Massive Phishing Campaign Targets Yahoo Using Client’s Domain

September 28, 2025

Unauthorized infrastructure and DKIM abuse allowed a sudden spike in spoofed emails, highlighting risks in client email security.


72,804 phishing emails were sent from our past client’s domain, targeting Yahoo users.

All messages originated from the Indonesian server cancerglobal[.]my[.]id and were signed with addonnetworks[.]com, which appears linked to AddOn Networks.

This suggests unauthorized use of AddOn Networks’ infrastructure or potential abuse of their DKIM signing system.

SPF authentication passed for cancerglobal[.]my[.]id but failed alignment with the client’s domain. DKIM validation failed, as the signing domain did not match the legitimate public key published by the client. DMARC failed for all messages, but the emails were still delivered because DMARC was set to p=none (monitoring only).

This is a sharp increase from the 17 spoofed attempts last April to about 73,000 within a short window, a pattern that indicates a large-scale automated phishing operation.
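The authentication outcome described above can be reproduced from a DMARC aggregate report. The following is an added example, not code from this post or from URIports: it evaluates one constructed report record under each policy value, with `client.example` and the source IP as placeholders and relaxed alignment approximated without the Public Suffix List.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate-report record modelled on the article's description.
# client.example and 192.0.2.10 are placeholders; the two other domains are
# kept defanged exactly as they are written on the page.
RECORD = """<record>
  <row><source_ip>192.0.2.10</source_ip><count>72804</count></row>
  <identifiers><header_from>client.example</header_from></identifiers>
  <auth_results>
    <spf><domain>cancerglobal[.]my[.]id</domain><result>pass</result></spf>
    <dkim><domain>addonnetworks[.]com</domain><result>fail</result></dkim>
  </auth_results>
</record>"""

def norm(domain):
    """Lower-case, undo defanging and drop a trailing dot before comparing."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")

def aligned(auth_domain, from_domain):
    """Relaxed alignment, approximated as 'equal or parent/child domain'.
    Assumption: real evaluators compare organizational domains using the
    Public Suffix List; this shortcut would wrongly align a bare suffix."""
    a, f = norm(auth_domain), norm(from_domain)
    return a == f or a.endswith("." + f) or f.endswith("." + a)

def evaluate(record_xml, policy):
    """Return the DMARC verdict for one record and the action 'policy' requests."""
    rec = ET.fromstring(record_xml)
    hfrom = rec.findtext("identifiers/header_from")

    def check(tag):
        # One entry per passing result: True if it is also aligned with From.
        hits = [aligned(e.findtext("domain"), hfrom)
                for e in rec.iter(tag) if e.findtext("result") == "pass"]
        return bool(hits), any(hits)

    spf_pass, spf_ok = check("spf")
    dkim_pass, dkim_ok = check("dkim")
    dmarc = "pass" if (spf_ok or dkim_ok) else "fail"
    return {
        "count": int(rec.findtext("row/count")),
        "spf_pass": spf_pass, "spf_aligned": spf_ok,
        "dkim_pass": dkim_pass, "dkim_aligned": dkim_ok,
        "dmarc": dmarc,
        # A failing message gets whatever the published policy asks for.
        "disposition": "none" if dmarc == "pass" else policy,
    }

if __name__ == "__main__":
    for policy in ("none", "quarantine", "reject"):
        print(policy, evaluate(RECORD, policy))
```

With `p=none` the record fails DMARC yet carries no requested action, which matches the delivery described in the post; the same record under `quarantine` or `reject` would have been acted on.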

Screenshot powered by URIports.
