August 12, 2019 By David Bisson < 1 min read

A new phishing campaign leveraged DocuSign branding along with a landing page hosted on Amazon public cloud storage (S3) to target users’ Microsoft Office credentials.

In late July, Proofpoint researchers observed a phishing campaign that used branding from electronic signature service DocuSign to target a small number of individuals in organizations across multiple verticals. Emails directed recipients to a landing page that also contained DocuSign branding on Amazon S3, a phishing site designed to steal users’ Office 365 credentials.

The attackers used extensive XOR obfuscation to safeguard their phishing landing page. Further investigation revealed that the threat actor behind this campaign had hosted other low-volume campaigns on AWS domains. Many of these similarly abused DocuSign and targeted users’ Microsoft Office credentials, but some of those attacks also exploited ShareFile.

A Rise in Cloud-Hosted Phishing Attacks

Cybercriminals have often turned to the cloud to host their phishing landing pages in the past several months. In February, for instance, EdgeWave observed attackers abusing Microsoft Azure to host a landing page for a campaign designed to steal employees’ Facebook credentials.

Netskope detected a similar operation targeting users’ Amazon details just a few months later. Similarly, the Zscaler ThreatLabZ team detected a phishing campaign that leveraged both Microsoft Azure and Microsoft SSL certificates to harvest unsuspecting users’ Outlook credentials.

How Quickly Can You Detect a Phishing Campaign?

Security leaders should consider investing in machine learning solutions to improve the speed at which their defenses can spot and block phishing domains. Analyzing phishing data in machine-deliverable threat intelligence can also help security teams prioritize specific attacks based on their threat rankings.

More from

How to calculate your AI-powered cybersecurity’s ROI

4 min read - Imagine this scenario: A sophisticated, malicious phishing campaign targets a large financial institution. The attackers use emails generated by artificial intelligence (AI) that closely mimic the company's internal communications. The emails contain malicious links designed to steal employee credentials, which the attackers could use to gain access to company assets and data for unknown purposes.The organization's AI-powered cybersecurity solution, which continuously monitors network traffic and user behavior, detects several anomalies associated with the attack, blocks access to the suspicious domains…

Being a good CLR host – Modernizing offensive .NET tradecraft

14 min read - The modern red team is defined by its ability to compromise endpoints and take actions to complete objectives. To achieve the former, many teams implement their own custom command-and-control (C2) or use an open-source option. For the latter, there is a constant stream of post-exploitation tooling being released that takes advantage of various features in Windows, Active Directory and third-party applications. The execution mechanism for this tooling has, for the last several years, relied heavily on executing .NET assemblies in…

The current state of ransomware: Weaponizing disclosure rules and more

4 min read - As we near the end of 2024, ransomware remains a dominant and evolving threat against any organization. Cyber criminals are more sophisticated and creative than ever. They integrate new technologies, leverage geopolitical tensions and even use legal regulations to their advantage.What once seemed like a disruptive but relatively straightforward crime has evolved into a multi-layered, global challenge that continues to threaten businesses and governments alike.Let’s take a look at the state of ransomware today. We’ll focus on how cyber criminals…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today