A DocuSign brand impersonation attack has been observed bypassing native cloud and inline email security solutions and targeting over 10,000 end users across multiple organizations.
The findings come from security researchers at Armorblox, who described the new threat in an advisory shared with Infosecurity via email.
“At first glance, the email seems to be a legitimate communication from DocuSign, with the sender name being manipulated by the attacker, reading Docusign,” reads the technical write-up.
“However, the email address and domain show us no association to the company – hard to see on mobile devices where end users frequently open email communications from.”
Further, Armorblox explained that the email attack spoofed a common workflow action from a legitimate instance of DocuSign. Normally, an email is sent to the signee after a document has been completed. The spoofed email in this attack had the goal of instilling a similar sense of trust in victims.
“Attackers used a valid domain to send this malicious email. Upon further analysis from the Armorblox Research Team, the sender domain [...], which failed DKIM Alignment checks, received a trustworthy reputation score for this established domain.”
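As an added illustration (not code from Armorblox or from the advisory), the two signals described above can be checked together: a brand name in the display name that does not match the sender domain, and a DKIM result that does not align with the From domain. The brand allowlist, the two-label organizational-domain shortcut and the sample message are assumptions constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: illustrative allowlist of domains each brand really sends from.
BRAND_DOMAINS = {"docusign": {"docusign.com", "docusign.net"}}

# Constructed sample: brand display name, unrelated sender domain, and a
# DKIM signature that passes but for a different domain (not aligned).
SPOOFED = (
    "From: Docusign <notify@mail.example.org>\n"
    "To: user@corp.example\n"
    "Subject: Completed: Please review document\n"
    "Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=mail.example.org;\n"
    " dkim=pass header.d=bulk-sender.example; dmarc=none\n"
    "\n"
    "Your document has been completed.\n"
)

def org_domain(domain):
    # Simplification: last two labels. Real code should use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_aligned(msg, from_domain):
    # Relaxed alignment: a passing signature whose d= shares the From org domain.
    for header in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", header, re.I):
            if org_domain(m.group(1)) == org_domain(from_domain):
                return True
    return False

def analyze(raw):
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and org_domain(from_domain) not in domains:
            findings.append(f"display name claims '{brand}' but sender is {from_domain}")
    if not dkim_aligned(msg, from_domain):
        findings.append(f"no aligned DKIM pass for {from_domain}")
    return findings

if __name__ == "__main__":
    for finding in analyze(SPOOFED):
        print("FLAG:", finding)
```

Only Authentication-Results headers stamped by the receiving organization's own mail server should be trusted as input to a check like this.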
Upon clicking on malicious links within the phishing email, victims would have been redirected to a fake landing page designed to exfiltrate their Proofpoint user credentials.
Armorblox said the attack bypassed both Microsoft Office 365 and Proofpoint email protection solutions but was stopped by the company’s email attack prevention software.
Armorblox said it was able to spot the threat by using natural language understanding (NLU) to comprehend the content and context of the malicious emails and flag them as such.
In other phishing news, a recent report by security researchers at Check Point suggested Yahoo replaced DHL as the most imitated brand in the last quarter of 2022, with fake brand emails being responsible for 20% of all phishing attempts recorded in the wild.