The Government Email That Authenticated Itself After Transit

A compromised Pierce County Microsoft 365 account distributed a password-protected PDF (passcode included in the email body) that evaded automated scanners; Microsoft outbound signing caused SPF/DKIM/DMARC to pass at the receiver while the ARC seal showed cv=fail (authentication laundering). IRONSCALES flagged the behavior and quarantined four mailboxes; the report provides IOCs and MITRE ATT&CK mappings.