An email from a staff member's account at allsaintsacademy[.]norfolk[.]sch[.]uk, a UK school domain registered in 2014, passed SPF and DKIM at the first relay hop. By the time it reached the recipient, the DKIM body hash no longer matched the signed value, and DMARC returned fail with action=oreject. The body had been modified after signing, and the delivered content showed how.
The lower portion was a routine message from an NHS staff member discussing pupil educational targets, complete with a professional signature. This was the original content over which the DKIM body hash (bh=) had been computed.
The top portion was unrelated. A banner declared "Finance has shared a message with you and 3 others," with a status line: "Remittance pending until completion and return of below." A "Go to file" button linked to manage[.]kmail-lists[.]com/subscriptions/subscribed? with four tokenized parameters (a, c, g, k) for per-recipient tracking. Multiple sandbox reports from 2025 and 2026 flag kmail-lists[.]com for credential harvesting at a risk score of 0.88 (CRITICAL).
An NHS email about pupil targets and a finance remittance banner do not belong in the same message body. The body hash mismatch places the modification after the school's server signed the message, and the Received chain shows the message transiting dispatch1-eu1[.]ppe-hosted[.]com (185[.]132[.]181[.]6), a Proofpoint gateway, between the school's outbound server and the recipient.
SPF and DKIM passed at the first hop because the compromised account sent through the school's properly configured, authorized infrastructure; authentication establishes who sent the message, not that the body still matches what was signed. After transit, the receiving server recomputed the body hash over the body it actually received, and the value did not match the bh= in the signature. With no aligned DKIM (or SPF) pass left to satisfy the policy, DMARC returned fail with action=oreject, the Microsoft 365 result meaning a p=reject policy was overridden and the message was delivered to junk rather than rejected outright.
A secure email gateway that trusts the upstream Authentication-Results header instead of recomputing the body hash over the delivered body inherits the first hop's dkim=pass and never sees the mismatch. Independent revalidation at the final hop is the control; beyond it, adaptive AI that evaluates content coherence catches what authentication cannot express: a school account sending finance remittance notifications to unrelated external recipients is a behavioral anomaly regardless of what the headers say.
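The two failure modes above (a body modified after signing, and a downstream hop that trusts an upstream Authentication-Results header instead of checking for itself) can be shown in code. The following is an added example, not tooling from the original page: it implements the RFC 6376 body canonicalization and bh= recomputation a receiver must perform, simulates post-signing injection of a banner at the top of the body, and lists Authentication-Results headers whose authserv-id is not our own MTA's (RFC 8601), which a gateway should never accept as verification evidence. The message, domains, selector and authserv-ids are constructed placeholders; the b= signature value is a dummy and is not verified, since the page's point is the body hash.

```python
import base64
import hashlib
import re

# Constructed sample data for this example: a body, a banner injected after
# signing, and placeholder domains. Nothing here is from the real message.
ORIGINAL_BODY = (
    b"Hi,\r\n\r\n"
    b"Please see the pupil targets for this term below.\r\n\r\n"
    b"Regards,\r\nJ. Smith\r\n"
)
INJECTED_BANNER = (
    b"Finance has shared a message with you and 3 others\r\n"
    b"Remittance pending until completion and return of below.\r\n\r\n"
)


def canonicalize_body(body, canon="relaxed"):
    """RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed) body canonicalization."""
    if canon == "relaxed":
        # collapse runs of SP/HTAB to one SP and drop trailing whitespace per line
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
        body = b"\r\n".join(lines).rstrip(b"\r\n")   # drop trailing empty lines
        return body + b"\r\n" if body else b""
    return body.rstrip(b"\r\n") + b"\r\n"            # simple: trailing empty lines only


def body_hash(body, canon, algo, length=None):
    """Recompute bh=: canonicalize, apply an l= limit if the signer set one, hash, base64."""
    data = canonicalize_body(body, canon)
    if length is not None:
        data = data[:length]
    return base64.b64encode(hashlib.new(algo, data).digest()).decode()


def split_message(raw):
    """Return (header block unfolded to one logical line per header, raw body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    head = re.sub(rb"\r\n[ \t]+", b" ", head).replace(b"\r\n", b"\n")
    return head.decode("utf-8", "replace"), body


def parse_dkim_tags(value):
    """Parse the tag=value list of a DKIM-Signature header into a dict."""
    tags = {}
    for part in value.split(";"):
        name, eq, val = part.partition("=")
        if eq:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def verify_body_hash(raw):
    """Recompute bh= over the body we actually received and compare with the signed value.
    Returns (matches, computed_bh, signed_bh). Only bh= is checked here; verifying b=
    needs the signer's public key from DNS and is outside this example."""
    head, body = split_message(raw)
    m = re.search(r"^DKIM-Signature:\s*(.*)$", head, re.M | re.I)
    if not m:
        raise ValueError("no DKIM-Signature header")
    tags = parse_dkim_tags(m.group(1))
    _, slash, body_canon = tags.get("c", "simple/simple").partition("/")
    body_canon = body_canon if slash else "simple"   # "c=relaxed" alone means relaxed/simple
    algo = "sha1" if tags.get("a", "rsa-sha256").endswith("sha1") else "sha256"
    length = int(tags["l"]) if "l" in tags else None
    computed = body_hash(body, body_canon, algo, length)
    return computed == tags.get("bh"), computed, tags.get("bh")


def untrusted_auth_results(raw, our_authserv_id):
    """authserv-ids of Authentication-Results headers not written by our own MTA.
    They record an earlier hop's view and must not replace recomputing bh= ourselves."""
    head, _ = split_message(raw)
    ids = re.findall(r"^Authentication-Results:\s*([^;\s]+)", head, re.M | re.I)
    return [i for i in ids if i.lower() != our_authserv_id.lower()]


def build_signed_message(body):
    """Constructed message whose DKIM-Signature bh= genuinely covers `body`."""
    bh = body_hash(body, "relaxed", "sha256")
    headers = (
        "From: staff@school.example\r\n"
        "To: parent@recipient.example\r\n"
        "Subject: Pupil targets\r\n"
        "Authentication-Results: first-hop.example; spf=pass; dkim=pass\r\n"
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=school.example;\r\n"
        f" s=sel1; h=from:to:subject; bh={bh};\r\n"
        " b=AAAA\r\n"   # placeholder signature value, not verified in this example
    )
    return headers.encode() + b"\r\n" + body


def inject_at_top(raw, injected):
    """Post-signing modification: prepend content to the body, headers untouched."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    return head + sep + injected + body


if __name__ == "__main__":
    signed = build_signed_message(ORIGINAL_BODY)
    print("clean    bh matches:", verify_body_hash(signed)[0])
    print("tampered bh matches:", verify_body_hash(inject_at_top(signed, INJECTED_BANNER))[0])
    print("upstream results to ignore:", untrusted_auth_results(signed, "our-mx.example"))
```

Relaxed canonicalization is forgiving of whitespace changes that intermediate MTAs commonly make, so a bh= mismatch under c=relaxed is a strong indicator that text was added or removed. Note that a mismatch by itself only proves modification after signing; locating the responsible hop still requires reading the Received chain, as the case above does.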
Image attachments carried additional forensic signals. One PNG contained the two-byte sequence MZ, the DOS executable header signature, at offsets 28733 and 81847, with no PE structure confirmed behind either. Any two-byte pattern turns up by chance roughly once per 64 KiB of compressed data, so the finding is a prompt for analysis rather than proof of an embedded executable; the check that settles it is whether a valid e_lfanew pointer and PE signature follow. A second image was 17,335 pixels tall, consistent with content stitched together from several screenshots rather than a single capture.
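As an added example (not the page's own analysis tooling), the following triages a PNG attachment the way the two observations above suggest: it reads the IHDR height, locates every MZ occurrence, and for each one checks whether a real PE header follows (the e_lfanew field at MZ+0x3C pointing at a "PE\0\0" signature). The PNG files are constructed in the block with non-decodable IDAT payloads, since only structure is inspected; the 10,000-pixel height threshold is an assumed cut-off, not a value from the case.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype, data):
    """Encode one PNG chunk: length, type, data, CRC32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width, height, idat_payload):
    """Constructed PNG for the demo. The IDAT payload is not valid zlib image
    data; that is fine because the triage only inspects structure."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat_payload) + png_chunk(b"IEND", b"")


def png_dimensions(data):
    """Return (width, height) from IHDR, or raise if the data is not a PNG."""
    if data[:8] != PNG_SIG or data[12:16] != b"IHDR":
        raise ValueError("not a PNG")
    return struct.unpack(">II", data[16:24])


def find_mz_offsets(data):
    """Every offset at which the DOS header signature 'MZ' occurs."""
    offsets, pos = [], data.find(b"MZ")
    while pos != -1:
        offsets.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return offsets


def has_pe_header(data, mz_offset):
    """A real PE image stores e_lfanew at MZ+0x3C, a little-endian offset from the
    MZ to the 'PE\\0\\0' signature. A chance 'MZ' in pixel data will not satisfy this."""
    lfanew_at = mz_offset + 0x3C
    if lfanew_at + 4 > len(data):
        return False
    e_lfanew = struct.unpack("<I", data[lfanew_at:lfanew_at + 4])[0]
    pe_at = mz_offset + e_lfanew
    return data[pe_at:pe_at + 4] == b"PE\x00\x00"


def triage_image(data, max_height=10000):
    """Summarise the signals discussed above for one PNG attachment."""
    width, height = png_dimensions(data)
    mz = find_mz_offsets(data)
    return {
        "width": width,
        "height": height,
        "tall": height > max_height,          # stitched/composed content indicator
        "mz_offsets": mz,                     # worth a look, not proof on its own
        "embedded_pe": [o for o in mz if has_pe_header(data, o)],
    }


def fake_pe_stub():
    """Minimal DOS-header-shaped bytes: 'MZ', padding, e_lfanew=0x40, then 'PE\\0\\0'."""
    return b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"


# Constructed samples: a stray MZ in opaque payload bytes (the situation in the
# case above), a very tall image, and a payload carrying a PE header stub.
STRAY_MZ = build_png(1200, 800, b"\x78\x9c" + b"\x01" * 50 + b"MZ" + b"\x02" * 50)
TALL = build_png(1200, 17335, b"\x78\x9c" + b"\x05" * 30)
EMBEDDED_PE = build_png(640, 480, b"\x78\x9c" + b"\x03" * 20 + fake_pe_stub() + b"\x04" * 10)

if __name__ == "__main__":
    for name, sample in (("stray MZ", STRAY_MZ), ("tall", TALL), ("embedded PE", EMBEDDED_PE)):
        print(name, triage_image(sample))
```

The IDAT data starts at byte 41 of these files (8-byte signature, 25-byte IHDR chunk, 8-byte IDAT length and type), so the deliberate MZ sits at offset 93 in STRAY_MZ and at 63 in EMBEDDED_PE. Only the second passes the e_lfanew check; the first is the kind of hit the case above describes, a byte pair that warrants a look but confirms nothing by itself.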
Actionable signals from this case:

- Tokenized URL parameters (a, c, g, k) let the attacker track clicks per recipient and tailor follow-up attacks.
- Community-driven threat intelligence accelerates detection of domains like kmail-lists[.]com that appear across multiple campaigns before any single organization sees enough volume to flag them.
| Type | Indicator | Context |
|---|---|---|
| Sender Domain | allsaintsacademy[.]norfolk[.]sch[.]uk | Compromised UK school account, domain registered 2014 |
| Relay Host | dispatch1-eu1[.]ppe-hosted[.]com | Proofpoint gateway in relay chain |
| Relay IP | 185[.]132[.]181[.]6 | IP for Proofpoint relay hop |
| Credential Harvest Domain | kmail-lists[.]com | Flagged by multiple sandboxes (risk score 0.88 CRITICAL) |
| Credential Harvest URL | manage[.]kmail-lists[.]com/subscriptions/subscribed?a=&c=&g=&k= | Tokenized per-recipient credential harvesting CTA |
| Auth Result | dkim=fail (body hash did not verify) | Body modified after original DKIM signing |
| Auth Result | dmarc=fail action=oreject | No aligned pass; oreject marks a p=reject policy overridden by the receiver |
| Attachment | image.png with MZ bytes at offsets 28733, 81847 | DOS header signature bytes inside PNG; no PE structure confirmed |
| Attachment | Image with 17,335px height | Stitched/composed content, not a standard capture |