A Voicemail That Never Rang: How Attackers Chained Three ESPs to Launder Email Authentication

ID: 0bb7da3b-828c-50f4-af76-b10b2e1c72a3

STIX ID: report--0bb7da3b-828c-50f4-af76-b10b2e1c72a3

Feed Name: IRONSCALES

Threat Score: 70/100

Date Published: 2026-06-03

Date Updated: 2026-06-03

Author: Audian Paxson

This report describes a high-severity phishing campaign that impersonated a K‑12 staff member. The attackers chained three legitimate email services (SendGrid for delivery, Mailchimp for click-tracking, and ActiveCampaign Pages for the credential-harvesting landing page) to pass SPF/DKIM checks while evading DMARC alignment due to the victim domain's p=none policy. IOCs, MITRE ATT&CK mappings, and actionable mitigations are provided.
