Living Off the Land: Credential Phishing via Docusign abuse
Blog post from Sublime Security
Sublime's Attack Spotlight series aims to educate users about email threats, highlighting real-world attacks, adversary tactics, and detection methods. A recent credential phishing attack exploited the trusted Docusign platform to redirect users to a fake Microsoft login page, using high-reputation domains and multiple redirects to evade detection. The phishing attempt includes a fake Microsoft login experience with multiple authentication clicks and CAPTCHA challenges to bypass automated URL analysis. A variant of the attack uses a fake HR email with a QR code to obscure malicious URLs. Sublime's AI-powered detection engine identifies such threats by analyzing suspicious Docusign notifications, new reply-to addresses, and landing pages with phishing indicators. Users can prevent these threats by creating a free Sublime account, which offers customizable protection against credential phishing and other email-based attacks.
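The "new reply-to address" signal mentioned above can be sketched as a header check. This is an added example, not Sublime's detection rule or code from the original post; the Docusign domain list, the seen-address history, and all sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: domains treated as genuine Docusign sending domains.
DOCUSIGN_DOMAINS = ("docusign.net", "docusign.com")

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def _is_docusign(domain):
    return any(domain == d or domain.endswith("." + d) for d in DOCUSIGN_DOMAINS)

def new_reply_tos(raw_message, seen_reply_to):
    """Return Reply-To addresses on a Docusign-sent notification that are
    neither Docusign's own nor present in the seen_reply_to history."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    if not _is_docusign(_domain(sender)):
        return []  # only mail really sent from Docusign is in scope here
    found = []
    for _, addr in getaddresses(msg.get_all("Reply-To", [])):
        addr = addr.lower()
        if addr and not _is_docusign(_domain(addr)) and addr not in seen_reply_to:
            found.append(addr)
    return found

def triage(messages, seen_reply_to):
    """Return (message id, new reply-to addresses) for each flagged message."""
    flagged = []
    for msg_id, raw in messages:
        hits = new_reply_tos(raw, seen_reply_to)
        if hits:
            flagged.append((msg_id, hits))
    return flagged

# Assumption: reply-to addresses already observed in previously delivered mail.
KNOWN = {"contracts@vendor.example"}

# Constructed sample messages (headers only), not taken from the post.
SAMPLES = [
    ("m1", "From: Vendor via Docusign <dse@docusign.net>\n"
           "Reply-To: Contracts <contracts@vendor.example>\n\nbody"),
    ("m2", "From: HR via Docusign <dse@docusign.net>\n"
           "Reply-To: \"HR Team\" <HR-Payroll@Benefits-Portal.example>\n\nbody"),
    ("m3", "From: Docusign <notify@lookalike.example>\n"
           "Reply-To: someone@lookalike.example\n\nbody"),
]

if __name__ == "__main__":
    for msg_id, hits in triage(SAMPLES, KNOWN):
        print(msg_id, "new reply-to:", ", ".join(hits))
```

A first-seen reply-to is a weak signal on its own, since every legitimate new counterparty triggers it once; it is meant to be combined with the other indicators the post lists, such as the landing page analysis.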