
Living Off the Land: Callback Phishing via Docusign comment

Blog post from Sublime Security

Post Details
Date Published:
Author: Brandon Murphy
Word Count: 422
Language: English
Hacker News Points: -
Summary

Sublime's Attack Spotlight series highlights the evolving email threat landscape by showcasing real-world attack samples. This post covers a recent callback phishing attempt exploiting DocuSign, a trusted business service. The attack exemplifies the growing trend of Living Off the Land (LOTL) tactics, in which legitimate platforms are misused to bypass security measures: the attackers send authentic-looking emails from docusign[.]net, which pass sender authentication. The phishing scheme uses PayPal brand impersonation and unusual financial transaction details to create urgency and deceive recipients into calling a listed phone number, potentially leading to credential theft. Sublime employs a multi-layered defense strategy using an AI-powered detection engine to identify and prevent such threats, with a specific focus on brand impersonation, engaging callback language, and suspicious reply-to addresses. The company encourages deploying its free platform to counteract callback phishing, service abuse, and other email-based threats, and also addresses other attack types such as adversarial machine learning extortion, payroll fraud, and business email compromise attempts.