Please Sign on the Dotted Line: DocuSign Phishing Attack


Electronic signatures have become the norm for conducting business transactions. Legal contracts, invoices, purchase orders and other documents can be signed electronically without an office visit, a meeting with a sales person, or a courier service like FedEx or UPS.
The problem with electronic signatures? They give cybercriminals one more way to attempt identity theft and to steal organizations’ financial and sensitive data. Malicious actors have used this process to launch phishing attacks masquerading as legitimate emails soliciting digital signatures.
Let’s examine one such attack impersonating DocuSign, the market leader in the electronic signing services industry.
The email attack carried a socially engineered payload that spoofed the design of a legitimate e-signature email, including the sender address and subject line. In the email below, we see the sender and subject line: Hannah McDonald shared a “Revised Contract” with you.
The email took advantage of the end users’ natural instinct of wanting to click the link to review the document that has been sent through. Upon clicking the link, the user is presented a preview of a DocuSign document overview. The similarity to a valid DocuSign overview landing page establishes a sense of trust within the recipient of this phishing attack. The overview page contains a “view completed document” button for the user to click and view the full document, a call to action stating that other parties are waiting for one last signature, and even mimics information that one would find in a legitimate DocuSign preview page about being cautious with sharing sensitive information and alternative signing methods. Additionally, this preview is hosted on Axure - a valid prototyping portal.
When the recipient clicks on the button they are presented with a Microsoft login page, commonly used as a single sign-on tool for accessing hosted applications. The attacker strategically displayed a watermarked view of the document to suggest to the user that only one additional step is needed before viewing the entire document.
The email attack bypassed native Microsoft email security controls. Microsoft assigned a Spam Confidence Level (SCL) of ‘-1’ to the emails, meaning the emails skipped spam filtering because Microsoft determined they were from a safe sender, to a safe recipient, or from an email source server on the IP Allow List.
Summary
Mailboxes: ~550
Target: A major, publicly traded integrated payments solution company located in North America
Email security bypassed: Microsoft email security
Techniques used: Social engineering, brand impersonation, replicating existing business workflows
The Email
The socially engineered email targeted an employee at an integrated payments solutions company using a workflow that is common within the industry: reviewing contracts. The email mimicked this workflow through the subject line “Hannah McDonald shared a ‘Revised Contract’ with you” and the body message “Please review below and get back to me”.
The email further highlighted a specific request to review the document and respond to the sender, creating a sense of urgency for the recipient to act. The attacker’s goal was to convince the user to click on the document link and land on a malicious page built to exfiltrate login credentials.
Phishing Flow
The email was sent from a legitimate domain and was not flagged as malicious by Microsoft’s email security product, due to the assigned Spam Confidence Level (SCL) of ‘-1’.
Bad actors understand the business workflows associated with the target company, which leads to sophisticated phishing attacks. In this example they aimed to intercept the end user in a common business practice of the target company: reviewing and approving contracts. Both the subject line and the body of the email are written in simple language so as not to raise suspicion of bad intent. Inserting a workflow that mirrors a legitimate DocuSign e-signature process further increases perceived legitimacy for the end user. Unfortunately, when the end user falls for the malicious link, it takes them to a phishing page that solicits Outlook credentials (as seen in Fig 5 below).
This socially engineered attack showed a deep understanding of the victims’ business workflow and impersonated a commonly used brand.
Recap of Techniques Used
This email attack employed a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting victims.
Spoofing known workflows: The email was engineered to target a business workflow common to the payments industry: signing and reviewing contracts. It also used DocuSign, the most trusted vendor that facilitates digital signatures. Reviewing contracts and executing them through an e-signature tool is a common workflow for end users. When common workflows are spoofed, end users have a higher chance of taking action than of exercising caution, and so become victims of a phishing attack.
Social engineering: The email title, sender name and content aimed to induce trust and urgency within the victims. Trust because the email claimed to come from a legitimate company and an urge to take action because it requested the victim to follow a familiar business process. The attack also inserted a workflow - a DocuSign preview page that called for an action to be taken within a timely manner, before taking the victim to the malicious landing page.
Brand impersonation: The email spoofed the company DocuSign, the leader in the e-signature market. The email contained information about a contract that needs review and approval. Scammers created a sense of urgency without sounding the alarm (there is no Nigerian prince waiting to send money into your bank account).
Valid domain names: The email was sent from an account belonging to Termbrokersinsurance, a valid domain. Traditional security training advises checking email domains for clear signs of fraud before responding. However, in this case a quick scan of the domain address would not have alerted the end user to fraudulent activity, because the domain was valid. In the payments industry this domain would have passed most custom-defined policies, further increasing end users’ chance of falling victim to this sophisticated phishing attack.
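As an added defender-side example (not code from the original post or from Armorblox), the following Python triage script checks a raw message for the combination described in the Phishing Flow and Recap sections: DocuSign branding in the subject or body, a sender and links outside DocuSign’s own domains, and an Exchange Online Protection SCL header of -1 meaning spam filtering was skipped. The sample messages, sender domain and link host are constructed placeholders, and the DocuSign domain allowlist is an assumption to tune per tenant.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains DocuSign legitimately uses for mail and links (assumed allowlist; tune per tenant).
DOCUSIGN_DOMAINS = ("docusign.com", "docusign.net")
BRAND_RE = re.compile(r"docusign", re.I)
URL_HOST_RE = re.compile(r"https?://([^/\s\"'<>]+)", re.I)

def in_domains(host, domains):
    host = host.lower().split(":")[0]
    return any(host == d or host.endswith("." + d) for d in domains)

def analyze_message(raw):
    """Triage one raw message for this incident's pattern: brand, sender, links, SCL."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # EOP verdict header: -1 means filtering was skipped (safe sender/recipient or IP Allow List).
    scl = int(msg.get("X-MS-Exchange-Organization-SCL", "0").strip())
    branded = bool(BRAND_RE.search(subject) or BRAND_RE.search(body))
    findings = []
    if scl == -1:
        findings.append("scl_bypass")
    if branded and not in_domains(sender_domain, DOCUSIGN_DOMAINS):
        findings.append("brand_sender_mismatch")
    off_hosts = sorted({h for h in URL_HOST_RE.findall(body) if not in_domains(h, DOCUSIGN_DOMAINS)})
    if branded and off_hosts:
        findings.append("brand_link_mismatch")
    return {"scl": scl, "sender_domain": sender_domain, "off_brand_hosts": off_hosts,
            "findings": findings, "suspicious": any(f.startswith("brand_") for f in findings)}

# Constructed sample mirroring the post's lure (sender domain and link host are placeholders).
PHISH_SAMPLE = """\
From: Hannah McDonald <hannah.mcdonald@insurance-broker.example>
Subject: Hannah McDonald shared a "Revised Contract" with you
X-MS-Exchange-Organization-SCL: -1

<p>Please review below and get back to me</p>
<a href="https://preview.prototype-host.example/docusign/view">DocuSign: View completed document</a>
"""
# Constructed benign counterpart: brand domain for sender and link, normal SCL.
BENIGN_SAMPLE = """\
From: DocuSign <dse@docusign.net>
Subject: Completed: Service Agreement
X-MS-Exchange-Organization-SCL: 1

<a href="https://app.docusign.com/documents/view">View completed document</a>
"""
```

An SCL of -1 on its own is normal for allow-listed mail; the brand/sender and brand/link mismatches are what turn it into a finding worth routing to an analyst or a quarantine rule.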
Guidance and Recommendations
1. Be careful opening emails that you are not expecting
When you receive an email requesting review or approval of documents that you did not request or do not expect, take caution before opening it. Just because someone is asking for your review does not mean that you should open the document.
2. Augment native email security to stop socially engineered attacks
The email attack highlighted in this blog got past Microsoft email security. For better protection against email attacks (whether they’re spear phishing, business email compromise or credential phishing attacks like this one), organizations should augment built-in email security with layers, like Armorblox, that take a materially different approach to threat detection. Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2021 and is a good starting point for evaluation.
3. Watch out for targeted attacks
Since we receive an abundance of emails from service providers, our brains have been trained to quickly execute on the requested actions. Instead of clicking on a link, pause and ask these five questions:
- Is the look or tone of the email different from what you are used to?
- Are there spelling or grammatical errors?
- Is the body of the email more generic than it should be?
- Is it asking for your personal information or login credentials?
- Are you expecting the email?
4. Follow multi-factor authentication and password management best practices
Deploy multi-factor authentication (MFA) on business and personal accounts where possible and don’t reuse the same password across multiple sites or accounts. Use password management software like LastPass or 1Password to store your account passwords, and avoid passwords that tie into your publicly available information (date of birth, anniversary date, etc.) or generic passwords such as ‘password123’ or ‘YourName123’.