Attack Spotlight
November 6, 2024
Sublime Security Attack Spotlight: Callback phishing attempt via legitimate service abuse in a Docusign comment.
Sublime’s Attack Spotlight series is designed to keep you informed of the email threat landscape by showing you real, in-the-wild attack samples, describing adversary tactics and techniques, and explaining how they’re detected. These attacks can be prevented with a free Sublime account.
EMAIL PROVIDER: Google Workspace
ATTACK TYPE: Callback Phishing
This recent callback phishing attempt in a Docusign comment reflects a growing trend of Living Off the Land (LOTL) attacks that abuse legitimate business services in order to evade detection. Docusign is one of many trusted business services we're seeing exploited. A few unique attack characteristics:
docusign[.]net and it passes all sender authentication. The use of a high-trust sender domain from a commonly used business service blends in with other emails the recipient would expect to receive.
We've seen numerous variants of these attacks with different intents, including credential phishing. Even within industries the techniques differ. For example, in government/municipalities, we've observed fake licensing documents impersonating a city entity.
These variants require detection engines to have the capabilities to pick up the various signals that differ from industry to industry. At Sublime, we rely on a defense-in-depth approach, applying layers of detection logic to identify various anomalies in a message. We’ll do a deep dive on LOTL attacks in an upcoming blog post.
Sublime’s AI-powered detection engine prevented these attacks. See the top signals from our Core Feed Rules for Docusign service abuse and callback phishing via Docusign comments:
Reply-to uses freemail or a top-level domain (TLD) commonly abused in attacks.

Sublime prevents callback phishing, service abuse, and other email-based threats. Deploy a free instance today.
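The signals described above (an authenticated docusign[.]net sender, a Reply-to on freemail or a commonly abused TLD, and a number to call in the comment) can be layered into one check. This is an added Python example, not Sublime's rule logic or code from the original post; the freemail and TLD lists, the phone-number pattern, and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

SERVICE_DOMAIN = "docusign.net"
# Assumed for illustration: short lists and a North American phone heuristic.
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
ABUSED_TLDS = {"top", "xyz", "icu"}
PHONE = re.compile(r"\(?\b\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")

def domain_of(value):
    """Lower-cased domain of an address header, or '' when absent."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def auth_passes(msg):
    """True when SPF, DKIM and DMARC all report pass."""
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return all(f"{m}=pass" in results for m in ("spf", "dkim", "dmarc"))

def signals(raw):
    """Return the names of the signals present in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    body = " ".join(p.get_payload() for p in msg.walk()
                    if p.get_content_type() == "text/plain")
    found = []
    # Exact domain or a subdomain of it; "evildocusign.net" does not match.
    if ("." + sender).endswith("." + SERVICE_DOMAIN) and auth_passes(msg):
        found.append("authenticated_service_sender")
    if reply_to in FREEMAIL:
        found.append("reply_to_freemail")
    elif reply_to.rpartition(".")[2] in ABUSED_TLDS:
        found.append("reply_to_abused_tld")
    if PHONE.search(body):
        found.append("phone_number_in_body")
    return found

def is_callback_suspect(raw):
    """Layered verdict: trusted sender AND odd Reply-To AND a number to call."""
    s = signals(raw)
    return ("authenticated_service_sender" in s and "phone_number_in_body" in s
            and any(x.startswith("reply_to_") for x in s))

# Constructed sample message (not the one from the post).
SAMPLE = """\
From: Docusign <notifications@docusign.net>
Reply-To: Billing Desk <billing.desk.example@gmail.com>
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass

Comment: your renewal of $349.99 was charged. To cancel, call (800) 555-0100.
"""
```

No single signal is decisive here: a legitimate Docusign notification also produces `authenticated_service_sender`, so the verdict requires all three layers together.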