Signed and Compromised: Credential Phishing Through Legitimate DocuSign
Leveraging Document Signature Service to Bypass Traditional SEGs
What is the attack?
Phishing Delivery: Attackers distribute documents through the legitimate DocuSign service, each embedding a clickable link that directs victims to a phishing website imitating the Office 365 login page.
Human Verification: The phishing website employs a Cloudflare CAPTCHA to ensure that only real users can access the site, providing an added layer of legitimacy for the attack.
Why did it get through?
Verified Source: The email was sent from a domain that passes sender authentication checks.
Legitimate Hosting: The document was hosted on a legitimate DocuSign site, lending it an air of legitimacy.
URL Crawling/Analysis Protection: The added CAPTCHA limits automated link crawling and URL analysis features, increasing the difficulty of automated detection.
What is required to solve for this attack?
Abnormal’s Behavioral AI flags never-before-seen senders, unusual email content, and URLs as anomalies that enable the detection of novel attacks.
For defense in depth, this pairs well with the Threat Intelligence layer of the cloud email platform (M365).
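The triage sketch below is an added example, not code from Abnormal or DocuSign. It shows why the signals listed under "Why did it get through?" (passing authentication, a link on the signing service) cannot clear a message on their own, and how a first-seen-sender check changes the verdict. The sample message, the esign.example domain, the sender-identity key (From plus Reply-To) and all function names are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not from the report). esign.example is a stand-in
# for the signing service; every address and URL here is a placeholder.
SAMPLE = """\
From: "Accounts Payable via eSign" <notify@esign.example>
Reply-To: billing@unknown-sender.example
To: user@corp.example
Subject: Please sign: Invoice.pdf
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=esign.example; dkim=pass header.d=esign.example; dmarc=pass header.from=esign.example
Content-Type: text/plain

Review document: https://app.esign.example/documents/placeholder
"""

SIGNING_DOMAINS = {"esign.example"}  # assumption: the signing service's domains
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def auth_results(msg):
    """Map each mechanism in Authentication-Results to its verdict."""
    return dict(AUTH_RE.findall(msg.get("Authentication-Results", "")))

def link_domains(msg):
    """Last two labels of every linked host (naive, enough for the sample)."""
    hosts = (urlparse(u).hostname for u in URL_RE.findall(msg.get_payload()))
    return {".".join(h.split(".")[-2:]) for h in hosts if h}

def triage(raw, seen_senders):
    """seen_senders: set of (from_addr, reply_to_addr) pairs already known
    to this recipient (hypothetical history store)."""
    msg = message_from_string(raw)
    auth = auth_results(msg)
    identity = (parseaddr(msg.get("From", ""))[1].lower(),
                parseaddr(msg.get("Reply-To", ""))[1].lower())
    signals = []
    if all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")):
        signals.append("auth_pass")            # trusted by a SEG, not proof of intent
    if link_domains(msg) & SIGNING_DOMAINS:
        signals.append("signing_service_link")  # reputable host, content unknown
    if identity not in seen_senders:
        signals.append("first_seen_sender")     # behavioral anomaly
    # A reputable-looking signing request from an unknown sender goes to review.
    review = {"signing_service_link", "first_seen_sender"} <= set(signals)
    return {"signals": signals, "review": review}
```
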