The Childcare App That Passed Every Security Check (The Reply-To Header Didn't)
ID: ee5f0d2f-59c1-5a1c-949d-2d926ea871a7
STIX ID: report--ee5f0d2f-59c1-5a1c-949d-2d926ea871a7
Feed Name: IRONSCALES
**Executive summary:** Attackers abused Brightwheel's legitimate email-sending infrastructure to deliver authenticated billing notifications to school staff. The messages passed SPF/DKIM/DMARC but carried an attacker-controlled Reply-To ([email protected]) to intercept replies and enable BEC-style social engineering. Detection relied on behavioral signals such as display-name/address mismatches and a failed personalization token.
