It Wasn’t Spoofed: When Authentication Lies

A suspicious email spread internally. The user whose account was associated with the message stated they did not send it, and multiple recipients had already interacted with the email. The client confidently stated the email had been spoofed.

It wasn’t.

Email header analysis revealed the message originated from within the organization. Authentication had succeeded, the message was treated as internal, and no controls were triggered. What appeared to be spoofing was authenticated activity using valid credentials.

This talk explores how that assumption unraveled and what it reveals about trust in modern environments.
