You mentioned that the DKIM headers "passed validation for coinbase.com". How could that have been possible, if the email was a phishing email? I'm not sure I understood that part, especially because you didn't provide any examples of the header data you received from the attacker.

Yeah this is very confusing for me too, how could the attackers create a valid DKIM signature for coinbase.com? Either there is a huge misconfiguration or it's not possible. Am I missing something?