Sublime Security Attack Spotlight: Callback phishing attempt via legitimate service abuse in a Docusign comment.

Sublime’s Attack Spotlight series is designed to keep you informed of the email threat landscape by showing you real, in-the-wild attack samples, describing adversary tactics and techniques, and explaining how they’re detected. These attacks can be prevented with a free Sublime account.

EMAIL PROVIDER: Google Workspace

ATTACK TYPE: Callback Phishing

The attack

This recent callback phishing attempt in a Docusign comment reflects a growing trend of Living Off the Land (LOTL) attacks that abuse legitimate business services in order to evade detection. Docusign is one of many trusted business services we're seeing exploited. A few unique attack characteristics:

  • The messages are legitimately from DocuSign – the sender is docusign[.]net and it passes all sender authentication. The use of a high-trust sender domain from a commonly used business service blends in with other emails the recipient would expect to receive.
  • PayPal brand impersonation adds another layer of deception to build trust with the recipient.
  • Financial transaction information in an e-signature service comment is unusual, but adds additional urgency for the recipient to make the call to the listed phone number.

Attack variants

We've seen numerous variants of these attacks with different intents, to include credential phishing. Even within industries the techniques differ. For example, in government/municipalities, we've observed fake licensing documents impersonating a city entity.

Step-by-step credential phishing attack via Docusign abuse
Malicious email sent via high-trust Docusign domain
Link in the PDF is a malicious URL

These variants require detection engines to have the capabilities to pick up the various signals that differ from industry to industry. At Sublime, we rely on a defense-in-depth approach, applying layers of detection logic to identify various anomalies in a message. We’ll do a deep dive on LOTL attacks in an upcoming blog post.

Detection signals

Sublime’s AI-powered detection engine prevented these attacks. See the top signals from our Core Feed Rules for Docusign service abuse and callback phishing via Docusign comments:

  • Brand impersonation: Message contains references to brands commonly associated with callback phishing scams.
  • Engaging callback phishing language: Language in the message appears to engage the user to call the sender, often to install malware or steal sensitive data.
  • Suspicious reply-to: The sender Reply-to uses freemail or top-level domain (TLD) commonly abused in attacks.

Sublime prevents callback phishing, service abuse, and other email based threats. Deploy a free instance today.

Learn about other recent attack types that Sublime prevents:

About the Author

Brandon Murphy

Detection

Brandon is a Threat Detection Engineer at Sublime. He is a seasoned cybersecurity professional with over a decade of experience protecting internet users. Prior to Sublime, Brandon put his detection engineering expertise to use as a Sr. Staff Threat Analyst at Proofpoint.

Get the latest

Sublime releases, detections, blogs, events, and more directly to your inbox.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.