Inception Cyber | Intent-Based Security Blogs

3 + 1 = G-Suite Credential Phishing

Written by Kalpesh Mantri, Principal Research Engineer | Jan 15, 2025 6:25:57 PM

v2 DocuSign-Themed Phishing Campaign Exploits Trust in Legitimate Platforms

 

Quick Read:

  • Phishing Strategy: Impersonation of DocuSign through email and PDF attachment.
  • Tactics Observed:
    • No “To:” header in the message; delivery relied solely on the SMTP envelope recipient (RCPT TO), which is visible in the Received: header chain.
    • False affiliation claims with DocuSign.
    • PDF attachment redirects to an hsForms-hosted fake DocuSign page.
    • Multi-layered redirections ending in a phishing page protected by multiple captcha verifications.
    • The phishing page indicates that the targets are G-Suite customers.
  • Deployment: NACE was deployed to analyse emails behind G-Suite.
  • Detection Status: At the time of writing, 0 of 96 VirusTotal vendors detected the URL even though it was still active; only NACE flagged it as phishing.

Figure: Virus-Total detection for URL

1. Email and Attachment: A Convincing Facade

The attackers carefully crafted the email and attachment to bypass detection and trick victims into interacting with the malicious content.

 



Figure: Malspam Email with PDF Attachment

 

Header Observations

  • Absence of “To:” Header: The email has no visible recipient header; the attackers relied on the SMTP envelope to deliver it to the victim.

RFC 5321 requires at least one recipient in the SMTP envelope (the RCPT TO command), but it says nothing about the message header. The header is governed by RFC 5322, which makes To:, Cc: and Bcc: optional (only From: and Date: are mandatory), so a message with no visible recipient field is still valid and is delivered to whatever address was given in RCPT TO. The receiving MTA usually records that envelope address in the “for <address>” clause of its Received: header, which is how the true recipient can still be recovered from the message.

 

PDF Attachment

The attached PDF file is disguised as an official DocuSign document, complete with branding and calls to action. It plays a critical role in luring the victim into clicking the embedded link.

The threat actors made basic mistakes while mimicking DocuSign's workflow. According to DocuSign's incident-reporting guidance:

  • DocuSign includes a security access code in its emails; this PDF has none.
  • DocuSign attaches PDFs only for completed documents, after all parties have signed, and its emails never redirect to third-party platforms.

2. Redirection Chain: Exploiting Trust in Trusted Platforms

Once the victim interacts with the PDF, the campaign shifts into its second phase: a series of redirections designed to maintain credibility and evade detection.

Figure: Multi-Redirect Phishing Chain

 

Stage 1: hsForms Redirection

The PDF link directs victims to an hsForms-hosted page. This page, designed to mimic a DocuSign e-signature request, capitalizes on the trust associated with hsForms' legitimate domain.

From the fake e-signature page, victims are led to another embedded link. The extra hop obscures the true destination and delays suspicion.

Stage 2: Final Phishing Page

The final phishing page presents a captcha challenge, both to create an illusion of legitimacy and to block automated analysis. Once the captcha is solved, victims are prompted for their corporate G-Suite credentials, which the attackers harvest.

NACE™ Detection Approach:

Figure: NACE™ semantic-based approach

This email was flagged as malicious by Inception Cyber's Neural Analysis and Correlation Engine (NACE™). Semantic and thematic analysis identified the intent of the email, and the contextual relationships between features extracted from the headers and the file attachment classified it as a phishing attempt.

Header and Subject Features

Analysis of the SMTP headers extracted the following features:

  • Missing “To:” Header: NACE™ identified the absence of a visible To: header; the message was addressed only through the SMTP envelope.
  • The presence of a webmail X-Mailer agent signalled that the email was likely sent programmatically.
  • ‘Invoice’ and ‘Finance’ semantics were identified in the subject.
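The following is an added example, not NACE's code, showing how the header-level features listed above (and the RFC 5321/5322 point about envelope-only delivery made earlier) can be extracted from a raw message with Python's standard library. The sample message is constructed for this example, and the finance vocabulary and webmail-agent list are assumptions to tune against your own telemetry.

```python
"""Added example (not NACE's code): extract from a raw RFC 5322 message the
header features this section describes -- a missing To: header, the envelope
recipient recovered from the Received: chain, a webmail X-Mailer, and
finance wording in the Subject. The sample message is constructed."""
import re
from email import message_from_string

# Constructed sample: no To:/Cc:/Bcc: header at all. The only recipient is the
# envelope address the receiving MTA recorded in the "for <...>" clause.
SAMPLE_RAW = (
    "Received: from mail.sender.example (mail.sender.example [203.0.113.10])\n"
    "\tby mx.victim.example (Postfix) with ESMTPS id 4A1B2C3D\n"
    "\tfor <finance@victim.example>; Wed, 15 Jan 2025 10:02:11 +0000\n"
    'From: "Docusign" <no-reply@sender.example>\n'
    "Subject: Invoice 2025-01 ready for signature - Finance Dept\n"
    "Date: Wed, 15 Jan 2025 10:02:00 +0000\n"
    "X-Mailer: Roundcube Webmail/1.6\n"
    "Message-ID: <abc123@sender.example>\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Please review and sign the attached document.\n"
)

# Assumed vocabularies; tune them to your own telemetry.
FINANCE_TERMS = {"invoice", "finance", "payment", "remittance", "wire"}
WEBMAIL_AGENTS = ("roundcube", "squirrelmail", "horde", "zimbra", "rainloop")

# RFC 5321 section 4.4: the receiving MTA may record the RCPT TO address as
# "for <addr>" in its Received: trace field.
FOR_CLAUSE = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?")


def envelope_recipients(msg):
    """Recover envelope (RCPT TO) addresses from the Received: header chain."""
    found = []
    for value in msg.get_all("Received", []):
        unfolded = re.sub(r"\s+", " ", value)  # undo header folding
        for m in FOR_CLAUSE.finditer(unfolded):
            if m.group(1) not in found:
                found.append(m.group(1))
    return found


def extract_header_features(raw):
    msg = message_from_string(raw)
    visible = [h for h in ("To", "Cc", "Bcc") if msg.get(h) is not None]
    rcpts = envelope_recipients(msg)
    agent = (msg.get("X-Mailer") or msg.get("User-Agent") or "").strip()
    subject_words = set(re.findall(r"[a-z]+", (msg.get("Subject") or "").lower()))
    return {
        "visible_recipient_headers": visible,
        "envelope_recipients": rcpts,
        # Valid per RFC 5322 (To: is optional) but unusual for human-sent mail.
        "envelope_only_delivery": not visible and bool(rcpts),
        "x_mailer": agent,
        "webmail_agent": any(t in agent.lower() for t in WEBMAIL_AGENTS),
        "finance_terms": sorted(subject_words & FINANCE_TERMS),
    }


def header_signals(features):
    """Names of the header-level signals that fired. On their own these are
    weak; the post's point is that they are correlated with attachment
    features rather than scored in isolation."""
    signals = []
    if features["envelope_only_delivery"]:
        signals.append("no_visible_recipient")
    if features["webmail_agent"]:
        signals.append("webmail_mailer")
    if features["finance_terms"]:
        signals.append("finance_subject")
    return signals


if __name__ == "__main__":
    feats = extract_header_features(SAMPLE_RAW)
    print(feats)
    print(header_signals(feats))
```

Note that the "for <addr>" clause is optional for MTAs and is routinely omitted when a message has several envelope recipients, so treat an empty envelope_recipients list as "unknown", not as evidence of anything.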

 

Attachment Features

The single-page PDF attachment triggered several critical features for correlation, including:

  • Brand Identification: CLIP (Contrastive Language-Image Pre-training) identified the DocuSign branding in the document; brand impersonation is a tactic often employed in phishing campaigns.
  • Embedded URL: The PDF contained a URL pointing to a free form-service domain, served through a CDN.
  • Domain Identification: The destination domain was identified as a free form service.
  • Missing DocuSign Integrity Checks: DocuSign includes a security access code in its emails; this PDF has none.
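As an added example (not NACE's code), the block below shows the mechanics behind the "Embedded URL" and "Domain Identification" features: pulling the call-to-action URLs out of a PDF's /URI actions, including ones packed into Flate-compressed streams, and classifying the hosting domain. Both PDF fixtures are constructed for this example; the hsForms share host, the path, and the list of free form-builder domains are assumptions.

```python
"""Added example (not NACE's code): pull the call-to-action URLs out of a PDF's
/URI actions, including ones hidden in Flate-compressed streams, and classify
the hosting domain. Both fixtures are constructed, minimal PDFs; the hsForms
share host and the URL paths are assumptions."""
import re
import zlib
from urllib.parse import urlsplit

# Constructed single-page PDF with one /Link annotation (uncompressed).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
   /Annots [4 0 R] /Contents 5 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [100 600 300 640]
   /A << /S /URI /URI (https://share.hsforms.com/1AbCdEf-example) >> >> endobj
5 0 obj << /Length 47 >>
stream
BT /F1 18 Tf 100 650 Td (Review Document) Tj ET
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Second constructed fixture: the action packed into a Flate-compressed object
# stream, which a plain string search over the file would miss.
SAMPLE_PDF_COMPRESSED = (
    b"%PDF-1.5\n6 0 obj << /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(b"4 0 << /S /URI /URI (https://forms.office.com/r/constructed) >>")
    + b"\nendstream\nendobj\n%%EOF\n"
)

# Assumed list of free form-builder / page-hosting domains. The post names
# hsForms (HubSpot); extend with whatever services you see abused.
FREE_FORM_HOSTS = ("hsforms.com", "forms.office.com", "forms.gle", "docs.google.com")

URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")  # /URI (string)
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]+)>")           # /URI <hex>
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def candidate_regions(pdf):
    """Yield the raw file, then every stream body that inflates as zlib data."""
    yield pdf
    for m in STREAM.finditer(pdf):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue  # not Flate-compressed; the raw pass already covered it


def extract_pdf_uris(data):
    uris = []
    for m in URI_LITERAL.finditer(data):
        literal = re.sub(rb"\\(.)", rb"\1", m.group(1))  # simplified unescape of \( \) \\
        uris.append(literal.decode("latin-1"))
    for m in URI_HEX.finditer(data):
        clean = re.sub(rb"\s", b"", m.group(1)).decode("ascii")
        uris.append(bytes.fromhex(clean).decode("latin-1"))
    return uris


def classify_host(url):
    host = (urlsplit(url).hostname or "").lower()
    for suffix in FREE_FORM_HOSTS:
        if host == suffix or host.endswith("." + suffix):
            return "free-form-service"
    return "other"


def analyse_pdf(pdf):
    seen = []
    for region in candidate_regions(pdf):
        for uri in extract_pdf_uris(region):
            if uri not in seen:
                seen.append(uri)
    return [{"url": u, "host": urlsplit(u).hostname, "class": classify_host(u)} for u in seen]


if __name__ == "__main__":
    for hit in analyse_pdf(SAMPLE_PDF) + analyse_pdf(SAMPLE_PDF_COMPRESSED):
        print(hit)
```

The regex approach deliberately ignores PDF object structure, which is what makes it robust to the malformed files phishing kits produce; the cost is that it also ignores /Launch and /JavaScript actions, encrypted documents, and non-Flate filters, so treat it as a first-pass extractor rather than a parser.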

The comprehensive feature extraction, and the contextual relationships between intent, SMTP headers and file attributes, enabled NACE to classify the attachment as phishing without relying on the final landing URL. This differs from traditional technologies that depend on payload inspection or analysis of the final landing page for their decision.

At the time of writing, none (0 out of 96) of the VirusTotal vendors classified this URL as phishing.

Figure: Virus-Total detection for URL

Campaign Insights and Analysis

This campaign demonstrates a sophisticated approach by blending social engineering with the abuse of legitimate platforms. Key observations include:

  • Legitimate Service Exploitation: Hosting malicious content on free-form service platforms added a layer of credibility, making it harder for automated systems to flag the attack.
  • Multi-Layered Delivery: The attackers required a user action at each step, including solving multiple captchas. Most sandboxes cannot solve captchas, and because the final landing page sits behind them, the attack evaded sandbox detection.
  • Use of Anti-Debugger Phishing pages: This campaign employs anti-debugger phishing pages to evade detection and analysis by cybersecurity professionals and automated systems. This technique helps in:
    • Bypassing Automated Analysis: Many security solutions, such as sandbox environments and web crawlers, use debugging and instrumentation tools to examine web pages for malicious content. Anti-debugger techniques can detect these automated systems and hinder their ability to identify phishing threats.
    • Delaying Detection: By complicating the analysis process, anti-debugger techniques can delay the identification and reporting of phishing pages, giving attackers more time to exploit the pages before they are taken down.
    • Obfuscation: Anti-debugger methods often involve obfuscating the page's JavaScript or other code, making it harder to reverse-engineer the attack or extract meaningful information about the phishing method.
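The two evasion layers described above, a captcha gate in front of the credential form and anti-debugger or obfuscation code aimed at analysts, leave static traces in the page source even when a sandbox never gets past the challenge. The following is an added example (not NACE's code) of a static scan for those traces; SAMPLE_PAGE is constructed for this example, the sitekey and base64 blob are placeholders, and the pattern lists are illustrative rather than exhaustive.

```python
"""Added example (not NACE's code): static scan of a landing page for the two
evasion layers described above -- a captcha gate in front of the credential
form, and anti-debugger / obfuscation tricks aimed at analysts and sandboxes.
SAMPLE_PAGE is constructed; the sitekey and base64 blob are placeholders."""
import math
import re
from collections import Counter

SAMPLE_PAGE = r"""<html><head>
<script src="https://js.hcaptcha.com/1/api.js" async defer></script>
<script>
setInterval(function () { debugger; }, 100);
if (window.outerWidth - window.innerWidth > 160) { location.replace("about:blank"); }
var k = atob("aHR0cHM6Ly9sb2dpbi5leGFtcGxlL3Bvc3Q=");
eval(function (p, a, c, k, e, d) { return "x"; }("", "", 0, []));
</script></head>
<body>
<div class="h-captcha" data-sitekey="00000000-0000-0000-0000-000000000000"></div>
<form id="signin"><input name="email"><input name="password" type="password"></form>
</body></html>"""

# Script hosts / widget classes of the common interactive challenges.
CAPTCHA_MARKERS = {
    "recaptcha": r"google\.com/recaptcha|g-recaptcha",
    "hcaptcha": r"hcaptcha\.com|h-captcha",
    "turnstile": r"challenges\.cloudflare\.com/turnstile|cf-turnstile",
}
# Anti-analysis idioms seen in phishing kits (illustrative, not exhaustive).
ANTI_ANALYSIS = {
    "debugger_loop": r"set(?:Interval|Timeout)\s*\(.{0,120}?\bdebugger\b",
    "debugger_statement": r"\bdebugger\b",
    "devtools_size_check": r"outerWidth\s*-\s*(?:window\.)?innerWidth|outerHeight\s*-\s*(?:window\.)?innerHeight",
    "console_getter_trap": r"defineProperty\s*\([^,]+,\s*[\"'](?:id|toString)[\"']",
    "dynamic_eval": r"\beval\s*\(|new\s+Function\s*\(",
    "base64_unpack": r"\batob\s*\(",
}
STRING_LITERAL = re.compile(r"[\"']([^\"'\n]{24,})[\"']")
ENTROPY_THRESHOLD = 4.5  # bits per char; base64/packed payloads sit above this


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan_page(html):
    captchas = [n for n, p in CAPTCHA_MARKERS.items() if re.search(p, html, re.I)]
    tricks = [n for n, p in ANTI_ANALYSIS.items() if re.search(p, html, re.S)]
    blobs = [s for s in STRING_LITERAL.findall(html) if shannon_entropy(s) > ENTROPY_THRESHOLD]
    has_password = re.search(r"<input[^>]*type\s*=\s*[\"']?password", html, re.I) is not None
    return {
        "captcha_gates": captchas,
        "anti_analysis": tricks,
        "high_entropy_literals": blobs,
        "credential_form": has_password,
    }


def verdict(scan):
    """Correlate the layers: a credential form that sits behind an interactive
    challenge and ships anti-analysis code is the pattern described above."""
    if scan["credential_form"] and scan["captcha_gates"] and scan["anti_analysis"]:
        return "gated-credential-page"
    if scan["credential_form"] and (scan["captcha_gates"] or scan["anti_analysis"]):
        return "suspicious-credential-page"
    return "no-verdict"


if __name__ == "__main__":
    result = scan_page(SAMPLE_PAGE)
    print(result)
    print(verdict(result))
```

A captcha or a devtools check is not malicious by itself (plenty of legitimate login pages use both), which is why the verdict only fires on the combination with a password field; in practice the page source must be fetched with a real browser profile, since kits that detect crawlers serve a benign page to them.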

This DocuSign-themed phishing campaign underscores the increasing sophistication of attackers in abusing legitimate services to bypass security measures. By creating a convincing facade, leveraging free-form service platforms, and employing multi-step redirections, the attackers effectively exploited corporate users' trust.

Traditional technologies such as signature-based detection, sandboxing and machine/deep learning rely on examining the malicious payload, which often remains hidden during analysis because of evasion techniques. This allows multi-stage, evasive, AI- or threat-actor-generated malicious attachments and call-to-action URLs to reach endpoints.

NACE employs advanced semantic and thematic analysis to comprehend intent, and leverages the contextual relationships between intent, SMTP headers and auxiliary features to classify URLs and attachments as malicious or benign. This moves beyond the traditional reliance on malicious indicators generated by threat actors or AI, to stop evasive threats that other technologies simply cannot identify.

Stay vigilant, stay secure.