Trusted, Signed, Still Malicious. Exploiting Custom Email Text to Bypass Security Controls
ID: f9e9053a-5b6f-5f14-8263-5704c097a4f1
STIX ID: report--f9e9053a-5b6f-5f14-8263-5704c097a4f1
Feed Name: Cofense Blog
This report describes a campaign in which attackers abuse legitimate services (e.g., Zoom, document sharing, Exchange Online redirection) by inserting phone-scam messages into user-visible text fields, so that outgoing, legitimately sent emails carry the malicious content. Because the emails are resent without changing the From header and with SPF/DKIM/DMARC preserved, they have been observed bypassing major secure email gateways and tricking recipients into engaging with the scam.
