
The Unsubscribe Button Was the Payload: How a Fake Health Email Weaponized Opt-Out Compliance

ID: 03f893c6-99b4-5e68-a20b-e64c97ffe8fe

STIX ID: report--03f893c6-99b4-5e68-a20b-e64c97ffe8fe

Feed Name: IRONSCALES

Threat Score: 70/100

Date Published: 2026-05-05

Date Updated: 2026-05-05

Author: Audian Paxson


A targeted phishing campaign posing as a health newsletter used a disposable GoDaddy sending domain and a Cloudflare-fronted unsubscribe landing page to harvest recipient emails. The visible CTAs routed through ClickBank affiliate redirects, while the unsubscribe link confirmed address validity. The attackers encoded recipients in the DKIM, Sender, Message-ID, and List-Unsubscribe headers (hex/base64) for per-recipient tracking. The report includes IoCs (domains, URLs, IP, sender hostname), detection context (SCL 9, quarantined), and mitigation recommendations such as inspecting unsubscribe links and decoding obfuscated headers.
