* No badgers were harmed in the creation of this blog *

** Not intended to diagnose, treat, cure, or prevent any disease **

Thursday, March 20, 2025

Anti-Spam Doesn't Catch Everything

Here's an interesting email:

[image: screenshot of the phishing email]
The interesting part isn't that it's a phish, it's that it appears to have been released by Proofpoint and marked safe.

Initially, I thought that the email had been dressed up to look like something that had already been screened, so that it could slip through the email filters - sort of like parking where you know you're not supposed to park and leaving your own ticket on your windshield, hoping the meter maid will think they've already ticketed you and leave you alone. But on looking at the headers, that doesn't seem to be the case:

[image: the message headers]
Based on comments by others (see https://security.stackexchange.com/questions/172860/analyzing-received-from-header-of-phishing-email), the prod.exchangelabs.com hostnames are various Microsoft (Exchange Online) servers dutifully passing the mail along. Each hop prepends its own Received header, so the bottom-most one should name the originating server; here that original header looks to be gone, perhaps deleted by Proofpoint.

Oddly, the sender address looks to be a spoof of a Microsoft address:

[image: the sender address]
The same address appears higher in the email (see the first image) as a "To" address earlier in the quoted thread. Always look closely at email addresses - they may not be what they look like. A nice trick for checking an address for hidden misspellings is to (carefully) copy it into Word and convert the case to all caps: in lowercase, "rn" can pass for "m", but in capitals "RN" looks nothing like "M".

Finally, a coda. As I was writing this post, my email app labeled the original message as junk and blocked its links. Better late than never.
