When the Phishing Kit Ships Early: Exposed Template Variables Reveal Attack Infrastructure
ID: 0304ef83-ca48-570a-9d22-eee783e53b16
STIX ID: report--0304ef83-ca48-570a-9d22-eee783e53b16
Feed Name: IRONSCALES
A credential-harvesting phishing email sent from a compromised, authenticated account bypassed spoofing checks (SPF/DKIM/DMARC). The message contained unresolved template tokens and a placeholder URL (http://vm/), indicating that a phishing kit was deployed before it was configured. Behavioral detection flagged and quarantined the message, and the exposed artifacts provide actionable IOCs and TTPs for defenders.
