Best of the Worst: Five Attacks That Cleared Authentication and Landed Anyway

ID: cf054f62-aecd-5647-a94b-e868af2bbd57

STIX ID: report--cf054f62-aecd-5647-a94b-e868af2bbd57

Feed Name: Security Boulevard

Threat Score: 60/100

Date Published: 2026-05-19

Date Updated: 2026-05-20

Author: Audian Paxson

This report examines five real phishing incidents that bypassed SPF/DKIM/DMARC by exploiting unauthenticated fields and infrastructure novelty. Examples include a purpose-built Microsoft 365 tenant sending a Google Docs credential phish, Amazon SES-delivered vishing with a callback number as the payload, DKIM-signed school mail whose body was injected downstream, a Gmail BEC using a typosquat Reply-To to divert replies, and Teams display-name impersonation. It concludes that an authentication pass is the floor, not the verdict, and recommends re-verifying body hashes, checking Reply-To and display-name fields, and using behavioral signals.
