TL;DR A compromised government (.gov) mailbox passed SPF, DKIM, and DMARC and reached a technology company inbox with clean authentication. The only visible tell was linguistic: a Spanish-language government account sent a Turkish subject line and body, soliciting the recipient to continue on a personal webmail address. No link, no attachment, nothing for a scanner to detonate. Behavioral analysis caught the first-time sender, the locale mismatch, and the off-channel ask, quarantining the message within minutes. The lesson: authentication verifies a domain, not the intent of the human, or attacker, behind a valid account.
Severity: High Account Takeover Phishing Social Engineering MITRE: T1078 MITRE: T1566

A government mailbox in South America passed every authentication check email security has. SPF, DKIM, DMARC: all green. The sending domain was a real sovereign .gov address. The account belonged to a real, named public employee. And the message it sent was written in Turkish.

That last detail is the whole story.

The recipient was a customer service employee at a global technology company. The subject line read Bilgi., Turkish for "Info." The body, also Turkish, pitched a vague "personal project" and asked the recipient to reply on a private webmail address. Everything the protocol layer could measure said this email was trustworthy. Everything a human would notice said it was not.

An Authenticated Account That Should Not Have Been Speaking Turkish

Start with what passed. The message routed from the government agency's own mail server through Microsoft protection infrastructure. SPF returned pass. DKIM validated against the agency's domain. DMARC aligned and passed. Microsoft composite authentication scored compauth=100, the maximum. There was no spoofing here, no lookalike domain, no header forgery. The email genuinely originated from the .gov account it claimed.

Now the mismatch. The mailbox's own locale settings advertised Spanish. The message metadata declared a Spanish content language consistent with the agency's country. The account's historical language, its region, its entire footprint pointed one direction. The words on the page pointed another. A Spanish-language government account had just sent a Turkish subject line and a Turkish body to a stranger.

Authentication is a statement about a domain. It is not a statement about the person, or the attacker, sitting at the keyboard.

Why the Gateway Had Nothing to Grab

This is what makes account takeover so effective against filtering built for spoofing. When an attacker controls a legitimate mailbox, the mail inherits every trust signal the real owner earned. There is no malformed SPF record to flag, no unaligned DMARC to quarantine, no freshly registered domain to score as risky. The reputation belongs to a sovereign government, and it transfers cleanly to the attacker's message.

The payload made detection harder still. No attachment. No credential-harvesting link. The only URLs in the message pointed to legitimate Microsoft support pages, and they scanned clean. There was nothing to detonate in a sandbox, nothing to blocklist, nothing a signature would match. The entire attack was a sentence: reply to me privately.

That pattern is not an outlier. According to the 2024 Verizon Data Breach Investigations Report, stolen credentials were involved in 38 percent of breaches, and valid-account abuse is a primary reason authenticated mail slips past controls tuned to catch forgery. The Microsoft Digital Defense Report 2024 makes the same point about identity: once an account is taken over, the attacker operates with the victim's trust, not their own.

The Session Origin Told on the Attacker

Underneath the clean authentication, the headers held a second contradiction. The account's outbound mail normally leaves through the agency's in-country infrastructure. This message carried an originating client IP that sat outside that infrastructure entirely. The domain was authentic. The session behind it was not where the agency's mail comes from.

Put the two anomalies together and the shape is unmistakable. Someone logged into a Spanish-speaking government mailbox from a location the account never uses, then composed a message in a language the account never sends. This is account takeover in its purest form, mapped cleanly to MITRE ATT&CK T1078 (Valid Accounts) layered over T1566 (Phishing). The attacker did not defeat authentication. They inherited it.

See Your Risk: Calculate how many threats your SEG is missing

The Ask Was Designed to Leave No Trace

The request itself was quiet by design. The body offered no invoice, no urgency, no wire instructions. It asked only that the recipient continue the conversation on a personal free-webmail (Outlook) reply address rather than the government account.

That single move is the opening play of a longer con. Shifting to a private channel removes the exchange from corporate mail security, from retention, from monitoring, and from any colleague who might glance at the thread. The later messages, the ones that ask for money or credentials or a favor, never touch a system that could inspect them. The FBI Internet Crime Complaint Center has tracked this progression for years: its 2023 IC3 report attributes billions in losses to business email compromise that begins exactly this way, with a trusted-looking contact steering the target somewhere unwatched.

What Actually Caught It

Nothing in the authentication stack could stop this message, so something else had to. Themis, the IRONSCALES agentic AI analyst, evaluated the email on behavior rather than protocol results. It weighed the first-time sender to this mailbox, the elevated sender risk, the locale-and-language inconsistency, and the off-channel ask, then correlated the pattern against threats already seen across the IRONSCALES community of security teams. The message was quarantined within minutes of delivery, before the recipient could act on it.

No single signal here was a smoking gun. A first-time sender is common. A short body is common. It was the combination, read the way an experienced analyst would read it, that exposed a valid account doing something its owner never would. That is the work adaptive AI on the IRONSCALES platform is built for.

TypeIndicatorContext
AuthenticationSPF / DKIM / DMARC pass, compauth=100Legitimate government domain; results reflect a compromised valid account, not a spoof
Session origin197[.]210[.]76[.]32Originating client IP outside the agency's in-country mail infrastructure
Subject lineBilgi.Turkish for "Info," inconsistent with the sender's Spanish-language locale
Body languageTurkish prose from a Spanish-language government accountLanguage and locale mismatch, primary behavioral tell
Reply channelPersonal free-webmail (Outlook) addressOff-channel destination for the solicitation

The Sender Was Real. The Intent Was Not.

Treat this case as a standing reminder that a green authentication result answers one question and only one: did this domain send this message? It says nothing about whether the person operating the account is the person who should be.

Build detection that reads the human signals. Flag first-time senders paired with off-channel asks. Watch for language and locale that do not match the account's history. Treat session origins that fall outside an account's normal geography as worth a second look. And accept that DMARC, essential as it is, will wave through a compromised legitimate mailbox every time. The domain that "spoke the wrong language" passed every check we asked of it. The tell was never in the protocol. It was in the words.

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack. What it looked like, why it worked, and what to do about it.

Related attacks

Attack What happened
Microsoft Bookings as a Weapon: When DMARC Says Trust Me and ARC Quietly DisagreesA phishing email sent from bookings.microsoft.com passed every authentication check.
The Payload Was a Phone Number: How a Google Calendar Invite Weaponized VishingA Google Calendar invite with a fake $399.77 charge and a toll-free callback number.
Fake AI Conference, Real Authentication: How Attackers Weaponized Lu.ma to Bypass Every Email CheckAttackers registered a fake AI conference on lu.ma and sent phishing emails through the platform's own Amazon SES pipeline.
Password-Protected PDFs Are the New Sandbox Killer: How a Compromised .gov Account Delivered an Unopenable PayloadA compromised government education account sent a password-protected PDF with the passcode in the email body, bypassing every automated scanner.
Legal Threat in Your Inbox: How a Gmail Shortlink Hides a Credential-Harvest DestinationA sender using a free Gmail account and a fabricated professional title sent mass-BCC legal-threat messages.

Explore More Articles

Say goodbye to Phishing, BEC, and QR code attacks. Our Adaptive AI automatically learns and evolves to keep your employees safe from email attacks.