The Government Email That Authenticated Itself After Transit

An employee at a mid-size manufacturing firm received what looked like a routine document share from a county government official. The subject referenced a board of commissioners statement. Attached: a single password-protected PDF with the passcode printed in the email body.

SPF passed. DKIM passed. DMARC passed. Composite authentication returned a perfect 100. Microsoft rated it SCL 1 (not spam). But the original authentication headers told a different story.

The Headers Tell Two Stories

The Authentication-Results-Original header, capturing the pre-relay state, showed dkim=none (message not signed) and dmarc=none. The email left the compromised tenant with no cryptographic signature.

After transiting Microsoft outbound protection (outbound[.]protection[.]outlook[.]com), the receiving gateway saw DKIM pass against the county domain via selector2, SPF resolve against Microsoft's authorized infrastructure, and DMARC align. The message that started with zero authentication arrived with full authentication.

The ARC seal at i=2 returned cv=fail, confirming the prior hop's signing did not validate. This is the forensic fingerprint of authentication laundering: the original state was washed through Microsoft's outbound relay, and the receiving SEG had no reason to question the result.

The Attachment No Scanner Could Open

The 112 KB PDF was password-protected. Every scanner returned a clean verdict, not because the file was safe, but because none could decrypt it. The verdict field read "clean, scanning," the default when encryption blocks inspection.

The attacker included the passcode in the email body. This is purely an anti-analysis technique. Legitimate senders deliver passwords through a separate channel. When the password and the encrypted file travel together, the encryption serves one purpose: defeating automated inspection.

What Caught It

IRONSCALES Adaptive AI flagged the message at 76% confidence based on behavioral signals authentication could not surface: a county government public works superintendent writing to a manufacturing firm with no prior communication history, an encrypted attachment paired with an inline passcode, and evasion patterns tracked across the IRONSCALES community of 35,000+ security professionals. Four mailboxes were quarantined before any recipient opened the file.

The ARC failure was the tell. Authentication said "trusted." The chain of custody said "broken."

Indicators of Compromise

MITRE ATT&CK Mapping