An email from a staff member's account at allsaintsacademy[.]norfolk[.]sch[.]uk, a UK school domain registered since 2014, passed SPF and DKIM at the first relay hop. By the time it reached the recipient, the DKIM body hash no longer matched. DMARC returned fail with oreject. The body had been modified after signing, and the delivered content proved it.
The Two Emails in One
The lower portion was a routine email from an NHS staff member discussing pupil educational targets, complete with a professional signature. This was the original content present when DKIM signed the body hash.
The top portion was unrelated. A banner declared "Finance has shared a message with you and 3 others," with a status line: "Remittance pending until completion and return of below." A "Go to file" button linked to manage[.]kmail-lists[.]com/subscriptions/subscribed? with four tokenized parameters (a, c, g, k) for per-recipient tracking. Multiple sandbox reports from 2025 and 2026 flag kmail-lists[.]com for credential harvesting at a risk score of 0.88 (CRITICAL).
An NHS email about pupil targets and a finance remittance banner do not belong in the same message body. The injection point sits between the school's outbound server and the recipient, with the message transiting dispatch1-eu1[.]ppe-hosted[.]com (185[.]132[.]181[.]6), a Proofpoint gateway.
Why Authentication Failed on Delivery
SPF and DKIM passed at the first hop because the compromised account sent from properly configured, authorized infrastructure. After transit, the body hash verification failed. The hash the receiving server computed did not match the signed value. DMARC found no passing DKIM to align with and returned fail with oreject.
Secure email gateways that trust upstream authentication results in the headers may not revalidate the body hash independently. Adaptive AI that evaluates content coherence catches what authentication cannot: a school account sending finance remittance notifications to unrelated external recipients is a behavioral anomaly.
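An added check, not the vendor's code, that does what the paragraph describes: recompute the DKIM body hash (bh=) over the delivered body using RFC 6376 canonicalization and compare it with the value in the signature, flagging the pattern from this case (upstream dkim=pass, local body hash mismatch). The message text, selector and Authentication-Results string are constructed; only the sender domain comes from the case.

```python
import base64
import hashlib
import re

# Constructed sample: the signed "lower portion" and the finance banner injected above it
# after signing. Canonicalization and bh= follow RFC 6376; the message text is made up.
ORIGINAL_BODY = "Hi,\r\n\r\nPlease find the pupil target summary below.\r\n\r\nRegards,\r\nJ. Smith\r\n"
INJECTED_BANNER = ("Finance has shared a message with you and 3 others.\r\n"
                   "Remittance pending until completion and return of below.\r\n\r\n")

def canonicalize_body(body: str, algo: str = "relaxed") -> bytes:
    """RFC 6376 body canonicalization ('simple' or 'relaxed')."""
    lines = body.split("\r\n")
    if algo == "relaxed":  # collapse runs of WSP to one SP, strip trailing WSP per line
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in lines]
    while lines and lines[-1] == "":  # drop trailing empty lines
        lines.pop()
    if not lines:  # empty body: a single CRLF for simple, nothing for relaxed
        return b"\r\n" if algo == "simple" else b""
    return ("\r\n".join(lines) + "\r\n").encode()

def body_hash(body: str, algo: str = "relaxed") -> str:
    """The bh= value a signer emits: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canonicalize_body(body, algo)).digest()).decode()

def parse_tag(header_value: str, tag: str) -> str:
    """Extract one tag=value from a DKIM-Signature header, ignoring folding whitespace."""
    m = re.search(rf"(?:^|;)\s*{tag}=([^;]*)", header_value)
    return re.sub(r"\s+", "", m.group(1)) if m else ""

def build_signature(body: str) -> str:
    """Constructed DKIM-Signature for the sample; b= is left empty as only bh= is checked here."""
    return ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=allsaintsacademy.norfolk.sch.uk; "
            f"s=selector1; h=from:to:subject; bh={body_hash(body, 'relaxed')}; b=")

def check_body_hash(dkim_signature: str, body: str) -> bool:
    """Recompute bh= over the delivered body instead of trusting upstream results."""
    canon = parse_tag(dkim_signature, "c") or "simple/simple"
    body_algo = canon.split("/")[1] if "/" in canon else "simple"
    return body_hash(body, body_algo) == parse_tag(dkim_signature, "bh")

def verdict(upstream_auth_results: str, dkim_signature: str, delivered_body: str) -> str:
    """Flag the case in the write-up: an upstream dkim=pass whose body no longer verifies."""
    if check_body_hash(dkim_signature, delivered_body):
        return "body hash verified"
    if re.search(r"\bdkim=pass\b", upstream_auth_results):
        return "body modified after signing despite upstream dkim=pass: treat content as unverified"
    return "body hash failed"
```

Calling `verdict(...)` with `build_signature(ORIGINAL_BODY)` and the delivered body `INJECTED_BANNER + ORIGINAL_BODY` returns the "body modified after signing" verdict, while the unmodified body verifies.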
What Defenders Should Watch For
Image attachments carried additional forensic signals. One PNG included MZ byte markers at offsets 28733 and 81847. No confirmed PE structure, but MZ headers inside image files warrant analysis. A second image had a height of 17,335 pixels, consistent with stitched content rather than a standard capture.
Actionable signals from this case:
- DKIM body hash failure with upstream pass. Headers show a prior hop authenticated successfully, but the final verification fails. The body changed in transit. Treat content as unverified.
- Incompatible content blocks. Two distinct messages in one body, one professional and one financial, indicate injection rather than forwarding.
- Tokenized harvesting URLs. Per-recipient parameters (a, c, g, k) let the attacker track clicks and tailor follow-up attacks.
- Image anomalies. Oversized dimensions and non-standard byte sequences in attachments warrant sandbox inspection even when the file renders normally.
Community-driven threat intelligence accelerates detection of domains like kmail-lists[.]com that appear across multiple campaigns before any single organization encounters enough volume to flag them.
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Sender Domain | allsaintsacademy[.]norfolk[.]sch[.]uk | Compromised UK school account, domain registered 2014 |
| Relay Host | dispatch1-eu1[.]ppe-hosted[.]com | Proofpoint gateway in relay chain |
| Relay IP | 185[.]132[.]181[.]6 | IP for Proofpoint relay hop |
| Credential Harvest Domain | kmail-lists[.]com | Flagged by multiple sandboxes (risk score 0.88 CRITICAL) |
| Credential Harvest URL | manage[.]kmail-lists[.]com/subscriptions/subscribed?a=&c=&g=&k= | Tokenized per-recipient credential harvesting CTA |
| Auth Result | dkim=fail (body hash did not verify) | Body modified after original DKIM signing |
| Auth Result | dmarc=fail action=oreject | DMARC policy enforcement on failed alignment |
| Attachment | image.png with MZ bytes at offsets 28733, 81847 | Anomalous PE-header byte sequences in PNG |
| Attachment | Image with 17,335px height | Stitched/composed content, not standard capture |