A large-scale phishing campaign was detected and traced that stole credentials and used them to register devices on a user's network, from which the attackers sent spam and infected emails. The targeted accounts were not secured with multi-factor authentication (MFA), which let the attackers take advantage of bring-your-own-device (BYOD) policies to introduce their own rogue devices using the stolen credentials.
The campaign started with a DocuSign-branded phishing lure containing a malicious link that redirected to a rogue Office 365 login page built to steal users' login details. This theft resulted in the compromise of 100 mailboxes at different companies and enabled the attackers to implement an inbox rule to thwart detection.