TL;DR Attackers abused a legitimate nonprofit fundraising platform to send fully authenticated phishing emails that passed SPF, DKIM, and DMARC checks. The campaign targeted K-12 education staff with an application-themed lure, routing victims through OpenSSL-encrypted redirect tokens to a credential-harvesting page hosted on an unrelated domain. Community-driven threat intelligence and behavioral AI flagged the attack at 88% confidence despite clean authentication and automated link verdicts.
Severity: High | Category: Credential Harvesting, Platform Abuse | MITRE ATT&CK: T1566.002, T1598.003, T1036.005, T1204.001

SPF passed. DKIM passed. DMARC passed. Every authentication check returned clean, and the email was still phishing.

The campaign abused a legitimate nonprofit fundraising platform to send credential-harvesting lures to a K-12 school district. The subject line, "Thank you for your application," was simple, professional, and completely fabricated. No one at the district had submitted an application. But the email's authentication was flawless, the sending infrastructure was real, and every automated link scanner returned a clean verdict.

That's the problem with treating authentication as a proxy for trust.


A Clean Bill of Authentication on a Dirty Email

The email arrived from cody.fritsch@givingfunder[.]com, a sender address on a legitimate fundraising CRM platform. The sending IP, 185[.]255[.]9[.]25 (reverse-resolving to mnal-ny2[.]mta[.]cloud and geolocated to Jersey City, NJ), was listed as an authorized sender for the bounce domain. The Return-Path used the platform's standard bounce-address encoding, and the DKIM signature validated against givingfunder[.]com, the same domain the recipient saw in the From header.

Here's what the authentication results looked like:

  • SPF: Pass (sending IP authorized by the Return-Path domain's SPF record)
  • DKIM: Pass (header.d=givingfunder[.]com, the same domain as the visible From address)
  • DMARC: Pass (the DKIM domain aligns with the From domain; the published policy is p=none, so even a failing message would have carried no enforcement)

For any SEG that treats a passing Domain-based Message Authentication, Reporting, and Conformance (DMARC), Sender Policy Framework (SPF), or DomainKeys Identified Mail (DKIM) result as a trust signal, this email was invisible. Those checks answer a single question, whether givingfunder[.]com authorized this message, and the answer was a truthful yes. None of them says anything about who controls the account that sent it or where its links lead. According to the Verizon 2025 Data Breach Investigations Report, phishing remains the initial access vector in over 36% of breaches, and campaigns like this one explain why (Verizon DBIR, 2025).
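To make the alignment point concrete, here is an added example (not IRONSCALES code) of the DMARC decision in RFC 7489 terms. The Return-Path subdomain and the spoofed counter-case are assumptions, not details from the write-up. It shows the observed message passing on aligned DKIM alone, and a spoof of the same From domain failing but still being delivered under p=none, because the policy is only consulted on failure:

```python
from __future__ import annotations
from dataclasses import dataclass, field


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Assumption: a production implementation consults the Public Suffix List,
    otherwise names like example.co.uk collapse to co.uk."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(candidate: str, from_domain: str, mode: str) -> bool:
    """RFC 7489 identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed, the default) only needs the same organizational domain."""
    if mode == "s":
        return candidate.lower() == from_domain.lower()
    return org_domain(candidate) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str                       # RFC5322.From domain, what the user sees
    spf_result: str                        # SPF result for the RFC5321.MailFrom (Return-Path)
    spf_domain: str                        # the Return-Path domain SPF was checked against
    dkim: list[tuple[str, str]] = field(default_factory=list)   # (result, d= domain)


def evaluate_dmarc(auth: AuthResults, policy: str, adkim: str = "r", aspf: str = "r") -> tuple[str, str, str]:
    """Return (dmarc_result, disposition, reason).

    DMARC passes when at least one authenticated identifier *aligns* with the
    From domain. The published policy (p=none/quarantine/reject) is consulted
    only on failure and never influences a pass. pct= and sp= are omitted.
    """
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown DMARC policy {policy!r}")
    dkim_ok = any(res == "pass" and aligned(d, auth.from_domain, adkim) for res, d in auth.dkim)
    spf_ok = auth.spf_result == "pass" and aligned(auth.spf_domain, auth.from_domain, aspf)
    if dkim_ok or spf_ok:
        which = "DKIM" if dkim_ok else "SPF"
        return "pass", "none", f"aligned {which} pass; message content never examined"
    return "fail", policy, f"no aligned authenticated identifier; applying p={policy}"


# The message from the write-up. The Return-Path subdomain is an assumption:
# the article only says the platform used its standard bounce-address encoding.
OBSERVED = AuthResults(
    from_domain="givingfunder.com",
    spf_result="pass", spf_domain="bounce.givingfunder.com",
    dkim=[("pass", "givingfunder.com")],
)

# Hypothetical spoof of the same From domain sent from unrelated infrastructure.
SPOOFED = AuthResults(
    from_domain="givingfunder.com",
    spf_result="pass", spf_domain="mail.attacker.example",
    dkim=[("pass", "attacker.example")],
)

if __name__ == "__main__":
    print("observed, p=none  :", evaluate_dmarc(OBSERVED, "none"))
    print("spoofed,  p=none  :", evaluate_dmarc(SPOOFED, "none"))
    print("spoofed,  p=reject:", evaluate_dmarc(SPOOFED, "reject"))
```

Notice that evaluate_dmarc never sees the subject, body or links. A pass means the From domain's owner authorized the message; here the owner is a platform anyone can sign up for, so the pass is accurate and useless as a trust signal.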

The Application Lure: Built for Instinct, Not Scrutiny

The body was sparse by design. A dark header banner reading "You're Eligible to Continue," followed by four lines of text: a greeting, a thank-you for "your application," a claim that "your account is active," and a directive to log in and review before submitting.

The call-to-action, a green button labeled "Review & Continue," sat below the text. Clean, professional, and urgent enough to trigger a click without triggering suspicion.

This is textbook credential theft social engineering. According to the FBI's Internet Crime Complaint Center (IC3), phishing and its variants generated the highest volume of complaints in 2024, with losses exceeding $9.3 billion (FBI IC3, 2024 Annual Report). The "application review" pretext maps directly to MITRE ATT&CK techniques T1566.002 (Phishing: Spearphishing Link) and T1204.001 (User Execution: Malicious Link).

The target, an education staff member at a public school district, had no prior relationship with the sender. First-time sender. External domain. High-risk profile. But none of those signals mattered to the SEG, because the authentication was clean.


Encrypted Tokens and a Shadow Domain

The real tell was in the URLs. While some links pointed back to givingfunder[.]com (the authenticated sending domain), the primary call-to-action routed through an entirely different domain: jdkeusy[.]com.

That domain was registered at Namecheap in August 2023 with WHOIS privacy protection. It had no visible web presence, no relationship to the sender domain, and no legitimate business purpose. The URLs hosted on it followed a specific pattern:

`hxxps://jdkeusy[.]com/cv2/P4MljGe/U2FsdGVkX1...`

The token begins with U2FsdGVkX1, the Base64 encoding of the 8-byte magic string Salted__ that OpenSSL's enc writes at the head of every password-based encryption. The same header is produced by CryptoJS in passphrase mode, a common building block of JavaScript phishing kits, so the prefix identifies the format rather than the tool. What follows the header is an 8-byte salt and ciphertext that only a server holding the passphrase can decrypt. These tokens are not random tracking strings: they are opaque payloads that let the attacker issue a unique, single-use phishing link per recipient, which defeats URL blocklists and signature-based detection that key on the full link. Note that the encryption only buys opacity; single-use behavior is enforced by the attacker's server, not by the token itself. CISA has documented this class of obfuscation in its guidance on evolving phishing techniques (CISA Phishing Guidance, 2024).
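An added example, not code from the write-up: a stdlib-only inspector that refangs a defanged URL, walks its path segments and query values, and labels anything that decodes to the Salted__ layout or parses as a JWT header. The sample URLs follow the two patterns in the IOC table, but the token bytes (salt, ciphertext, JWT claims and signature) are constructed dummies, since the page shows only truncated values:

```python
from __future__ import annotations
import base64
import binascii
import json
import re
from urllib.parse import parse_qsl, unquote, urlsplit

OPENSSL_MAGIC = b"Salted__"   # header from `openssl enc` and from CryptoJS passphrase mode
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")


def refang(url: str) -> str:
    """Reverse the hxxp:// and [.] defanging used in IOC write-ups."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def b64_decode_loose(text: str) -> bytes | None:
    """Decode standard or URL-safe Base64 with missing padding; None if not Base64."""
    text = text.replace("-", "+").replace("_", "/").rstrip("=")
    if len(text) % 4 == 1:            # no valid Base64 string has this length
        return None
    try:
        return base64.b64decode(text + "=" * (-len(text) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_token(component: str) -> dict | None:
    """Label one path segment or query value.

    openssl-salted: Salted__ + 8-byte salt + ciphertext, an opaque blob that
                    only the server holding the passphrase can read.
    jwt:            header.payload.signature whose JSON header names an alg.
    """
    parts = component.split(".")
    if len(parts) == 3 and parts[0].startswith("eyJ"):        # eyJ == Base64 of '{"'
        header = b64_decode_loose(parts[0])
        try:
            hdr = json.loads(header) if header else None
        except ValueError:
            hdr = None
        if isinstance(hdr, dict) and "alg" in hdr:
            return {"kind": "jwt", "alg": hdr["alg"]}
    if B64_TOKEN.match(component):
        raw = b64_decode_loose(component)
        if raw and raw.startswith(OPENSSL_MAGIC) and len(raw) > 16:
            return {"kind": "openssl-salted", "salt": raw[8:16].hex(), "ciphertext_bytes": len(raw) - 16}
    return None


def inspect_url(url: str) -> list[dict]:
    """Walk a (possibly defanged) URL and report opaque tokens together with the
    part of the URL that stays constant across recipients, the useful blocklist key."""
    u = urlsplit(refang(url))
    host = u.hostname or ""
    segments = [unquote(s) for s in u.path.split("/") if s]
    findings = []
    for i, seg in enumerate(segments):
        hit = classify_token(seg)
        if hit:
            findings.append({**hit, "where": f"path[{i}]", "host": host,
                             "stable_prefix": host + "/" + "".join(s + "/" for s in segments[:i])})
    for key, value in parse_qsl(u.query, keep_blank_values=True):
        hit = classify_token(value)
        if hit:
            findings.append({**hit, "where": f"query[{key}]", "host": host, "stable_prefix": host + u.path})
    return findings


# Constructed samples, not captured data: the Salted__ token uses dummy salt and
# ciphertext bytes so it has the real layout; the JWT is a standard HS256 header
# with a dummy claim set and signature. Hosts and paths follow the IOC table.
_SALTED = base64.urlsafe_b64encode(OPENSSL_MAGIC + bytes(range(8)) + bytes(range(32))).decode()
SAMPLE_SALTED_URL = f"hxxps://jdkeusy[.]com/cv2/P4MljGe/{_SALTED}"
_JWT = ".".join([
    base64.urlsafe_b64encode(b'{"alg":"HS256","typ":"JWT"}').decode().rstrip("="),
    base64.urlsafe_b64encode(b'{"sub":"recipient"}').decode().rstrip("="),
    "c2lnbmF0dXJl",
])
SAMPLE_JWT_URL = f"hxxps://givingfunder[.]com/ocr/recipient?s={_JWT}"
SAMPLE_BENIGN_URL = "https://www.example.org/login?next=/dashboard"

if __name__ == "__main__":
    for sample in (SAMPLE_SALTED_URL, SAMPLE_JWT_URL, SAMPLE_BENIGN_URL):
        print(sample, "->", inspect_url(sample) or "no opaque tokens")
```

Because the encrypted token differs for every recipient, the full URL is a poor indicator; the stable_prefix the inspector reports (host plus the path up to the token) is the part worth blocking, and the salt value is what to compare when deciding whether two sightings came from the same kit.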

This maps to T1036.005 (Masquerading: Match Legitimate Name or Location) and T1598.003 (Phishing for Information: Spearphishing Link). The attacker leveraged a trusted platform's infrastructure for delivery while routing the actual credential-harvesting payload through disposable, privacy-protected infrastructure.

Automated link scanners returned clean verdicts across the board. The landing pages rendered what appeared to be legitimate login interfaces, but the domain mismatch, encrypted tokens, and first-time sender context told a different story to behavioral analysis.

Why the Gateway Said Clean and the Community Said Phishing

Themis, our IRONSCALES AI-powered virtual SOC analyst, flagged this email at 88% confidence as credential theft. The semantic analysis model identified structural patterns consistent with phishing lures: vague application references, urgency-driven CTAs, and content designed to drive a click rather than convey information.

But the decisive signal came from community intelligence. Across the IRONSCALES network of over 35,000 security professionals, similar campaigns had already been reported and classified. The federation model, which correlates analyst-verified resolutions across organizations, confirmed that this sender fingerprint and link pattern matched known phishing activity. IBM's 2024 Cost of a Data Breach Report found that organizations using AI-driven security tools with threat intelligence reduce breach costs by an average of $2.2 million (IBM, 2024).

Microsoft's own threat intelligence has documented a surge in legitimate-platform abuse for phishing delivery, noting that authentication-passing phishing emails increased 35% year-over-year in 2024 (Microsoft Digital Defense Report, 2024). This campaign fits that trend precisely.

What This Means for Your Email Security Stack

Authentication is necessary. It is not sufficient. When attackers can rent, register, or abuse platforms that send fully authenticated mail, SPF, DKIM, and DMARC become table stakes, not finish lines.

For security teams evaluating their email security posture, this case highlights three priorities:

  1. Behavioral sender analysis over header trust. First-time sender detection, sender-recipient relationship mapping, and domain-age signals catch what authentication cannot.
  2. Encrypted URL inspection. Links containing Base64-encoded tokens with no transparent redirect destination should trigger elevated scrutiny regardless of automated scan verdicts.
  3. Community-powered intelligence. When your organization sees an attack for the first time, it may already be the hundredth time across a federated community. Collective classification accelerates response from hours to seconds.
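An added example, not IRONSCALES code, of the first priority applied to a raw message: it parses Authentication-Results only to report them, then scores the signals that actually separated this email from legitimate mail (external sender, no prior sender/recipient pair, a call-to-action host unrelated to the sending domain, and link-domain age). The two sample messages are constructed from the write-up's IOCs; the recipient, the bounce subdomain, the body text, the full token values, the WHOIS day-of-month, the analysis date and the weights are all assumptions:

```python
from __future__ import annotations
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkExtractor(HTMLParser):
    """Collect href targets of <a> tags from an HTML body."""
    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def org_domain(host: str) -> str:
    """Last two labels; assumption: a production version uses the Public Suffix List."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def triage(raw: str, known_pairs: set[tuple[str, str]], domain_created: dict[str, date],
           tenant_domain: str, today: date) -> dict:
    """Score relationship and link signals. Auth results are parsed for the
    record only; a pass is never counted as a trust credit."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    from_domain = sender.rpartition("@")[2]
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))

    extractor = LinkExtractor()
    extractor.feed(msg.get_payload())
    link_hosts = sorted({h for h in (urlsplit(u).hostname for u in extractor.hrefs) if h})

    reasons: list[tuple[str, int]] = []      # (explanation, weight); weights are illustrative
    if org_domain(from_domain) != org_domain(tenant_domain):
        reasons.append((f"external sender {from_domain}", 1))
    if (sender, recipient) not in known_pairs:
        reasons.append(("first contact between this sender and recipient", 2))
    for host in link_hosts:
        if org_domain(host) != org_domain(from_domain):
            reasons.append((f"link host {host} is unrelated to the sending domain", 3))
        created = domain_created.get(org_domain(host))
        if created is not None and (today - created).days < 365:
            reasons.append((f"link domain {host} registered {(today - created).days} days ago", 2))
    score = sum(weight for _, weight in reasons)
    return {"auth": auth, "link_hosts": link_hosts, "reasons": reasons, "score": score,
            "verdict": "hold for analyst review" if score >= 4 else "deliver"}


# Constructed from the write-up's IOCs; recipient, bounce subdomain, body and
# token values are assumptions, not captured data.
RAW_PHISH = """\
From: Cody Fritsch <cody.fritsch@givingfunder.com>
To: staff@district.example
Subject: Thank you for your application
Authentication-Results: mx.district.example; spf=pass smtp.mailfrom=bounce.givingfunder.com; dkim=pass header.d=givingfunder.com; dmarc=pass header.from=givingfunder.com
Content-Type: text/html; charset=utf-8

<html><body><p>Thank you for your application. Your account is active.</p>
<p><a href="https://jdkeusy.com/cv2/P4MljGe/U2FsdGVkX1dummydummydummy">Review &amp; Continue</a></p>
<p><a href="https://givingfunder.com/ocr/staff?s=eyJhbGciOiJIUzI1NiJ9.e30.dummy">Manage preferences</a></p>
</body></html>
"""

# Constructed benign counterpart: a known vendor whose links stay on its own domain.
RAW_LEGIT = """\
From: Payroll <payroll@vendor.example>
To: staff@district.example
Subject: Your May pay statement is available
Authentication-Results: mx.district.example; spf=pass smtp.mailfrom=vendor.example; dkim=pass header.d=vendor.example; dmarc=pass header.from=vendor.example
Content-Type: text/html; charset=utf-8

<html><body><p>Your statement is ready.</p><a href="https://portal.vendor.example/statements">View statement</a></body></html>
"""

KNOWN_PAIRS = {("payroll@vendor.example", "staff@district.example")}   # prior sender/recipient history
DOMAIN_CREATED = {"jdkeusy.com": date(2023, 8, 15), "vendor.example": date(2015, 1, 1)}  # day assumed
TENANT = "district.example"
TODAY = date(2025, 6, 1)                                              # assumed analysis date

if __name__ == "__main__":
    for name, raw in (("phish", RAW_PHISH), ("legit", RAW_LEGIT)):
        print(name, triage(raw, KNOWN_PAIRS, DOMAIN_CREATED, TENANT, TODAY))
```

Both messages report spf=pass, dkim=pass and dmarc=pass; only the relationship and link signals separate them, which is the point of scoring on those rather than on the headers.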

The education sector remains disproportionately targeted. The K-12 Cybersecurity Resource Center reported over 300 publicly disclosed cyber incidents affecting U.S. school districts in 2024 alone. Lean security teams need adaptive AI that works autonomously instead of more dashboards to monitor.


---

Indicators of Compromise

| Type | Indicator | Context |
| --- | --- | --- |
| Sender Domain | givingfunder[.]com | Legitimate platform abused for phishing delivery |
| Payload Domain | jdkeusy[.]com | Credential-harvesting redirect host; WHOIS privacy-protected |
| Sending IP | 185[.]255[.]9[.]25 | Authorized MTA (mnal-ny2[.]mta[.]cloud), Jersey City, US |
| URL Pattern | hxxps://jdkeusy[.]com/cv2/P4MljGe/U2FsdGVkX1... | OpenSSL-format (Salted__) encrypted token; unique, single-use link per recipient |
| URL Pattern | hxxps://givingfunder[.]com/ocr/[recipient]?s=eyJhbGci... | JWT-parameterized tracking/redirect link on the sending domain |
| Sender Email | cody[.]fritsch@givingfunder[.]com | First-time sender, no prior organizational relationship |
| Subject | "Thank you for your application" | Social engineering lure (no legitimate application existed) |

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 30,000+ security professionals. Each post breaks down one attack — what it looked like, why it worked, and what you can do about it.
