A cautionary tale from inside Kinetics
There’s an assumption almost every business runs on: if I hit send, the email arrived. It’s so deeply ingrained that we usually only question it when a customer says, “I never got that quote.” And even then, the first instinct is to blame the recipient’s spam folder.
The truth is more uncomfortable. Email delivery is not guaranteed. Modern email security systems sit between you and your recipient, and they are getting more aggressive every month. Sometimes they get it wrong. We learned this the hard way last week, when it happened to us.
What happened
For more than a year, every email leaving Kinetics carried a tidy little line in the signature: “You can now book and manage appointments using our Booking Page.” It linked through to our Microsoft 365 booking page via our signature management platform, Exclaimer. It worked perfectly over thousands of emails with no problems.
Then, last Thursday afternoon, it stopped working.
We didn’t know it had stopped working, of course. From our side, the emails were sending normally. There were no bounces and no error messages. There was nothing to suggest anything was wrong. It was only when a client mentioned that they hadn’t received something from us that we started digging, and discovered that emails from Kinetics had been silently quarantined at recipient mail systems since Thursday afternoon.
The trigger was that same booking link that had worked fine for the previous twelve months.
Why a legitimate link got flagged as phishing
Microsoft’s threat detection had been updated, and our booking link suddenly ticked too many boxes on the “high confidence phishing” heuristic. Not because it was malicious — it isn’t — but because, on paper, it looks exactly like the kind of link an attacker would craft:
- Redirect chain — the URL goes through Exclaimer before landing on Microsoft, which is a classic phishing pattern
- Obfuscated parameters — the destination URL is URL-encoded inside the redirect, which security engines treat with suspicion
- Login-capable destination — it lands on outlook.office365.com, a credential-harvesting target
- Trusted brand impersonation patterns — combining a third-party redirector with a Microsoft login domain is a textbook attack signature
- Tracking wrapper — the redirect itself is a tracking mechanism, also commonly used by attackers
Each of these on its own is unremarkable. Combined, they tipped the scales. The link was legitimate in our environment, but it matched multiple high-risk heuristics simultaneously, and that was enough.
The lesson: you can’t trust that your email got there
Here’s the bit that should make every business pause: a link that worked perfectly for a year suddenly stopped working, and we had no warning.
The security rules that govern email delivery are not static. They change constantly, they change without notice, and they are tuned far more aggressively to block bad traffic than to let good traffic through. Microsoft, Google, Mimecast, Proofpoint and the rest are all under enormous pressure to stop phishing, which means they will quite reasonably err on the side of blocking anything that looks suspicious, even when it isn’t.
The practical consequences for any business:
- Sending an email is not the same as delivering one. Your message can be silently dropped or quarantined with no notification to either you or the recipient.
- Yesterday’s safe pattern can be tomorrow’s blocked pattern. Rules change. Signature blocks, marketing footers, tracking links, attachments and even particular phrases can all become triggers overnight.
- Important communication needs a backup channel. If you’ve sent something that matters — a quote, a contract, a payment instruction, a project deliverable — don’t assume it landed. Confirm it, by phone, by text, or by asking the recipient to acknowledge.
- Watch out for “the silence.” If you stop hearing back from a particular client or a particular domain, don’t assume they’re ignoring you. They may not be receiving you.
What we’ve done
We’ve removed the booking link from our email signature while we work with Microsoft and Exclaimer on a long-term fix. If you’ve emailed Kinetics in the last few days and haven’t had a reply, we apologise, and we’d appreciate you resending or giving us a call.
What you should take from this
If it can happen to an IT services company that monitors this stuff for a living, it can happen to anyone. The next time you send something important and don’t hear back, don’t assume it arrived. Pick up the phone.
It’s a small habit. It might save you a deal.