Summary:
Cado Security Labs has uncovered a spearphishing campaign targeting tech executives through fraudulent DocuSign emails. These emails mimic legitimate communications to deceive recipients into providing their credentials on malicious sites. The campaign utilizes compromised email accounts and sophisticated tactics to appear authentic, posing a significant threat to organizations.
#DocuSignPhishing #SpearPhishing #CredentialTheft
Keypoints:
Recent spearphishing campaign targeting tech executives using DocuSign emails.
Fraudulent emails mimic legitimate DocuSign communications to steal credentials.
Emails often use compromised accounts to pass DMARC checks.
Japanese email accounts are frequently used due to their higher reputation.
Phishing emails include links to malicious sites disguised as legitimate services.
Obfuscated JavaScript is used to redirect users to credential-stealing pages.
Campaigns aim to steal credentials for further attacks, including BEC scams.
An ongoing issue for organizations, as attackers exploit trusted electronic signature platforms.
Recommendations include marking suspicious emails as spam and enabling 2FA.
MITRE Techniques:
Phishing (T1566): Utilizes fraudulent emails to deceive recipients into providing sensitive information.
Credential Dumping (T1003): Steals user credentials for further exploitation in attacks.
Command and Control (T1071): Redirects users to malicious sites to maintain communication with compromised systems.
IoC:
[domain] yperbole9[.]com
[domain] blegabouc[.]com
[email] @anabuki-enter.co.jp
[email] @jaog.or.jp
[file name] Share transfer & Subscription Agreement_062024.docx Copy.docx_PM5235627.pdf
[file name] NdoGg8EElI
Mitigation:
Mark emails that don’t pass SPF, DKIM, and/or DMARC as spam/suspicious.
Educate employees on identifying phishing emails and appropriate actions.
Verify the sender’s email address instead of relying on aliases.
Avoid clicking links or opening attachments in unsolicited emails.
Enable 2-Factor Authentication (2FA) on all accounts.
Log into DocuSign to verify document legitimacy using the Access Code.
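The first and third mitigations above (treat mail that fails SPF, DKIM or DMARC as suspicious; check the actual sender address rather than the display name) can be automated at the mail gateway or in a SOAR playbook. The following is an added example written for this summary, not code from Cado Security Labs or DocuSign. It parses the Authentication-Results header (RFC 8601) of an inbound message and, separately, flags messages whose display name claims to be DocuSign while the From domain is not on an assumed allow-list (the docusign.com/docusign.net entries, the mx.example.org receiver and every sample message are constructed assumptions, not data from the report). The second check matters because, as the report notes, lures sent from compromised third-party mailboxes pass all three authentication checks.

```python
"""Inbound-mail triage helper (added example, not part of the original report).

Flags a message when (a) SPF, DKIM or DMARC did not pass, or (b) the
display name invokes a known brand but the From domain is not one of that
brand's domains. All sample messages below are constructed.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from typing import Dict, List, Optional

# Assumed allow-list of sending domains per brand; adjust to your environment.
BRAND_DOMAINS = {"docusign": {"docusign.com", "docusign.net"}}

# Matches "spf=pass", "dkim=none", "dmarc=fail" tokens in Authentication-Results.
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def parse_auth_results(header_value: str) -> Dict[str, str]:
    """Map each authentication method to its first reported result."""
    results: Dict[str, str] = {}
    for method, outcome in AUTH_RE.findall(header_value or ""):
        results.setdefault(method.lower(), outcome.lower())
    return results


def failed_auth(results: Dict[str, str]) -> List[str]:
    """Methods that did not return 'pass'. A missing method counts as a failure:
    absence of a check is not evidence the mail is authentic."""
    return [m for m in ("spf", "dkim", "dmarc") if results.get(m) != "pass"]


def brand_mismatch(from_header: str) -> Optional[str]:
    """Return the brand name if the display name or local part claims it
    while the domain is not on that brand's allow-list; else None."""
    display, addr = parseaddr(from_header)
    local, _, domain = addr.partition("@")
    haystack = f"{display} {local}".lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in haystack and domain.lower() not in domains:
            return brand
    return None


def triage(raw_message: str) -> Dict[str, object]:
    """Run both checks over a raw RFC 5322 message and return a verdict."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_header = str(msg.get("From", ""))
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    reasons: List[str] = []
    failures = failed_auth(auth)
    if failures:
        reasons.append("auth_fail:" + ",".join(failures))
    brand = brand_mismatch(from_header)
    if brand:
        reasons.append(f"brand_mismatch:{brand}")
    return {"from": from_header, "auth": auth,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample 1: spoofed lure; SPF and DMARC fail, no DKIM signature.
LURE_SPOOFED = """\
Authentication-Results: mx.example.org;
 spf=fail smtp.mailfrom=example.net; dkim=none;
 dmarc=fail header.from=example.net
From: "DocuSign" <noreply@example.net>
To: ceo@example.org
Subject: Please DocuSign: Share transfer Agreement

Review document
"""

# Constructed sample 2: sent from a compromised third-party mailbox, so every
# authentication check passes; only the brand/domain mismatch gives it away.
LURE_COMPROMISED = """\
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=example.jp; dkim=pass header.d=example.jp;
 dmarc=pass header.from=example.jp
From: "DocuSign via Example Corp" <taro@example.jp>
To: cfo@example.org
Subject: Completed: Subscription Agreement

Review document
"""

# Constructed sample 3: notification from an allow-listed domain, all checks pass.
LEGIT = """\
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=docusign.net; dkim=pass header.d=docusign.net;
 dmarc=pass header.from=docusign.net
From: "Alice via DocuSign" <dse@docusign.net>
To: cfo@example.org
Subject: Alice sent you a document

Review document
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", LURE_SPOOFED),
                      ("compromised", LURE_COMPROMISED),
                      ("legit", LEGIT)):
        print(name, triage(raw))
```

Messages flagged by `triage` are candidates for quarantine or for the "mark as suspicious" banner the report recommends; the verdict should be combined with the user-facing advice above (verify through the DocuSign portal using the Access Code) rather than replace it, since a brand allow-list only catches impersonation of the brands you enumerate.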
Full Research: https://www.cadosecurity.com/blog/the-growing-threat-of-docusign-phishing-attacks