"Return-Path" is an SMTP header
SMTP doesn't have headers. SMTP is a protocol for message transport.
thus changing the "From:" envelope address.
There is likewise no "From:" envelope address. There is an envelope-sender (the argument to the SMTP "MAIL FROM" command) which is often inserted into a "Return-Path" header in the message, and is used in the mailbox separator "From" line in mbox email storage.
... still can't stop phishers from forging the "From:" header, which is just part of the body of the e-mail.
The "From:" header is a header, not something in the body of the message. As a header, it is subject to rewriting by transport agents.
Unfortunately, the envelope address usually never gets to the MUA,
The MUA has access to all headers in an email, including "Return-Path". It is usually never shown to the user, but a good MUA will have an option to show raw email, including headers. Why? For just this reason.
If you use an MUA like Outlook that hides all the technical info, it's easy to be fooled.
Well, there you go. I did say a GOOD MUA ...
There are several issues at play here:
1. Employees at a company that manages a huge part of the control of the Internet can't detect phishing email by looking at the address replies will go to.
2. The email system at said company creates email replies based on information that is supposed to be used ONLY for the transport system to report delivery issues.
3. The offline verification process intended to stop such fraud worked, which makes this a non-story from the beginning.