I got a semi-plausible-looking malware email tonight from someone I had interacted with before.
The email was BCC'd to who knows how many people.
I haven't looked at email source much before, but in this case, some software along the way ended up adding TLS verification metadata about every recipient in a custom header! I wonder how common this is (where headers leak the recipients / domains in the BCC list).
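One way to check a raw message for the kind of leak described above, as an added example that is not part of the original post: it lists addresses that appear in any header but are not visible correspondents or the reader's own address. The header name `X-Example-TLS-Status` and every address in the sample are constructed placeholders, since the post does not name the real header.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message; header name and addresses are placeholders.
SAMPLE = """\
From: Alice <alice@sender.example>
To: undisclosed-recipients:;
Subject: Invoice
X-Example-TLS-Status: bob@corp.example=verified; carol@other.example=unverified;
 dave@third.example=verified
Received: from mail.sender.example by mx.corp.example for <bob@corp.example>

Body text.
"""

ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Headers whose addresses are meant to be seen by every recipient.
VISIBLE = {"from", "to", "cc", "reply-to", "sender"}
# Headers holding id@host tokens that look like addresses but are not.
SKIP = {"message-id", "references", "in-reply-to"}


def leaked_recipients(raw, me):
    """Return {header: sorted addresses} for addresses found in headers that
    are neither visible correspondents nor the reader's own address (me)."""
    msg = message_from_string(raw)
    known = {me.lower()}
    for name in VISIBLE:
        for _, addr in getaddresses(msg.get_all(name, [])):
            if addr:
                known.add(addr.lower())
    leaks = {}
    for name, value in msg.items():
        if name.lower() in VISIBLE | SKIP:
            continue
        # Unfold continuation lines so addresses on folded lines are matched.
        flat = re.sub(r"\r?\n[ \t]+", " ", str(value))
        found = {a.lower() for a in ADDR_RE.findall(flat)} - known
        if found:
            leaks.setdefault(name, set()).update(found)
    return {header: sorted(addrs) for header, addrs in leaks.items()}


if __name__ == "__main__":
    for header, addrs in leaked_recipients(SAMPLE, "bob@corp.example").items():
        print(header, "->", ", ".join(addrs))
```

Running the same function over mail you send to a test mailbox with BCC recipients shows whether your own outbound path adds such a header.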