A suspicious email spread internally and was quickly attributed to spoofing. The user whose account was associated with the message stated they did not send it, and multiple recipients had already interacted with the email.

It wasn’t.

Email header analysis revealed the message originated from within the organization. Authentication had succeeded, the message was treated as internal, and no controls were triggered. What appeared to be spoofing was authenticated activity using valid credentials.

This talk explores how that assumption unraveled and what it reveals about trust in modern environments.