SPF Pass, DKIM Pass, DMARC Pass. Still Phishing.
ID: 7a6a44b4-924f-523e-aa4a-3f210f41b9c8
STIX ID: report--7a6a44b4-924f-523e-aa4a-3f210f41b9c8
Feed Name: IRONSCALES
An attacker registered a cousin domain of a legitimate Mexican supplier, configured SPF, DKIM and DMARC for it, and sent a well-crafted Spanish ERP invoice PDF to multiple procurement staff. The PDF and links were clean, but a behavioral sender-fingerprint mismatch (display name vs. historical sender address) flagged the impersonation, and the messages were quarantined. The IOCs provided include the malicious sender address, the originating IP, the PDF MD5, and an anomalous X-Mailer string.
