This credential phishing attack features the utilization of DocuSign, an electronic documents service. The attacker embeds a masked phishing link in a PNG attachment and sends it via DocuSign’s sending service, which means the sending domain, “camail.docusign[.]net,” and name, “DocuSignCloud via DocuSignPrompt,” are legitimate. If the recipient expects an important document, they could likely interact with this email and click on the phishing link. The attacker does not include any messaging in the email beyond a short, official-sounding verification reference number and attaches a PNG embedded with a link where the recipient can access the file. The link goes to a phishing site where sensitive information is at risk should the recipient engage. 

Older, legacy security tools have difficulty accurately flagging this email as an attack because of the lack of known malicious links and executable attachments, in addition to the sophisticated nature of the spoofing. Modern, AI-powered email security solutions holistically analyze the links and attachments and detect anomalies between sender and recipient to successfully identify this email as an attack.

Status Bar Dots
Oct6 Screenshot

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Sophisticated Spoofing: The email appears to be from a legitimate source, “dse@camail.docusign[.]net,” which could easily bypass traditional security measures primarily focusing on known malicious senders.
  • Lack of Known Malicious Links: The email contains a link, but it's not necessarily a known malicious link. Traditional security tools often rely on databases of known malicious URLs, so new or unknown malicious links can slip through.
  • Lack of Executable Attachments: The email contains an image attachment, which is less likely to be flagged as potentially harmful than executable files or documents with macros, often targeted by legacy tools.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Anomaly Detection: The email comes from an unknown sender that the company has never received emails from in the past. This anomaly is detected by Abnormal.
  • Link Analysis: Abnormal analyzes the links in the email. The link in this email was flagged as suspicious or malicious upon analysis.
  • Attachment Analysis: Abnormal analyzes the attachments in the email. The image attachment in this email was flagged as suspicious upon analysis.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Masked Phishing Link


Fake Document

Impersonated Party


Impersonated Brands


See How Abnormal Stops Emerging Attacks

See a Demo