Polícia de Segurança Pública
I’ve spent years dissecting headers at Riskseeker, but this morning my inbox handed me a puzzle that perfectly illustrates the “identity crisis” in modern cybersecurity.
I received an email at ruisantos@riskseeker.com. The sender? The Portuguese Public Security Police (PSP). The content? A tired, low-effort “donation” scam from a “Mrs. Mavis Wanczyk.”
Normally, this is a 2-second job: Delete and move on. But I didn’t. I looked at the source code, and what I found is a perfect storm of hijacked trust.
Analyzing the Perfect Header
Usually, when a scammer impersonates a government agency, they fail at the technical gates. They spoof the display name or the From address, but SPF fails, the DKIM signature is missing or invalid, and DMARC rejects the message because neither identifier aligns with the From domain.
Not this time. I pulled the raw headers, and the results were chilling:
From: Alda Maria **** **** Leal <****leal@psp.pt>
Received: from mx3.rnsi.mai.gov.pt ([185.126.89.202])
DKIM-Signature: v=1; a=rsa-sha256; c=simple/relaxed; d=psp.pt;
X-ThreatScanner-Verdict: Negative
X-SpamExperts-Class: ham
Authentication-Results:
spf=pass smtp.mailfrom=psp.pt;
dkim=pass header.d=psp.pt;
dmarc=pass header.from=psp.pt
For those who don’t speak “Header”, let me translate: this email is technically flawless. It passed SPF, DKIM, and DMARC, and it was relayed through the official MAI (Ministry of Internal Administration) mail infrastructure (mx3.rnsi.mai.gov.pt). Those three checks prove one thing only: the message left psp.pt’s authorised servers carrying a signature made with psp.pt’s private key. They say nothing about whether the person at the keyboard was the account’s owner. Because it came from a “trusted” government domain with valid cryptographic signatures, every security filter in the path (IronPort, Sophos, SpamExperts) gave it a green light, a “ham” class and a “Negative” threat verdict.
Where was the shot fired from? 172.22.10.19
When I dug deeper into the X-Originating-IP header, I saw an internal address: 172.22.10.19, an RFC 1918 private address that is never routable on the Internet.
This tells me this wasn’t an external attacker pretending to be the police. The header is stamped by the organisation’s own webmail or client-submission service, so the message was submitted from inside the PSP/MAI network, or through its authenticated client endpoints, with valid credentials; the Received chain agrees, since the only public hop is the ministry’s own MX rather than a third-party relay. This was an Account Takeover (ATO). An internal account (****leal@psp.pt) was likely compromised, whether through a weak password, a previous phishing hit, or a lack of Multi-Factor Authentication (MFA), and used as a “mule” to bypass global spam filters.
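Here is the triage logic from the two sections above turned into a script: it parses a raw message, reads the Authentication-Results verdicts, checks whether X-Originating-IP is a private address, and separates a plain spoof (authentication fails) from a suspected account takeover (authentication passes but the message was submitted from inside the sender’s own network, with a Reply-To pointing elsewhere and scam vocabulary in the body). This is an added example written for this post, not Riskseeker tooling. The two messages it runs on are constructed: the first mirrors the header fields shown above (names and addresses redacted, with an assumed Gmail Reply-To to model the “proxy for a Gmail-based scammer” pattern and an assumed Subject and body), the second is an assumed ordinary spoof for contrast.

```python
"""Triage an authenticated-but-suspicious message: plain spoof vs. account takeover (ATO).

Added example for this post, not Riskseeker tooling. Both samples below are constructed.
"""
import email
import ipaddress
import json
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Low-effort "donation"/advance-fee lexicon; a real deployment would use tuned rules or a model.
SCAM_TERMS = ("donation", "donate", "good news", "lottery", "beneficiary", "winner")

# Constructed: header fields as printed in the post (names redacted), plus an ASSUMED
# Reply-To, Subject and body. "gmail.example" stands in for the real free-mail domain.
PSP_RAW = """\
Received: from mx3.rnsi.mai.gov.pt ([185.126.89.202]) by mx.riskseeker.example
From: Alda Maria Leal <redacted.leal@psp.pt>
Reply-To: mavis.wanczyk.donation@gmail.example
To: ruisantos@riskseeker.com
Subject: Good News - Donation
DKIM-Signature: v=1; a=rsa-sha256; c=simple/relaxed; d=psp.pt; s=sel; h=from:to:subject;
 bh=REDACTED; b=REDACTED
X-Originating-IP: [172.22.10.19]
X-ThreatScanner-Verdict: Negative
X-SpamExperts-Class: ham
Authentication-Results: mx.riskseeker.example;
 spf=pass smtp.mailfrom=psp.pt;
 dkim=pass header.d=psp.pt;
 dmarc=pass header.from=psp.pt

Good news! Mrs. Mavis Wanczyk has selected you as a beneficiary of her donation.
"""

# Constructed: the "usual" failure mode the post contrasts with, a spoof from an outside host.
SPOOF_RAW = """\
Received: from unknown (HELO mail.example) ([203.0.113.45]) by mx.riskseeker.example
From: PSP <alerts@psp.pt>
Reply-To: claims.office@gmail.example
To: ruisantos@riskseeker.com
Subject: Good News - Donation
Authentication-Results: mx.riskseeker.example;
 spf=fail smtp.mailfrom=psp.pt;
 dkim=none;
 dmarc=fail header.from=psp.pt

Good news! You have been selected for a donation.
"""


def parse_auth_results(msg: EmailMessage) -> dict:
    """Return {'spf': 'pass', 'dkim': 'pass', 'dmarc': 'pass'} style verdicts (lower-cased)."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        # str() unfolds the header; \b keeps 'header.d=' and 'smtp.mailfrom=' from matching.
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            results[method.lower()] = result.lower()
    return results


def originating_ip(msg: EmailMessage):
    """X-Originating-IP as an ipaddress object, or None if absent/unparseable."""
    raw = msg.get("X-Originating-IP")
    if not raw:
        return None
    try:
        return ipaddress.ip_address(str(raw).strip().strip("[]"))
    except ValueError:
        return None


def received_ips(msg: EmailMessage) -> list:
    """Bracketed IPv4 literals from every Received header, newest hop first."""
    ips = []
    for header in msg.get_all("Received", []):
        ips.extend(re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(header)))
    return ips


def _domain(addr_header) -> str:
    return parseaddr(str(addr_header or ""))[1].rpartition("@")[2].lower()


def _body_text(msg: EmailMessage) -> str:
    part = msg.get_body(preferencelist=("plain",))
    if part is None:
        return ""
    payload = part.get_payload(decode=True) or b""
    return payload.decode(part.get_content_charset() or "utf-8", "replace")


def classify(raw: str) -> dict:
    """Spoof vs. suspected ATO vs. merely suspicious vs. clean, with the evidence used."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = parse_auth_results(msg)
    authenticated = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    orig = originating_ip(msg)
    internal_submission = orig is not None and orig.is_private  # RFC 1918 => submitted from inside
    from_domain, reply_domain = _domain(msg.get("From")), _domain(msg.get("Reply-To"))
    reply_to_mismatch = bool(reply_domain) and reply_domain != from_domain
    text = (str(msg.get("Subject", "")) + "\n" + _body_text(msg)).lower()
    scam_hits = [t for t in SCAM_TERMS if t in text]

    if not authenticated:
        verdict = "spoof-or-forgery"            # the gates did their job
    elif internal_submission and (reply_to_mismatch or scam_hits):
        verdict = "account-takeover-suspected"  # valid creds used from inside the sender's own network
    elif reply_to_mismatch or scam_hits:
        verdict = "suspicious-authenticated"
    else:
        verdict = "clean"
    return {
        "verdict": verdict, "auth": auth, "originating_ip": str(orig) if orig else None,
        "internal_submission": internal_submission, "reply_to_mismatch": reply_to_mismatch,
        "scam_hits": scam_hits, "received_ips": received_ips(msg),
    }


if __name__ == "__main__":
    for sample in (PSP_RAW, SPOOF_RAW):
        print(json.dumps(classify(sample), indent=2))
```

The point of the split verdicts is that a DMARC pass should raise the bar for content and behavioural checks, not lower it: a message that authenticates perfectly and was submitted from a private address inside the sending organisation is exactly the one the domain-trust shortcut waves through.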
Why This Matters
This is more than just a funny story about a scammer in a police uniform. It’s a massive security gap.
- Reputation Hijacking: Scammers are no longer just building fake websites; they are moving into “High-Reputation” environments. If your security relies on “Domain Trust,” you are already vulnerable.
- The Authority Bias: When a user sees @psp.pt, their guard drops. If this attacker had sent a malicious PDF instead of a “donation” story, the infection rate would have been devastating.
- Identity is the Perimeter: The PSP’s firewalls did their job, but their identity management failed. In 2026, if you aren’t using hardware-backed MFA for every single institutional account, you are effectively providing a platform for global fraud.
My Verdict
The “Farda Azul” (the “blue uniform”, as the PSP is known) was used as a proxy for a Gmail-based scammer. It’s a reminder that trust is a vulnerability. When the police’s own domain tells you “Good News”, it’s time to start looking very closely at the bad news hidden in the message source.
My Recommendation
Audit all government accounts, enforce phishing-resistant MFA, and monitor for internal anomalies: unusual outbound volume, new inbox or forwarding rules, and logins from unfamiliar locations or devices.
Stay skeptical. Analyze the headers.

