I. Targeted Entities

  • DocuSign Users
  • Outlook Users

II. Introduction

A new phishing campaign has targeted a major U.S. payments company. The campaign is directed at a “major, publicly-traded integrated payments solution company located in North America,” and made use of DocuSign and a compromised third party’s email domain to skirt past email security measures.[2]

III. Background Information

Around 550 members of the targeted company received the same email from the same sender, “Hannah Mcdonald,” with a simple subject line and body of the email. From a screenshot provided by Threatpost from Armorblox, the subject line reads, “Hannah shared ‘Revised Contract’ with you.” The body of the email reads, “Hello Please review below and get back to me” with a link of a document through DocuSign, a common e-signature software.[2] The preview looks like a real DocuSign landing page, with a prompt to, “Please review and sign this document,” and a confirmation that other parties had already signed the document.[2] The preview was hosted on Axure, a valid, cloud-based prototyping portal. Ironically, like the real page, the fake page contained a warning in fine print, advising the target to not share access with others. [2]

The phishing emails successfully evaded traditional email security measures partly because they came from a domain belonging to TermBrokersInsurance. Researchers say that a scan of the domain address would not have triggered an alert for fraudulent activity because the domain is valid.[2] Microsoft’s Spam Confidence Level (SCL) measures the perceived legitimacy of an email; SCL rated these emails with a score of –1. This is the lowest score possible and allows emails to bypass filtering because it “is from a safe sender, was sent to a safe recipient or is from an email source server on the IP Allow List.”[2]

Impersonating and exploiting trusted cloud services is an increasingly common tactic to evade security filters; receiving a benign link from a seemingly known and trusted user or application is not inherently malicious. From January to March of 2021, researchers found 7 million malicious emails sent from Microsoft 365 and 45 million malicious emails sent from Google’s cloud services and infrastructure.[2] Cybercriminals have also used Office 365, Azure, OneDrive, SharePoint, G-Suite, and Firebase storage to send phishing emails and to host attacks.[2]

Lauryn Cash, product marketing manager at Armorblox, mentions integrated cloud email security, which is a cloud- and AI-based method of identifying anomalous emails, as a countermeasure to support existing email security tools, and specifically mentions natural language understanding (NLU). NLU is the ability of a computer to interpret meaning from human language.[2] The Armorblox report ends by recommending that users remain vigilant about basic security hygiene; do not open emails they are not expecting, watch for targeted attacks, and use tools like password managers and multi-factor authentication.[2]

IV. MITRE ATT&CK

  • T1598.001 – Spearphishing Service
    Adversaries may send spearphishing messages via a third-party service to elicit sensitive information that can be used during targeting. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual or organization
  • T1598.002 Spearphishing Attachment
    Adversaries may send spearphishing messages with a malicious attachment to     elicit sensitive information that can be used during targeting
  • T1598.003 Spearphishing Link
    Adversaries may send spearphishing messages with a link to elicit sensitive         information that can be used during targeting

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk.
    Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Malware Monitoring
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified.
    Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a

VI. Indicators of Compromise (IOCs)

The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory report. Be on the lookout for these IOCs, as well as anything that looks similar.

https://usf.box.com/s/57zfghvpvrd3a6rlswbees5k6tsobuee

VII. References

(1) Cash, Lauryn. “Please Sign on the Dotted Line: DocuSign Phishing Attack.” Armorblox, February 24, 2022. https://www.armorblox.com/blog/blox-tales-please-sign-on-the-dotted-line-docusign-phishing-attack.

(2) Nelson, Nate. “Cyberattackers Leverage DocuSign to Steal Microsoft Outlook Logins.” Threatpost English Global, February 24, 2022. https://threatpost.com/cyberattackers-docusign-steal-microsoft-outlook-logins/178613/.

Threat Advisory created by the Cyber Florida Security Operations Center.
Contributing Security Analysts: Dorian Pope, Ipsa Bhatt, Sreten Dedic, EJ Bulut, Uday Bilakhiya, Tural Hagverdiyev.