Proofpoint Alert Details
Alert ID: PROOFPOINT-PHISH-1566-7842
Alert Time: 2024-02-12 09:30:15 EST
Severity: HIGH (85/100)
Source: Proofpoint Targeted Attack Protection (TAP)
Rule: “Credential Phishing – Brand Impersonation”
MITRE ATT&CK: T1566 – Phishing
Alert Details:
Email Analysis Report:
Sender: noreply@docusign-verify[.]net
Reply-To: support@document-processing[.]com
Subject: “Action Required: Document Ready for Signature – DocuSign”
Recipients: 124 employees (All departments)
Time: 2024-02-12 09:15 EST
Email Headers:
– Return-Path: bounce@marketing-server[.]ru
– SPF: FAIL (sender IP 185.143.221[.]67 not authorized)
– DKIM: none
– DMARC: FAIL
– X-Originating-IP: 185.143.221[.]67
Email Body:
“Dear Employee,
You have a document ready for signature via DocuSign.
Document: Q1_Sales_Contract_2024.pdf
Sender: Legal Department
Deadline: 24 hours
To review and sign this document, please click the secure link below:
This link will expire in 24 hours.
Thank you,
DocuSign Team”
URL Analysis:
– Domain: docusign-document[.]com
– Registration: 2024-02-11 (1 day ago)
– Registrar: Namecheap (privacy protected)
– Hosting IP: 185.143.221[.]67 (Bulgaria)
– URLScan.io: Phishing page mimicking DocuSign login
– VirusTotal: 52/94 vendors flag as malicious
Attachment: None (link-based phishing)
Threat Intelligence:
– Domain pattern matches known DocuSign phishing campaign
– IP 185.143.221[.]67 associated with TA571 (credential harvesting)
– Similar emails targeting multiple industries this week
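The header and URL findings above lend themselves to an automated first pass before an analyst opens the ticket. The following is an added example, not Proofpoint code or the SOC's own tooling: it applies the same checks in Python (authentication results, Return-Path and Reply-To domain agreement with the From domain, a brand keyword in a domain the brand does not own, and link-domain age). The header values are constructed from the alert text and refanged; the score weights, the 7-day "newly registered" threshold and the BRAND_DOMAINS list are assumptions, not Proofpoint's scoring.

```python
"""First-pass triage heuristics for a suspected brand-impersonation email.

Added example, not vendor code. The weights and thresholds are assumed.
"""
from datetime import date
from typing import Optional

# Constructed sample built from the alert above, refanged so it parses as
# real addresses. Production tooling would read these from the EML file.
SAMPLE = {
    "From": "noreply@docusign-verify.net",
    "Reply-To": "support@document-processing.com",
    "Return-Path": "bounce@marketing-server.ru",
    "Authentication-Results": "spf=fail; dkim=none; dmarc=fail",
    "link_domain": "docusign-document.com",
    "link_registered": date(2024, 2, 11),
    "received": date(2024, 2, 12),
}

# Brands the organisation legitimately receives mail from, mapped to the
# domains the brand really sends from (assumed list for this example).
BRAND_DOMAINS = {"docusign": {"docusign.net", "docusign.com"}}

NEW_DOMAIN_DAYS = 7  # assumed threshold for "newly registered"


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return addr.rsplit("@", 1)[-1].strip("<> ").lower()


def registrable(domain: str) -> str:
    """Crude registrable domain: last two labels (enough for .com/.net/.ru)."""
    return ".".join(domain.lower().split(".")[-2:])


def impersonates(domain: str) -> Optional[str]:
    """Return the brand name if the domain contains a brand keyword but is
    not one of that brand's real domains; otherwise None."""
    reg = registrable(domain)
    for brand, legit in BRAND_DOMAINS.items():
        if brand in reg and reg not in legit:
            return brand
    return None


def triage(msg: dict) -> tuple[int, list[str]]:
    """Score the message 0-100 and list every reason that contributed."""
    score, reasons = 0, []
    auth = dict(
        kv.strip().split("=", 1)
        for kv in msg["Authentication-Results"].split(";")
        if "=" in kv
    )
    if auth.get("spf") == "fail":
        score += 20; reasons.append("SPF fail")
    if auth.get("dkim") != "pass":
        score += 10; reasons.append(f"DKIM {auth.get('dkim')}")
    if auth.get("dmarc") == "fail":
        score += 20; reasons.append("DMARC fail")

    # Envelope sender and Reply-To should normally share the From domain.
    from_dom = registrable(domain_of(msg["From"]))
    if registrable(domain_of(msg["Return-Path"])) != from_dom:
        score += 10; reasons.append("Return-Path domain differs from From")
    if registrable(domain_of(msg["Reply-To"])) != from_dom:
        score += 10; reasons.append("Reply-To domain differs from From")

    # Brand keyword in the sender domain or the link domain, but not the
    # brand's real domain, is the impersonation pattern the alert describes.
    for field in ("From", "link_domain"):
        dom = domain_of(msg[field]) if "@" in msg[field] else msg[field]
        brand = impersonates(dom)
        if brand:
            score += 15; reasons.append(f"{field} impersonates {brand}: {dom}")

    age = (msg["received"] - msg["link_registered"]).days
    if age < NEW_DOMAIN_DAYS:
        score += 15; reasons.append(f"link domain registered {age} day(s) before receipt")
    return min(score, 100), reasons


if __name__ == "__main__":
    total, why = triage(SAMPLE)
    print(f"score={total}")
    for reason in why:
        print(" -", reason)
```

The reasons list, not the number, is what an analyst wants in the ticket: every one of the eight findings above maps to a line in the alert (SPF/DKIM/DMARC, the `.ru` Return-Path, the unrelated Reply-To, two "docusign" lookalike domains, and a registration one day before delivery).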
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify email analysis in Proofpoint | Proofpoint TAP Console | Confirmed malicious DocuSign phishing |
| 2. URL Analysis | Investigate phishing domain | URLScan.io, VirusTotal | Domain hosts fake DocuSign login page |
| 3. Recipient Identification | Identify all targeted users | Proofpoint Logs, AD | 124 users across all departments |
| 4. Email Remediation | Quarantine and remove emails | Proofpoint, Exchange Online | All 124 emails quarantined; purged from inboxes |
| 5. User Notification | Alert targeted users | Email, Teams, Slack | All users notified; 3 reported clicking link |
| 6. Click Investigation | Check if any credentials entered | CrowdStrike Falcon, Web Logs | 3 users clicked link but did not enter credentials |
Jira Incident Report
Ticket: SOC-2024-061
Summary: T1566 – DocuSign Credential Phishing Campaign
Status: RESOLVED
Resolution: MALICIOUS – Phishing Blocked
Priority: P2 – MEDIUM
Labels: T1566, phishing, credential-harvesting, docusign, proofpoint
Components: Email-Security, Phishing-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
- Detection Source: Proofpoint Targeted Attack Protection (TAP).
- Alert: “Credential Phishing – Brand Impersonation”.
- Targets: 124 employees (all departments).
- Time: 2024-02-12 09:30 EST.
- Technique: MITRE ATT&CK T1566 – Phishing.
2. Technical Analysis:
- Email Details:
  - Sender: noreply@docusign-verify[.]net (spoofed)
  - Subject: “Action Required: Document Ready for Signature – DocuSign”
  - Theme: Urgent document signature request
  - Social Engineering: Legitimate DocuSign branding, 24-hour deadline
- Infrastructure Analysis:
  - Domain: docusign-document[.]com (registered 2024-02-11)
  - IP: 185.143.221[.]67 (Bulgaria VPS)
  - Hosting: Fake DocuSign login page capturing credentials
  - SSL: Let’s Encrypt certificate issued to “DocuSign Secure”
- Email Authentication:
  - SPF: FAIL (sender not authorized)
  - DKIM: none
  - DMARC: FAIL
  - Confirmed spoofing attempt
- Campaign Impact:
  - 124 internal recipients
  - All emails quarantined within 15 minutes of delivery
  - 3 users clicked link (but did not enter credentials)
  - No credentials compromised
3. Investigation Findings:
- Timeline:
  09:15 – Email delivered to 124 users
  09:18 – Proofpoint TAP analyzes and flags as malicious
  09:20 – Email automatically quarantined
  09:30 – SOC alert generated
  09:32 – Investigation begins
  09:35 – All users notified
  09:40 – 3 clickers identified and interviewed
  09:45 – Domain/IP added to blocklists
- Click Analysis:
  - 3 users clicked link (Sales, Marketing, HR)
  - All reported landing on “DocuSign login page”
  - None entered credentials (suspicious URL raised flags)
  - Endpoint scans showed no compromise
- Indicators of Compromise (IoCs):
  Email:
  – Sender: noreply@docusign-verify[.]net
  – Subject: “Action Required: Document Ready for Signature – DocuSign”
  Network:
  – Domain: docusign-document[.]com
  – IP: 185.143.221[.]67
  – URL: hxxps://docusign-document[.]com/verify/NDg3Mjg0NzI=
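The IoC list is defanged so nobody clicks it by accident, but the firewall, DNS and proxy blocks in the next section need the live form. The following is an added example, not part of the report or of any vendor product: it parses indicators written in this section's format, refangs them, validates the IP, derives a hosts-style DNS sinkhole list and a proxy URL list (assumed output formats), and defangs indicators again for sharing. The sample text is the IoC block of this report.

```python
"""Refang the report's IoCs into blocklist entries and defang them for sharing.

Added example, not from the report or any vendor tool. The output formats
(hosts-style sinkhole lines, a plain URL list) are assumed targets.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: the IoC section of the report above, verbatim.
IOC_TEXT = """
Email:
– Sender: noreply@docusign-verify[.]net
Network:
– Domain: docusign-document[.]com
– IP: 185.143.221[.]67
– URL: hxxps://docusign-document[.]com/verify/NDg3Mjg0NzI=
"""

# One indicator per line; "–" or "-" bullet, then "Type: value".
IOC_RE = re.compile(r"^[–-]\s*(?P<type>Domain|IP|URL|Sender):\s*(?P<value>\S+)", re.M)


def refang(s: str) -> str:
    """Undo common defanging: [.] -> ., hxxp(s):// -> http(s)://, [@] -> @."""
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.I)
    return s.replace("[@]", "@").replace("(at)", "@")


def defang(s: str) -> str:
    """Make an indicator non-clickable for tickets, chat and reports."""
    s = re.sub(r"^http(s?)://", r"hxxp\1://", s, flags=re.I)
    return s.replace(".", "[.]").replace("@", "[@]")


def parse_iocs(text: str) -> dict[str, list[str]]:
    """Group refanged indicators by type, rejecting malformed IPs so a
    typo in the report cannot become a bad firewall rule."""
    out: dict[str, list[str]] = {}
    for m in IOC_RE.finditer(text):
        value = refang(m["value"])
        if m["type"] == "IP":
            ipaddress.ip_address(value)  # raises ValueError if not an address
        out.setdefault(m["type"], []).append(value)
    return out


def blocklist(iocs: dict[str, list[str]]) -> dict[str, list[str]]:
    """Derive DNS sinkhole, proxy and IP rules. The URL's host and the
    sender's domain are folded into the DNS list so that blocking one
    indicator does not leave a sibling reachable."""
    domains = set(iocs.get("Domain", []))
    for url in iocs.get("URL", []):
        host = urlparse(url).hostname
        if host:
            domains.add(host)
    for addr in iocs.get("Sender", []):
        domains.add(addr.rsplit("@", 1)[-1])
    return {
        "dns": [f"0.0.0.0 {d}" for d in sorted(domains)],
        "proxy": sorted(iocs.get("URL", [])),
        "ip": sorted(iocs.get("IP", [])),
    }


if __name__ == "__main__":
    rules = blocklist(parse_iocs(IOC_TEXT))
    for kind, lines in rules.items():
        print(f"[{kind}]")
        for line in lines:
            print("  " + line)
    print("share as:", defang(rules["proxy"][0]))
```

The refang/defang pair is deliberately symmetric so an indicator pasted from a ticket round-trips without change; the `ipaddress` check is the kind of guard that belongs in anything that writes to a firewall.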
4. Containment Actions:
- Immediate Remediation (09:30-09:45 EST):
  - All 124 emails quarantined via Proofpoint.
  - Purged from user inboxes using Exchange Online.
  - Domain and IP blocked at firewall and DNS.
  - URL added to web proxy blocklist.
- User Notification (09:35-10:00 EST):
  - All 124 users contacted via email and Teams.
  - 3 clickers interviewed; confirmed no credential entry.
  - Security awareness reminder sent to all employees.
- Takedown Request (09:45 EST):
  - Reported to Namecheap abuse.
  - Domain suspended within 12 hours.
5. Root Cause Analysis:
- Primary Cause: External attacker conducting DocuSign-themed phishing campaign.
- Contributing Factors:
  - Employees regularly receive legitimate DocuSign emails.
  - Brand impersonation effective due to familiarity.
  - 3 users clicked despite training.
6. Business Impact:
- Operational Impact: None.
- Data Exposure: None (no credentials entered).
- Reputational Impact: None.
7. Remediation & Prevention:
- Completed Actions:
  - All malicious emails removed.
  - Infrastructure blocked.
  - Clickers educated.
  - Takedown requests submitted.
- Prevention Enhancements:
  - Enhanced Proofpoint rules for DocuSign impersonation.
  - Added “DocuSign” to brand impersonation protection.
  - Scheduled department-specific phishing simulation.
8. Conclusion:
This incident involved a DocuSign-themed credential phishing campaign targeting 124 employees. Proofpoint’s detection and automated quarantine prevented widespread exposure. Three users clicked the link but did not enter credentials. No compromise occurred.
Closure Rationale: Phishing blocked; clickers educated; no credentials compromised.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-12 10:30 EST