DocuSign Brand Impersonation Attack Bypasses Security Measures, Targets Over 10,000

DocuSign branding impersonation attacks have been observed bypassing native cloud and inline email security solutions and targeting over 10,000 end users across multiple organizations.

The findings come from security researchers at Armorblox, who described the new threat in an advisory shared with Information security by email.

“At first glance, the email appears to be a legitimate communication from DocuSign. The sender’s name has been manipulated by the attacker to read DocuSign,” the technical article reads.

“However, email addresses and domains do not indicate company relevance, which is confusing on mobile devices where end-users frequently open email communications.”

Additionally, Armorblox explained that the email attack disguised itself as a common workflow action from legitimate instances of DocuSign: an email is typically sent to the signers after the document is completed. The spoofed emails in this attack were intended to instill a similar sense of trust in the victim.

“The attacker used a valid domain to send this malicious email. Further analysis by the Armorblox research team revealed that the sender domain was […] Failed the DKIM alignment check received a trustworthy reputation score for this established domain.”
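The two signals described in the quotes above (a DocuSign display name on a sender domain unrelated to the company, and a failed DKIM alignment check) can both be read from message headers. The following Python is an added example, not Armorblox's detection logic; the sample message, the brand allow-list and the function names are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed allow-list of domains a brand legitimately sends from.
BRANDS = {"docusign": {"docusign.com", "docusign.net"}}

# Constructed sample message; all domains are placeholders.
SAMPLE = """\
From: DocuSign <notify@mail.example-sender.test>
To: user@victim.example
Subject: Completed: Please review your document
Authentication-Results: mx.victim.example; spf=pass; dkim=pass header.d=other-signer.test

Your document has been completed.
"""

def org_domain(domain):
    # Naive organizational domain: the last two labels.
    # Production code should consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_aligned(msg, from_domain):
    """Relaxed alignment: a passing DKIM d= shares the From organizational domain.

    Only trust Authentication-Results headers stamped by your own mail gateway.
    """
    for ar in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"dkim=(\w+)[^;]*?header\.d=([\w.-]+)", str(ar)):
            result, signer = m.group(1).lower(), m.group(2)
            if result == "pass" and org_domain(signer) == org_domain(from_domain):
                return True
    return False

def analyze(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"]))
    from_domain = addr.rpartition("@")[2]
    findings = []
    for brand, domains in BRANDS.items():
        # Brand name in the display name, but the address is on another domain.
        if brand in display.lower() and org_domain(from_domain) not in domains:
            findings.append("display-name-brand-mismatch:" + brand)
    if not dkim_aligned(msg, from_domain):
        findings.append("dkim-not-aligned")
    return findings

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Both checks are independent of the sender domain's reputation score, which is why they still fire when an established domain is used to send the message.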

Clicking on a malicious link within a phishing email redirects victims to a fake landing page designed to steal Proofpoint user credentials.

According to Armorblox, the attack targeted Microsoft Office 365 and Proofpoint email protection solutions, but it was stopped by the company’s email attack prevention software.

Armorblox says it was able to identify the threat by using natural language understanding (NLU) to understand the content and context of malicious emails and flag them as such.

In other phishing news, a recent report by Check Point security researchers said Yahoo replaced DHL as the most imitated brand in Q4 2022, with 20% of all recorded phishing attacks actually coming from fake branded emails.
