The Enabling Technologies Blog

Chris Stegh / Categories: Cloud Security, Security, Phish Hunter

Phishing Campaign Thwarted in 10 minutes

Phish Hunter finds and remediates compromised accounts 


Early morning on Lincoln’s Birthday, 2018: a nice time for a phishing campaign from South Africa.

The User’s View:  

This could’ve happened to anyone, and shows that getting phished is as easy as A-B-C. 

The first visible sign of a phish was this perfectly crafted email from one internal user to another, referencing DocuSign.  It arrived at 7:59 with instructions to click.   


The attacker did a fine job of making this look like a legitimate email.  When the recipient trusts the sender, they are more likely to click.  While it’s easy to say “trust no email,” it’s also easy to forget on a Monday morning.

Clicking the link took the user to a login selection page.  This attacker spread their net widely, offering the user single sign-on through several popular email systems.  Can you spot a clue?


Two notable tipoffs that this was a phish at this point:

  1. The “” URL didn’t match DocuSign’s login page, but the header and prompts absolutely looked plausible.
  2. It’s abnormal these days to offer to log in using AOL, but they did cover O365 and Google.


The targeted user was somewhat suspicious: they replied to the sender asking, “Is this real?”  Not knowing that their colleague’s account was under the attacker’s control, they took the “Yes” that came back as confirmation that it was legit and clicked again.  Users should text or call, not use email, to confirm authenticity before clicking.

Clicking the Office 365 link led to another perfect replica of a login page, served from the same bogus URL.

[Screenshot: replica of the Office 365 sign-in page]

Once the user entered their credentials there, the account was owned, without them knowing.


The Phish Hunter’s View:

Enabling Technologies had helped the organization’s IT team configure their Office 365 system with Phish Hunting capabilities.  At about the time the phishing email was sent, Phish Hunter automatically disabled the sender’s Azure AD/Office 365 account and the local AD accounts.

How did this automatically happen? 

At 7:49 local time, Microsoft’s Cloud App Security identified that the same user’s credentials had been used from an IP address in South Africa.  The key excerpt from that user’s very long activity log is below.

Event ID: (not shown in the excerpt)
Activity: Run command
Description: Run command: task New-InboxRule; Parameters: property AlwaysDeleteOutlookRulesBlob False, property Force False, property Name Delete messages with specific words, property SubjectOrBodyContainsWords Your document has been completed, property DeleteMessage True, property StopProcessingRules True
App: Microsoft Exchange Online
Location: South Africa
Date: 2018-02-12 12:49:00 UTC
IP Address: (not shown in the excerpt)

Remember, that first screenshot was the attacker sending the DocuSign message from the compromised account to others in the organization.  They do this to move laterally or up the org chart, eventually reaching execs or the accounts-payable person responsible for paying invoices, whom they then dupe into paying a bogus invoice by wiring money to the attacker’s bank account.  The log entry for that inbox-rule activity was gleaned from Cloud App Security.  They were trying to cover their tracks by deleting the sent phishing messages.

The attacker wasn’t done just yet.  Later that morning, several ISPs in South Africa had to be manually blocked because they were still attempting to log in to the organization’s accounts.  Using Azure AD’s “Named Locations,” specific countries (or ISPs) can be configured as allowed or blocked.

In Summary:

10 minutes to resolution, compared to what otherwise could’ve gone undetected for days or months.

It’s the combination of the location of the login and the activity taken in the account that enables Phish Hunter to detect the breach.  There were 1075 normal log entries for that user that February morning.
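To show how those two signals combine, here is a small Python triage, added as an example and not Phish Hunter’s own code: it parses the Cloud App Security “Run command” description shown above and flags only accounts where activity from an unexpected location coincides with a message-deleting inbox rule.  The event field names and the sample events are constructed for the example.

```python
import re
# Constructed sample events shaped like the Cloud App Security excerpt above
# (field names are my assumption; nothing here is real log data).
EVENTS = [
    {"user": "alice@example.com", "description": "Log on", "app": "Office 365",
     "location": "United Kingdom", "time": "2018-02-12 09:15:00 UTC"},
    {"user": "alice@example.com", "app": "Microsoft Exchange Online",
     "location": "South Africa", "time": "2018-02-12 12:49:00 UTC",
     "description": ("Run command: task New-InboxRule; Parameters: property "
                     "AlwaysDeleteOutlookRulesBlob False, property Force False, property Name "
                     "Delete messages with specific words, property SubjectOrBodyContainsWords "
                     "Your document has been completed, property DeleteMessage True, "
                     "property StopProcessingRules True")},
    {"user": "bob@example.com", "app": "Microsoft Exchange Online",
     "location": "United States", "time": "2018-02-12 13:05:00 UTC",
     "description": ("Run command: task New-InboxRule; Parameters: property Name Newsletters, "
                     "property From news@example.com, property MoveToFolder Reading")},
]
EXPECTED_LOCATIONS = {"United States"}  # where this organisation's users normally sign in from

def parse_run_command(description):
    """Split 'Run command: task <cmdlet>; Parameters: property K V, property K V, ...' into
    (cmdlet, {K: V}). Values contain spaces, so split on ', property ', not on commas."""
    m = re.match(r"Run command: task (\S+); Parameters: (.*)$", description)
    if not m:
        return None, {}  # not a Run command (e.g. a plain logon event)
    params = {}
    for chunk in m.group(2).split(", property "):
        if chunk.startswith("property "):
            chunk = chunk[len("property "):]
        key, _, value = chunk.partition(" ")
        params[key] = value
    return m.group(1), params

def is_destructive_rule(cmdlet, params):
    """An inbox rule that silently deletes matching mail: the track-covering pattern in the post."""
    return cmdlet in ("New-InboxRule", "Set-InboxRule") and params.get("DeleteMessage") == "True"

def triage(events, expected_locations):
    """Flag users for whom one event carries BOTH signals: an unexpected location AND a
    destructive inbox rule. Either alone stays quiet (travel and benign rules are normal)."""
    flagged = {}
    for e in events:
        cmdlet, params = parse_run_command(e["description"])
        if e["location"] not in expected_locations and is_destructive_rule(cmdlet, params):
            flagged[e["user"]] = {"time": e["time"], "location": e["location"],
                                  "rule": params.get("Name"), "words": params.get("SubjectOrBodyContainsWords")}
    return flagged
```

Alice’s UK logon and Bob’s benign newsletter rule stay unflagged; only Alice’s South Africa event with the delete rule is returned, which is the account an auto-remediation step would lock.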

Phish Hunter:

  • sifted through all the logs for the needle in the haystack
  • found the activity indicating the account was compromised
  • auto-remediated that user’s account by locking them out and requiring a password reset
  • alerted the admin so they could thwart further attempts to breach the organization that day

Back to work you go, or maybe, if it’s your thing, you can go fishing!

Contact for more information about controlling phishing in your organization.  You can also see a list of steps to recover from a phishing episode at
