# Fake Bounce Notice With Obfuscated 'Keep My Password' Link Routes Victims to a Webmail Credential-Harvesting Page

A spoofed bounce notice sent as mailer-daemon[@]server[.]kisumu[.]go[.]ke (IP 160[.]119[.]248[.]119) carried no SPF, DKIM, or DMARC, and its origin IP had no PTR record and geolocated to a different country than the sender domain. The message body used obfuscated Unicode characters to render 'Keep My Password' as the link text, directing victims to a webmail credential-harvesting page at medicalitystore[.]com/Webmail/1/Webmail/webmail[.]php?email=. A nested attachment was named to resemble a password-expiry notice.
Bounce notices occupy a unique psychological space in email. Most recipients associate them with their own outbound mail and treat them as a neutral, automated system event. This campaign exploited that assumption: a message that looked like a standard non-delivery report arrived from a spoofed mailer-daemon address, passed no authentication checks, and embedded an obfuscated "Keep My Password" link that led directly to a credential-harvesting webmail page. The entire attack lived in that gap between "this looks like a system message" and "this is a phishing attempt."
The sending address was mailer-daemon[@]server[.]kisumu[.]go[.]ke, and the message originated from IP 160[.]119[.]248[.]119. Authentication results were unambiguous: spf=none, dkim=none, dmarc=none. No SPF record is published for the sending subdomain, and no DKIM key exists. The Return-Path was empty (<>), the convention for automated bounces. A null envelope sender does not exempt a message from SPF: RFC 7208 directs the receiver to evaluate the HELO/EHLO hostname instead, so an spf=none result reflects that no record was found for the identity that was checked, not that the check was skipped.
The parent domain kisumu[.]go[.]ke is a registered Kenyan government domain, which lends the sender address a surface plausibility. The forensic details undercut that impression quickly: 160[.]119[.]248[.]119 has no PTR record, and antispam headers indicate the IP geolocates to South Africa, a mismatch with a Kenyan government domain that has no obvious operational reason to send from South African infrastructure. The sending host is not recognized as any known email security gateway, so the absent authentication is a genuine gap, not an artifact of gateway forwarding.
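The header and infrastructure checks described above, collapsed into one triage routine. This is an added example written for this writeup, not the vendor's detection code. The sample headers are constructed to mirror the indicators in the analysis (the MX hostname, HELO string, queue id, recipient and date are assumptions), the PTR and geolocation lookups are offline stand-ins for real rDNS and GeoIP queries, and the four-signal threshold for the verdict is an arbitrary choice for illustration.

```python
"""Header and infrastructure triage for a bounce-style message (added example)."""
import email
import email.utils
import re
from email import policy
from typing import Callable, Optional

# Constructed sample: null envelope sender, mailer-daemon From header, and an
# Authentication-Results header recording spf/dkim/dmarc = none.  The MX name,
# HELO string, queue id and date are assumptions, not values from the capture.
SAMPLE = """\
Return-Path: <>
Received: from server.kisumu.go.ke (unknown [160.119.248.119])
    by mx.example.net (Postfix) with ESMTP id 4XyZ
    for <user@example.net>; Mon, 01 Jan 2024 10:00:00 +0000
Authentication-Results: mx.example.net;
    spf=none smtp.helo=server.kisumu.go.ke;
    dkim=none;
    dmarc=none header.from=server.kisumu.go.ke
From: Mail Delivery System <mailer-daemon@server.kisumu.go.ke>
To: user@example.net
Subject: Undeliverable: your message
Content-Type: text/plain; charset=utf-8

Your message could not be delivered.
"""

# Constructed lookup tables standing in for rDNS and GeoIP.  The sending IP is
# deliberately absent from PTR_TABLE (no PTR record) and geolocates to ZA.
PTR_TABLE = {"192.0.2.10": "mx.example.net"}
GEO_TABLE = {"160.119.248.119": "ZA", "192.0.2.10": "US"}

def fake_ptr(ip: str) -> Optional[str]:
    return PTR_TABLE.get(ip)

def fake_geo(ip: str) -> Optional[str]:
    return GEO_TABLE.get(ip)

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"^from\s+(\S+)", re.I)

def auth_results(msg) -> dict:
    """Collapse every Authentication-Results header into {method: result}."""
    found = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_RE.findall(str(hdr)):
            found.setdefault(method.lower(), result.lower())
    return found

def cctld(domain: str) -> Optional[str]:
    """Country implied by a two-letter TLD, e.g. server.kisumu.go.ke -> KE."""
    tld = domain.rsplit(".", 1)[-1]
    return tld.upper() if len(tld) == 2 else None

def assess(raw: str, ptr_lookup: Callable, geo_lookup: Callable) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    received = msg.get_all("Received", [])
    top = str(received[0]) if received else ""      # hop our own MX recorded
    ip_m, helo_m = IP_RE.search(top), HELO_RE.search(top)
    ip = ip_m.group(1) if ip_m else None
    helo = helo_m.group(1) if helo_m else None
    return_path = (msg.get("Return-Path") or "").strip()
    null_sender = return_path in ("", "<>")
    from_addr = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    from_domain = from_addr.rsplit("@", 1)[-1]
    auth = auth_results(msg)

    signals = []
    if null_sender:
        signals.append("null-sender")                 # bounce convention
    if from_addr.split("@")[0] in ("mailer-daemon", "postmaster"):
        signals.append("bounce-impersonation")
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method, "none") == "none":        # missing header counts as none
            signals.append(f"{method}-none")
    if ip and ptr_lookup(ip) is None:
        signals.append("no-ptr")
    country, expected = (geo_lookup(ip) if ip else None), cctld(from_domain)
    if country and expected and country != expected:
        signals.append(f"geo-mismatch:{expected}!={country}")
    return {
        "ip": ip,
        # RFC 7208: with a null MAIL FROM, SPF is evaluated on the HELO identity
        "spf_identity": helo if null_sender else return_path.strip("<>"),
        "auth": auth,
        "signals": signals,
        "verdict": "credential-theft-suspect" if len(signals) >= 4 else "review",
    }

if __name__ == "__main__":
    print(assess(SAMPLE, fake_ptr, fake_geo))
```

The point of the `spf_identity` field is the HELO fallback: a gateway that simply skips SPF on null-sender mail is giving fake bounces a free pass, whereas evaluating the HELO name produces the same "none" that the headers above record. Swapping `fake_ptr` and `fake_geo` for real resolvers is the only change needed to run this against live mail.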
The link that constituted the actual attack payload was displayed as the functional text "Keep My Password." In the raw message, the characters in that string were interspersed with soft-hyphen Unicode characters (U+00AD), which render as nothing unless the layout engine breaks a line at that position. To a human reader the text looks normal, but a keyword filter matching on the literal phrase sees a string broken into fragments. Normalizing the text before matching (stripping invisible format characters) defeats the trick. The underlying link pointed to medicalitystore[.]com/Webmail/1/Webmail/webmail[.]php?email=.
The path structure is characteristic of a hosted webmail credential-harvesting kit: a subdirectory named Webmail, a PHP handler accepting an email= parameter, and a path that mimics a webmail portal login screen. WHOIS for medicalitystore[.]com shows privacy-protected registration through a common low-cost registrar. Third-party scanning services had tagged the domain with active phishing indicators at the time this campaign ran.
The incident also included a nested message/rfc822 attachment whose filename was crafted to read as a password-expiry notice. This adds a second social-engineering vector: a recipient who does not click the link in the body might open the attachment and encounter either a redirect or a standalone HTML form serving the same credential-harvest purpose. Automated extraction of the nested MIME parts was not fully possible in this environment, but the filename convention is a recognized pattern in webmail-harvest campaigns that deliver payloads across both the message body and embedded attachments to maximize reach.
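The two body-level techniques above, the soft-hyphen-obfuscated link text and the password-expiry named message/rfc822 attachment, as one MIME-walking check. This is an added example written for this writeup, not the vendor's or the attacker's code. The sample message is constructed to resemble the one described (the HTML markup, attachment filename and nested message text are assumptions), and the lure phrase list, filename pattern and harvest-path pattern are assumed detection content, not indicators taken from the capture.

```python
"""Body and attachment triage for a webmail-harvest lure (added example)."""
import re
import unicodedata
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser

LURE_PHRASES = ("keep my password", "keep password", "password will expire")  # assumed
EXPIRY_NAME = re.compile(r"password.*(expir|reset|keep)", re.I)               # assumed
HARVEST_PATH = re.compile(r"webmail[^\s\"']*\.php\?email=", re.I)              # assumed

def normalize(text: str) -> str:
    """Apply NFKC, then drop Unicode 'format' (Cf) characters: soft hyphen U+00AD,
    zero-width space/joiner and friends render as nothing but break substring matches."""
    text = unicodedata.normalize("NFKC", text)
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")

def count_format_chars(text: str) -> int:
    return sum(1 for ch in text if unicodedata.category(ch) == "Cf")

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._buf = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf)))
            self._href = None

def build_sample() -> bytes:
    """Constructed lookalike of the described message (not the real capture):
    soft hyphens split the link text, and a nested message/rfc822 part carries
    a password-expiry style filename."""
    link_text = "K\u00adeep M\u00ady Pa\u00adss\u00adword"
    html = ('<p>Delivery to the recipient failed.</p>'
            '<a href="https://medicalitystore.com/Webmail/1/Webmail/webmail.php?email=">'
            f'{link_text}</a>')
    inner = EmailMessage()
    inner["Subject"] = "Your password expires today"
    inner.set_content("Keep your current password by confirming it.")
    outer = EmailMessage()
    outer["From"] = "mailer-daemon@server.kisumu.go.ke"
    outer["Subject"] = "Undeliverable: your message"
    outer.set_content(html, subtype="html")
    outer.add_attachment(inner, filename="Password_Expiry_Notice.eml")  # message/rfc822
    return outer.as_bytes()

def analyze(raw: bytes) -> dict:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    links, attachments = [], []
    for part in msg.walk():                      # walk() descends into rfc822 parts too
        ctype = part.get_content_type()
        if ctype == "text/html":
            ex = LinkExtractor()
            ex.feed(part.get_content())
            ex.close()
            for href, text in ex.links:
                clean = normalize(text)
                links.append({
                    "href": href,
                    "raw_text": text,                # what a naive keyword filter sees
                    "text": clean,                   # what the recipient sees
                    "format_chars": count_format_chars(text),
                    "lure": any(p in clean.lower() for p in LURE_PHRASES),
                    "harvest_path": bool(HARVEST_PATH.search(href)),
                })
        elif ctype == "message/rfc822":
            name = part.get_filename() or ""
            attachments.append({"filename": name,
                                "expiry_lure": bool(EXPIRY_NAME.search(name))})
    suspicious = (any(l["lure"] or l["harvest_path"] for l in links)
                  or any(a["expiry_lure"] for a in attachments))
    return {"links": links, "rfc822_attachments": attachments,
            "verdict": "credential-theft-suspect" if suspicious else "review"}

if __name__ == "__main__":
    from pprint import pprint
    pprint(analyze(build_sample()))
```

Matching on `clean` rather than `raw_text` is the whole fix for the soft-hyphen trick; reporting `format_chars` separately is worth keeping because invisible format characters inside a short anchor text are themselves a signal, whatever the phrase turns out to be.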
The pairing of an obfuscated body link with a password-expiry attachment name is deliberate. Each element reinforces the other: the bounce notice creates the context for a "your password may have been affected" narrative, and both the link and the attachment name push toward the same action. This is social engineering operating at the structural level: the format of the message itself, not just its content, does the persuasion work.
Our Adaptive AI flagged the message via a Credential Theft verdict. The combination of complete authentication absence, a sending IP with no PTR and a country mismatch, an obfuscated link, and a destination domain carrying active phishing tags produced a high-confidence classification without requiring any single element to be individually conclusive. The verdict was driven by the accumulated behavioral and infrastructure signal, not by a single rule match.
Email security tooling should apply the same authentication standards to apparent automated system messages as to any other inbound mail, because this kind of phishing hides inside a format users rarely scrutinize. A mailer-daemon sender with spf=none, dkim=none, and dmarc=none, arriving from an IP with no PTR record and a geographic anomaly, should not be treated as a system message. Recipients should understand that a genuine NDR for their own outbound mail comes from their organization's own mail infrastructure, not from an unauthenticated external host, and that any bounce notice prompting a password action is a near-certain attack.
| Type | Indicator | Notes |
|---|---|---|
| Email | mailer-daemon[@]server[.]kisumu[.]go[.]ke | Spoofed sending address; no authentication |
| IP | 160[.]119[.]248[.]119 | Sending IP; no PTR; geolocation mismatch (South Africa) |
| URL | hxxps://medicalitystore[.]com/Webmail/1/Webmail/webmail[.]php?email= | Credential-harvesting webmail page |
| Domain | medicalitystore[.]com | Attacker-controlled harvest domain |
| Technique | Unicode obfuscation in link text | Soft-hyphen (U+00AD) characters inserted to break keyword matching on "Keep My Password" |