This blog examines a credential phishing attack that impersonated the brand DocuSign in an attempt to steal victims' login credentials. The email attack bypassed Microsoft Office 365 Email Security and Proofpoint and had the potential to land in the inboxes of over 10,000 end users.
Imagine receiving an email from DocuSign, a well-known and trusted e-signature platform. You would probably feel safe and comfortable clicking on the link in the email, right? Unfortunately, that's exactly what cybercriminals were counting on in a recent brand impersonation attack that targeted DocuSign users.
Today, we're shining a spotlight on a recent email attack that impersonated the well-known brand DocuSign with the goal of exfiltrating sensitive login credentials. This brand impersonation attack bypassed native cloud and inline email security solutions and targeted over 10,000 end users across multiple organizations. Armorblox detected and automatically deleted this brand impersonation attack before any damage could be done – protecting our customers so they can continue to communicate without compromise.
Mailboxes: More than 10,000 mailboxes
Target: Multiple organizations across industries
Email security bypassed: Microsoft Office 365 Email Security and Proofpoint
Techniques used: Social engineering, brand impersonation, replicating existing business workflows, fake landing page
The subject of the email aimed to instill a sense of urgency in the victims, reading: Please DocuSign: Approve Document 2023-01-11. The inclusion of the word Approve within the subject line makes the email seem as if an action from the recipient is required in a timely manner. To increase the chance that the recipient opened the email, the attacker made the document appear new and in need of review by including the date the email was sent within the subject line (January 11, 2023 at 11:01 AM; although we believe the time stamp was coincidental and not an intentional semordnilap).
At first glance, the email seems to be a legitimate communication from DocuSign, with the sender name manipulated by the attacker to read Docusign. However, the email address and domain show no association with the company – something that is hard to see on mobile devices, where end users frequently open email communications. This email attack spoofed a common DocuSign workflow, in which an email is sent after a document has been completed, with the goal of instilling a sense of trust in the unsuspecting victims.
Fig 1: Snapshot of email attack impersonating the brand DocuSign
The language used within the body of the email continues to impersonate the well-known brand DocuSign. It includes statements about alternate shipping methods, a blurb about the company DocuSign, and even a disclaimer not to share the email with anybody else. Unsuspecting victims who fell for the attackers’ manipulative tactics and opened the email were presented with additional language and information aimed at establishing trust and encouraging them to click on the main link, which reads: VIEW COMPLETED DOCUMENT.
The Phishing Page
The goal of the email attack was to persuade victims to click on the main call-to-action button, VIEW COMPLETED DOCUMENT, included within the email. Unfortunately, to the naked eye, end users cannot tell that this button pointed to a malicious URL. When clicked, victims were taken to a fake landing page designed to impersonate a Proofpoint Storage application. The fake landing page included Proofpoint branding and showed an icon of a PDF document, representing the completed document that the victim supposedly needed to view.
Fig 2: Fake landing page with the goal to exfiltrate sensitive login credentials
Attackers placed the goal of instilling trust in the victims at the forefront when crafting this spoofed page: a preview of the document file name and size, a checkmark showing the file was verified by Symantec, and the inclusion of the victim’s email address for continued validation that this file was meant to be viewed by that person. All of this served the goal of getting victims to sign in with their Proofpoint ID, unknowingly providing sensitive user login credentials straight to the attacker.
The Attack Flow
This email attack impersonated a well-known brand, with the intention to create a sense of trust in the victim. Attackers included language within the email that mimicked company communications and included legitimate logos and branding across the fake landing page, in order to exfiltrate the victims’ sensitive user credentials.
The Power of Armorblox
The email attack used language to instill trust and persuade victims to click on the malicious link included within the body of the email, and bypassed Microsoft Office 365 (receiving an SCL score of -1) and the leading inline secure email gateway, Proofpoint. These native email security layers are able to block mass spam and phishing campaigns and known bad URLs; however, when it comes to unknown links or zero-day attacks, these security layers fall short.
This email attack would have been delivered to 10,000 end users’ inboxes if the targeted organizations had relied only on native email security layers. Native email security enforces security measures that can identify and block threats - but only those that are already known. Socially engineered email attacks that use unknown malicious links as the main attack vector put organizations that rely solely on legacy solutions at risk. Fortunately, these end users are protected by Armorblox, which accurately detected this email attack containing a malicious URL and automatically deleted the email, preventing end users from engaging with it. Armorblox uses Natural Language Understanding (NLU) to understand the content and context of email communications in order to protect organizations from all types of targeted email attacks that bypass native and legacy security solutions. With these sophisticated detection techniques and custom machine learning models, Armorblox provides organizations and end users the protection needed to stop today’s emerging threats.
The attackers used a valid domain to send this malicious email. Upon further analysis by the Armorblox Research Team, the sender domain (hirose-osaka.co.jp) failed DKIM alignment checks but nonetheless carried a trustworthy reputation score as an established domain (86 months old).
Please note that sensitive information has been obscured from the above screenshots for privacy reasons.
Recap of Techniques Used
This email attack employed a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting victims.
Social engineering: The email subject, design, and language used aimed to induce a sense of trust and urgency in the victims. Trust was induced by impersonating a well-known brand (DocuSign) and a sense of urgency through the content within both the email and the fake landing page. The context of this attack also leverages the curiosity effect, which is a cognitive bias that refers to our innate desire to resolve uncertainty and know more about something.
Brand impersonation: The email included language and information similar to legitimate DocuSign communications. The fake landing page included legitimate logos and branding of Proofpoint; coupled with its language and the inclusion of additional ‘security checks’, this fake landing page could easily fool the eyes of unsuspecting victims.
Replicating Existing Business Workflows: The email was engineered to replicate a common business workflow from DocuSign in order to instill a sense of trust and urgency. It is not uncommon for companies to complete documents that need review and/or signature via DocuSign. Upon this completion, DocuSign will send an email notification ensuring that the last step doesn’t fall flat – final review of the completed document.
Guidance and Recommendations
1. Augment native email security with additional controls
The email highlighted in this blog bypassed native email security. For better protection and coverage against email attacks (whether they’re spear phishing, business email compromise, or credential phishing attacks like this one), organizations should augment built-in email security with layers that take a materially different approach to threat detection. Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2021, and Armorblox highlights them as well in the 2022 Email Security Threat Report; both should be a good starting point for your evaluation.
2. Watch out for social engineering cues
Since we get so many emails from service providers, our brains have been trained to quickly execute on requested actions. It’s much easier said than done, but engage with these emails in a rational and methodical manner whenever possible. Subject the email to an eye test that includes inspecting the sender name, sender email address, the language within the email, and any logical inconsistencies within the email.
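The eye test described above (sender name versus sender address, the language in the body, and whether the call-to-action link actually points at the brand named in the message) and the DKIM alignment failure noted in the analysis section can both be turned into simple automated checks. The script below is an added example, not Armorblox's code or any vendor's detection logic; the two raw messages, the sender and link domains, and the small brand-to-domain table are constructed placeholders, and the table is deliberately simplified (a real allowlist would contain every domain a brand genuinely sends from). It parses a message with the standard library, then flags a display name that claims a brand the sender domain does not belong to, a DKIM signature whose signing domain (header.d) is not aligned with the From domain, and any link whose destination falls outside the domains of the brands the message itself invokes.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the post: brand name in the display name,
# an unrelated sender domain, a DKIM signature from a domain that does not
# align with From, and a call-to-action link outside the brand's domains.
# Every domain here is a placeholder, not real infrastructure.
SUSPECT_EML = """\
From: Docusign <notify@sender-placeholder.example>
To: victim@target.example
Subject: Please DocuSign: Approve Document 2023-01-11
Authentication-Results: mx.target.example; dkim=pass header.d=mailer-placeholder.example; spf=pass smtp.mailfrom=sender-placeholder.example
Content-Type: text/html; charset=utf-8

<html><body>
<p>Docusign: A document has been completed and is ready for your review.</p>
<a href="https://storage-placeholder.example/view/doc.pdf">VIEW COMPLETED DOCUMENT</a>
<p>Do not share this email with anyone else.</p>
</body></html>
"""

# Constructed benign counterpart: display name, sender domain, DKIM signing
# domain and link destination all belong to the brand being named.
BENIGN_EML = """\
From: DocuSign <notifications@docusign.com>
To: victim@target.example
Subject: Completed: Contract
Authentication-Results: mx.target.example; dkim=pass header.d=docusign.com; spf=pass smtp.mailfrom=docusign.com
Content-Type: text/html; charset=utf-8

<html><body><a href="https://app.docusign.com/documents/1">VIEW COMPLETED DOCUMENT</a></body></html>
"""

# Assumed, simplified brand -> registrable domain table (see lead-in).
BRANDS = {"docusign": "docusign.com", "proofpoint": "proofpoint.com"}


class LinkExtractor(HTMLParser):
    """Collects (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(domain):
    # Naive "last two labels" rule; a production check would use the public suffix list.
    return ".".join(domain.lower().split(".")[-2:])


def brands_in(text):
    return [b for b in BRANDS if b in text.lower()]


def analyse(raw):
    """Return a list of human-readable findings; an empty list means no red flags."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(str(msg["From"]))
    from_domain = addr.rpartition("@")[2].lower()

    # 1. Display name claims a brand that the sender domain does not belong to.
    for b in brands_in(display):
        if registrable(from_domain) != BRANDS[b]:
            findings.append(f"display name '{display}' claims {b} but sender domain is {from_domain}")

    # 2. DKIM alignment: the signing domain (header.d) must align with the From domain.
    auth = str(msg.get("Authentication-Results", ""))
    m = re.search(r"dkim=(\w+)(?:[^;]*?header\.d=([\w.-]+))?", auth)
    if not m or m.group(1) != "pass":
        findings.append("DKIM missing or not passing")
    elif m.group(2) and registrable(m.group(2)) != registrable(from_domain):
        findings.append(f"DKIM signed by {m.group(2)}, not aligned with {from_domain}")

    # 3. Links that leave every brand the message itself invokes.
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    parser = LinkExtractor()
    parser.feed(html)
    claimed = set(brands_in(display) + brands_in(str(msg["Subject"] or "")) + brands_in(html))
    allowed = {BRANDS[b] for b in claimed}
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if claimed and registrable(host) not in allowed:
            findings.append(f"link '{text}' -> {host} is outside brand domains {sorted(allowed)}")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_EML), ("benign", BENIGN_EML)):
        print(label, analyse(raw) or ["no findings"])
```

Run as-is, the suspect message produces three findings (brand mismatch in the display name, unaligned DKIM signing domain, and a call-to-action link outside the brand's domains) while the benign one produces none. Each check is cheap enough to run in a mail-flow rule or a triage script, and the third check is the automated form of the mobile-screen problem the post describes: the link text says DocuSign, but the destination host does not.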
3. Follow multi-factor authentication and password management best practices
If you haven’t already, implement these hygiene best practices to minimize the impact of credentials being exfiltrated:
- Deploy multi-factor authentication (MFA) on all possible business and personal accounts.
- Don’t use the same password on multiple sites/accounts.
- Use password management software like 1Password to store your account passwords.