DocuSign-Themed Phishing Campaign Exploits Trust in Legitimate Platforms

Quick Read:

• Phishing Strategy: Impersonation of DocuSign through email and PDF attachment.
• Tactics Observed:
  • No “To:” header in the email, leveraging SMTP envelope for delivery.
  • PDF attachment redirects to a JotForm-hosted fake e-signature page.
  • Multi-layered redirections ending in a phishing page protected by hCaptcha.
• Deployment: NACE deployed to analyze emails behind G-Suite.
• Detection Status: Only 3 out of 96 Anti-Virus vendors, along with NACE detected Phishing at the time of writing blog.

1. Email and Attachment: A Convincing Facade

The attackers carefully crafted the email and attachment to bypass detection and trick victims into interacting with the malicious content.

Header Observations

• Absence of “To:” Header: The email lacks a visible recipient header, indicating the attackers used the SMTP envelope to deliver the email directly to the victim.
  
  RFC 5321, requires at least one recipient in the envelope of the email message, either in the To, Cc, or Bcc fields. SMTP itself does not enforce the presence of a visible To field in the email header, as long as the recipient is specified in the SMTP envelope during transmission.

• SPF is none: No SPF record found for the domain qualityflags[.]com to specify which servers are authorized to send emails on behalf of that domain. This indicates that the domain lacks proper SPF configuration.

PDF Attachment

The attached PDF file is disguised as an official DocuSign document, complete with branding and calls to action. It plays a critical role in luring the victim into clicking the embedded link.

2. Redirection Chain: Exploiting Trust in Trusted Platforms

Once the victim interacts with the PDF, the campaign shifts into its second phase: a series of redirections designed to maintain credibility and evade detection.

Stage 1: JotForm Redirection

The PDF link directs victims to a JotForm-hosted page. This page, designed to mimic a DocuSign e-signature request, capitalizes on the trust associated with JotForm's legitimate domain.

From JotForm, victims are led to another link embedded in the fake e-signature page. This obfuscates the true intent of the attack, delaying suspicion.

Stage 2: Final Phishing Page

The final phishing page includes an hCaptcha challenge to create an illusion of authenticity and block automated analysis. Once the hCaptcha is solved, victims are prompted to enter their corporate credentials, enabling the attackers to harvest sensitive information.

NACE^TM Detection Approach

Figure: NACE semantic based approach

This email was flagged as malicious by InceptionCyber’s Neural Analysis and Correlation Engine (NACE)  semantic and thematic analysis aided to identify the intent of an email. Contextual relationship between the features from email headers, file attachments aided to classify the email as a Phishing attempt.

Header and Subject Features

The analysis of the SMTP features extracted following features from email:

• auth_spf_none is valid and commonly encountered in  when the sender’s domain has either:
  • The domain in the MAIL FROM or HELO/EHLO does not have a valid Sender Policy Framework (SPF) record set up in the DNS.
  • The email is sent from an IP address or server not listed in the domain’s SPF record (if one exists).

The SPF record may exist but is misconfigured or missing the correct sender IPs or might not be accessible due to DNS resolution problems at the time of sending. Around 10-15% of emails globally fall under the “no SPF” category.

• Missing “To:” Header: NACE identified the absence of a visible ‘To’ header field.
• The presence of an webmail X-Mailer agent (uses_xmailer_agent), signaled that the email was likely programmatically sent.
• Call to action semantics was identified in the subject.

Attachment Features

The single-page PDF attachment triggered several critical features for correlation, including:

• Brand Identification: CLIP (Contrastive Language-Image Pre-training) aided to identify the brand as DocuSign brand. A tactic often employed in phishing campaigns.
• Embedded URL: The PDF contained a URL pointing to a free form service domain and utilized a CDN service.

• Domain identification: We were able to identify that domain was a free form service.

The comprehensive feature extraction and the contextual relationships between intent, SMTP headers, and file attributes enabled NACE to classify the attachment as phishing without relying on the landing phishing URL. The approach taken by NACE differs from traditional technologies that rely on payload inspection or final landing URL analysis for decision-making

At the time of writing the blog only 3 out of 96 Anti-Virus vendors are classifying this URL as phishing.

Figure: VirusTotal detection for URL

Campaign Insights and Analysis

This campaign demonstrates a sophisticated approach by blending social engineering with the abuse of legitimate platforms. Key observations include:

• Evasion Tactics: The absence of a To: header, along with a misconfigured SPF record, allowed the email to bypass detection mechanisms like sender domain reputation.
• Legitimate Service Exploitation: Hosting malicious content on JotForm added a layer of credibility, making it harder for automated systems to flag the attack.
• Multi-Layered Delivery: The attackers crafted their approach to require user actions at each step, including solving an hCaptcha, effectively bypassing sandbox technology. Since sandboxes lack the ability to solve captchas and the final landing page is concealed behind the captcha, the attack successfully evaded detection.

This DocuSign-themed phishing campaign underscores the increasing sophistication of attackers in abusing legitimate services to bypass security measures. By creating a convincing facade, leveraging platforms like JotForm, and employing multi-step redirections, the attackers effectively exploited corporate users' trust. 

Traditional technologies like signature-based detection, sandboxing, and machine learning/deep learning rely on examining malicious payloads, which often remain hidden during analysis due to evasion techniques. This allows multi-stage, evasive, AI or threat actor generated malicious attachments and call-to-action URLs to reach endpoints. NACE leverages the semantic and thematic structures embedded in emails, to understand the intent and uses that as feature set,  rather than relying solely on the malicious payload, which is the root cause of evasion of the current technologies.

Stay vigilant, stay secure.