In recent months, we’ve seen a rise in volumetric phishing attacks that lack the consistency typical of volumetric phishing attacks. Unlike attacks that use minor customizations (e.g. filling in the recipient’s email address for example), these attacks often use a wide variety of different subject lines, email content, email addresses, display name spoofs, and destination URLs.
Let’s take a look at one example, identified around noon ET on April 9. Found in 26% of our customer base, the attack is designed to look like a notification from DocuSign. DocuSign, like many well-known companies, is often the reputation target of brand impersonations. What’s notable however is that across the attack data set we identified: 2 sender email addresses, 3 display name variations, 3 subject lines, 6 different return paths, and 10 root destination domains. Such wide variability makes it harder for tools that rely heavily on threat intelligence to identify new threat variants before a user interacts with the email.
In addition to this variation in component parts, the attack also reemphasized how attackers use preexisting domains with lengthy histories (in this case, the sending domains and destination URLs were established in 2016 and 2017) – either set up by legitimate businesses and then hacked or purchased, or that were registered by the attackers themselves with an eye toward future use. While the creation of a new domain can certainly be one indicator of a potentially malicious website, attackers frequently use older domains to carry out their attack.
More details on this attack can be found below, but you can be sure to see more of this in the future.
GreatHorn Security Response:
- Attack emails within GreatHorn’s customer base were correctly identified as suspicious under GreatHorn’s proactive threat detection techniques
- All attack emails within GreatHorn’s customer base have been removed from both customer inboxes and junk folders.
- All customers of GreatHorn Email Security can rest assured that this destination has been added to GreatHorn’s blacklist, ensuring that all future emails will be blocked
- GreatHorn customers will also see a new DocuSign-specific policy in their policy engine
- Subject lines vary but reference a DocuSign “notification” or “invoice.” GreatHorn saw the following subject lines:
- “You got notification from DocuSign Electronic Signature Service”
- “You received notification from DocuSign Signature Service”
- “You received invoice from DocuSign Service”
- The sender email address was consistently from either [email protected] or [email protected], with half a dozen different return paths, and a display name that appeared as one of the following:
- DocuSign Electronic Signature and Invoice
- DocuSign Signature Service
- DocuSign Signature
- Destination URLs were varied – with at least 10 different variants used, including root domains such as:
We are continuing to monitor for new variations of this attack and will provide additional information and remediation support as our investigation continues.
If you have any questions or concerns, please feel free to contact the GreatHorn team at [email protected].