The email came from a U.S. state government domain. Not a lookalike. Not a spoofed header. The actual .gov domain of a state Attorney General's office, sending from IP 168[.]166[.]15[.]220 through the state's own mail infrastructure. SPF passed. DKIM passed. DMARC passed with full alignment.
The sender was a real person. Their name appears in publicly available materials from the Attorney General's office. The email address was legitimate. The account, by every technical measure, was authorized to send.
The call to action (CTA) read "Open Message" and included an expiration date. The link pointed to bigurl[.]io.
Government domains carry implicit trust. Email security gateways weight .gov reputation heavily because these domains historically have strong authentication policies and low abuse rates. When a .gov account is compromised, the attacker inherits all of that accumulated trust, plus full SPF, DKIM, and DMARC alignment that cannot be distinguished from legitimate mail by authentication alone.
The CTA linked to bigurl[.]io, a URL rewriting service registered in 2023 behind Cloudflare with minimal ownership attribution. The shortened URL obscured the actual destination, preventing recipients and inline scanners from evaluating where the click would lead. Secondary links in the message pointed to uxfol[.]io, a portfolio-builder platform registered in 2017.
Neither bigurl[.]io nor uxfol[.]io has any association with a state government office. A legitimate Attorney General communication would link to .gov or .state domains, not to third-party URL shorteners and portfolio builders.
The email contained several signals that the account was compromised rather than the sender acting intentionally.
Address and phone number fields in the email footer did not match publicly available contact information for the Attorney General's office. Grammar irregularities in the message body were inconsistent with the professional communication standards typical of government correspondence. The urgency framing, with a specific expiration date of January 24, 2026, is a common social engineering pattern designed to prevent the recipient from verifying the request through other channels.
These are not signals that SPF, DKIM, or DMARC evaluate. Authentication confirms that the infrastructure was authorized to send the message. It does not confirm that the person who composed and sent it was the account owner.
The credential harvesting attempt was identified through behavioral signals that operate independently of authentication results. A government sender with no prior relationship to the recipient organization, CTA links pointing to infrastructure unrelated to any government function, and urgency language with an artificial deadline created a risk profile that authentication-only defenses would miss entirely.
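The behavioral checks described above, as an added example that is not part of the original write-up: it parses a constructed message, records the SPF/DKIM/DMARC result separately, and then scores the signals authentication cannot express (first-contact sender, CTA links outside the sender's infrastructure, a URL shortener, a hard deadline). The sender address, display name, body text, shortener list and the two-finding threshold are assumptions; bigurl.io, uxfol.io and the January 24, 2026 date come from the case.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the message described above: the sender address,
# display name and body text are invented; bigurl.io, uxfol.io and the
# January 24, 2026 deadline are the values the write-up reports.
RAW = """\
Authentication-Results: mx.example.net; spf=pass; dkim=pass; dmarc=pass
From: Records Unit <records@ag.example-state.gov>
Content-Type: text/html

<p>A document has been shared with you.</p>
<p><a href="https://bigurl.io/x7k2">Open Message</a></p>
<p>This link expires on January 24, 2026.</p>
<p>Portfolio: <a href="https://uxfol.io/u/records">profile</a></p>
"""

SHORTENERS = {"bigurl.io", "bit.ly", "tinyurl.com"}  # illustrative list, not a feed
DEADLINE = re.compile(r"\b(expir\w*|deadline)\b[^.]{0,40}?([A-Z][a-z]+ \d{1,2}, \d{4})", re.I)

def assess(raw, known_senders=frozenset()):
    """Return (authenticated, findings): authenticated is True only when SPF, DKIM and
    DMARC all pass; findings are behavioural signals authentication cannot express."""
    msg = message_from_string(raw, policy=policy.default)
    _, sender = parseaddr(str(msg["From"]))
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))
    authenticated = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    body = msg.get_content()
    findings = []
    if sender.lower() not in known_senders:        # first contact with this sender
        findings.append("no prior relationship with sender")
    for url in re.findall(r'href="([^"]+)"', body):  # every CTA the recipient could click
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENERS:
            findings.append(f"url shortener hides destination: {host}")
        elif not (host == sender_domain or host.endswith("." + sender_domain) or host.endswith(".gov")):
            findings.append(f"link outside sender infrastructure: {host}")
    m = DEADLINE.search(body)                        # urgency tied to a hard date
    if m:
        findings.append(f"artificial deadline: {m.group(2)}")
    return authenticated, findings

def verdict(raw, known_senders=frozenset()):
    """Passing auth is neutral, not exculpatory; two or more findings flag the message (assumed threshold)."""
    _, findings = assess(raw, known_senders)
    return "suspicious" if len(findings) >= 2 else "allow"
```

A fully authenticated message still comes back "suspicious" here because the verdict never consults the authentication result; it only records it.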
The .gov domain made this email more dangerous than a typical phishing attempt, not less. The trust that government infrastructure carries is precisely what made the compromise valuable to the attacker.
| Type | Indicator | Context |
|---|---|---|
| Sending Domain | [redacted][.]gov | U.S. state Attorney General's office (compromised account) |
| Sending IP | 168[.]166[.]15[.]220 | State government mail infrastructure |
| CTA Domain | bigurl[.]io | URL shortener, registered 2023, Cloudflare, minimal attribution |
| Secondary Domain | uxfol[.]io | Portfolio builder platform, registered 2017 |
| Auth Results | SPF: pass, DKIM: pass, DMARC: pass | Full authentication from .gov domain |
| Urgency Indicator | Expiration date January 24, 2026 | Artificial deadline to prevent verification |

| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | Government-sourced email with URL shortener CTA |
| Valid Accounts | T1078 | Compromised government employee account used as sending platform |