Brand impersonation is a common element of credential phishing attacks, as threat actors use well-known services to trick recipients into opening emails and clicking links. In this attack, DocuSign is impersonated with a well-crafted email that looks quite similar to a legitimate one that users may expect to receive. 

In this instance attackers use a mail.com email address and include the word docusign in the username in an attempt to appear legitimate. To add further legitimacy, the body copy of the email makes it appear that the request for signature is being sent from the Board of Directors, adding increased authority and urgency to the email. Once the user clicks on link, he is redirected to an Outlook login page that looks nearly identical to the legitimate one. 

Status Bar Dots
62b3800cb6a9563168b78d01 738887881
Status Bar Dots
62b3800cb6a9565e4cb78d00 1404550677

Why It Bypassed Traditional Security

The mail.com domain is very similar to Gmail in that it is a free webmail account with DMARC authentication enabled. As a result, it bypasses legacy tools that look for those indicators. In addition, the URL within the email is one that has not been seen before, making it difficult for threat intelligence-based tools to detect. 

Detecting the Attack

A behavioral system is required to stop attacks that use never-before-seen URLs. By understanding the intent of the link, alongside other signals acquired through content analysis, a cloud email security platform understands when an email may be malicious. 

Risk to Organization

This email relies on brand recognition and urgency to trick users into clicking the link—even if just to see what the document contains. Once an employee enters their Outlook credentials, attackers have full access to the email account, which they can then use to look for sensitive information or as a launch point for other attacks on the employee’s coworkers, customers, or vendors. 

Analysis Overview

Vector

Link-based

Goal

Credential Theft

Tactic

Free Webmail Account

Theme

Fake Document

Impersonated Brands

DocuSign

See How Abnormal Stops Emerging Attacks

See a Demo