" campaign demonstrated an innovative variant: Office documents with deliberately corrupted header information that bypass email security solutions while relying on users to initiate a "recovery" process that triggers the malicious payload.

The sample analyzed here takes a lower-sophistication approach — a plain text file with a fake extension — but the operational concept is the same: use a document container to deliver a URL or redirect chain that would be more scrutinized if delivered as a bare link.

Conditional Payload Delivery: The New Normal

Perhaps the most significant aspect of this analysis is what the sandbox didn't find. The era of "detonate and detect" — submitting samples to sandboxes and relying on observable malicious behavior — is increasingly challenged by conditional delivery systems that detect and evade analysis environments.

Common Evasion Techniques in Current PhaaS Kits

Browser fingerprinting — screen dimensions, installed plugins, timezone, language settings, canvas fingerprint, WebGL renderer strings. Sandbox VMs typically have default or inconsistent values.

Automation detection — checking for Selenium, WebDriver, PhantomJS, Burp Suite, and other analysis tool signatures in the browser environment.

Geofencing — restricting payload delivery to specific geographic regions, blocking known VPN and proxy IP ranges, and requiring residential IP addresses.

Referrer validation — only serving the payload when the visitor arrives from a specific referrer (e.g., a Google search result), blocking direct navigation.

Timing analysis — measuring interaction timing and behavioral patterns to distinguish human browsing from automated crawling.

DOM vanishing — executing malicious JavaScript that removes itself from the DOM after execution, leaving no trace for post-hoc page inspection.

Tycoon 2FA's March 2026 takedown by Cloudflare and Microsoft — a massive multi-partner operation targeting the kit's infrastructure — underscores how significant this threat has become. Sandbox analysis confirmed that when anti-analysis measures were passed, the final payload was typically a Microsoft 365 or Gmail credential harvesting page that fingerprinted the victim's browser and geolocation, captured credentials, encrypted the data with AES, and exfiltrated it to a remote C2 server. The stolen credentials were frequently used to facilitate Business Email Compromise (BEC) attacks.

The Investment Scam Angle

The "invest@" prefix in the lure's email address suggests this campaign specifically targets individuals interested in investment opportunities. Investment-themed phishing sits at the intersection of credential theft and financial fraud — victims who navigate to the site may encounter fake trading platforms, fraudulent portfolio dashboards, or credential harvesting pages mimicking legitimate financial services. The investment vertical is particularly attractive to threat actors because victims are pre-selected for financial engagement and are often willing to provide sensitive personal and financial information.

Indicators of Compromise

Domains:
vertex-assets.com
new.vertex-assets.com
www.new.vertex-assets.com

Infrastructure Profile:
Web server: nginx
Backend: PHP
Ports: 80, 443
TLS: Let's Encrypt (expired)

TLS Certificate:
SPKI SHA-256: 55438fd1fd972bc5a8b3a6530e982ad64f661e43ed905b08222d2970a5b84e31
Serial Number: 0x041b2bc8c7568b15dfae5f97de456fce5752
Authority Key ID: bbbcc347a5e4bca9c6c3a4720c108da235e1c8e8

Lure File Characteristics:
Extension: .docx (misleading — actual type is ASCII text)
Size: 197 bytes
Line terminators: CRLF
Content: 3x repeated Google search redirect URL

Recommendations

For Defenders

Block the IOCs — Add the identified domains and certificate fingerprints to blocklists and threat intelligence platforms.

Don't trust clean sandbox results implicitly — A clean detonation does not equal a clean site. Consider re-running analysis with residential proxies, spoofed referrers (particularly Google search referrers), and non-default browser configurations.

Filter Google redirect chains — Implement URL inspection policies that examine the destination parameter within Google redirect URLs, not just the top-level domain.

Validate file types by content, not extension — Email gateways and endpoint protection should use magic byte / MIME type detection rather than relying on file extensions.

Monitor CT logs — Set up certificate transparency monitoring for domains of interest. New certificates issued for variants of known-malicious domains (like the new. subdomain observed here) can provide early warning of infrastructure rotation.

User awareness — Train users to recognize that a Google search URL in an email or document is not inherently trustworthy, and that legitimate investment firms do not distribute contact information in this format.
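The CT-log monitoring recommended above comes down to matching every newly logged name against a watchlist, including subdomains like the new. variant observed here. The example below is added here and is not the report's own tooling. CT_ENTRIES is constructed in the shape of the fields a certificate-transparency search returns: the first entry mirrors the names, issuer and validity dates of the certificate in the report (the times of day are invented so the 89-day validity reproduces), and the other entries are noise, including a lookalike that is not a subdomain and must not match.

```python
from datetime import datetime, timezone

WATCHLIST = {"vertex-assets.com"}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed entries modelled on the fields a CT log search returns. The first mirrors
# the names, issuer and validity dates of the certificate in the report (the times of
# day are invented); the rest are noise, including a lookalike that is not a subdomain.
CT_ENTRIES = [
    {"names": ["new.vertex-assets.com", "www.new.vertex-assets.com"],
     "issuer": "C=US, O=Let's Encrypt, CN=R10",
     "not_before": "2024-11-18T21:30:00Z", "not_after": "2025-02-16T21:29:59Z"},
    {"names": ["mail.example.org", "*.example.org"],
     "issuer": "C=US, O=Let's Encrypt, CN=R10",
     "not_before": "2024-11-18T00:00:00Z", "not_after": "2025-02-16T00:00:00Z"},
    {"names": ["vertex-assets.com.example.net"],
     "issuer": "C=US, O=Example CA, CN=Example CA",
     "not_before": "2024-01-01T00:00:00Z", "not_after": "2025-01-01T00:00:00Z"},
]


def related_base(name, watchlist):
    """Return the watchlist entry that `name` equals or is a subdomain of, else None."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    for base in watchlist:
        if name == base or name.endswith("." + base):
            return base
    return None


def validity_days(entry) -> int:
    nb = datetime.strptime(entry["not_before"], TIME_FMT).replace(tzinfo=timezone.utc)
    na = datetime.strptime(entry["not_after"], TIME_FMT).replace(tzinfo=timezone.utc)
    return (na - nb).days


def scan_ct_entries(entries, watchlist, seen_names=frozenset()) -> list:
    """Raise one alert per certificate naming a watched domain or any subdomain of it.
    `seen_names` lets a caller suppress names already known so only new variants surface."""
    alerts = []
    for entry in entries:
        matched = {n: related_base(n, watchlist) for n in entry["names"]}
        matched = {n: b for n, b in matched.items() if b}
        if not matched:
            continue
        days = validity_days(entry)
        alerts.append({
            "bases": sorted(set(matched.values())),
            "names": sorted(matched),
            "new_names": sorted(n for n in matched if n not in seen_names),
            "issuer": entry["issuer"],
            "validity_days": days,
            # 90-day lifetimes are the automated DV profile the report describes.
            "short_lived_dv": days <= 90,
        })
    return alerts


if __name__ == "__main__":
    for alert in scan_ct_entries(CT_ENTRIES, WATCHLIST, seen_names={"vertex-assets.com"}):
        print(alert)
```

Run against a live CT feed, the new_names field is the early-warning signal: a fresh subdomain of a domain already on the blocklist, issued a short-lived DV certificate, is exactly the rotation pattern this report observed.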

Conclusion

The vertex-assets sample is individually unsophisticated — a text file with a fake extension isn't going to win any awards for technical innovation. But that's precisely the point. The sophistication in this operation lives in the layers: a trusted Google redirect to launder the URL, a PHP backend to conditionally serve payloads, sandbox evasion to defeat automated analysis, and an investment theme to pre-qualify high-value victims. Each layer is simple; the combination is effective.

This is the direction the phishing ecosystem is heading. The commoditization of PhaaS platforms like Tycoon 2FA means that even relatively unsophisticated operators can deploy multi-layered campaigns with built-in evasion. The old model of "scan the attachment, detonate the URL, block the IOC" is no longer sufficient when the infrastructure itself decides whether to show its hand. Defenders need to think in terms of behavioral patterns and infrastructure fingerprints — not just static indicators — to keep pace with this evolution.

This analysis was conducted using open-source intelligence, certificate transparency data, and public sandbox results. IOCs are provided for defensive purposes. All analysis reflects conditions observed at the time of investigation.
