Clean Headers, Dirty Message
A phishing attempt reached my inbox through a legitimate, fully authenticated email. Here's how it worked, and how I traced it.
Yesterday I joined an online forum that focused on AI safety, among other things. A few hours later I received a welcome letter from the forum, and, one hour after that, an email alert that a private message from a forum administrator was waiting for me.
Hello, jeff-caruso! Congratulations!!! You are the last of 10 randomly selected participants to receive a free "Apple iPad Air 11" from the E_____.org team! Hurry up and claim your prize! https://share.google/N*************cid.
This was an obvious phishing attempt, but it came from a legitimate email address, so I copied the email text and the raw headers, and pushed both into Claude Code for analysis using the newly released Fable 5 model.
SPF, DKIM, and DMARC all passed, and my spam filter scored the message a 0.1. It sailed through precisely *because* it was genuine: a real forum notification, correctly signed and authenticated, faithfully relaying a scammer’s private message. The email wasn’t spoofed at all. The abuse was one level up — a user account impersonating an administrator inside the platform. Authentication only tells you that the envelope is real; it tells you nothing about who wrote what’s inside.
Claude ran a trace on the link contained in the message and was able to reproduce the entire kill chain.
According to Claude’s analysis, had I clicked through, I would have seen
presentnow.club — a prize-themed throwaway domain (“present now”), fronted by Cloudflare (both IPs are Cloudflare’s; real origin hidden — standard for scam infrastructure). The page opens with “Congratulations!” and is a templated fake-giveaway kit: carousel slides, a generic “brand” logo slot, “Help and Support” chrome. This is the classic flow that walks the victim through a fake survey → “claim your iPad” → harvests card details as a “shipping fee” or enrolls them in recurring billing.
The name of the community / forum: This kit is multi-tenant — one scam engine with a per-community landing path, meaning they’re running this same play against other forums simultaneously, each with its own path and matching PM campaign.
The asset version string (?v=1762433176) is a Unix timestamp — November 6, 2025 — the kit’s build/deploy date. It’s been in service for months.
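As an added example (my own code, not part of the original post or of any tool it names), a small Python triage helper for the point made above: passing SPF/DKIM/DMARC only tells you who relayed the message, so the useful next step is to separate the authenticated sender from the links the body actually sends you to, and to decode a `?v=` Unix-timestamp cache-buster like the one on the kit. The sample message, addresses and domains are constructed.

```python
import email
import re
from datetime import datetime, timezone
from email import policy
from urllib.parse import urlparse

# Constructed sample (not the real message): a genuine forum notification,
# correctly authenticated, relaying a scam private message verbatim.
RAW_MESSAGE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=forum.example.org;
 dkim=pass header.d=forum.example.org;
 dmarc=pass header.from=forum.example.org
From: "Forum Notifications" <noreply@forum.example.org>
To: jeff@example.com
Subject: New private message from an administrator
Content-Type: text/plain; charset=utf-8

Congratulations! You are the last of 10 randomly selected participants.
Claim your prize: https://share.example/Nxxxx
Kit assets: https://presentnow.example/kit/app.js?v=1762433176
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
VERSION_RE = re.compile(r"[?&]v=(\d{9,10})\b")


def auth_results(msg):
    """Pull the spf/dkim/dmarc verdicts out of Authentication-Results (RFC 8601)."""
    return dict(AUTH_RE.findall(msg.get("Authentication-Results", "")))


def version_timestamp(url):
    """Decode a ?v=<unix seconds> cache-buster into an ISO-8601 UTC date, else None."""
    m = VERSION_RE.search(url)
    return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc).isoformat() if m else None


def same_platform(host, domain):
    """True if host is the sender's domain or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def triage(raw):
    """Separate 'who relayed this' (headers) from 'where does it send me' (body)."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = auth_results(msg)
    from_domain = msg["From"].addresses[0].domain
    urls = URL_RE.findall(msg.get_body(preferencelist=("plain",)).get_content())
    # Authentication says nothing about these off-platform links; they are the
    # part worth a headers-only trace and an abuse report.
    off_platform = [u for u in urls if not same_platform(urlparse(u).hostname or "", from_domain)]
    return {
        "authenticated": all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")),
        "from_domain": from_domain,
        "off_platform_urls": off_platform,
        "build_dates": {u: version_timestamp(u) for u in off_platform if version_timestamp(u)},
    }
```

Run `triage(RAW_MESSAGE)` to see the sample come back fully authenticated while both body links point away from the forum, with the kit asset dated 2025-11-06.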
Midway through the analysis, Fable 5 flagged what I was working on and bumped me to Opus 4.8. A classifier that was supposed to catch and block the finding of software vulnerabilities instead blocked something that defenders do all the time: passive header analysis and a headers-only redirect trace that’s been run to file an abuse report.
The issue isn’t that a guardrail exists. It’s that this one cannot tell offense from defense.
Nevertheless, Opus 4.8 performed perfectly well for my purposes. It generated a detailed report and analysis that I filed with the forum administrator and with Google, since the malware was delivered via a Google link.
Of Possible Interest
Save up to 30% on tickets for the second annual Whitefish Security Summit. 20% early bird rate (expires August 15th) and an extra 10% off for the July 4th weekend. Visit https://whitefishsecuritysummit.com/ for more information and to register.