SPF, DKIM, and DMARC All Passed. The Sender Was a State Attorney General.

TL;DR A phishing email sent from a U.S. state Attorney General's office domain passed SPF, DKIM, and DMARC with full alignment. The sender was a verifiable government employee. The message urged the recipient to 'Open Message' before an expiration deadline, but the CTA linked to bigurl[.]io, a URL shortener registered in 2023 behind Cloudflare with minimal ownership attribution. Secondary links pointed to uxfol[.]io, a portfolio-builder platform registered in 2017. Address and phone inconsistencies in the email footer, combined with grammar oddities in the body, indicated the account was compromised rather than the sender acting intentionally.
Severity: Critical
Tags: Credential Harvesting, Account Compromise
MITRE ATT&CK: T1566.002 (Phishing: Spearphishing Link); T1078 (Valid Accounts)

The email came from a U.S. state government domain. Not a lookalike. Not a spoofed header. The actual .gov domain of a state Attorney General's office, sending from IP 168[.]166[.]15[.]220 through the state's own mail infrastructure. SPF passed. DKIM passed. DMARC passed with full alignment.

The sender was a real person. Their name appears in publicly available materials from the Attorney General's office. The email address was legitimate. The account, by every technical measure, was authorized to send.

The CTA read "Open Message" and included an expiration date. The link pointed to bigurl[.]io.

When the Domain Is Real but the Message Is Not

Government domains carry implicit trust. Email security gateways weight .gov reputation heavily because these domains historically have strong authentication policies and low abuse rates. When a .gov account is compromised, the attacker inherits all of that accumulated trust, plus full SPF, DKIM, and DMARC alignment that cannot be distinguished from legitimate mail by authentication alone.

The CTA linked to bigurl[.]io, a URL shortening service registered in 2023 behind Cloudflare with minimal ownership attribution. The shortened URL obscured the actual destination, preventing both recipients and inline link scanners from evaluating where the click would lead. Secondary links in the message pointed to uxfol[.]io, a portfolio-builder platform registered in 2017.

Neither bigurl[.]io nor uxfol[.]io has any association with a state government office. A legitimate Attorney General communication would link to .gov or .state domains, not to third-party URL shorteners and portfolio builders.

The Inconsistencies That Authentication Cannot Catch

The email contained several signals that the account was compromised rather than the sender acting intentionally.

Address and phone number fields in the email footer did not match publicly available contact information for the Attorney General's office. Grammar irregularities in the message body were inconsistent with the professional communication standards typical of government correspondence. The urgency framing, with a specific expiration date of January 24, 2026, is a common social engineering pattern designed to prevent the recipient from verifying the request through other channels.

These are not signals that SPF, DKIM, or DMARC evaluate. Authentication confirms that the infrastructure was authorized to send the message. It does not confirm that the person who composed and sent it was the account owner.

What Separated Detection From Delivery

The credential harvesting attempt was identified through behavioral signals that operate independently of authentication results. A government sender with no prior relationship to the recipient organization, CTA links pointing to infrastructure unrelated to any government function, and urgency language with an artificial deadline created a risk profile that authentication-only defenses would miss entirely.

The .gov domain made this email more dangerous than a typical phishing attempt, not less. The trust that government infrastructure carries is precisely what made the compromise valuable to the attacker.
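The checks described above (authentication result, link destinations versus the sender's own domain, shortener use, urgency language with a deadline, and whether the sender is already known) can be expressed as a small behavioural triage routine. The following Python is an added example, not code from the original post or from IRONSCALES; the sample message, the example.gov sender address, the shortener list and the `known_sender` flag standing in for a prior-relationship lookup are all assumptions, and the shortener and portfolio hosts are the ones named in the write-up.

```python
"""Behavioural triage for an email that passes SPF/DKIM/DMARC (added example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Illustrative shortener list: bigurl.io is the host from the case above, the
# rest are well-known public shorteners. A real deployment would use a feed.
SHORTENER_HOSTS = {"bigurl.io", "bit.ly", "tinyurl.com", "is.gd", "t.co"}

# Constructed sample message modelled on the case: every authentication check
# passes, but the call-to-action links away from any government domain.
SAMPLE_EML = (
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=ago.example.gov; "
    "dkim=pass header.d=ago.example.gov; dmarc=pass header.from=ago.example.gov\n"
    'From: "J. Doe" <jdoe@ago.example.gov>\n'
    "To: finance@example.net\n"
    "Subject: Secure message waiting\n"
    'Content-Type: text/html; charset="utf-8"\n'
    "\n"
    "<html><body>\n"
    "<p>You have a secure message. This link will expire on January 24, 2026.</p>\n"
    '<p><a href="https://bigurl.io/abc123">Open Message</a></p>\n'
    '<p><a href="https://uxfol.io/someuser">Office portfolio</a></p>\n'
    "</body></html>\n"
)

MONTHS = "January|February|March|April|May|June|July|August|September|October|November|December"
URGENCY_RE = re.compile(r"\b(expir\w*|deadline|within \d+ (?:hours|days))\b", re.IGNORECASE)
DATE_RE = re.compile(rf"\b(?:{MONTHS}) \d{{1,2}}, \d{{4}}\b")


def parse_auth_results(msg):
    """Return {'spf': 'pass', 'dkim': ..., 'dmarc': ...} from Authentication-Results."""
    header = str(msg.get("Authentication-Results", ""))
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.IGNORECASE)
    return {k.lower(): v.lower() for k, v in pairs}


def sender_domain(msg):
    """Domain part of the From: address, lower-cased."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def get_text(msg):
    """Body text, preferring the HTML part (where the CTA links live)."""
    body = msg.get_body(preferencelist=("html", "plain"))
    return body.get_content() if body is not None else ""


def extract_links(text):
    """Crude href extraction; enough for the triage shown here."""
    return re.findall(r'href="([^"]+)"', text, re.IGNORECASE)


def is_sender_owned(host, sender_dom):
    """True if the link stays on the sender's domain or within the .gov space."""
    return host == sender_dom or host.endswith("." + sender_dom) or host.endswith(".gov")


def link_findings(links, sender_dom):
    """One finding per independent signal: shortener use and off-domain destinations."""
    findings = []
    for url in links:
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            findings.append(f"shortener hides destination: {host}")
        if not is_sender_owned(host, sender_dom):
            findings.append(f"link leaves sender's domain: {host}")
    return findings


def urgency_findings(text):
    """Flag urgency wording, and attach the deadline if one is spelled out."""
    if not URGENCY_RE.search(text):
        return []
    dates = DATE_RE.findall(text)
    return ["urgency language" + (f" with deadline {dates[0]}" if dates else "")]


def assess(raw, known_sender=False):
    """Combine authentication state with behavioural findings into a verdict.

    known_sender stands in for a prior-relationship lookup (assumed interface).
    """
    msg = message_from_string(raw, policy=policy.default)
    dom = sender_domain(msg)
    text = get_text(msg)
    findings = link_findings(extract_links(text), dom) + urgency_findings(text)
    if not known_sender:
        findings.append(f"no prior relationship with sender domain {dom}")
    # Authentication passing is recorded but never lowers the score: it only
    # says the infrastructure was authorised, not that the account owner sent it.
    verdict = "suspicious" if len(findings) >= 2 else "clean"
    return {"auth": parse_auth_results(msg), "sender_domain": dom,
            "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    result = assess(SAMPLE_EML)
    print(result["auth"], result["verdict"])
    for f in result["findings"]:
        print(" -", f)
```

Run against the sample, the routine reports all three authentication checks as pass and still returns a suspicious verdict, because the findings list carries the shortener, two off-domain links, the dated deadline and the unknown-sender signal. The same message from a sender in the organisation's contact history, linking only to its own .gov host and with no deadline, produces no findings at all.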


Indicators of Compromise

Type | Indicator | Context
Sending Domain | [redacted][.]gov | U.S. state Attorney General's office (compromised account)
Sending IP | 168[.]166[.]15[.]220 | State government mail infrastructure
CTA Domain | bigurl[.]io | URL shortener, registered 2023, Cloudflare, minimal attribution
Secondary Domain | uxfol[.]io | Portfolio builder platform, registered 2017
Auth Results | SPF: pass, DKIM: pass, DMARC: pass | Full authentication from .gov domain
Urgency Indicator | Expiration date January 24, 2026 | Artificial deadline to prevent verification

MITRE ATT&CK Mapping

Technique | ID | Relevance
Phishing: Spearphishing Link | T1566.002 | Government-sourced email with URL shortener CTA
Valid Accounts | T1078 | Compromised government employee account used as sending platform

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
