Your best-performing campaign of the month might not be a campaign at all. It might be the clearest signal you'll ever get that someone else has your credentials.
Every sending platform gives you an open-rate number. Most people treat it as a marketing metric: higher is better, and a spike means a message landed well. But an open rate is really just a ratio between how many times a tracking pixel or wrapped link fired and how many recipients you think you sent to. When that ratio breaks — when a single message reports far more opens than it could possibly have recipients — you're not looking at a marketing win. You're looking at the fingerprint of a compromised account.
This is one of the most reliable intrusion signals in email, and almost nobody watches for it.
What a 1,000% Open Rate Actually Means
Start with the arithmetic. If you send one message to 5,000 people and 1,500 open it, that's a 30% open rate. The number can't meaningfully exceed 100% for a legitimate send, because you can only open a message that was addressed to you. A few percentage points over 100 can happen from a single recipient opening repeatedly, or from security scanners pre-fetching links. That's noise.
A single message reporting a 1,000% open rate is not noise. It means the tracking infrastructure recorded ten times as many opens as the message had recipients. The math only works one way: the message went to far more people than the account's own send count reflects. Someone took a single authenticated message and pushed it to tens of thousands of inboxes the platform never accounted for.

We've watched this pattern from inside a major sending platform, where a hijacked customer account produced logs that looked, on the surface, impossible. The customer sent roughly 10,000 messages a day. Then one message would show up with 50,000 opens and 50,000 clicks. To the account owner, it looked like one email. To the platform's tracking layer, it looked like a campaign that had gone to a hundred thousand people. Both were true, and the gap between them was the attack.
How One Message Becomes 100,000
The mechanism behind that impossible number is DKIM replay, and it's worth understanding precisely because so much of the industry discusses it in the abstract.
When an account is compromised, the attacker doesn't need to send bulk mail through it. Bulk sending is loud. It trips volume alerts, burns the account's reputation quickly, and gets the credentials revoked. A smarter approach is to send exactly one message — a single, fully authenticated email that the platform signs with a valid DKIM signature and sends from a legitimate, warmed sending domain. That message passes SPF, carries a real DKIM signature, and aligns for DMARC.
Then the attacker captures that signed message and replays it. Because DKIM signs the message body and selected headers rather than the transport, a validly signed message stays valid when it's re-injected somewhere else. The signature still checks out. The attacker takes that one authenticated artifact and blasts it to 50,000 or 100,000 recipients, and every receiving server that validates the DKIM signature sees a properly authenticated message from a trusted domain.
On a platform that wraps links for click tracking, the effect is amplified in the logs. The replayed message still carries the original account's tracking URLs and open pixel. So every one of those 100,000 opens and clicks flows back to the tracking system attached to a single message ID. One message. Fifty thousand opens. That's how you get a number that shouldn't exist.
The tracking infrastructure that marketers use to measure engagement had, without anyone designing it that way, become the highest-fidelity compromise sensor on the platform.
Why the Attackers Only Send Once
The discipline these operators showed is what makes the signal so clean. They logged in — the IP history almost always pointed to Russia, India, or Romania — sent a single message, and disappeared. No repeated sends, no lingering session, no gradual ramp. One authenticated message, then gone.
The reason is that they understood the authentication model better than most senders do. An authenticated message from a domain with a p=reject DMARC policy has a real shot at the inbox, because it isn't going to fail authentication at the receiver. Spoofed mail from that same domain gets rejected outright. So rather than spoof, they hijacked a real account and rode its legitimate authentication. One clean, signed message replayed widely beats ten thousand spoofed ones that bounce.
They were also selective about where the replayed mail landed. Most of it went to recipients at smaller mailbox providers that don't strictly honor DMARC. The logic is precise: a message replayed to Gmail or Yahoo will often get rejected the moment the replayed envelope fails SPF alignment, because the large providers enforce hard. But a smaller provider that accepts on a valid DKIM signature alone will deliver it. The attackers weren't carpet-bombing. They were routing authenticated abuse to exactly the receivers most likely to accept it.
This is the same trust gap that surfaced publicly when we documented a scam email sent through the Gmail API that passed DMARC with no account compromise at all. Trevor Hatfield, CEO of SendX and SendPost, put the underlying problem plainly in that discussion: when authentication protocols pass and the mail is still fraudulent, the gap isn't in the protocol, it's in the access controls upstream. Matt Santill, who runs a cybersecurity services firm and has spent two decades in offensive security, called it what it is — authenticated abuse, not authentication failure. Mario Nascimento, a principal security engineer, traced the most likely root cause to a compromised tool or OAuth token rather than a spoof. The through-line across all three assessments is the same one the replay attacks illustrate: SPF, DKIM, and DMARC verify that a message was authorized to leave a domain. They say nothing about whether the person who authorized it was supposed to have that access.
The Detection Everyone Already Has and Nobody Uses
Here's the practical payoff. You don't need a new security product to catch this. You need to point an alert at a number your platform already computes.
The rule we built was blunt and effective: fire an alert on any sender showing more than a 1,000% open rate on a single message. That threshold is high enough to sit well above legitimate noise and low enough to catch a replay the moment tracking data starts flooding in. When it fired — and it fired multiple times a week — the investigation that followed was fast. Pull the account's IP login history. A legitimate account logging in from its usual geography looks nothing like a session that suddenly originates from an unfamiliar country. Cross-reference the anomalous message ID against the account's declared send volume. If one message accounts for more opens than the account sent all day, the credentials are gone.
The reason this works so well is that the attacker can't avoid generating the signal. The entire point of the replay is scale, and scale is exactly what the open-rate ratio measures. An operator can be disciplined about sending once, can route around the strict providers, can log in and out in minutes — but the moment the replayed message accumulates opens, the tracking layer records the anomaly. The behavior that makes the attack profitable is the same behavior that exposes it.
For platforms that send on behalf of many users, this matters even more, because the exposure is structural. When hundreds or thousands of individual senders share your infrastructure, any one of their credentials becoming a replay vector puts your whole sending reputation at risk, and none of those users is watching their own account for a 1,000% open rate. The monitoring has to live at the platform level. It's the same lesson that runs through nearly every compromise we've written about, from phishing sent through compromised SendGrid accounts that sailed past traditional authentication to the case where one exposed API key generated 2.3 million emails and a $10,000 bill. The credential leaves the building. The authentication passes. The dashboard is where the damage first becomes visible.
Why Senders Resist the Finding
The hardest part of this work is rarely the detection. It's the conversation afterward.
We would tell an account owner that their standout message was a compromise, and the response was often disbelief. People pushed back: You're telling me my great open rate is a bad thing? One sender was convinced he'd simply run a brilliant campaign until we walked him through the arithmetic — a 1,000% open rate on a single message is not a good week, it's a message that reached ten times more people than he had recipients. That reframing usually landed once the numbers were on the table, but the instinct to celebrate the spike first is exactly what buys the attacker time.
And time is what you don't have. Once the replay has gone out, the containable part is narrow. You can rotate the account's credentials to close the door. On a platform that wraps links through a CNAME, you can kill the wrapped URLs so they stop resolving, which neutralizes the click-through payload. What you can't undo is the opens that already fired and the messages already sitting in inboxes. If the replayed message carried a phishing link, some fraction of recipients clicked before the links died. The credential rotation prevents the next send. It does nothing for the one that already happened.
That's why the alert has to be automated and fast rather than something a human notices during a monthly review. The window between the replay landing and the damage compounding is measured in hours, not days. Watching engagement metrics as marketing data means you find out about the compromise after it's over. Watching them as security telemetry means you find out while you can still cut the links.
The Dashboard Was a Security Tool All Along
Open rates get a bad reputation in deliverability circles, and for legitimate marketing measurement, the skepticism is well earned — the number is easy to inflate and easy to misread. But that same volatility is what makes the metric valuable as a tripwire. You don't need the open rate to be an accurate measure of human attention. You need it to be a faithful measure of how many times your tracking infrastructure fired, because when that count detaches from your send volume, something is generating events you didn't authorize.
The organizations most exposed to replay attacks are the ones sending at scale through shared infrastructure, and they almost universally have rich engagement dashboards and zero monitoring on those dashboards for security anomalies. The data to catch a hijacked account is already flowing. It's just being read by the marketing team as a performance signal instead of by anyone as an intrusion signal.
Turning that data into a detection layer costs almost nothing. A threshold, an alert, and a runbook that says: when a single message reports impossible engagement, check the login history before you congratulate anyone. The attackers already understand the authentication model well enough to exploit it cleanly. The least you can do is understand your own dashboard well enough to catch them.
At SH Consulting, we treat engagement data as security telemetry, not just marketing reporting, and we build the monitoring that turns a platform's own metrics into a compromise-detection layer. If you send at scale and don't have anomaly alerting on your account activity, book a call or learn more at sh.consulting.





