DocuSign Brand Impersonation Leads to Credential Phishing Attacks
Brand impersonation is a common element of credential phishing attacks, as threat actors use well-known services to trick recipients into opening emails and clicking links. In this attack, DocuSign is impersonated with a well-crafted email that looks quite similar to a legitimate one that users may expect to receive.
In this instance, attackers use a mail.com email address and include the word docusign in the username in an attempt to appear legitimate. To add further legitimacy, the body copy of the email makes it appear that the request for signature is being sent from the Board of Directors, lending authority and urgency to the message. Once the user clicks the link, they are redirected to an Outlook login page that looks nearly identical to the legitimate one.
Why It Bypassed Traditional Security
The mail.com domain is very similar to Gmail in that it is a free webmail service with DMARC authentication enabled, so any account holder's mail passes SPF, DKIM and DMARC checks. As a result, the message bypasses legacy tools that treat authentication failures as the indicator of spoofing. In addition, the URL within the email is one that has not been seen before, making it difficult for threat intelligence-based tools to detect.
Detecting the Attack
A behavioral system is required to stop attacks that use never-before-seen URLs. By understanding the intent of the link, alongside other signals acquired through content analysis, a cloud email security platform understands when an email may be malicious.
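The signals described above (a brand name in the sender's username or display name while the sending domain is a free webmail provider, a link whose host does not belong to the claimed brand, and authority or urgency language in the body) can be combined into a simple content-based score that does not depend on having seen the URL before. The following is an added illustration, not the vendor's detection logic or any product's code; the brand-to-domain table, the free-webmail list, the urgency terms and both sample messages are constructed for the example, and the phishing link uses a reserved `.invalid` host as a placeholder.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed brand -> legitimate sending domains table (assumption for this example)
BRAND_DOMAINS = {
    "docusign": {"docusign.com", "docusign.net"},
}
# Free webmail providers: any account holder's mail passes SPF/DKIM/DMARC
FREE_WEBMAIL = {"mail.com", "gmail.com", "outlook.com", "yahoo.com"}
# Authority / urgency phrases seen in the lure (constructed list)
URGENCY_TERMS = ("board of directors", "urgent", "immediately", "action required")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _body_text(msg) -> str:
    """Return the first text/plain part of a message as a string."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8", errors="replace")
    return ""


def _host_in(host: str, domains: set) -> bool:
    """True if host equals or is a subdomain of any domain in the set."""
    return any(host == d or host.endswith("." + d) for d in domains)


def score_message(raw: str) -> dict:
    """Score a raw RFC 822 message; returns the triggered signals and their count."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().rpartition("@")
    body = _body_text(msg)
    text = (msg.get("Subject", "") + "\n" + body).lower()

    signals = []
    for brand, legit in BRAND_DOMAINS.items():
        # Brand impersonation: brand name in the username or display name,
        # but the actual sending domain is not one the brand owns.
        claims_brand = brand in local or brand in display.lower()
        if claims_brand and domain not in legit:
            signals.append(f"brand '{brand}' claimed from non-brand domain '{domain}'")
            if domain in FREE_WEBMAIL:
                signals.append("sender domain is free webmail (authentication passes trivially)")
        # Link intent: a brand-themed mail whose links go somewhere the brand does not own.
        if claims_brand:
            for url in URL_RE.findall(body):
                host = (urlparse(url).hostname or "").lower()
                if not _host_in(host, legit):
                    signals.append(f"link host '{host}' not owned by '{brand}'")
    if any(term in text for term in URGENCY_TERMS):
        signals.append("authority/urgency language")
    return {"score": len(signals), "signals": signals}


# Constructed sample resembling the lure described in the post
PHISH = """From: DocuSign <docusign.notifications@mail.com>
Subject: Document from the Board of Directors requires your signature
Content-Type: text/plain

The Board of Directors has sent you a document to review and sign.
Review document: https://example-signin.invalid/login
"""

# Constructed sample resembling a legitimate notification
LEGIT = """From: DocuSign <dse@docusign.net>
Subject: Please sign: Vendor agreement
Content-Type: text/plain

Review document: https://app.docusign.com/signing/abc
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(name, score_message(sample))
```

Run as a script, the constructed phishing sample trips all four signals (score 4) while the constructed legitimate sample scores 0. The point is that none of the signals is a reputation lookup: the URL can be brand new and the mail can pass DMARC, and the message is still flagged because the claimed brand, the sending domain and the link destination do not agree.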
Risk to Organization
This email relies on brand recognition and urgency to trick users into clicking the link—even if just to see what the document contains. Once an employee enters their Outlook credentials, attackers have full access to the email account, which they can then use to look for sensitive information or as a launch point for other attacks on the employee’s coworkers, customers, or vendors.