A School Email That Passed Authentication Twice, Then Changed: Post-Signing Content Injection via Compromised .sch.uk Domain
ID: 5cd971d9-89a0-5453-818b-67995f126592
STIX ID: report--5cd971d9-89a0-5453-818b-67995f126592
Feed Name: IRONSCALES
An email from a compromised allsaintsacademy.norfolk.sch.uk account was observed with injected finance-themed content linking to manage.kmail-lists.com (flagged by sandboxes for credential harvesting). SPF/DKIM passed at the first hop but the DKIM body hash failed at delivery, and DMARC returned a reject, indicating content injection while transiting a Proofpoint relay (dispatch1-eu1.ppe-hosted.com / 185.132.181.6). Indicators include the compromised sender domain, relay host/IP, tokenized harvesting URL, and anomalous image attachments (embedded MZ signatures and extreme image height); defenders should monitor DKIM body-hash failures, incompatible content blocks, tokenized URLs, and suspicious attachment artifacts.
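As an added illustration that is not part of the IRONSCALES report, the Python below shows how a defender can check for the signal described above: it parses the Authentication-Results header stamped at each hop and flags a DKIM pass at an earlier hop followed by a body-hash failure at delivery, with the DMARC verdict recorded alongside. All hostnames, domains and header values in the sample message are constructed placeholders.

```python
import email
import re

# Constructed sample message (not from the report): the top Authentication-Results
# header was added at delivery, the lower one at the first hop before a relay.
SAMPLE_MESSAGE = """\
Authentication-Results: mx.example.net;
 dkim=fail (body hash did not verify) header.d=example-school.sch.uk header.s=sel1;
 spf=pass smtp.mailfrom=example-school.sch.uk;
 dmarc=fail (p=reject dis=reject) header.from=example-school.sch.uk
Authentication-Results: relay.example-hosted.test;
 dkim=pass header.d=example-school.sch.uk header.s=sel1;
 spf=pass smtp.mailfrom=example-school.sch.uk
From: Finance <finance@example-school.sch.uk>
"""

# method=verdict with an optional parenthesised reason, e.g. dkim=fail (body hash did not verify)
RESULT_RE = re.compile(r"\b(dkim|spf|dmarc)=(\w+)(?:\s*\(([^)]*)\))?")


def parse_auth_results(raw_message):
    """Return [(authserv_id, {method: (verdict, reason)})], delivery-side header first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Authentication-Results", []):
        text = " ".join(value.split())            # unfold the header
        authserv = text.split(";", 1)[0].strip()  # the host that stamped this result
        results = {m.group(1): (m.group(2), m.group(3) or "")
                   for m in RESULT_RE.finditer(text)}
        hops.append((authserv, results))
    return hops


def detect_post_signing_modification(hops):
    """Flag a DKIM pass at an earlier hop followed by a body-hash failure later on."""
    finding = {"modified_in_transit": False, "dkim_pass_at": None,
               "dkim_fail_at": None, "dmarc": None}
    for authserv, results in reversed(hops):   # walk from origin toward delivery
        verdict, reason = results.get("dkim", (None, ""))
        if verdict == "pass":
            finding["dkim_pass_at"] = authserv
        elif verdict == "fail" and finding["dkim_pass_at"]:
            finding["dkim_fail_at"] = authserv
            if "body hash" in reason.lower():  # signature valid, body changed after signing
                finding["modified_in_transit"] = True
    if hops and "dmarc" in hops[0][1]:
        finding["dmarc"] = hops[0][1]["dmarc"][0]
    return finding
```

Run it as `detect_post_signing_modification(parse_auth_results(SAMPLE_MESSAGE))`; a message whose body was altered between the signing hop and delivery reports `modified_in_transit` as True with the two hops named.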
