Trust as a Weapon: Phishing Campaigns Leveraging Legitimate Platforms

In today’s threat landscape, user trust in well-known services has become a prime attack surface. Emails originating from platforms like Asana, Adobe Sign, or Dropbox Sign are often implicitly trusted, leading recipients to skip the scrutiny they would apply to an unknown sender. Threat actors capitalise on this trust to deliver highly convincing phishing lures.
At InceptionCyber, we’ve observed a growing number of campaigns that systematically abuse legitimate services to deliver payloads or credential phishing pages. These attacks are increasingly sophisticated, often blending seamlessly into normal business workflows and evading traditional detection mechanisms.
This blog explores real-world cases where adversaries have exploited reputable platforms to distribute phishing content. We’ll break down how these campaigns are crafted, the motivations behind using such vectors, and the implications for defenders. Ultimately, we aim to highlight the need for deeper inspection of seemingly legitimate emails and the importance of layered defenses in today’s complex threat ecosystem.
Technical Workflow:
How Threat Actors Abuse Legitimate Services for Invoice-Based Callback Phishing
Attackers have developed well-defined methods for leveraging trusted business platforms to deploy phishing campaigns that appear indistinguishable from legitimate communications. Below is a technical breakdown of how these platforms are misused:
Step 1: Create Accounts on Trusted Platforms
Threat actors begin by creating accounts on services commonly used for document sharing, signing, and task management, including HelloSign (now Dropbox Sign), DocuSign, Adobe Sign, and Asana.
These services allow users to sign up with just an email address (often a temporary or compromised mailbox). Many platforms offer free trials or limited-use tiers, making them low-cost entry points.
- No domain ownership verification is required for sending requests or uploading documents.
- Free tiers allow document upload, signature requests, or task creation with custom messages.
- Services do not validate the authenticity of the document contents or sender branding.
Step 2: Craft the Phishing Payload
The attacker creates documents or task notifications that impersonate brands such as:
- Norton – fake invoice for annual renewal of antivirus.
- Geek Squad – false billing notification.
- Adobe Premiere Pro – renewal confirmation and billing query.
- McAfee, Best Buy, LifeLock, etc.
Tactics used in the documents or task descriptions:
- Fake invoice numbers, customer case IDs, and support ticket references.
- A note urging the user to call a customer support number (callback phishing).
- Fake contact addresses such as support@norton-securemail.com or billing@geeksquad-helpdesk.com, hosted on lookalike domains registered by the attacker.
- Message includes urgent language: “If this charge was not authorized, contact our billing team immediately at [phone number]”.
[Screenshot: sample lure delivered via Adobe Sign]
Step 3: Delivery Through Trusted Channels
The phishing payload is sent via the platform’s native delivery mechanism, which gives it legitimacy:
- HelloSign / DocuSign / Adobe Sign: Sends an email like “You’ve received a document to sign from [attacker name]”. The email is sent from a valid platform domain (e.g., @hellosign.com, @docusign.net).
- Asana: Sends an automated task or project invitation that includes the phishing message in the task description or comments.
Technical Advantage:
- Emails pass SPF, DKIM, and DMARC.
- Source IPs belong to the email delivery providers these platforms use (e.g., Amazon SES, Mailgun, SendGrid), which are allowlisted in many environments.
- Email subject lines mimic legitimate communications: “Invoice Available for Adobe Premiere Pro Renewal”, “Action Required: Geek Squad Auto-Renewal”.
[Screenshot: sample lure delivered via Asana]
Step 4: Callback Phishing Intent
These attacks are not link-based. Instead, they rely on user-initiated contact:
- The user is tricked into calling the provided phone number.
- Upon calling, they are connected to a scammer posing as a support rep, who may:
  - Request remote access via AnyDesk or TeamViewer.
  - Ask for credit card details to “cancel the subscription.”
  - Persuade the victim to install malware under the guise of resolving billing issues.
  - Attempt bank account manipulation or further social engineering.
More Real Abuse Examples (Indicators)
[Screenshot: sample lure delivered via DocuSign]
[Screenshot: sample lure delivered via HelloSign (Dropbox Sign)]
Why Attackers Leverage Legitimate Services
The use of trusted platforms in phishing campaigns is not coincidental—it's a calculated move by threat actors to increase both delivery success and user engagement. Here’s why this technique is particularly effective:
- Higher Success Rates Compared to Traditional Phishing
Phishing emails that abuse legitimate services often achieve far higher success rates than generic spam campaigns. By embedding the lure within the context of a real service, such as an e-signature request or a shared document, attackers exploit the inherent trust users place in these platforms. Recipients are more likely to open the document, follow a link, or call the number provided when the message appears to come from a familiar, widely used business tool.
- Bypasses Email Security Controls
Because these emails are routed through the infrastructure of trusted services (e.g., Asana, DocuSign, Dropbox Sign), they bypass many traditional perimeter defences such as sender-domain reputation and first-time-sender checks. Corporate email gateways, which typically rely on sender reputation and content heuristics, allow these messages through without triggering alerts; the platforms are on allowlists in many environments, reducing the likelihood of quarantine or blocking.
- SPF, DKIM, and DMARC All Pass
One of the key reasons these emails evade detection is that they originate from legitimate domains with properly configured SPF, DKIM, and DMARC records. Because every authentication check passes, no red flags are raised during email validation and the messages blend in with genuine business communication. Note that a passing result only attests that the platform sent the message; it says nothing about whether the content is trustworthy.
- Legitimacy Through Familiar Format
The use of invoice-themed lures from e-signature or document platforms (e.g., DocuSign, Dropbox Sign) adds another layer of credibility. These services naturally send invoices, signature requests, and financial documents as part of their core functionality. When users receive such messages, especially in busy work environments, they are less likely to question the legitimacy of the content or verify the sender.
Bypassing Domain/URL Reputation checks through the use of Trusted Domains
Modern security solutions often rely on auxiliary telemetry, such as DNS resolution patterns, URL reputation, and domain classification to detect suspicious activity. These mechanisms are particularly effective against newly registered domains, low-reputation infrastructure, or domains queried infrequently across global DNS resolvers.
Here's how it typically works:
- When a domain from an email is resolved (by the gateway, a sandbox, or the recipient's client), resolver telemetry records query volume, query sources, and resolution timing.
- Security backends use this data to compute features such as:
  - Number of unique clients querying the domain.
  - Geo-distribution and behavioural patterns of those queries.
  - Age and registration details of the domain (via WHOIS).
- Low-volume, recently registered domains with limited query diversity are flagged as suspicious or malicious.
This model breaks down in the case of trusted-service abuse. In these phishing scenarios:
- URLs and payloads are hosted on legitimate infrastructure such as:
  - docusign.net
  - app.hellosign.com
  - asana.com
  - storage.googleapis.com
  - appspot.com
- DNS queries for these domains are ubiquitous, because the same domains serve both legitimate and malicious traffic.
- There is no domain-age anomaly, no low resolution volume, and no unusual DNS behaviour to distinguish the phishing attempt.
- As a result, by the time any anomaly is noticed (e.g., repeated resolution from infected hosts), the phishing workflow is usually complete.
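The following Python script is an added example, not code from InceptionCyber or from any of the platforms named above. It computes the reputation features just listed over a constructed passive-DNS style telemetry set and constructed registration dates (not real WHOIS data), with assumed thresholds, and shows why the telemetry model has nothing to say about a lure relayed through a trusted platform domain: the attacker-registered lookalike domain trips every heuristic, while docusign.net is indistinguishable from its own legitimate traffic.

```python
# Added example: domain reputation features and their blind spot for trusted
# platform abuse. Telemetry rows, registration dates and thresholds are all
# constructed for illustration (the dates are not real WHOIS data).
from datetime import date

# Constructed passive-DNS style records: (domain, client_id, client_country).
# Each row is one resolver query observed from one client.
DNS_QUERIES = [
    ("docusign.net", f"client-{i}", country)
    for i, country in enumerate(["US", "DE", "IN", "BR", "JP", "GB", "AU", "FR"] * 25)
] + [
    ("norton-securemail.com", "client-7", "US"),
    ("norton-securemail.com", "client-7", "US"),
    ("norton-securemail.com", "client-91", "US"),
]

# Constructed registration data standing in for WHOIS creation dates.
REGISTRATION = {
    "docusign.net": date(2003, 1, 1),
    "norton-securemail.com": date(2025, 4, 10),
}
OBSERVED_ON = date(2025, 4, 21)


def domain_features(domain, queries=DNS_QUERIES, registration=REGISTRATION,
                    today=OBSERVED_ON):
    """Aggregate the per-domain features a reputation backend would derive."""
    rows = [q for q in queries if q[0] == domain]
    created = registration.get(domain)
    return {
        "query_volume": len(rows),
        "unique_clients": len({client for _, client, _ in rows}),
        "countries": len({country for _, _, country in rows}),
        "age_days": (today - created).days if created else None,
    }


def reputation_verdict(features, min_age_days=90, min_clients=20, min_countries=3):
    """Score the features with assumed thresholds; returns (verdict, reasons)."""
    reasons = []
    if features["age_days"] is None or features["age_days"] < min_age_days:
        reasons.append("recently registered or unknown registration")
    if features["unique_clients"] < min_clients:
        reasons.append("low query diversity")
    if features["countries"] < min_countries:
        reasons.append("narrow geo-distribution")
    return ("suspicious" if reasons else "benign"), reasons


def reputation_signal(email_domains):
    """Domains in a message that reputation telemetry would flag.

    An empty list means this control has nothing to say about the email.
    """
    return [d for d in email_domains
            if reputation_verdict(domain_features(d))[0] == "suspicious"]


if __name__ == "__main__":
    # Traditional lure linking to an attacker-registered lookalike domain.
    print(reputation_signal(["norton-securemail.com"]))
    # Same lure relayed by DocuSign: sender and every link are docusign.net.
    print(reputation_signal(["docusign.net"]))
```

The lookalike domain is flagged on all three features (age, client diversity, geo-distribution); the DocuSign-relayed message yields an empty signal list, which is exactly the gap the next section's content-based approach has to cover.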
NACE™ Detection Approach
The Neural Analysis and Correlation Engine (NACE™) is purpose-built to detect advanced phishing threats that bypass conventional security controls, including those that leverage trusted services. NACE identified the platform-abuse campaigns described above as phishing.
At the core of NACE's detection strategy is intent recognition: the purpose, or deeper meaning, of an email is used as a primary feature for decision making. Rather than relying solely on static indicators such as sender domain or URL reputation, NACE begins by analysing the semantic meaning of the message to identify its underlying purpose, such as initiating a payment, requesting account verification, or prompting a callback.
NACE models also detect brand impersonation themes, specifically focusing on co-occurrence between impersonated brands (e.g., Norton, Geek Squad, DocuSign) and features like callback numbers, invoice urgency, or account renewal semantics.
To achieve this:
- NACE leverages Sentence Transformers to generate semantic embeddings for the full email content.
- These embeddings are compared by cosine similarity against a curated repository of known intents to identify the purpose of the email, in particular whether it is a callback-phishing or impersonation lure.
- When a high-confidence match is found, the contextual relationship between that intent and auxiliary features (the presence of phone numbers, impersonated brands, the hosting platform such as DocuSign or Dropbox Sign, and the visual and structural layout of attachments or linked pages) is used to reach a phishing verdict.
This multi-layered AI-driven analysis enables NACE to accurately flag phishing emails—even when they originate from legitimate, trusted platforms and pass traditional email authentication mechanisms like SPF, DKIM, and DMARC.
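An added worked example, not InceptionCyber's code and not NACE itself: the script below follows the three steps just described (embed the message, compare it against an intent repository by cosine similarity, then correlate the matched intent with auxiliary features) using only Python's standard library. Term-frequency vectors stand in for sentence-transformer embeddings so it runs offline, and the intent repository, the trusted-platform and brand lists, the score threshold, and both sample messages (including the fictional phone number) are constructed for the demonstration.

```python
# Added example: intent-plus-context scoring for callback phishing relayed by a
# trusted platform. TF vectors + cosine similarity stand in for sentence
# transformer embeddings; repository, lists and messages are constructed.
import math
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

INTENT_REPOSITORY = {  # one canonical description per purpose (constructed)
    "callback_billing": "your subscription has been renewed and charged; if you "
                        "did not authorize this charge call our billing team "
                        "immediately at the phone number to cancel",
    "signature_request": "please review and sign the attached agreement document "
                         "at your earliest convenience",
    "task_assignment": "you have been assigned a new task in the project; see "
                       "the description and comments for details",
}
IMPERSONATED_BRANDS = {"norton", "geek squad", "mcafee", "lifelock", "best buy",
                       "adobe premiere pro"}
TRUSTED_PLATFORMS = {"docusign.net", "hellosign.com", "asana.com"}
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")


def tokens(text):
    return re.findall(r"[a-z]+", text.lower())


def cosine(a, b):
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    norm = (math.sqrt(sum(v * v for v in a.values()))
            * math.sqrt(sum(v * v for v in b.values())))
    return dot / norm if norm else 0.0


def classify_intent(body):
    """Nearest repository intent by cosine similarity of term-frequency vectors."""
    vec = Counter(tokens(body))
    scores = {name: cosine(vec, Counter(tokens(desc)))
              for name, desc in INTENT_REPOSITORY.items()}
    best = max(scores, key=scores.get)
    return best, round(scores[best], 3)


def analyze(raw_email):
    msg = message_from_string(raw_email)
    from_domain = parseaddr(msg["From"])[1].split("@")[-1].lower()
    auth = (msg.get("Authentication-Results") or "").lower()
    auth_pass = all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc"))
    body = msg.get_payload()
    text = f"{msg['Subject'] or ''}\n{body}"
    intent, score = classify_intent(body)
    phones = PHONE_RE.findall(text)
    brands = sorted(b for b in IMPERSONATED_BRANDS if b in text.lower())
    # Verdict keys on intent correlated with a callback number and an impersonated
    # brand; an authenticated, allowlisted sender does not override it.
    is_phish = (intent == "callback_billing" and score >= 0.4
                and bool(phones) and bool(brands))
    return {"from_domain": from_domain, "auth_pass": auth_pass,
            "via_trusted_platform": from_domain in TRUSTED_PLATFORMS,
            "intent": intent, "intent_score": score, "phones": phones,
            "brands": brands, "verdict": "phishing" if is_phish else "benign"}


# Constructed samples: a Norton-themed callback lure relayed by DocuSign and a
# genuine signature request from the same platform. The phone number is fictional.
AUTH = ("Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=docusign.net; "
        "dkim=pass header.d=docusign.net; dmarc=pass header.from=docusign.net")
PHISH = f"""\
From: DocuSign <dse@docusign.net>
Subject: Invoice Available for Norton Antivirus Renewal
{AUTH}

You've received a document to sign from Norton Billing Desk.
Invoice INV-0001, Case ID CS-0001
Your Norton annual antivirus subscription has been renewed and 349.99 USD was charged to your card.
If this charge was not authorized, contact our billing team immediately at +1 (888) 555-0142 to cancel.
"""
LEGIT = f"""\
From: DocuSign <dse@docusign.net>
Subject: Please DocuSign: Master Services Agreement
{AUTH}

Alice Example at Example Corp has sent you a document to review and sign.
Please review and sign the Master Services Agreement at your earliest convenience.
The document will be available for 30 days.
"""

if __name__ == "__main__":
    for name, raw in (("lure", PHISH), ("legitimate", LEGIT)):
        print(name, analyze(raw))
```

Running it returns a phishing verdict for the Norton-themed lure even though its sender domain is docusign.net and its Authentication-Results header reports spf, dkim and dmarc as pass, and a benign verdict for the genuine signature request from the same platform. Sender reputation and authentication are recorded but deliberately not used to clear a message; the decision rests on what the email asks the recipient to do. In production the term-frequency vectors would be replaced by the embedding model and the threshold calibrated on labelled mail.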
Conclusion
The exploitation of legitimate platforms like HelloSign, DocuSign, Asana, and Adobe Sign marks a significant evolution in phishing tactics. Rather than relying on suspicious domains or traditional payload delivery, threat actors now craft credible, interaction-based lures that easily bypass conventional security layers—appearing authentic to both users and automated defenses.
By leveraging the inherent trust users place in these services, attackers gain a substantial advantage: emails pass SPF, DKIM, and DMARC checks, evade URL-based detection, and blend seamlessly into normal communication flows. Combined with callback phishing elements, fake case IDs, and impersonated brand language, these campaigns become highly effective and difficult to detect.
InceptionCyber.ai's Neural Analysis and Correlation Engine (NACE) uses AI-powered intent recognition (the purpose and deeper meaning of an email) together with the contextual relationship between that intent and auxiliary features to detect phishing attempts.
As phishing threats continue to evolve, staying informed and investing in advanced detection strategies is essential.
👉 Explore more on phishing defense: https://inceptioncyber.ai/stop-phishing-and-malicious-urls
Apr 21, 2025 4:15:43 PM