This Phishing Email Passed SPF, DKIM, and DMARC. It Was Still Malicious.

TL;DR: Attackers sent a credential harvesting email through Amazon SES, passing full SPF, DKIM, and DMARC validation. The message impersonated a Microsoft document-sharing notification using a pixel-perfect template while embedding Canva marketing infrastructure in the footer. A single malicious CTA directed recipients to a compromised WordPress site hosting a phishing form under a /wp-admin/ path. Microsoft 365 scored it as junk but still delivered it to the inbox. IRONSCALES quarantined the message automatically. Full email authentication is not proof of safety.
Severity: High. Tags: Credential Harvesting, Brand Impersonation, Infrastructure Abuse. MITRE ATT&CK: T1566.002, T1656, T1584.006.

A senior executive at a cybersecurity firm received a Microsoft document-sharing notification that passed every email authentication check: SPF, DKIM, and DMARC all returned clean. The sending infrastructure was Amazon SES. The template was a near-perfect Microsoft Word notification. The footer belonged to Canva. And the single call-to-action button routed to a /wp-admin/ path on a compromised website.

This is what modern credential harvesting looks like when attackers stop trying to spoof and start borrowing.

The campaign chained three distinct trust signals into a single delivery: a legitimate cloud email service with full authentication, a familiar brand template designed to suppress suspicion, and a compromised domain hosting the actual phishing form. Each layer was built to survive a different type of security control.

Full Authentication, Zero Legitimacy

The email arrived from support@nrequine[.]com[.]au, a compromised Australian small-business domain. It was relayed through Amazon SES (a4-6.smtp-out.eu-west-1.amazonses[.]com), which meant the message carried valid DKIM signatures for both the sending domain and amazonses[.]com. SPF passed because Amazon SES IP 54[.]240[.]4[.]6 is a designated sender for the SES domain. DMARC passed with compauth=pass reason=100.

Microsoft 365 assigned the email a Spam Confidence Level (SCL) of 5, routing it to Junk. That means the message still landed in the user's mailbox, just one click away from the primary inbox. According to Microsoft's Digital Defense Report 2024, cloud email infrastructure abuse has become one of the fastest-growing initial access vectors precisely because authentication protocols validate infrastructure, not intent.

This maps directly to MITRE ATT&CK T1566.002 (Spearphishing Link) for the delivery mechanism and T1584.006 (Compromise Infrastructure: Web Services) for the SES relay abuse.

The Frankenstein Template: Microsoft Body, Canva Skeleton

The email body presented a "Document Updated" notification styled to match Microsoft Word's sharing alerts. It included the Microsoft logo (reconstructed via HTML table cells, not an image), a blue header bar, a document details table listing a filename and recipient address, and a "View Document" CTA button styled in Microsoft's signature #2B579A blue. The footer carried Privacy Statement, Notification Settings, Support, and Legal links pointing to real microsoft[.]com pages.

But the HTML source told a different story. The email's outer scaffold was a Canva marketing email template, complete with Canva Sans Display web fonts loaded from braze-images[.]com, Canva's "Get Canva for iPhone/iPad/Android" footer block, and engage[.]canva[.]com tracking links. The HTML title tags referenced "Enjoy free delivery on marketing prints" and "Hi Csbvanillasandbox, get professional prints." The attacker had embedded a custom Microsoft phishing payload inside a hijacked Canva marketing email template.

This multi-brand impersonation maps to MITRE ATT&CK T1656 (Impersonation). The Verizon DBIR 2024 reports that pretexting attacks, which include brand impersonation, appear in 73% of social engineering incidents. Combining two trusted brands in a single message creates conflicting visual signals that make manual triage harder.


The WordPress Kill Chain

The "View Document" button linked to hxxps://hch[.]rencontrer[.]top/wp-admin/mami/. The /wp-admin/ path is significant. It indicates the attacker either compromised the WordPress administrative interface or exploited an unpatched plugin to upload a phishing form behind the admin directory. WHOIS records show rencontrer[.]top was registered in June 2023 and updated recently, with registrant details redacted.

Using a subdomain (hch) on a cheap gTLD (.top) provides disposable infrastructure. The FBI IC3 2024 Report documented $2.7 billion in losses from business email compromise and phishing schemes, with compromised legitimate websites serving as the primary hosting mechanism for credential harvesting pages.

The email also included an artificial urgency cue: "This link will expire in 7 days." According to the CISA Phishing Guidance, time-pressure language is one of the top social engineering indicators that security awareness training should target. The document reference ("Q4_Strategy_Review.docx") and personalization with the recipient's actual email address added further credibility.

Why the SEG Missed and Themis Didn't

Microsoft 365's native filtering scored this email SCL:5 (junk) rather than SCL:9 (high-confidence spam/phish). The authentication stack was valid. The sending IP belonged to Amazon. The Microsoft brand links in the footer resolved to real Microsoft pages. From a reputation and authentication standpoint, this email looked clean.

Themis, the IRONSCALES Adaptive AI, classified the message as phishing with 90% confidence and quarantined it within five seconds of delivery. The detection was driven by three converging signals: the malicious URL verdict on the "View Document" link, community intelligence matching the email to previously reported phishing patterns, and the first-time sender flag from an unrecognized domain.

This is the SEG augmentation use case in practice. Authentication-based controls pass messages that authentication-abusing attackers specifically engineer to pass. Behavioral and community-driven AI catches what reputation systems cannot.

Indicators of Compromise

Type    | Indicator                                     | Context
URL     | hxxps://hch[.]rencontrer[.]top/wp-admin/mami/ | Credential harvesting landing page
Domain  | hch[.]rencontrer[.]top                        | Compromised WordPress host
Domain  | rencontrer[.]top                              | Parent domain, registered June 2023
Domain  | nrequine[.]com[.]au                           | Compromised sender domain (Australian SMB)
IP      | 54[.]240[.]4[.]6                              | Amazon SES outbound relay
Email   | support@nrequine[.]com[.]au                   | Attacker-controlled sender address

What to Do About It

Block the IOCs above at your email gateway and web proxy. Add rencontrer[.]top and all subdomains to your domain blocklist. Flag nrequine[.]com[.]au until the domain owner remediates.

Stop trusting authentication as a phishing signal. SPF, DKIM, and DMARC verify sender infrastructure, not sender intent. Any phishing email sent through a compromised legitimate service will pass all three. Build detection workflows that evaluate content, behavior, and context independently of authentication results.
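The following is an added example, not IRONSCALES or Themis code, of the workflow this paragraph and the "SEG augmentation" point above describe: it records the SPF/DKIM/DMARC result but gives it no weight, and scores the content and context signals the post walks through (first-time sender, a CTA that leaves the claimed brand, a /wp-admin/ landing path, a second brand's template links, a time-pressure cue). The sample message, the KNOWN_SENDERS list and the BRANDS map are constructed assumptions; nothing is fetched.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Constructed sample modelled on the message described in the post (indicators written
# as plain hostnames so urlparse can handle them; no real payload, nothing is fetched).
SAMPLE = (
    "From: Microsoft <support@nrequine.com.au>\n"
    "To: exec@example.com\n"
    "Subject: Document Updated: Q4_Strategy_Review.docx\n"
    "Authentication-Results: spf=pass smtp.mailfrom=amazonses.com;"
    " dkim=pass header.d=nrequine.com.au; dmarc=pass action=none\n"
    "Content-Type: text/html; charset=utf-8\n\n"
    "<html><head><title>Enjoy free delivery on marketing prints</title></head>"
    "<body><p>Microsoft Word: a document you have access to was updated.</p>"
    '<a href="https://hch.rencontrer.top/wp-admin/mami/">View Document</a>'
    "<p>This link will expire in 7 days.</p>"
    '<a href="https://www.microsoft.com/privacy">Privacy Statement</a>'
    '<a href="https://engage.canva.com/track">Get Canva for iPhone</a></body></html>'
)
KNOWN_SENDERS = {"example.com", "microsoft.com"}   # assumption: the org's seen-sender history
BRANDS = {"microsoft": "microsoft.com", "canva": "canva.com"}  # assumption: brand -> real domain
CTA_WORDS = re.compile(r"view|open|review|sign in|document", re.I)
URGENCY = re.compile(r"expires? in \d+ (?:day|hour)s?", re.I)

def triage(raw):
    msg = message_from_string(raw, policy=default)
    html = msg.get_body(preferencelist=("html",)).get_content()
    auth = str(msg.get("Authentication-Results", "")).lower()
    # Authentication is recorded for the analyst but contributes nothing to the verdict.
    authenticated = all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc"))
    findings = []
    from_domain = msg["From"].addresses[0].domain.lower()
    if from_domain not in KNOWN_SENDERS:
        findings.append(f"first-time sender domain {from_domain}")
    claimed = {b for b in BRANDS if b in str(msg["From"]).lower()}  # brand in display name
    foreign = set()
    for href, text in re.findall(r'<a href="([^"]+)">([^<]+)</a>', html, re.I):
        host, path = urlparse(href).hostname or "", urlparse(href).path
        if "/wp-admin/" in path:                         # phishing form behind a CMS admin dir
            findings.append(f"link into a CMS admin path: {host}{path}")
        if CTA_WORDS.search(text) and not any(host.endswith(BRANDS[b]) for b in claimed):
            findings.append(f"CTA '{text}' leaves the claimed brand for {host}")
        foreign |= {b for b in BRANDS if host.endswith(BRANDS[b]) and b not in claimed}
    for b in sorted(foreign):                            # e.g. Canva scaffold under a Microsoft skin
        findings.append(f"template links to unrelated brand {b}")
    if URGENCY.search(html):
        findings.append("time-pressure cue: " + URGENCY.search(html).group(0))
    verdict = "phishing" if len(findings) >= 3 else "suspicious" if findings else "clean"
    return {"authenticated": authenticated, "findings": findings, "verdict": verdict}
```

Run against SAMPLE, the message is fully authenticated yet produces five independent findings and a "phishing" verdict; the thresholds and word lists are illustrative and would be tuned to your own mail flow.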

Audit WordPress exposure in your attack surface. If your organization hosts WordPress sites, ensure /wp-admin/ paths are restricted by IP allowlist or VPN. Unpatched WordPress admin panels are commodity phishing infrastructure.

Layer AI-driven detection on top of your SEG. This email was authenticated, branded, and structurally sound. It beat Microsoft's native scoring. The difference between "junk folder" and "quarantined" is the difference between a user clicking and a user never seeing it. The Gartner Email Security market increasingly reflects this reality: organizations need behavioral analysis that operates independently of reputation and authentication signals.

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 30,000+ security professionals. Each post breaks down one attack — what it looked like, why it worked, and what you can do about it.
