Sublime Security Attack Spotlight: Credential phishing attempt using Docusign service to deliver multi-stage malicious links via fake PDF.

Sublime’s Attack Spotlight series is designed to keep you informed of the email threat landscape by showing you real, in-the-wild attack samples, describing adversary tactics and techniques, and explaining how they’re detected. These attacks can be prevented with a free Sublime account.

EMAIL PROVIDER: Microsoft 365

ATTACK TYPE: Credential Phishing

The attack

We recently examined a Living Off the Land (LOTL) attack that leveraged Docusign comments for callback phishing. Trusted-service abuse is on the rise in various forms, and this credential phishing attempt uses a Docusign landing page to deliver malicious links that pass through multiple redirects and ultimately lead to a fake Microsoft login screen. Here are a few unique attack characteristics:

  • High-reputation domain: The attack bypasses detection on the sender through the use of a trusted Docusign domain (docusign.net), which has likely been used in the past for legitimate business purposes.
  • Malicious links outside of the message body: To avoid easy detection, the phishing attempt occurs once a user is within the Docusign document. A PDF is presented on a Docusign landing page that redirects to a fake Microsoft login.
  • Fake authentication experience: Once the PDF is clicked, the user is taken to a fake Microsoft login page that requires multiple clicks for authentication, a method for defeating automated URL analysis. It also uses two different types of CAPTCHA: Google reCAPTCHA and Cloudflare Turnstile.

Here’s what the email, PDF in Docusign, and credential theft attempt look like:

Left: Notification email from a legitimate Docusign account
Right: PDF containing a redirect to a fake Microsoft login
Clicking the PDF kicks off a fake, yet convincing, Microsoft login process

Attack variants

Another variant involves a fake email from HR, including a QR code to obfuscate the phishing URL:

Left: Docusign from a fake HR rep
Right: Docusign with link to malicious QR code
Malicious QR code (obscured for the blog)

While the QR code adds an extra layer of obfuscation, Sublime is still able to perform LinkAnalysis on the entire Docusign landing page to look for signals of malicious intent (the use of link shorteners, redirects, low trust domains, etc.). To learn more about how Sublime is able to perform LinkAnalysis on QR codes, read our blog on QR Code Phishing: Decoding Hidden Threats.

Detection signals

Sublime’s AI-powered detection engine prevented this attack. See the top signals from our Core Feed Rules for DocuSign Share From an Unsolicited Reply-To Address and Multistage Landing - Abused Docusign:

  • Reply-to from a new sender or domain: While the email is coming from a legitimate Docusign account, the reply-to is from either a new sender address or new sender domain.
  • Suspicious document notification: The subject resembles that of an automated document review notification, a common tactic used in credential phishing attacks.
  • Docusign as a landing page: The landing page contains links that are newly registered, use free file or subdomain hosts, or use URL shorteners, or that, when visited, are phishing pages, lead to a CAPTCHA, or redirect to a top website.
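To make the three signals above concrete, here is an added example (not Sublime's code or its rules) that evaluates a constructed Docusign-style notification and a constructed set of link-analysis results for the landing page. The Reply-To signal fires only when the message genuinely comes from a Docusign domain and the Reply-To address or its domain has not been seen before; the subject signal looks for the vocabulary of automated document-review notifications; the landing-page signal flags shorteners, free subdomain hosts, newly registered domains, CAPTCHA gates and off-host redirects. The sample email, the link-analysis field names, the `.test` domains, the shortener and free-host lists and the 30-day "newly registered" threshold are all assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional
from urllib.parse import urlparse

# Constructed sample: a notification sent through Docusign's real infrastructure,
# but with a Reply-To that points at an address the recipient has never corresponded with.
SAMPLE_EMAIL = """\
From: "Jane Doe via Docusign" <dse@docusign.net>
Reply-To: jane.doe@example-invoices.test
To: victim@corp.example
Subject: Completed: Please review and sign your document

Jane Doe sent you a document to review and sign.
"""

# Constructed link-analysis results for links found on the Docusign landing page.
# A real crawler would fill these in by visiting each link; the field names are an assumption.
SAMPLE_LANDING_LINKS = [
    {"url": "https://bit.ly/3abcXYZ", "domain_age_days": 4000,
     "redirects_to": "https://login.example-secure.test/", "captcha": True},
    {"url": "https://docs-portal-9xk.test/view", "domain_age_days": 3,
     "redirects_to": None, "captcha": False},
    {"url": "https://www.docusign.com/privacy", "domain_age_days": 8000,
     "redirects_to": None, "captcha": False},
]

DOCUSIGN_DOMAINS = {"docusign.net", "docusign.com"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}            # assumption: small illustrative list
FREE_HOST_SUFFIXES = (".github.io", ".web.app", ".pages.dev")  # assumption: illustrative free hosts
NEW_DOMAIN_MAX_AGE_DAYS = 30                                   # assumption: "newly registered" cutoff
# Words typical of automated document-review notifications; two or more hits count as a match.
SUBJECT_PATTERNS = (r"\bcompleted\b", r"\breview\b", r"\bsign\b", r"\bdocument\b", r"\baction required\b")


def _domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def _host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def reply_to_signal(raw_email: str, known_addresses: set) -> Optional[str]:
    """Signal 1: mail genuinely from Docusign whose Reply-To is a new address or a new domain."""
    msg = message_from_string(raw_email)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if not reply_to or _domain_of(sender) not in DOCUSIGN_DOMAINS:
        return None
    known = {a.lower() for a in known_addresses}
    if _domain_of(reply_to) not in {_domain_of(a) for a in known}:
        return "new sender domain"
    if reply_to not in known:
        return "new sender address"
    return None


def subject_signal(raw_email: str) -> bool:
    """Signal 2: subject that reads like an automated document-review notification."""
    subject = message_from_string(raw_email).get("Subject", "")
    hits = sum(1 for p in SUBJECT_PATTERNS if re.search(p, subject, re.IGNORECASE))
    return hits >= 2


def landing_page_signal(links: list) -> list:
    """Signal 3: landing-page links that are shortened, on free hosts, newly registered,
    gated by a CAPTCHA, or that redirect to a different host."""
    reasons = []
    for link in links:
        host = _host_of(link["url"])
        if host in URL_SHORTENERS:
            reasons.append(f"url shortener: {host}")
        if host.endswith(FREE_HOST_SUFFIXES):
            reasons.append(f"free subdomain host: {host}")
        if link["domain_age_days"] < NEW_DOMAIN_MAX_AGE_DAYS:
            reasons.append(f"newly registered domain: {host}")
        if link["captcha"]:
            reasons.append(f"captcha gate: {host}")
        target = link.get("redirects_to")
        if target and _host_of(target) != host:
            reasons.append(f"redirect: {host} -> {_host_of(target)}")
    return reasons


def evaluate(raw_email: str, landing_links: list, known_addresses: set) -> dict:
    """Combine the three signals; an empty dict means nothing fired."""
    verdict = {}
    reply_to = reply_to_signal(raw_email, known_addresses)
    if reply_to:
        verdict["reply_to"] = reply_to
    if subject_signal(raw_email):
        verdict["subject"] = "document notification lure"
    landing = landing_page_signal(landing_links)
    if landing:
        verdict["landing_page"] = landing
    return verdict


if __name__ == "__main__":
    # The recipient has previously only corresponded with partner@vendor.example (constructed).
    for name, detail in evaluate(SAMPLE_EMAIL, SAMPLE_LANDING_LINKS, {"partner@vendor.example"}).items():
        print(f"{name}: {detail}")
```

The Reply-To check deliberately requires the From domain to be Docusign's own: the point of the signal is that the sender reputation is legitimate while the reply path is not, so a spoofed sender is a different rule's problem. A legitimate notification from a known counterpart with only Docusign links on its landing page produces no Reply-To or landing-page signal, which is the false-positive case a detection engineer would test first.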

Prevent credential phishing with Sublime

Sublime detects and prevents credential phishing, service abuse, and other email-based threats, for free. Start your free account today, managed or self-managed. Sublime provides out-of-the-box coverage for these types of attacks and gives you the ability to customize their handling for your environment.


About the Author

Brandon Murphy

Detection

Brandon is a Threat Detection Engineer at Sublime. He is a seasoned cybersecurity professional with over a decade of experience protecting internet users. Prior to Sublime, Brandon put his detection engineering expertise to use as a Sr. Staff Threat Analyst at Proofpoint.
