4 min read By Excello Mail Team

A Spoofed Legal Email, a Fake Mimecast Folder, and CrownX Ransomware: Inside the Avalon Framework

Blackpoint Cyber's Adversary Pursuit Group uncovered Avalon, a modular malware framework delivered through a spoofed legal document email and an ISO image disguised with a fake Mimecast folder, that ends in CrownX ransomware targeting backup systems. The malware is sloppy. The email that got it in the door is the part worth studying.

Researchers at Blackpoint Cyber’s Adversary Pursuit Group have published details on a previously undocumented malware framework they are calling Avalon, a modular toolkit that bundles credential theft, lateral movement, remote access, backup sabotage, and ransomware execution into a single delivery chain. The ransomware component has been internally named CrownX. According to the researchers, the entire operation shows signs of AI-assisted development, with components assembled quickly and with little regard for operational security. That detail matters less than how the chain gets started.

The attack begins with a spoofed legal document email directing the recipient to a password-protected archive hosted on Proton Drive. Instead of attaching malicious content directly, where an email gateway’s attachment scanner might catch it, the payload is buried inside an ISO image. Once mounted, the ISO presents a document-styled shortcut alongside a folder labeled “Mimecast Secure File Logs,” a fabricated artifact designed to look like the kind of secure-file audit trail a real email security vendor would produce. The actual malicious file sits in an MSBuild project disguised with a .tmp extension. Opening the shortcut launches that project, which loads a .NET assembly that tampers with Event Tracing for Windows to blind security tooling before fetching the next stage.

The Malware Is the Least Interesting Part

Every technical write-up on Avalon focuses, understandably, on the ISO smuggling, the ETW interference, and CrownX’s ability to disable backup and recovery systems before encrypting. That is the part security teams can patch, detect, or sandbox around. But none of it runs unless the spoofed legal document email gets opened first. The entire multi-stage chain, credential theft, lateral movement, ransomware, all of it, depends on one message clearing a mail gateway and convincing a recipient it came from somewhere legitimate. Strip away the malware framework and what is left is a phishing email built to impersonate correspondence a business would normally trust without a second look.

Borrowing a Security Vendor’s Name to Sell the Lie

The choice to label a decoy folder “Mimecast Secure File Logs” is not incidental. It borrows credibility from a brand recipients associate with email security itself, betting that a name synonymous with protection will lower the guard of someone who has already opened the archive. This is the same logic behind every brand impersonation campaign that spoofs a bank, a shipping carrier, or a software vendor: familiarity reduces scrutiny. The folder name only has to survive a glance.

What Would Have Stopped This Before the Malware Ever Ran

Here is the part that belongs on every domain owner’s radar. If the spoofed legal document email used the exact From domain of a real law firm or business partner rather than a look-alike, a DMARC policy enforced at p=reject on that domain would have caused the message to be rejected during the SMTP transaction, before it reached an inbox, before the ISO was ever mounted, before CrownX ever had a chance to disable a single backup. None of the malware’s sophistication, or lack of it, would have mattered, because the email carrying it would never have arrived. DMARC enforcement does not detect ISO smuggling or fake vendor folders. It does not need to. It removes the delivery vehicle before any of that comes into play.

That distinction is worth sitting with. Avalon’s authors clearly invested effort in defense evasion once the payload is running, evading Defender, SentinelOne, CrowdStrike, and half a dozen other endpoint tools by name. They invested comparatively little in making the malware itself elegant. The AI-assisted, slapped-together nature of the framework is exactly why the email had to work so hard to get the ISO opened in the first place, and exactly why domain-level authentication, which stops the email regardless of what is inside it, remains the highest-leverage control available.

The Takeaway

Sophisticated ransomware chains still start the same way most of them always have: an email that looks like it came from somewhere the recipient trusts. The technical creativity inside the ISO does not change that fact, it just raises the stakes for what happens if the email gets through. Enforcing DMARC on your own domains does not stop attackers from registering look-alikes, but it does stop anyone from using your exact domain to deliver the next Avalon-style lure to your customers, your partners, or your own staff.


Sophisticated malware only matters after a spoofed email gets past your defenses. Sign up for free to Excello Mail and enforce DMARC on your domains so an exact impersonation of your business is rejected before it ever reaches an inbox.