Barracuda's email security gateway rewrote the links in this phishing email to scan them for threats. In the process, it altered the message body and broke the DKIM signature. The one cryptographic signal that could have flagged the message as tampered was destroyed by the tool designed to protect the recipient.
The email itself was a pixel-perfect Microsoft SharePoint file-sharing notification. It landed in the inbox of an operations manager at a regional water authority, sent from a first-time external contact. And because the organization's DMARC policy was set to p=none, the broken DKIM signature carried zero enforcement weight. The message sailed through.
A SharePoint Notification From a Domain With Seven Weeks Left to Live
The email arrived on a Monday afternoon, using the subject line "Beverly Fithian shared 'DPCSERVICES' with you." The body was a faithful reproduction of a Microsoft SharePoint sharing notification: Segoe UI font, blue "Open" button, document icon, and a footer reading "This email is generated through Diamond Property Consultants, Inc.'s use of Microsoft 365."
The sender domain, dpcservices[.]net, was registered through GoDaddy in 2004 but had a WHOIS expiration date of May 24, 2026, just seven weeks out. Registrant details were fully redacted. The domain's DNS had been pointed to Squarespace name servers as of a late-November 2025 update, and the sender had never contacted anyone at the water authority before.
The email contained a single call to action: an "Open" button linking to what appeared to be a SharePoint personal site (dpcservices-my.sharepoint[.]com). But the recipient never saw that URL directly. By the time the email arrived, every link in the message had been wrapped by Barracuda Email Security Service through linkprotect.cudasvc[.]com, the vendor's link protection rewriting service.
The ARC Chain Tells the Story
Here is where the authentication forensics get interesting.
The email's ARC (Authenticated Received Chain) preserved the authentication state at two points in transit. At hop 1, before the message passed through Barracuda, Microsoft's infrastructure recorded dkim=pass for dpcservices[.]net. The body hash matched. The signature was intact.
At hop 2, after Barracuda processed the message and rewrote the links, Microsoft's receiving infrastructure recorded dkim=fail (body hash did not verify). The ARC seal at this hop was marked cv=fail.
The math is simple. Barracuda rewrote the URLs in the HTML body. That changed the message content. The DKIM body hash, computed by the sender's mail server before transmission, no longer matched the modified body. The signature was now invalid.
SPF passed because the sending IP (52.101.57.140, a Microsoft outbound protection server) was authorized for the domain. DMARC passed because it only requires one of SPF or DKIM to pass with an aligned domain, and SPF was clean. The DMARC policy? p=none. No enforcement. No quarantine. No reject.
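The two-hop story above can be read mechanically out of the ARC headers. The following is an added example, not code from the original article or from any of the vendors it names: it unfolds a constructed set of ARC-Seal and ARC-Authentication-Results headers (modelled on the pass-then-fail pattern described, with placeholder domains rather than the real ones), extracts the per-instance results, and flags the two things a reviewer wants surfaced: a DKIM result that degrades between hops and a seal marked cv=fail.

```python
import re
from typing import Dict, List, Tuple

# Constructed headers (not the real message) modelling the chain in the article:
# instance 1 recorded dkim=pass; instance 2, after a gateway rewrote the links,
# recorded dkim=fail and a seal with cv=fail. Domains are placeholders.
SAMPLE_HEADERS = """\
ARC-Seal: i=2; a=rsa-sha256; s=arcsel; d=receiver.example; cv=fail; b=...
ARC-Message-Signature: i=2; a=rsa-sha256; d=receiver.example; s=arcsel; h=From:To:Subject; bh=...; b=...
ARC-Authentication-Results: i=2; receiver.example;
 spf=pass smtp.mailfrom=sender.example;
 dkim=fail (body hash did not verify) header.d=sender.example;
 dmarc=pass action=none header.from=sender.example
ARC-Seal: i=1; a=rsa-sha256; s=arcsel; d=receiver.example; cv=none; b=...
ARC-Message-Signature: i=1; a=rsa-sha256; d=receiver.example; s=arcsel; h=From:To:Subject; bh=...; b=...
ARC-Authentication-Results: i=1; receiver.example;
 spf=pass smtp.mailfrom=sender.example;
 dkim=pass header.d=sender.example;
 dmarc=pass action=none header.from=sender.example
"""


def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Unfold RFC 5322 continuation lines (leading whitespace) into (name, value) pairs."""
    headers: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


_INSTANCE = re.compile(r"\bi=(\d+)")
_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
_CV = re.compile(r"\bcv=(\w+)")


def parse_arc_chain(raw: str) -> Dict[int, Dict[str, str]]:
    """Return {instance: {'spf': .., 'dkim': .., 'dmarc': .., 'cv': ..}} per ARC hop."""
    hops: Dict[int, Dict[str, str]] = {}
    for name, value in unfold_headers(raw):
        lname = name.lower()
        if lname not in ("arc-authentication-results", "arc-seal"):
            continue
        inst = _INSTANCE.search(value)
        if not inst:
            continue
        hop = hops.setdefault(int(inst.group(1)), {})
        if lname == "arc-seal":
            cv = _CV.search(value)
            if cv:
                hop["cv"] = cv.group(1).lower()
        else:
            for method, result in _RESULT.findall(value):
                hop[method] = result.lower()
    return hops


def arc_findings(hops: Dict[int, Dict[str, str]]) -> List[str]:
    """Flag a DKIM result that degrades between consecutive hops (body changed in
    transit) and any seal whose chain validation failed."""
    findings: List[str] = []
    ordered = sorted(hops)
    for prev, cur in zip(ordered, ordered[1:]):
        if hops[prev].get("dkim") == "pass" and hops[cur].get("dkim") != "pass":
            findings.append(
                f"dkim degraded from pass (i={prev}) to {hops[cur].get('dkim')} (i={cur}): "
                "body modified between hops"
            )
    for i in ordered:
        if hops[i].get("cv") == "fail":
            findings.append(f"ARC seal i={i} cv=fail: chain does not validate")
    return findings


if __name__ == "__main__":
    for line in arc_findings(parse_arc_chain(SAMPLE_HEADERS)):
        print(line)
```

Note that the dmarc= result stays "pass" at both hops: with SPF aligned, the DKIM breakage has no bearing on the DMARC verdict, which is exactly why the transition has to be looked for directly rather than inferred from the final disposition.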
According to the Microsoft Digital Defense Report 2024, the majority of organizations still have not moved beyond DMARC monitoring mode. That means broken DKIM signatures like this one have no delivery consequence at all.
DMARC p=none is a participation trophy, not a security control.
What the Gateway Scored and What It Missed
Barracuda ESS processed the message and assigned it a spam score of 0.00. The only rule triggered was HTML_MESSAGE, a standard flag for emails containing HTML. The Barracuda verdict: clean.
Meanwhile, the Verizon 2024 Data Breach Investigations Report found that phishing remains the top initial access vector, involved in over 15% of all breaches. The FBI IC3 2024 Internet Crime Report documented $2.9 billion in BEC losses alone. SharePoint and OneDrive impersonation lures are among the most common pretexts in credential harvesting campaigns because they exploit trust in everyday workplace tools.
This attack maps to MITRE ATT&CK T1566.002 (Spearphishing Link): a targeted email containing a link to a credential harvesting or malicious resource.
Why Behavioral Signals Caught What Authentication Couldn't
Themis, the IRONSCALES Adaptive AI, flagged the email at 80% phishing confidence. The classification was not based on authentication headers (which all looked fine from DMARC's perspective). It was based on behavioral indicators: a first-time external sender with a high risk profile, a file-sharing pretext with no prior relationship, and content patterns consistent with credential harvesting campaigns observed across the IRONSCALES community of 35,000+ security professionals.
The message was automatically quarantined within seconds of delivery. No employee interaction required.
Across 1,921 organizations in the IRONSCALES customer base, SEGs miss an average of 67.5 phishing emails per 100 mailboxes per month. Cases like this one show why: the authentication layer said "clean," the gateway scored it at zero, and the only signal that mattered was behavioral context that neither system evaluated.
What DMARC p=none Actually Costs You
CISA's phishing guidance recommends enforcing DMARC at p=quarantine or p=reject as a baseline control. Organizations running p=none get monitoring data but no protection. When a security gateway breaks DKIM (which is common with link rewriting, disclaimer injection, and content filtering), p=none means the failure is invisible to the delivery decision.
Three steps worth taking after reading this:
- Audit your DMARC policy. If it still says p=none, you are publishing a policy that explicitly tells receiving servers not to act on authentication failures. Move to p=quarantine with a percentage ramp if you are not ready for p=reject.
- Understand what your gateway modifies. Link rewriting, footer injection, and content scanning all alter the message body. If your gateway sits in the mail path after DKIM signing, it will break signatures. Ask your vendor how they handle ARC sealing to preserve authentication state.
- Layer behavioral detection over authentication. SPF, DKIM, and DMARC are necessary but insufficient. First-time sender analysis, pretext classification, and community-correlated threat patterns catch what authentication cannot.
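To make the first two steps concrete, here is an added example (not the article's code, nor any vendor's) that reproduces the failure mode described earlier: it computes a DKIM body hash over a constructed file-share lure using RFC 6376 relaxed body canonicalization, runs the body through a model of a link-protection rewrite (the wrapper hostname is a placeholder), and shows that the bh= value no longer verifies. It then evaluates DMARC per RFC 7489 so that the effect of p=none, p=quarantine and p=reject on a failing message can be compared side by side.

```python
import base64
import hashlib
import re
from urllib.parse import quote


def relaxed_body_canon(body: str) -> bytes:
    """RFC 6376 section 3.4.4 relaxed body canonicalization: collapse runs of
    whitespace to one space, strip trailing whitespace per line, drop trailing
    empty lines, and terminate every remaining line with CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def dkim_body_hash(body: str) -> str:
    """The bh= tag value: base64 of SHA-256 over the canonicalized body."""
    return base64.b64encode(hashlib.sha256(relaxed_body_canon(body)).digest()).decode("ascii")


# Constructed lure body (not the real message), in the style of a sharing notification.
ORIGINAL_BODY = """\
<html><body>
<p>Someone shared a document with you.</p>
<a href="https://files.sender.example/share/doc1">Open</a>
</body></html>
"""

_HREF = re.compile(r'href="([^"]+)"')


def rewrite_links(body: str, wrapper: str = "https://linkprotect.gateway.example/url?a=") -> str:
    """Model a link-protection gateway: every href is replaced with a wrapper URL
    carrying the original destination as a query parameter. The wrapper host is
    a placeholder, not a real service."""
    return _HREF.sub(lambda m: f'href="{wrapper}{quote(m.group(1), safe="")}"', body)


def signature_survives(signed_body: str, delivered_body: str) -> bool:
    """The verifier's question: does the delivered body still hash to the bh=
    the signer computed before transmission?"""
    return dkim_body_hash(signed_body) == dkim_body_hash(delivered_body)


def dmarc_disposition(spf_pass: bool, spf_aligned: bool,
                      dkim_pass: bool, dkim_aligned: bool, policy: str) -> str:
    """RFC 7489: DMARC passes if either SPF or DKIM passes AND its identifier
    aligns with the From: domain. Otherwise the published p= value is the
    requested disposition: 'none' (monitor only), 'quarantine' or 'reject'."""
    if (spf_pass and spf_aligned) or (dkim_pass and dkim_aligned):
        return "pass"
    return policy


if __name__ == "__main__":
    delivered = rewrite_links(ORIGINAL_BODY)
    print("bh= at signing time:", dkim_body_hash(ORIGINAL_BODY))
    print("bh= after gateway:  ", dkim_body_hash(delivered))
    print("DKIM body hash verifies:", signature_survives(ORIGINAL_BODY, delivered))
    # With SPF passing and aligned, DMARC passes regardless of the broken DKIM.
    print("DMARC (SPF aligned, DKIM broken):", dmarc_disposition(True, True, False, True, "none"))
    # Without an aligned SPF result, only the published policy decides the outcome.
    for policy in ("none", "quarantine", "reject"):
        print(f"DMARC (nothing aligned, p={policy}):", dmarc_disposition(False, False, False, True, policy))
```

The canonicalization step is what makes the point precise: relaxed mode forgives whitespace changes and trailing blank lines, so a gateway that only appended a blank line would leave the signature intact, but a rewritten href is a content change and no canonicalization will absorb it.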
According to IBM's 2024 Cost of a Data Breach Report, organizations using AI-based security tools reduced breach costs by an average of $2.2 million compared to those without. The gap between authentication-only defenses and behavioral AI is not theoretical. It is measurable.
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Domain | dpcservices[.]net | Attacker-controlled sender domain, WHOIS redacted, expires 2026-05-24 |
| URL | hxxps://dpcservices-my.sharepoint[.]com/:o:/g/personal/beverly_dpcservices_net/... | SharePoint personal site link embedded in phishing lure |
| URL | hxxps://linkprotect.cudasvc[.]com/url?a=... | Barracuda ESS link rewrite wrapper obscuring destination |
| IP | 209.222.82.243 | Barracuda ESS outbound relay (outbound-ip77b.ess.barracuda[.]com) |
| IP | 52.101.57.140 | Microsoft outbound protection server (authorized sender for domain) |
| Email address | beverly@dpcservices[.]net | Sender address, first-time contact to target organization |