DocuSign Themed Phishing Using Cloud Storage

Researchers at Proofpoint have published their analysis of an ongoing phishing campaign that targets specific individuals with DocuSign-themed lures and uses a public cloud storage service to host its landing pages. The targeted users come from a variety of companies, and there appears to be no industry-specific targeting.

The landing pages contain obfuscated JavaScript code and draw resources from multiple sites, some of which have TLS certificates associated with the email address contained in the list of IoCs below.

The listed domains presently have TLS certificates from “Let’s Encrypt” and all appear to have been registered by “[email protected]”.

Malicious email template sent using stolen DocuSign branding – Image via Proofpoint

Indicators of Compromise

Domains

  • postmasterpledge.ru
  • dataanarchyofsons.site
  • whistleobohemian.info
  • 300spartans.dancelikejoseph.xyz
  • xplicate.dancelikejoseph.info
  • dancelikejoseph.site

IP Addresses

  • 185.255.79.118
  • 194.58.112.174
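
To check web proxy logs against the indicators above, the following added example (not from Proofpoint or the original post) flags requests whose destination host is a listed IP address, a listed domain, or a subdomain of a listed domain. The log format and the sample lines are constructed for illustration, and treating subdomains as matches is an assumption of this example.

```python
from urllib.parse import urlsplit

# Indicators copied from the lists above.
IOC_DOMAINS = {
    "postmasterpledge.ru", "dataanarchyofsons.site", "whistleobohemian.info",
    "300spartans.dancelikejoseph.xyz", "xplicate.dancelikejoseph.info",
    "dancelikejoseph.site",
}
IOC_IPS = {"185.255.79.118", "194.58.112.174"}

# Constructed sample log (assumed format: time client method target status).
SAMPLE_LOG = [
    "2024-01-01T09:00:01Z 10.0.0.5 GET https://300spartans.dancelikejoseph.xyz/app.js 200",
    "2024-01-01T09:00:02Z 10.0.0.5 GET https://dancelikejoseph.xyz/ 200",
    "2024-01-01T09:00:03Z 10.0.0.7 CONNECT cdn.Postmasterpledge.ru:443 200",
    "2024-01-01T09:00:04Z 10.0.0.8 GET https://notdancelikejoseph.site/ 200",
    "2024-01-01T09:00:05Z 10.0.0.9 GET http://185.255.79.118/x 200",
    "2024-01-01T09:00:06Z 10.0.0.9 GET https://example.com/?u=whistleobohemian.info 200",
]

def match_host(host):
    """Return the indicator that host matches, or None."""
    host = host.strip().rstrip(".").lower()
    if host in IOC_IPS:
        return host
    labels = host.split(".")
    # Compare whole labels only: a subdomain of a listed name matches, but a
    # parent (dancelikejoseph.xyz) or look-alike (notdancelikejoseph.site) does not.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None

def scan(lines):
    """Return (line_number, client, indicator) for every request to a listed host."""
    hits = []
    for number, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines
        target = fields[3]
        if "://" not in target:
            target = "//" + target  # CONNECT targets are host:port with no scheme
        ioc = match_host(urlsplit(target).hostname or "")
        if ioc:
            hits.append((number, fields[1], ioc))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Only the destination host is compared, so an indicator that appears solely in a URL path or query string (the last sample line) is not reported.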

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.
