In this credential phishing attack, the threat actor impersonates the popular e-signature solution DocuSign and emails the target a message purportedly regarding tax documents. After spoofing an unrelated but legitimate domain, the attacker sets the sender display name as “OnlineDocs Via Sign®-|[Target Company’s Domain]” to appear more legitimate. The subject line reads “Completed: 2023 Tax Documents viaSign: #2 -[Target Company’s Domain] - Wednesday, January 17, 2024,” which creates a sense of urgency since the beginning of the calendar year is generally when tax-related emails begin to surface for most US employees. The email itself is designed to look exactly like a real DocuSign notification and includes a “VIEW DOCUMENT” button, which the target can supposedly click to see the document in full. However, if the target clicks the button, they will be taken to a credential phishing website where login details and other sensitive information are at risk of being stolen.

Older, legacy email security tools struggle to identify this email as an attack because it leverages social engineering techniques, contains no malicious attachments, and is sent from an unknown sender. Modern, AI-powered email security tools analyze the links, detect the use of social engineering, and flag the unknown sending domain to accurately mark this email as an attack.


How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Social Engineering: The email uses social engineering techniques, a strategy that legacy systems often struggle to detect.
  • Lack of Malicious Attachments: The email contains an attachment, but it's an image file, which is typically considered safe. Legacy systems might not thoroughly scan such files for hidden threats.
  • Unknown Sender: The email and domain used to send this message are unknown to the recipient's company. This can make it more difficult for traditional security solutions to identify the email as malicious if they rely on previous interactions with the sender.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Link Analysis: Abnormal analyzes the links included in the attachment. While the link may not already be flagged as dangerous in a database, Abnormal detects other potentially malicious elements.
  • Social Engineering Detection: Abnormal detects social engineering techniques, such as a manufactured sense of urgency, and flags emails with these tactics as malicious.
  • Unknown Sender Domain: Abnormal flags that the domain used to send this email is an unknown domain to which the company has never sent messages in the past. This is a strong sign that the message may not be from a safe source.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
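
The header-level signals described above (an outside sender placing the recipient's own domain in the display name, an e-signature look-alike name, a never-before-seen sending domain, and a tax-themed subject) can be approximated with simple checks. The following Python is an added example, not Abnormal's detection logic; the domains, allow-lists and sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions (constructed, not from the page): the recipient organisation's
# domain, domains it has exchanged mail with before, and e-signature senders.
ORG_DOMAIN = "example-corp.test"
KNOWN_SENDER_DOMAINS = {"docusign.net", "partner.test"}
ESIGN_DOMAINS = {"docusign.net", "docusign.com"}

def score_message(raw: str) -> list[str]:
    """Return the names of the header-level signals a raw message triggers."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    external = domain != ORG_DOMAIN
    findings = []
    # An outside sender embedding our own domain in its display name.
    if external and ORG_DOMAIN in display.lower():
        findings.append("recipient_domain_in_display_name")
    # Display name reads like an e-signature service ("Docs ... Sign")
    # but the mail does not come from an approved e-signature domain.
    letters = re.sub(r"[^a-z]", "", display.lower())
    if "doc" in letters and "sign" in letters and domain not in ESIGN_DOMAINS:
        findings.append("esign_brand_lookalike")
    # Sending domain the organisation has no history with.
    if external and domain not in KNOWN_SENDER_DOMAINS:
        findings.append("unknown_sender_domain")
    # Tax-themed subject line, the lure used in this campaign.
    if re.search(r"\btax\b", msg.get("Subject", ""), re.I):
        findings.append("tax_theme_subject")
    return findings

# Constructed sample modelled on the headers described above.
PHISH = (
    'From: "OnlineDocs Via Sign®-|example-corp.test" <notify@unrelated-sender.test>\n'
    "To: employee@example-corp.test\n"
    "Subject: Completed: 2023 Tax Documents viaSign: #2 -example-corp.test"
    " - Wednesday, January 17, 2024\n\nVIEW DOCUMENT\n"
)
# Constructed benign notification from a known e-signature domain.
BENIGN = (
    'From: "DocuSign" <dse@docusign.net>\n'
    "To: employee@example-corp.test\n"
    "Subject: Completed: Vendor agreement\n\nReview the document.\n"
)

if __name__ == "__main__":
    print(score_message(PHISH))
    print(score_message(BENIGN))
```

No single signal is conclusive on its own; the phishing sample stands out because all four fire together while the benign notification triggers none.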

Analysis Overview




Credential Theft


Fake Document
Tax Matter

Impersonated Party


Impersonated Brands

