The Email Passed Every Authentication Check (But the Body Wasn't the One That Was Signed)

TL;DR An email requesting ACH banking details and a signed W-9 arrived from Point72's legitimate infrastructure, passing SPF and DMARC authentication with a p=reject policy. But DKIM body-hash verification failed, proving the message body was tampered with after the original signature was applied. Three security gateways scored it as clean. IRONSCALES detected the behavioral anomaly and quarantined it across four mailboxes within seconds.
Severity: High | Tags: BEC, Spoofing | MITRE ATT&CK: T1566.002, T1534, T1078

Melissa checked her inbox at 10:33 AM on a Tuesday. The subject line read "RE: Onboard for Cohen Residency work," and the sender was a financial analyst at one of the largest hedge funds in the world. The thread was three messages deep. A CAUTION banner at the top reminded her the email originated from outside her organization. She'd seen that warning a thousand times.

The request was specific: provide ACH banking instructions in a locked PDF, along with a completed and signed W-9. The sender explained they were transitioning to a new accounts payable system and needed vendor information to process the supplier in their records. The tone was professional, the signature block included direct office and cell numbers, and the corporate disclaimer at the bottom cited their global privacy policy and terms of use.

Every signal said this was real.

Three Gateways, Three Clean Scores

The email traversed a gauntlet of security infrastructure before reaching Melissa's inbox. Proofpoint scored it zero across every category: spam, phishing, malware, impostor, and bulk. Barracuda's Email Security Service returned a spam score of 0.00. Microsoft's Exchange Online Protection assigned a Spam Confidence Level of 1, the lowest risk tier.

Three gateways. Three clean passes. No warnings, no quarantine.

The reason was simple: the email's authentication looked impeccable. SPF confirmed that the sending IP (148[.]163[.]157[.]251, a Proofpoint-hosted mail exchanger) was authorized by the sender's domain. DMARC passed with a p=reject policy, the strictest enforcement level available. For any gateway relying on protocol compliance as a trust signal, this email was clean.

But buried in the authentication headers was a detail none of them acted on.

The Hash That Didn't Match

DKIM is supposed to be the cryptographic proof that an email hasn't been altered. When a sending server signs a message, it computes a hash of the body content and embeds it in the DKIM signature header. The receiving server recomputes that hash. If the two match, the body is intact. If they don't, something changed.
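To make that check concrete, here is an added Python example (not code from IRONSCALES or from the original post) that implements the body-hash half of DKIM verification: both RFC 6376 body canonicalizations, the bh= computation including the l= length tag, and a comparison of the recomputed value against the one in the DKIM-Signature header. The sample body, the domain and selector in the constructed signature header are placeholders, and the b= signature itself is omitted because only the body hash is under discussion.

```python
"""DKIM body hash (RFC 6376 section 3.4): canonicalize the body, hash it, compare with bh=."""
import base64
import hashlib
import re
from typing import Optional

HASH_FOR_ALGO = {"rsa-sha256": hashlib.sha256, "ed25519-sha256": hashlib.sha256,
                 "rsa-sha1": hashlib.sha1}


def canonicalize_body_simple(body: bytes) -> bytes:
    """'simple': keep the body as-is except collapse trailing empty lines to one CRLF
    (an empty body becomes a lone CRLF). Line endings are normalized to CRLF first."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"


def canonicalize_body_relaxed(body: bytes) -> bytes:
    """'relaxed': collapse runs of space/tab to one space, strip trailing whitespace
    on each line, drop trailing empty lines, end a non-empty body with CRLF."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t")
             for ln in body.replace(b"\r\n", b"\n").split(b"\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def body_hash(body: bytes, canon: str = "relaxed", algo: str = "rsa-sha256",
              length: Optional[int] = None) -> str:
    """Return the base64 body hash exactly as it would appear in the bh= tag."""
    canon_fn = canonicalize_body_relaxed if canon == "relaxed" else canonicalize_body_simple
    data = canon_fn(body)
    if length is not None:            # l= tag: only the first `length` octets are covered
        data = data[:length]
    return base64.b64encode(HASH_FOR_ALGO[algo](data).digest()).decode()


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def verify_body_hash(dkim_signature: str, body: bytes) -> dict:
    """Recompute bh= over the body as received and compare it with the signed value."""
    tags = parse_dkim_tags(dkim_signature)
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/", 1)[1] if "/" in canon else "simple"  # c=relaxed alone => body is simple
    length = int(tags["l"]) if "l" in tags else None
    actual = body_hash(body, body_canon, tags.get("a", "rsa-sha256"), length)
    return {"ok": actual == tags.get("bh"), "signed_bh": tags.get("bh"), "actual_bh": actual}


# Constructed sample: the body as the signer saw it, and the same body with one line changed in transit.
SIGNED_BODY = (b"Hello,\r\n\r\nOur remittance account ends in 1234.\r\n"
               b"Please confirm receipt.\r\n\r\nRegards\r\n")
TAMPERED_BODY = SIGNED_BODY.replace(b"1234", b"9876")


def demo() -> dict:
    """Build a DKIM-Signature header carrying bh= for SIGNED_BODY (b= omitted; placeholder
    domain and selector), then verify the original and the tampered body against it."""
    signature = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d=sender.example; s=sel1;\r\n"
                 f"\th=from:to:subject:date; bh={body_hash(SIGNED_BODY)};\r\n\tb=<signature-omitted>")
    return {"original": verify_body_hash(signature, SIGNED_BODY)["ok"],
            "tampered": verify_body_hash(signature, TAMPERED_BODY)["ok"]}


if __name__ == "__main__":
    print(demo())  # {'original': True, 'tampered': False}
```

The `l=` handling is the detail worth noticing: when a signer uses the length tag, anything appended after the covered octets does not change the body hash, so a verifier that stops at "bh matches" can still be looking at a body with extra content at the end.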

In this email, they didn't match.

The authentication results told the story in a single line: dkim=fail (body hash did not verify) header.d=point72[.]com. The ARC (Authenticated Received Chain) results confirmed the timeline. At the first hop (i=1), DKIM passed. By the second hop (i=2), the body hash had diverged. Somewhere between those two checkpoints, the content of this email was modified.

The ARC chain's verdict: cv=fail.

This is the kind of signal that should stop an email in its tracks. A DKIM body-hash failure is cryptographic evidence of in-transit tampering (MITRE ATT&CK T1566.002). It means the message Melissa received was not the same message the sending server originally signed. The words on her screen may have been rewritten, the banking instructions may have been swapped, or the W-9 request may have been injected after the fact.

But DMARC passed anyway. And that was enough for every gateway in the chain.

Why DMARC Passed When It Shouldn't Have Mattered

Here's the gap that makes this attack so effective: DMARC doesn't require both SPF and DKIM to pass. It requires either one. As long as SPF alignment succeeds (the envelope sender matches the From domain, and the sending IP is authorized), DMARC returns a pass, even if DKIM is completely broken.
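The Authentication-Results line and ARC timeline described earlier, together with the "either SPF or DKIM" rule just stated, can be turned into a concrete triage check. The following Python is an added example, not code from the original post or from any gateway vendor: it parses Authentication-Results and ARC-Authentication-Results clauses (RFC 8601 syntax), applies the RFC 7489 rule to report which identifier actually carried the DMARC pass, walks the ARC instances to locate the hop where the DKIM result flipped, and flags the contradictory state. The header values, hostnames, IP and domains are constructed placeholders, and the organizational-domain helper approximates the Public Suffix List with the last two labels.

```python
"""Parse Authentication-Results / ARC headers and flag the contradiction:
DMARC pass carried by SPF alone while DKIM reports a body-hash failure."""
import re

# RFC 8601 resinfo clause: method=result [(comment)] [ptype.property=value ...]
CLAUSE_RE = re.compile(r"^(?P<method>[a-z0-9-]+)=(?P<result>[a-z0-9]+)\s*"
                       r"(?:\((?P<comment>[^)]*)\))?(?P<rest>.*)$", re.I)
PROP_RE = re.compile(r"([a-z]+\.[a-z]+)=([^\s;]+)", re.I)


def parse_authentication_results(value: str) -> dict:
    """Return {'authserv_id', 'instance' (ARC i=), 'methods': {name: {result, comment, props}}}."""
    out = {"authserv_id": None, "instance": None, "methods": {}}
    for clause in (c.strip() for c in " ".join(value.split()).split(";")):
        if not clause:
            continue
        m = CLAUSE_RE.match(clause)
        if m is None:                        # bare token: the verifying host (authserv-id)
            out["authserv_id"] = clause
        elif m["method"].lower() == "i":     # ARC instance tag
            out["instance"] = int(m["result"])
        else:
            out["methods"][m["method"].lower()] = {
                "result": m["result"].lower(),
                "comment": (m["comment"] or "").strip(),
                "props": {k.lower(): v for k, v in PROP_RE.findall(m["rest"])},
            }
    return out


def org_domain(identifier: str) -> str:
    """Organizational domain for relaxed alignment, approximated as the last two
    labels (a production check uses the Public Suffix List)."""
    domain = identifier.rsplit("@", 1)[-1].lower().rstrip(".")
    return ".".join(domain.split(".")[-2:])


def dmarc_verdict(methods: dict, from_domain: str) -> dict:
    """RFC 7489: DMARC passes when SPF *or* DKIM passes with an identifier aligned
    to the From: domain. Reports which identifier(s) carried the pass."""
    spf, dkim = methods.get("spf", {}), methods.get("dkim", {})
    spf_ok = spf.get("result") == "pass" and org_domain(
        spf.get("props", {}).get("smtp.mailfrom", "")) == org_domain(from_domain)
    dkim_ok = dkim.get("result") == "pass" and org_domain(
        dkim.get("props", {}).get("header.d", "")) == org_domain(from_domain)
    return {"pass": spf_ok or dkim_ok,
            "via": [n for n, ok in (("spf", spf_ok), ("dkim", dkim_ok)) if ok]}


def triage(auth_results: str, from_domain: str, arc_results=(), arc_seal: str = "") -> dict:
    """Combine the final Authentication-Results with the ARC timeline and seal verdict."""
    ar = parse_authentication_results(auth_results)
    verdict = dmarc_verdict(ar["methods"], from_domain)
    dkim = ar["methods"].get("dkim", {})
    findings = []
    if verdict["pass"] and verdict["via"] == ["spf"] and dkim.get("result") == "fail":
        findings.append("DMARC pass rests on SPF alone while DKIM failed: "
                        + (dkim.get("comment") or "no reason given"))
    if "body hash" in dkim.get("comment", "").lower():
        findings.append("DKIM body hash mismatch: body differs from what the signer hashed")
    hops = sorted((parse_authentication_results(v) for v in arc_results),
                  key=lambda h: h["instance"] or 0)
    for earlier, later in zip(hops, hops[1:]):   # where along the chain did DKIM flip?
        before = earlier["methods"].get("dkim", {}).get("result")
        after = later["methods"].get("dkim", {}).get("result")
        if before == "pass" and after == "fail":
            findings.append(f"DKIM pass->fail between ARC i={earlier['instance']} and i={later['instance']}")
    cv = re.search(r"\bcv=([a-z]+)", arc_seal, re.I)
    if cv and cv.group(1).lower() == "fail":
        findings.append("ARC chain validation failed (cv=fail)")
    return {"dmarc": verdict, "findings": findings,
            "action": "hold for review" if findings else "no authentication contradiction"}


# Constructed headers that mirror the pattern in the write-up (hosts, IP and domains are placeholders).
AUTH_RESULTS = ("mx.recipient.example; spf=pass (sender IP is 198.51.100.7) smtp.mailfrom=sender.example; "
                "dkim=fail (body hash did not verify) header.d=sender.example header.s=sel1; "
                "dmarc=pass (p=reject sp=reject dis=none) header.from=sender.example")
ARC_RESULTS = ("i=1; mx.first-hop.example; dkim=pass header.d=sender.example; spf=pass smtp.mailfrom=sender.example",
               "i=2; mx.second-hop.example; dkim=fail (body hash did not verify) header.d=sender.example; "
               "spf=pass smtp.mailfrom=sender.example")
ARC_SEAL = "i=2; cv=fail; d=mx.second-hop.example; s=arc1; t=1700000000; b=<signature-omitted>"


def run_sample() -> dict:
    return triage(AUTH_RESULTS, "sender.example", ARC_RESULTS, ARC_SEAL)


if __name__ == "__main__":
    for line in run_sample()["findings"]:
        print("-", line)
```

Two things to keep in mind when wiring this into a mail-flow rule. First, a body-hash failure on its own is not proof of malice: an intermediary that appends a footer or inserts a warning banner before re-delivering breaks the hash just as effectively, which is why the check reads the ARC instances to see at which hop the result flipped rather than stopping at the final verdict. Second, the only Authentication-Results header you should trust is the one your own boundary MTA added; upstream copies of that header can be supplied by the sender and must be stripped or ignored.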

According to the FBI's Internet Crime Complaint Center, business email compromise caused over $2.9 billion in reported losses in 2023. BEC doesn't need malware or credential harvesting pages. It needs trust. And a DMARC pass from a domain with a p=reject policy is one of the strongest trust signals in email.

The Verizon 2024 DBIR found that the median time for a user to click a phishing link is under 60 seconds from delivery. For an email that passes every authentication check, that window is shorter.


The Logo That Didn't Belong

One more detail that the gateways ignored: the email carried an embedded image attachment, a 170KB PNG file. It wasn't a tracking pixel. It was a logo, the 75th anniversary seal of a regional water authority.

The sender was a hedge fund financial analyst. The recipient was a finance department employee at the water authority. The logo belonged to the recipient's organization, not the sender's.

In a legitimate vendor onboarding thread, the sender would attach their own branding or none at all. The recipient's logo inside an inbound email from an external party is a social engineering marker: it builds familiarity, makes the email feel internal, and suggests the attacker had enough reconnaissance to embed the target's own identity into the pretext (MITRE ATT&CK T1534).

Forty-Seven Seconds

While three gateways waved this email through, IRONSCALES Adaptive AI was evaluating something none of them checked: behavioral context. A first-time external sender requesting banking credentials from a VIP recipient in the finance department. A DKIM body-hash failure paired with a high-risk request type.

Within seconds, Themis quarantined the message across all four affected mailboxes. No human intervention. No SOC analyst triage. The AI-driven detection caught what three layers of gateway infrastructure could not: that an email can be cryptographically tampered with and still pass DMARC. The message was removed before anyone could respond with a W-9 or bank account details.
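As a sketch of how the behavioral signals named above can be combined with the authentication contradiction, here is an added rule-based triage example in Python. It is not IRONSCALES' model and not code from the original post: it scores first contact from an external sender, recipient role, a request for payment routing details in the body, a DMARC pass paired with a DKIM body-hash failure, and (from the logo section) the recipient organization's own brand asset attached by an external party. The weights, thresholds, addresses, role assignments and the logo hash are all constructed for the example.

```python
"""Rule-based contextual triage: authentication findings plus sender history,
recipient role, request type and attachment branding. Weights and thresholds are
illustrative choices for this example, not a vendor's model."""
import hashlib
import re
from dataclasses import dataclass, field

# Phrases that mark a request for payment routing details.
PAYMENT_DETAILS_RE = re.compile(
    r"\b(ach|wire|routing number|bank(?:ing)? (?:details|instructions)|w-?9|remittance)\b", re.I)


@dataclass
class InboundMessage:
    sender: str
    recipients: list
    body: str
    dkim_body_hash_failed: bool = False      # taken from the boundary MTA's Authentication-Results
    dmarc_passed: bool = False
    attachment_sha256: list = field(default_factory=list)


@dataclass
class OrgContext:
    internal_domain: str
    known_senders: set                        # external addresses that have mailed this org before
    roles: dict                               # recipient address -> set of role tags
    brand_asset_sha256: set                   # SHA-256 of the org's own logo files


def is_external(address: str, ctx: OrgContext) -> bool:
    return not address.lower().endswith("@" + ctx.internal_domain.lower())


def score_message(msg: InboundMessage, ctx: OrgContext) -> dict:
    """Return the triggered signals, an additive score and a disposition."""
    signals = []
    if is_external(msg.sender, ctx) and msg.sender.lower() not in ctx.known_senders:
        signals.append(("first-contact external sender", 2))
    target_roles = set().union(*(ctx.roles.get(r.lower(), set()) for r in msg.recipients))
    if target_roles & {"finance", "vip"}:
        signals.append(("recipient handles payments or is a VIP", 1))
    if PAYMENT_DETAILS_RE.search(msg.body):
        signals.append(("request for payment routing details", 3))
    if msg.dmarc_passed and msg.dkim_body_hash_failed:
        signals.append(("DMARC pass with DKIM body-hash failure", 4))
    if is_external(msg.sender, ctx) and set(msg.attachment_sha256) & ctx.brand_asset_sha256:
        signals.append(("external sender embedded this org's own branding", 2))
    score = sum(w for _, w in signals)
    names = {n for n, _ in signals}
    # A payment-details request from an unfamiliar or tampered source is quarantined outright,
    # regardless of the running total.
    high_risk_combo = ("request for payment routing details" in names and
                       names & {"first-contact external sender", "DMARC pass with DKIM body-hash failure"})
    if high_risk_combo or score >= 7:
        disposition = "quarantine"
    elif score >= 3:
        disposition = "deliver with warning banner"
    else:
        disposition = "deliver"
    return {"score": score, "signals": [n for n, _ in signals], "disposition": disposition}


# Constructed sample data; the hashed bytes stand in for the recipient org's own logo PNG.
LOGO_SHA256 = hashlib.sha256(b"placeholder bytes of the water authority's anniversary logo").hexdigest()
CTX = OrgContext(
    internal_domain="water-authority.example",
    known_senders={"accounts@trusted-vendor.example"},
    roles={"melissa@water-authority.example": {"finance", "vip"}},
    brand_asset_sha256={LOGO_SHA256},
)
SUSPECT = InboundMessage(
    sender="analyst@hedge-fund.example",
    recipients=["melissa@water-authority.example"],
    body="We are moving to a new accounts payable system. Please send ACH banking instructions "
         "in a locked PDF and a signed W-9.",
    dkim_body_hash_failed=True, dmarc_passed=True, attachment_sha256=[LOGO_SHA256])
ROUTINE = InboundMessage(
    sender="accounts@trusted-vendor.example",
    recipients=["melissa@water-authority.example"],
    body="Attached is the monthly statement for your records.", dmarc_passed=True)


if __name__ == "__main__":
    for label, message in (("suspect", SUSPECT), ("routine", ROUTINE)):
        print(label, score_message(message, CTX))
```

The combination rule is the part that matters: a payment-details request by itself is normal finance traffic, and a first-contact sender by itself is normal business, but the two together, or either paired with a tampered body, is the pattern the post describes, so the disposition does not depend on the additive score reaching its threshold.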

What a Body-Hash Failure Actually Tells You

Most security teams treat email authentication as binary: pass or fail. That mental model works for the majority of traffic. It does not work for sophisticated BEC.

A DKIM body-hash failure in an email that otherwise passes SPF and DMARC is like a tamper-evident seal that has been broken on a package from a trusted courier. The courier is real. The package started from the right address. But someone opened it along the way.

The Microsoft Digital Defense Report 2024 confirms that identity-based attacks now account for the majority of email-borne threats, with attackers increasingly leveraging legitimate infrastructure. The IBM Cost of a Data Breach Report 2024 found that compromised credentials remain the most common initial attack vector, averaging $4.81 million per incident.

DMARC is not broken. It's doing exactly what it was designed to do: check domain alignment. The problem is that security teams have assigned it a trust value it was never meant to carry. When DMARC passes but DKIM body-hash verification fails, the result isn't "clean." It's contradictory. And contradictory signals, in a $2.9 billion fraud category, deserve more than a zero score and a delivery to the inbox.

Indicators of Compromise

Type | Indicator | Context
--- | --- | ---
Sender Email | Charlie[.]Povinelli@Point72[.]com | Financial analyst identity used in BEC pretext
Sending IP | 148[.]163[.]157[.]251 | Proofpoint-hosted MX (mx0a-001f6201[.]pphosted[.]com), SPF-authorized for point72[.]com
Relay IP | 209[.]222[.]82[.]241 | Barracuda ESS outbound relay (outbound-ip77a[.]ess[.]barracuda[.]com)
Subject Line | RE: Onboard for Cohen Residency work | Multi-message thread pretext for vendor onboarding
Attachment | image001.png (170KB, SHA256 hash on file) | SCWA 75th anniversary logo, branding mismatch with sender domain
Authentication | DKIM body hash fail, ARC cv=fail | Cryptographic evidence of in-transit body modification
DMARC Policy | p=reject (point72[.]com) | Passed on SPF alignment alone despite DKIM failure

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 30,000+ security professionals. Each post breaks down one attack — what it looked like, why it worked, and what you can do about it.
