industry · 2026-05-23 · 10 min read

My compliance inbox was leaking my IP+UA to an attacker for two months — the missing HTML escape in a 1099-NEC notification email

Bea (37), compliance ops engineer at Synaltix LLC in Albuquerque, opens a Monday 1099-NEC threshold alert email. At 11:42 a Recon-NG outbound monitoring rule fires: an HTTP GET to `cdn.fastservedelivery[.]com` from her IP, originating in Gmail. Forensics: a malicious affiliate had signed up with `full_name = "<img src=//evil/track.png>"`. When YTD crossed $612, the daily 1099-scan cron fired the alert email; Gmail rendered the HTML body and loaded the image, and the attacker's CDN logged Bea's corporate VPN IP, her Brave 1.66.115 UA, and the open timestamp. Compliance inbox retention is 7-30 years, so once leaked, the data is irrevocable. **PR #635 batch III F3** fix: `escapeHtml()` every interpolation. Subject lines stay plaintext (RFC 5322/2047). Pattern: in outbound HTML email, escape EVERY user-controlled `${var}`; the compliance inbox must not be a weaker security boundary than the customer browser.
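Added example, not the code from PR #635: the unescaped template beside its escaped form, rendering the 1099-NEC alert with a sign-up value like the one from the incident. `render1099Alert`, `renderUnsafe1099Alert`, `containsUnexpectedTags` and the `affiliate` object shape are assumed names for illustration.

```javascript
// Minimal HTML escaper: every character that can open a tag, attribute or
// entity is replaced, and non-strings are coerced so nothing bypasses it.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value ?? "").replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Subject is plain text (RFC 5322), so no HTML escaping; but CR/LF must go,
// otherwise a value could terminate the header and inject new header lines.
function plainSubject(fullName) {
  return `1099-NEC threshold reached: ${String(fullName ?? "").replace(/[\r\n]+/g, " ")}`;
}

// "Before": raw interpolation of attacker-controlled sign-up data into the body.
function renderUnsafe1099Alert(affiliate, ytd) {
  return {
    subject: plainSubject(affiliate.full_name),
    html: `<p>Affiliate <b>${affiliate.full_name}</b> crossed the 1099-NEC threshold with YTD $${ytd.toFixed(2)}.</p>`,
  };
}

// "After": every user-controlled ${var} passes through escapeHtml().
function render1099Alert(affiliate, ytd) {
  const name = escapeHtml(affiliate.full_name);
  const amount = escapeHtml(ytd.toFixed(2));
  return {
    subject: plainSubject(affiliate.full_name),
    html: `<p>Affiliate <b>${name}</b> crossed the 1099-NEC threshold with YTD $${amount}.</p>`,
  };
}

// Outbound check for a mail-sending pipeline: flag any tag the template
// itself did not emit (here the template only ever emits <p> and <b>).
function containsUnexpectedTags(html, allowedTags = ["p", "b"]) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowedTags.includes(t));
}

// Constructed sample input mirroring the sign-up value from the incident.
const maliciousAffiliate = { full_name: "<img src=//evil/track.png>" };

const unsafe = renderUnsafe1099Alert(maliciousAffiliate, 612);
const safe = render1099Alert(maliciousAffiliate, 612);
console.log("unsafe body leaks a tracking pixel:", containsUnexpectedTags(unsafe.html));
console.log("escaped body is inert:", !containsUnexpectedTags(safe.html));
```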


thMenu Team

thmenu.com
