> I'm hoping someone can help me understand how what appears to be an
> invoice scam was passed through legitimate MS servers and even
> USER_IN_DKIM_WHITELIST.
>
> USER_IN_DKIM_WHITELIST refers to an explicit (i.e. site or user-specific)
> welcomelist, so this you did to yourself...
>
Thanks so much for catching this. I searched for microsoft in my own list
but must have missed that one.

Looks like a good time to prune the historical cruft from the whole
welcomelist.

It's a very scary, realistic phish, for sure.
