T1566 – Phishing (Proofpoint Detection)

Proofpoint Alert Details
Alert ID: PROOFPOINT-PHISH-1566-7842
Alert Time: 2024-02-12 09:30:15 EST
Severity: HIGH (85/100)
Source: Proofpoint Targeted Attack Protection (TAP)
Rule: “Credential Phishing – Brand Impersonation”
MITRE ATT&CK: T1566 – Phishing

Alert Details:

Email Analysis Report:

Sender: noreply@docusign-verify[.]net

Reply-To: support@document-processing[.]com

Subject: “Action Required: Document Ready for Signature – DocuSign”

Recipients: 124 employees (All departments)

Time: 2024-02-12 09:15 EST

Email Headers:

– Return-Path: bounce@marketing-server[.]ru

– SPF: FAIL (sender IP 185.143.221[.]67 not authorized)

– DKIM: none

– DMARC: FAIL

– X-Originating-IP: 185.143.221[.]67

Email Body:

“Dear Employee,

You have a document ready for signature via DocuSign.

Document: Q1_Sales_Contract_2024.pdf

Sender: Legal Department

Deadline: 24 hours

To review and sign this document, please click the secure link below:

https://docusign-document[.]com/verify/NDg3Mjg0NzI=

This link will expire in 24 hours.

Thank you,

DocuSign Team”

URL Analysis:

– Domain: docusign-document[.]com

– Registration: 2024-02-11 (1 day ago)

– Registrar: Namecheap (privacy protected)

– Hosting IP: 185.143.221[.]67 (Bulgaria)

– URLScan.io: Phishing page mimicking DocuSign login

– VirusTotal: 52/94 vendors flag as malicious

Attachment: None (link-based phishing)

Threat Intelligence:

– Domain pattern matches known DocuSign phishing campaign

– IP 185.143.221[.]67 associated with TA571 (credential harvesting)

– Similar emails targeting multiple industries this week

SOC Investigation Process

Step 1. Alert Validation
  Action: Verify email analysis in Proofpoint
  Tools Used: Proofpoint TAP Console
  Findings: Confirmed malicious DocuSign phishing

Step 2. URL Analysis
  Action: Investigate phishing domain
  Tools Used: URLScan.io, VirusTotal
  Findings: Domain hosts fake DocuSign login page

Step 3. Recipient Identification
  Action: Identify all targeted users
  Tools Used: Proofpoint Logs, AD
  Findings: 124 users across all departments

Step 4. Email Remediation
  Action: Quarantine and remove emails
  Tools Used: Proofpoint, Exchange Online
  Findings: All 124 emails quarantined; purged from inboxes

Step 5. User Notification
  Action: Alert targeted users
  Tools Used: Email, Teams, Slack
  Findings: All users notified; 3 reported clicking link

Step 6. Click Investigation
  Action: Check if any credentials entered
  Tools Used: CrowdStrike Falcon, Web Logs
  Findings: 3 users clicked link but did not enter credentials
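
As an added worked example (not part of the Proofpoint alert or the original report), the Python check below applies the same signals the email analysis and Steps 1-2 above rely on: SPF/DKIM/DMARC results from an Authentication-Results header, Reply-To and Return-Path domains that differ from the From domain, and a brand keyword appearing in a sender or link domain outside the brand's own domains. The sample headers and the PROTECTED_BRANDS allowlist are constructed to mirror the alert, not captured data.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the alert above; not a real capture.
SAMPLE_EMAIL = """\
Return-Path: <bounce@marketing-server.ru>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=marketing-server.ru; dkim=none; dmarc=fail header.from=docusign-verify.net
From: DocuSign <noreply@docusign-verify.net>
Reply-To: support@document-processing.com
Subject: Action Required: Document Ready for Signature - DocuSign

To review and sign this document, please click the secure link below:
https://docusign-document.com/verify/NDg3Mjg0NzI=
"""
# Assumed allowlist of domains the brand legitimately sends from or links to.
PROTECTED_BRANDS = {"docusign": ("docusign.com", "docusign.net")}

def domain_of(header_value):
    """Lowercase domain part of an address header, or '' if the header is absent."""
    return parseaddr(header_value)[1].rsplit("@", 1)[-1].lower()

def triage(raw_email):
    """Collect phishing indicators from headers and body URLs; return (verdict, findings)."""
    msg = message_from_string(raw_email)
    findings = []
    # 1. Authentication results: anything other than an explicit pass is a finding.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        result = m.group(1) if m else "missing"
        if result != "pass":
            findings.append(f"{mech.upper()} {result}")
    # 2. Reply-To / Return-Path pointing at a different domain than From.
    from_dom = domain_of(msg.get("From", ""))
    for hdr in ("Reply-To", "Return-Path"):
        dom = domain_of(msg.get(hdr, ""))
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    # 3. Brand keyword in the sender or a link domain that is not one of the brand's own.
    urls = re.findall(r"https?://[^\s\"'<>]+", msg.get_payload())
    domains = {urlparse(u).hostname.lower() for u in urls} | {from_dom}
    for brand, legit in PROTECTED_BRANDS.items():
        for dom in sorted(domains):
            if brand in dom and not any(dom == d or dom.endswith("." + d) for d in legit):
                findings.append(f"lookalike domain impersonating {brand}: {dom}")
    verdict = "MALICIOUS" if len(findings) >= 3 else "REVIEW" if findings else "CLEAN"
    return verdict, findings
```

On the sample above the check returns MALICIOUS with seven findings; a message that passes all three mechanisms and only uses the brand's own domains returns CLEAN.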

Jira Incident Report
Ticket: SOC-2024-061
Summary: T1566 – DocuSign Credential Phishing Campaign
Status: RESOLVED
Resolution: MALICIOUS – Phishing Blocked
Priority: P2 – MEDIUM
Labels: T1566, phishing, credential-harvesting, docusign, proofpoint
Components: Email-Security, Phishing-Response

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Proofpoint Targeted Attack Protection (TAP).
Alert: “Credential Phishing – Brand Impersonation”.
Targets: 124 employees (all departments).
Time: 2024-02-12 09:30 EST.
Technique: MITRE ATT&CK T1566 – Phishing.

2. Technical Analysis:

Email Details:

Sender: noreply@docusign-verify[.]net (spoofed)
Subject: “Action Required: Document Ready for Signature – DocuSign”
Theme: Urgent document signature request
Social Engineering: Legitimate DocuSign branding, 24-hour deadline

Infrastructure Analysis:

Domain: docusign-document[.]com (registered 2024-02-11)
IP: 185.143.221[.]67 (Bulgaria VPS)
Hosting: Fake DocuSign login page capturing credentials
SSL: Let’s Encrypt certificate issued to “DocuSign Secure”

Email Authentication:

SPF: FAIL (sender not authorized)
DKIM: none
DMARC: FAIL
Confirmed spoofing attempt

Campaign Impact:

124 internal recipients
All emails quarantined within 15 minutes of delivery
3 users clicked link (but did not enter credentials)
No credentials compromised

3. Investigation Findings:

Timeline:

09:15 – Email delivered to 124 users

09:18 – Proofpoint TAP analyzes and flags as malicious

09:20 – Email automatically quarantined

09:30 – SOC alert generated

09:32 – Investigation begins

09:35 – All users notified

09:40 – 3 clickers identified and interviewed

09:45 – Domain/IP added to blocklists

Click Analysis:

3 users clicked link (Sales, Marketing, HR)
All reported landing on “DocuSign login page”
None entered credentials (suspicious URL raised flags)
Endpoint scans showed no compromise

Indicators of Compromise (IoCs):

Email:

– Sender: noreply@docusign-verify[.]net

– Subject: “Action Required: Document Ready for Signature – DocuSign”

Network:

– Domain: docusign-document[.]com

– IP: 185.143.221[.]67

– URL: hxxps://docusign-document[.]com/verify/NDg3Mjg0NzI=

4. Containment Actions:

Immediate Remediation (09:30-09:45 EST):

All 124 emails quarantined via Proofpoint.
Purged from user inboxes using Exchange Online.
Domain and IP blocked at firewall and DNS.
URL added to web proxy blocklist.

User Notification (09:35-10:00 EST):

All 124 users contacted via email and Teams.
3 clickers interviewed; confirmed no credential entry.
Security awareness reminder sent to all employees.

Takedown Request (09:45 EST):

Reported to Namecheap abuse.
Domain suspended within 12 hours.

5. Root Cause Analysis:

Primary Cause: External attacker conducting DocuSign-themed phishing campaign.
Contributing Factors:
Employees regularly receive legitimate DocuSign emails.
Brand impersonation effective due to familiarity.
3 users clicked despite training.

6. Business Impact:

Operational Impact: None.
Data Exposure: None (no credentials entered).
Reputational Impact: None.

7. Remediation & Prevention:

Completed Actions:

All malicious emails removed.
Infrastructure blocked.
Clickers educated.
Takedown requests submitted.

Prevention Enhancements:

Enhanced Proofpoint rules for DocuSign impersonation.
Added “DocuSign” to brand impersonation protection.
Scheduled department-specific phishing simulation.

8. Conclusion:

This incident involved a DocuSign-themed credential phishing campaign targeting 124 employees. Proofpoint’s detection and automated quarantine prevented widespread exposure. Three users clicked the link but did not enter credentials. No compromise occurred.

Closure Rationale: Phishing blocked; clickers educated; no credentials compromised.

Analyst: [Walter White], SOC Analyst
Date: 2024-02-12 10:30 EST
