
Every Authentication Check Failed. An Allow-List Let It Through Anyway.

Written by Audian Paxson | Nov 16, 2025 5:15:00 AM
TL;DR: An attacker spoofed communications@Mail[.]aircanada[.]com from an Australian consumer ISP address. SPF failed (sending IP not authorized), DKIM was absent, DMARC failed against an oreject policy, and composite authentication returned fail. Despite total authentication failure, the message was assigned SCL=-1 (allow-listed) and delivered to the inbox. The email impersonated the Aeroplan loyalty program with a bonus rewards lure and a SIGN IN call-to-action pointing to a credential harvesting page hosted on islandleighanna-org[.]us[.]stackstaging[.]com. The phishing kit was seasonally mismatched, referencing spring travel in a November delivery. IRONSCALES Themis flagged the message at 85% confidence based on the malicious link and suspicious wording patterns.

Severity: High | Tags: Impersonation, Credential Harvesting, Authentication Bypass | MITRE ATT&CK: T1566.002, T1656, T1204.001

SPF failed. DKIM was absent. DMARC failed against an oreject policy. Composite authentication returned fail. Four separate signals told the mail system this message was not sent by Air Canada.

The message reached the inbox anyway. SCL=-1 in the headers confirmed it: an allow-list overrode every authentication verdict, and a credential harvesting lure landed in front of the recipient without a single filter intervening.

An Australian IP Pretending to Be a Canadian Airline

The email arrived at a Canadian nonprofit organization, claiming to be from communications@Mail[.]aircanada[.]com. The subject line read "Aeroplan - You Qualify For A Bonus," and the body offered an 80% bonus on Aeroplan points with a large blue SIGN IN button as the sole call to action.

The sending IP was 60.241.243.250, which reverse-resolved to 60-241-243-250.static.tpgi.com.au, a residential address on Australia's TPG Telecom consumer ISP network. The HELO string was tpgtelecom.com.au. A consumer broadband connection in Melbourne was transmitting email as a Canadian airline's loyalty program.

Air Canada's SPF record for Mail[.]aircanada[.]com authorizes only two /24 CIDR blocks: 172.82.216.0/24 and 172.82.220.0/24, with a hard -all terminator. The Australian IP fell outside both ranges. SPF returned fail. No DKIM signature was present on the message. No DMARC TXT record existed for _dmarc.Mail[.]aircanada[.]com, but the organizational domain's DMARC policy of p=oreject applied. DMARC returned fail. Microsoft's composite authentication check returned compauth=fail.

Every authentication mechanism available returned a negative verdict. And the message was delivered.

The Allow-List Problem

The SCL (Spam Confidence Level) header in the delivered message read -1. In Exchange Online, SCL=-1 means the message bypassed spam filtering entirely. This value is assigned when a mail flow rule, IP allow-list, or safe sender entry instructs the system to skip evaluation.

This is the allow-list problem. Organizations build allow-lists to ensure legitimate mail from trusted partners flows without friction. But allow-lists are static trust decisions applied to dynamic threat conditions. An overly broad allow-list entry, one that matches on sender domain rather than authenticated sender identity, will wave through a spoofed message just as readily as a legitimate one.

The Verizon 2025 DBIR found credential theft and phishing remain the top initial access vectors, with brand impersonation among the most effective social engineering tactics. The Microsoft Digital Defense Report 2024 specifically calls out allow-list misconfigurations as a contributor to phishing delivery, noting that administrative overrides frequently undermine the protections that authentication protocols are designed to provide.

The Credential Harvesting Infrastructure

The SIGN IN button linked to:

hxxps://islandleighanna-org[.]us[.]stackstaging[.]com/template/images/ntsa/2/h/

The domain stackstaging[.]com is a legitimate web hosting platform's staging environment. The attacker created the subdomain islandleighanna-org as a project space and deployed the credential harvesting page under a /template/images/ path designed to look like a static assets directory. The subdomain resolved to 185.146.165.97. No SPF, DKIM, DMARC, or DNSSEC records existed for the subdomain.

Staging subdomains inherit the TLS certificate and reputation of the parent hosting platform, making them harder for URL scanners to flag. The phishing page is disposable: if the subdomain is reported, the attacker spins up a new project space and deploys an identical kit under a different name.

One additional tell: the email body referenced "spring" travel and "winter trips" despite arriving in November. The phishing kit was recycled from an earlier campaign without updating the seasonal references, a common artifact of kit reuse at scale.

MITRE ATT&CK Mapping

Technique | ID | Application
Spearphishing Link | T1566.002 | SIGN IN CTA linking to a credential harvesting page on a staging subdomain
Impersonation | T1656 | Sender address spoofed as Air Canada's Aeroplan loyalty program; brand template replicated with logo and formatting
User Execution: Malicious Link | T1204.001 | Single-button CTA designed to drive click-through to the credential capture form

What the Adaptive AI Flagged

IRONSCALES Themis, the platform's adaptive AI engine, flagged this message at 85% confidence. The primary detection signals were the malicious link verdict on the SIGN IN destination and suspicious wording patterns consistent with phishing templates. The authentication failures reinforced the classification but were not the initial trigger.

The distinction matters. Authentication checks are binary: pass or fail. In this case, every check failed, but the allow-list nullified the result. The detection that stopped the attack was behavioral, not protocol-based. Adaptive AI evaluated the link destination, the wording patterns, and the sender's relationship history with the recipient organization. A human analyst confirmed the verdict based on the geographic mismatch between the sending IP and the claimed brand identity. Post-delivery protection that operates independently of gateway verdicts caught what the allow-list let through.

The FBI IC3 2024 report documented $2.9 billion in BEC losses, with brand impersonation driving a significant share of credential theft that enables downstream account takeover. The CISA phishing guidance recommends organizations audit allow-lists regularly and scope them to authenticated identities rather than envelope sender domains.


IOCs and Behavioral Signals

Indicator | Type | Context
islandleighanna-org[.]us[.]stackstaging[.]com | Domain | Credential harvesting page hosted on a staging subdomain
185.146.165.97 | IPv4 Address | Resolved IP for the credential harvesting subdomain
60.241.243.250 | IPv4 Address | Sending IP, Australian TPG consumer ISP, unauthorized for Mail[.]aircanada[.]com
60-241-243-250.static.tpgi.com.au | PTR Record | Reverse DNS for the sending IP, confirming a residential Australian ISP
communications@Mail[.]aircanada[.]com | Spoofed Sender | Return-Path and From address; SPF fail / DKIM none / DMARC fail
SCL=-1 | Auth Signal | Allow-list bypass; spam filtering skipped despite total authentication failure
X-Mailer: Microsoft Outlook Express 6.00.2800.1081 | Header Artifact | Discontinued mail client (circa 2001), consistent with fabricated or legacy headers
Seasonal mismatch (spring/winter copy in November) | Behavioral | Recycled phishing kit with stale seasonal references

The Defensive Takeaway

Allow-lists are a trust decision, and trust decisions need maintenance. An allow-list that matches on the From: domain without requiring SPF or DKIM alignment will honor every spoofed message that claims that domain. When DMARC returns fail against an oreject policy and the message still reaches the inbox, the defensive gap is not in the protocol. It is in the administrative override that bypassed it.

The fix is not to eliminate allow-lists. It is to scope them to authenticated identities: allow messages from aircanada.com only when SPF or DKIM alignment confirms the message actually originated from Air Canada infrastructure. Static domain-based allow-lists applied to unauthenticated senders create a permanent bypass channel that attackers can exploit without building any infrastructure of their own.
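The following is an added example, not code from the article or from IRONSCALES. It ties together three points above: evaluating the Mail.aircanada.com SPF record against the Australian sending IP, gating an allow-list on an authenticated identity instead of the bare From: domain, and hunting for the SCL=-1-despite-compauth=fail combination in delivered mail. The Authentication-Results text is constructed from the verdicts the article reports; the SPF record string is reconstructed from the two CIDR blocks and -all terminator it describes.

```python
import ipaddress
import re

# Reconstructed from the article: two /24 blocks and a hard fail terminator.
SPF_RECORD = "v=spf1 ip4:172.82.216.0/24 ip4:172.82.220.0/24 -all"

# Constructed headers mirroring the verdicts described in the article
# (Exchange Online header names are real; the reason text is illustrative).
SAMPLE_HEADERS = {
    "Authentication-Results": (
        "spf=fail (sender IP is 60.241.243.250) smtp.mailfrom=Mail.aircanada.com; "
        "dkim=none (message not signed) header.d=none; "
        "dmarc=fail action=oreject header.from=Mail.aircanada.com; "
        "compauth=fail"
    ),
    "X-MS-Exchange-Organization-SCL": "-1",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record, sender_ip):
    """Minimal SPF evaluator: ip4 mechanisms with qualifiers plus the 'all' terminator."""
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mechanism = term.lstrip("+-~?")
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism.startswith("ip4:"):
            if ip in ipaddress.ip_network(mechanism[4:], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' present


def parse_auth_results(header):
    """Extract the spf/dkim/dmarc/compauth verdicts from an Authentication-Results header."""
    return dict(re.findall(r"\b(spf|dkim|dmarc|compauth)=(\w+)", header))


def allowlist_may_apply(auth):
    """Scoped allow-list: honor the entry only when DMARC passed, i.e. an aligned
    SPF or DKIM result tied the From: domain to the sender (the article's fix)."""
    return auth.get("dmarc") == "pass"


def is_allowlist_bypass(headers):
    """Hunt signal: filtering skipped (SCL -1) while composite authentication failed."""
    auth = parse_auth_results(headers["Authentication-Results"])
    scl = headers["X-MS-Exchange-Organization-SCL"].strip()
    return scl == "-1" and auth.get("compauth") == "fail"
```

Run the hunt function over exported message traces to surface every delivered message where an override, rather than an authentication pass, produced the SCL=-1 verdict.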

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 30,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.