Hardly a 'crafted payload', more like a completely normal payload, just at another address...

Alice: hi, I'm Bob
Mastodon: hi Bob, you look different
Alice: never mind, I'm Bob, and I have changed my security keys. Please use these new ones when you validate a message from Bob, I mean me
Mastodon: will do
Alice: and by the way, if your user Carol sends a private message to Bob, send it to me instead, since I am Bob, as I said
Mastodon: fine, nothing suspicious there

(My simplistic summary of the recent disclosure. What is not stressed in the released details is that it doesn't change the profile of the impersonated user, Bob in the above, as its profile at the source is unaffected.)