An Armorblox report revealed that threat actors have launched an advanced phishing campaign leveraging DocuSign and a compromised email domain of a third party against a leading US-based integrated payments solution firm in an effort to exfiltrate Microsoft Outlook login credentials, according to Threatpost.
Researchers noted that nearly 550 employees of the targeted firm were sent the same email from "Hannah Mcdonald," which included a link to a revised contract. Recipients who clicked the link were redirected to a DocuSign preview of an electronic document, which researchers found to be hosted on the legitimate cloud-based prototyping portal Axure. Those who entered their login credentials on the phony Microsoft single sign-in login page could have been compromised, researchers said.
Meanwhile, the emails' origin in the TermBrokersInsurance domain helped conceal the campaign.
Armorblox product marketing manager Lauryn Cash said the incident highlighted the importance of integrated cloud email security as part of an organization's collection of security tools.
"Tools that leverage natural language understanding (NLU) can help stop zero-day attacks," Cash said.