The Timestamp That Gave It Away: Oracle Identity Cloud Phishing Targets K-12 with a Stale Timezone
ID: 107d803f-511e-5a6b-8d0f-c877374023ff
STIX ID: report--107d803f-511e-5a6b-8d0f-c877374023ff
Feed Name: IRONSCALES
Attackers sent a spearphishing Oracle Identity Cloud password-reset email to a Florida K‑12 staffer. The email used per-recipient Base64 tokens and a UK-hosted redirector (richard-woof.com) cloaked by a Google 404 redirect to evade automated scanners. The sending domain (agrogreenalax.com) passed SPF and bypassed the district's gateway, and a read-receipt header provided open-notification telemetry to the attacker. The report highlights a low-tech detection heuristic, a stale DST timezone label (CDT) after DST ended, and lists IoCs including agrogreenalax.com, richard-woof.com, 172.93.120.235, 109.123.69.211, and attacker email addresses.
