On this page:
Attack Spotlight
November 14, 2024
Sublime Security Attack Spotlight: Credential phishing attempt using Docusign service to deliver multi-stage malicious links via fake PDF.
Sublime’s Attack Spotlight series is designed to keep you informed of the email threat landscape by showing you real, in-the-wild attack samples, describing adversary tactics and techniques, and explaining how they’re detected. These attacks can be prevented with a free Sublime account.
EMAIL PROVIDER: Microsoft 365
ATTACK TYPE: Credential Phishing
We recently examined a Living Off the Land (LOTL) attack that leveraged Docusign comments for callback phishing. Trusted service abuse is on the rise with various tactics and this credential phishing attempt utilizes a Docusign landing page to deliver malicious links with multiple redirects that ultimately leads to a fake Microsoft login screen. Here are a few unique attack characteristics:
docusign.net
), which has likely been used in the past for legitimate business purposes.Here’s what the email, PDF in Docusign, and credential theft attempt look like:
Another variant involves a fake email from HR, including a QR code to obfuscate the phishing URL:
While the QR code adds an extra layer of obfuscation, Sublime is still able to perform LinkAnalysis on the entire Docusign landing page to look for signals of malicious intent (the use of link shorteners, redirects, low trust domains, etc.). To learn more about how Sublime is able to perform LinkAnalysis on QR codes, read our blog on QR Code Phishing: Decoding Hidden Threats.
Sublime’s AI-powered detection engine prevented this attack. See the top signals from our Core Feed Rules for DocuSign Share From an Unsolicited Reply-To Address and Multistage Landing - Abused Docusign:
reply-to
is from either a new sender address or new sender domain.Sublime detects and prevents credential phishing, service abuse, and other email-based threats – for free. Start your free account today, managed or self-managed. Sublime provides out-of-the-box coverage for these types of attacks and gives you the ability to customize their handling for your environment.
Read more Attack Spotlights:
Sublime releases, detections, blogs, events, and more directly to your inbox.
The latest research, attack spotlights, and product updates.
Experience Sublime’s adaptable email security platform and take control of your email environment today.