This credential phishing email was made to look like a DocuSign document-sharing notification: the recipient was instructed to review attached "secure documents" regarding payroll, reimbursements, and their 401(k) by the end of the day. The sender's display name was simply "Desk" rather than a person's name, and the sending address appeared to be a legitimate account that had been compromised. The attached HTML file was named after the recipient's company.

Screenshot: DocuSign phishing email

Opening the attached HTML file redirected the recipient to a phishing page mimicking the Microsoft login page. The page was prefilled with the recipient's email address, and a message told them that because they were "accessing sensitive info, you need to verify your password." The page background was an image apparently saved from the targeted company's website, and the company's logo was displayed in the login box.

Screenshot: Microsoft login phishing page

Why It Bypassed Traditional Security

The URL embedded in the attachment had not previously been flagged as malicious, so it passed traditional email defenses that rely on known-bad indicators. Because the message was sent from a legitimate, compromised account with no history of abuse, sender reputation and domain authentication checks gave no indication that the email's origin was malicious.

Detecting the Attack

HTML attachments are commonly used to deliver phishing payloads without placing any malicious link in the email body itself, so a detection system has to extract and analyze the URLs inside attachments and assess their intent alongside other signals from content analysis: the generic "Desk" display name, the fake-document theme, the attachment named after the recipient's company, and the end-of-day deadline. Analysis of this HTML file surfaced a URL with no prior malicious reputation; on its own that URL would not have been blocked, which is why the surrounding signals matter.
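As an added example (not code from the original page or from any vendor's product), the following Python script performs the attachment-URL extraction and signal combination described above: it parses a raw .eml, pulls every navigation target out of HTML attachments (including meta-refresh and JavaScript redirects, which a scanner that only reads `<a href>` would miss), and scores the message on content signals that do not depend on the URL already having a bad reputation. The sample message, hostnames, weights and thresholds are constructed for illustration.

```python
"""Added example, not code from the original page or any vendor product: pull
URLs out of HTML attachments in a raw .eml and score the message on content
signals, since a never-seen URL has no reputation to match. The message,
hosts and weights below are constructed for illustration."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure: DocuSign theme, attachment named after the recipient's
# company, body that redirects to a login page with the address prefilled.
SAMPLE_EML = """\
From: Desk <accounts@compromised-partner.example>
To: jane.doe@acme-corp.example
Subject: Secure documents: Payroll, Reimbursements, 401(k)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; name="Acme-Corp.html"
Content-Disposition: attachment; filename="Acme-Corp.html"

<html><head><meta http-equiv="refresh" content="0;url=https://login-verify.example/auth?e=jane.doe@acme-corp.example"></head>
<body><script>window.location.href="https://login-verify.example/auth";</script>
<a href="https://www.docusign.com/">DocuSign</a></body></html>
--B1--
"""
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


class URLExtractor(HTMLParser):
    """Collect (kind, url) from href/src/action, meta refresh, and <script>."""

    def __init__(self):
        super().__init__()
        self.found, self._in_script = set(), False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        for key in ("href", "src", "action"):
            if a.get(key, "").startswith(("http://", "https://")):
                self.found.add((key, a[key]))
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*([^\s;]+)", a.get("content", ""), re.I)
            if m:
                self.found.add(("meta-refresh", m.group(1)))
        self._in_script = tag == "script"  # script bodies arrive via handle_data

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        if self._in_script:  # redirect-only pages keep the URL in JS, not in <a>
            self.found.update(("script", u) for u in URL_RE.findall(data))


def extract_attachment_urls(raw_eml):
    """Return {filename: sorted (kind, url) pairs} for each HTML attachment."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    out = {}
    for part in msg.iter_attachments():
        if part.get_content_type() == "text/html":
            parser = URLExtractor()
            parser.feed(part.get_content())
            out[part.get_filename() or ""] = sorted(parser.found)
    return out


def score_message(raw_eml, known_bad=frozenset(), trusted=frozenset()):
    """Weights are illustrative: a URL with no reputation still scores when it
    arrives in an HTML attachment that auto-redirects and prefills the victim."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    recipient = parseaddr(str(msg.get("To", "")))[1].lower()
    company = recipient.split("@")[-1].split(".")[0].replace("-", "")
    score, signals = 0, []

    def hit(points, text):
        nonlocal score
        score += points
        signals.append(text)

    for name, pairs in extract_attachment_urls(raw_eml).items():
        hit(1, f"html attachment: {name}")
        if company and company in re.sub(r"[-_ ]", "", name.lower()):
            hit(2, "attachment name matches recipient's company")
        for kind, url in pairs:
            host = (urlparse(url).hostname or "").lower()
            if host in trusted:
                continue  # e.g. the real brand site linked for credibility
            bad = host in known_bad
            hit(5 if bad else 2, f"{'known-bad' if bad else 'unknown'} host {host} via {kind}")
            if kind in ("meta-refresh", "script"):
                hit(2, f"automatic redirect via {kind}")
            if recipient and recipient in url.lower():
                hit(2, "recipient address embedded in url (login prefill)")
    verdict = "malicious" if score >= 6 else "review" if score >= 3 else "benign"
    return {"score": score, "verdict": verdict, "signals": signals}
```

The trusted allowlist matters: a lure often links the real brand site (docusign.com here) alongside the phishing host, and counting that link would muddy the score. With `score_message(SAMPLE_EML, trusted={"www.docusign.com"})` the verdict is already "malicious" with an empty `known_bad` set, because the attachment, the company-named filename, the automatic redirect and the prefilled recipient address together carry the decision that URL reputation alone could not.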

Risk to Organization

When an employee enters their credentials, the attackers gain full access to that employee's email account, which they can use to search for sensitive information or to launch further attacks on the employee's coworkers, customers, or vendors.

Analysis Overview

Vector: Payload-based
Goal: Credential Theft
Tactic: External Compromised Account
Theme: Fake Document
Impersonated Brands: DocuSign