Unauthorized infrastructure and DKIM abuse allowed a sudden spike in spoofed emails, highlighting risks in client email security.

72,804 phishing emails were sent from our past client’s domain, targeting Yahoo users.
All messages originated from the Indonesian server cancerglobal[.]my[.]id and were signed with addonnetworks[.]com, which appears linked to AddOn Networks.
This suggests unauthorized use of AddOn Networks’ infrastructure or potential abuse of their DKIM signing system.
SPF authentication passed for cancerglobal[.]my[.]id but failed alignment with the client’s domain. DKIM validation failed, as the signing domain did not match the legitimate public key published by the client. DMARC failed for all messages, but the emails were still delivered because the client’s DMARC policy was set to p=none (monitoring only).
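The following added example (not taken from the incident data or from any tool named here) shows why a message can pass SPF, fail DMARC, and still be delivered under p=none, and how the outcome changes under p=reject. The domains `client.example`, `sender.my.id` and `thirdparty.com`, the small public-suffix set, and all function names are constructed assumptions.

```python
from dataclasses import dataclass

# Small stand-in for the Public Suffix List (assumption; use the real PSL in practice).
PUBLIC_SUFFIXES = {"example", "com", "my.id"}

def org_domain(domain: str) -> str:
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    """Strict mode needs an exact match; relaxed mode compares organizational domains."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class Message:
    header_from: str   # domain in the visible From: header
    spf_result: str    # SPF result for the envelope sender
    spf_domain: str    # envelope sender (MAIL FROM) domain
    dkim_result: str   # result of DKIM signature verification
    dkim_domain: str   # d= domain of the DKIM signature

def evaluate(msg: Message, policy: str) -> dict:
    """DMARC passes only if SPF or DKIM both passes and aligns with header_from."""
    spf_ok = msg.spf_result == "pass" and aligned(msg.spf_domain, msg.header_from)
    dkim_ok = msg.dkim_result == "pass" and aligned(msg.dkim_domain, msg.header_from)
    dmarc = "pass" if (spf_ok or dkim_ok) else "fail"
    # The published policy (none, quarantine, reject) applies only to failures.
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc": dmarc,
            "disposition": "none" if dmarc == "pass" else policy}

# Constructed samples: a spoof shaped like the incident, and a legitimate message.
SPOOFED = Message("client.example", "pass", "sender.my.id", "fail", "thirdparty.com")
LEGIT = Message("client.example", "pass", "bounce.client.example", "pass", "client.example")

if __name__ == "__main__":
    for label, msg in (("spoofed", SPOOFED), ("legit", LEGIT)):
        for policy in ("none", "reject"):
            print(label, f"p={policy}", evaluate(msg, policy))
```

A disposition of `none` on a failing message means the receiver takes no action on it, which is the gap the spoofed messages went through.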
This is a sharp increase from the 17 spoofed attempts last April to about 73,000 within a short window, indicating the pattern of a large-scale automated phishing operation.
Screenshot powered by URIports.