
The GitLab Alert That Passed Every Filter (Except One Detail Nobody Checked)

ID: 6c84a931-2399-503a-a9b5-60df8b864a9e

STIX ID: report--6c84a931-2399-503a-a9b5-60df8b864a9e

Feed Name: IRONSCALES

Threat Score: 70/100

Date Published: 2026-04-09

Date Updated: 2026-04-28

Author: Audian Paxson


Attackers delivered a convincing GitLab sign-in phishing email to employees of a UK specialty insurer that passed SPF/DMARC and had Proofpoint URL Defense-wrapped links, but included an impossible RFC1918 IP (10.115.13.36) in the sign-in details; Themis quarantined four mailboxes before any interaction. The report provides IoCs (displayed private IP, origin relay 46.235.173.194, referenced domain gitlab.tmkiln.cloud, and Proofpoint-wrapped URLs), analyzes why link-rewriting created a false sense of safety, and recommends adding body-text IP routing sanity checks, monitoring first-time senders from known domains, and training users to inspect message content beyond links.
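The body-text IP routing sanity check recommended above could look like the following sketch. This is an added example, not code from the report or from IRONSCALES; the function names, the context-label wording and the sample message body are constructed for illustration.

```python
import ipaddress
import re

# Candidate dotted quads; ipaddress performs the real validation below.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# Assumed label wording that presents an address as the remote origin of a sign-in.
CONTEXT_RE = re.compile(r"ip address|sign(?:ed)?[- ]in|location", re.I)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(ip):
    """Return why an address cannot be an Internet-facing sign-in source, else None."""
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if not ip.is_global:  # CGNAT, documentation ranges, reserved space, ...
        return "non-global"
    return None


def find_nonroutable_signin_ips(body):
    """Scan sign-in detail lines and return (ip, reason, line) for each bad address."""
    findings = []
    for line in body.splitlines():
        if not CONTEXT_RE.search(line):
            continue  # only inspect lines that claim to describe the sign-in
        for candidate in IPV4_RE.findall(line):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # e.g. 999.1.1.1 or octets with leading zeros
            reason = classify(ip)
            if reason:
                findings.append((str(ip), reason, line.strip()))
    return findings


# Constructed sample body; only the IP and hostname come from the report summary.
SAMPLE_BODY = """\
Hello,
A sign-in to your account was made from a new location.
Hostname: gitlab.tmkiln.cloud
IP address: 10.115.13.36
Time: 2026-04-01 09:14 UTC
"""

if __name__ == "__main__":
    for ip, reason, line in find_nonroutable_signin_ips(SAMPLE_BODY):
        print(f"flag: {ip} ({reason}) in '{line}'")
```

A hit is a scoring signal to combine with the other recommendations (first-time sender from a known domain), since internal notification systems can legitimately show private addresses.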
