Attack Target Summary

  • Type: Credential Phishing
  • Industry: Architecture & Engineering
  • Recipient: Section Manager
  • Attack Vector: Link-based
  • Technique: Legitimate Hosting Infrastructure

Attack Overview

Step 1: Email (Signature Request From Partner Sent via Docusign)

[Screenshot: Attack Library, Threat Actors Exploit Docusign, 6 Nov, the email]
  • Sent through Docusign's real platform, so every element of the email is legitimate
  • Asks the recipient to review a document purportedly related to Docusign licensing
  • The "REVIEW DOCUMENT" button leads to the genuine Docusign portal

Step 2: Initial Link Destination (Docusign Portal)

[Screenshot: the shared file on the Docusign portal]
  • Shared file hosted on Docusign
  • The file contains a link purportedly to view the shared document
  • "Open and Review the Document" redirects to a Cloudflare captcha (Turnstile)

Step 3: Verification (Cloudflare Turnstile)

[Screenshot: the Cloudflare Turnstile challenge]
  • Blocks automated link crawling and URL analysis tools
  • Makes the page appear more legitimate
  • Completing the Cloudflare Turnstile challenge redirects to a spoofed Microsoft login portal

Step 4: Final Destination (Spoofed Microsoft Login)

[Screenshot: the spoofed Microsoft login portal]
  • Phishing page designed to mimic the Microsoft login screen
  • Any credentials entered are captured by the attacker

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for several reasons, including:

  • Verified Source: The email originated from a domain that passes sender authentication checks.
  • Legitimate Links: The file was hosted on Docusign, a legitimate and trusted service.
  • Use of Human Verification Test: Cloudflare Turnstile limits automated URL analysis.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including:

  • Unknown Sender: The recipient has had no previous correspondence with the sender.
  • Content Analysis: Content analysis algorithms flagged the unusual content of the message.
  • Suspicious Link Analysis: Abnormal detected suspicious links in the email body.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.
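As an added example (not Abnormal's own detection logic, which the page does not describe in detail), the scorer below combines the three indicators listed above with the Turnstile observation from Step 3 into a hold-for-review decision over a constructed message record; the Message record, the sharing-platform domain, the sample URLs and the sender addresses are assumptions, while the Cloudflare challenge host and the Microsoft login hosts are real.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# challenges.cloudflare.com serves Cloudflare Turnstile; extend from sandbox crawl logs
CHALLENGE_HOSTS = {"challenges.cloudflare.com"}
# Constructed stand-in for the Docusign hosting domains used as the first hop above
SHARING_HOSTS = {"sharing-platform.example"}
# Brands whose sign-in pages get spoofed, and the hosts that legitimately serve them
LOGIN_BRANDS = {"microsoft": {"login.microsoftonline.com", "login.live.com"}}

@dataclass
class Message:
    sender: str
    link_chain: list              # hops recorded when the crawler followed the link
    final_title: str = ""         # <title> of the last page reached, "" if none
    crawl_blocked: bool = False   # crawler could not get past an interactive challenge

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def in_domains(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def score_message(msg, known_correspondents):
    """Return the indicators that fire; a non-empty list means hold the message for review."""
    fired = []
    if msg.sender.lower() not in {c.lower() for c in known_correspondents}:
        fired.append("unknown_sender")
    hosts = [host_of(u) for u in msg.link_chain]
    if hosts and in_domains(hosts[0], SHARING_HOSTS):
        fired.append("legit_sharing_first_hop")
    # A crawl that stops at a human-verification challenge is a signal, not a clean result
    if msg.crawl_blocked or any(h in CHALLENGE_HOSTS for h in hosts):
        fired.append("crawl_blocked_by_challenge")
    # A final page claiming a brand's sign-in but not served from that brand's hosts
    title = msg.final_title.lower()
    for brand, allowed in LOGIN_BRANDS.items():
        if brand in title and "sign in" in title and hosts and not in_domains(hosts[-1], allowed):
            fired.append(f"spoofed_{brand}_login")
    return fired

# Constructed sample reproducing the four-step chain from the write-up
SAMPLE = Message(
    sender="notifications@sharing-platform.example",
    link_chain=["https://docs.sharing-platform.example/view/abc123",
                "https://challenges.cloudflare.com/turnstile/v0/api.js",
                "https://secure-account-check.example/login"],
    final_title="Sign in to your Microsoft account",
    crawl_blocked=True,
)
```

The crawl-blocked indicator is the practical point: when a link scanner returns no verdict because it stopped at a challenge, treat that as a reason to hold the message rather than as a clean result.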

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

  • Vector: Link-based
  • Goal: Credential Theft
  • Tactic: Legitimate Hosting Infrastructure; Captcha-Protected Phishing Page
  • Theme: Fake Document
  • Impersonated Party: External Party - Vendor/Supplier
  • Impersonated Brands: DocuSign
  • AI Generated: Not Likely
