Phishing Attack Vector Using QR Codes for Credential Harvesting

Written by
Kartavya Trivedi
Published on
October 16, 2024

The STN Security team has identified a new attack vector leveraging legitimate platforms that lures users into credential harvesting schemes. 

In this attempt, attackers exploit DocuSign, a well-known electronic signature platform, to send convincing emails that prompt users to scan a QR code, leading them to a malicious Microsoft login page designed to harvest their credentials.

Attack Vector

1. Initialization

The attack begins with the victim receiving a legitimate-looking email from DocuSign, delivered from the official DocuSign domain. This email is carefully crafted to avoid suspicion and contains no malicious links or attachments, allowing it to bypass most email security filters.

DocuSign QR Code Example

2. Foothold

Upon clicking the link within the email, the user is directed to the legitimate DocuSign portal, where they can view and interact with the document. However, within the document is a seemingly harmless QR code that the user is prompted to scan.

3. Credential Harvesting

When the user scans the QR code, they are redirected to a malicious domain that mimics a Microsoft login page. This fake page is the crux of the attack, designed to trick the user into entering their Microsoft credentials. Once entered, these credentials are captured by the attackers for further exploitation.


Technical Indicators of Compromise (IoCs)

  • QR Code URL: https:// qrco. de/ bfTQau
    This URL redirects users to the following credential harvesting page:
  • Malicious Domain: https:// c1ient-index1oginauthonilne. aws-docusign-verify. workers.dev
    This page is designed to resemble a Microsoft login page but is a credential harvester.
  • Fake Microsoft Login Page: Hosted on a worker domain, this page captures the victim's credentials under the guise of a legitimate login prompt.
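As an added defender-side example (not STN tooling and not part of the original post), the following Python triages URLs seen in proxy or mobile-gateway logs against the pattern above: a public QR shortener as the first hop, then a throwaway workers.dev host carrying digit-for-letter brand lookalikes. The log lines, hostnames, allowlist and vocabulary are constructed assumptions to extend from your own telemetry.

```python
"""Heuristic triage of URLs from QR scans / proxy logs, keyed to this advisory's
indicators: shortener first hop, worker-hosted landing page, lookalike brand terms.
Added example; the sample log and domain lists below are constructed."""
import re
from urllib.parse import urlsplit

SHORTENERS = {"qrco.de"}                      # shortener named in the advisory
THROWAWAY_HOSTS = {"workers.dev"}             # free hosting named in the advisory
# Assumed allowlist of brand-owned domains; extend for your tenant.
ALLOWED = {"docusign.com", "docusign.net", "microsoft.com", "microsoftonline.com"}
BRANDS = ("docusign", "microsoft", "login", "client", "auth", "online")
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o"})  # digit-for-letter swaps

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def suffix_in(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def assess(url):
    """Return the indicators a URL trips; an empty list means nothing flagged."""
    host = host_of(url)
    if suffix_in(host, ALLOWED):              # genuine brand domain, not a lookalike
        return []
    findings = []
    if suffix_in(host, SHORTENERS):
        findings.append("qr-shortener")
    if suffix_in(host, THROWAWAY_HOSTS):
        findings.append("throwaway-hosting")
    normalised = host.translate(HOMOGLYPHS)   # c1ient-1ogin -> client-login
    hits = [b for b in BRANDS if b in normalised]
    if hits:
        findings.append("brand-lookalike:" + ",".join(hits))
        if normalised != host:
            findings.append("homoglyph-digits")
    return findings

def triage(log_lines):
    """Map every flagged URL found in proxy-style log lines to its indicators."""
    url_re = re.compile(r"https?://\S+")
    return {u: f for line in log_lines for u in url_re.findall(line) if (f := assess(u))}

# Constructed sample: shortener hop and a worker lookalike beside two benign URLs.
SAMPLE_LOG = [
    "2024-10-16T09:12:01Z user=alice dev=mobile url=https://qrco.de/EXAMPLE",
    "2024-10-16T09:12:03Z user=alice dev=mobile url=https://c1ient-1ogin.docusign-verify.workers.dev/",
    "2024-10-16T09:15:40Z user=bob dev=laptop url=https://login.microsoftonline.com/",
    "2024-10-16T09:16:02Z user=bob dev=laptop url=https://app.docusign.com/documents/1",
]

if __name__ == "__main__":
    for url, flags in triage(SAMPLE_LOG).items():
        print(url, "->", ", ".join(flags))
```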

Why This Attack Is Dangerous

1. Legitimate Source: 

The phishing email originates from the official DocuSign domain, which gives it a high level of credibility, making it more likely to be trusted by recipients.

2. Seamless User Experience: 

The email directs users to the legitimate DocuSign platform, further reducing suspicion. The attack vector leverages a QR code embedded in the document, which users are inclined to scan, particularly on mobile devices.

3. Evasion of Traditional Security Solutions: 

  • Endpoint Detection and Response (EDR) Bypass: Since the QR code is scanned on mobile devices, it bypasses traditional endpoint security solutions installed on computers.
  • Network Detection Evasion: By utilizing a QR code, attackers can circumvent network-based security controls, as the scanning and subsequent connection to the malicious page occur outside of the corporate network.

Recommended Actions

1. Employee Training: 

Ensure that employees are trained to recognize suspicious emails and the potential risks of scanning QR codes. As part of regular cybersecurity training, highlight the increasing use of QR codes in phishing campaigns.

2. MFA Deployment: 

Implement Multi-Factor Authentication (MFA) for all users. Even if credentials are compromised, MFA can prevent unauthorized account access.

3. Mobile Device Management (MDM): 

Deploy mobile security solutions and Mobile Device Management (MDM) to monitor and secure mobile devices, reducing the risk of credential harvesting from devices that do not have sufficient security controls.

4. Reporting: 

Encourage users to report any suspicious activity immediately to the security team. Early detection of phishing attacks can help prevent broader compromise.

5. SOC Team: 

If a similar incident or a business email compromise (BEC) has occurred in the environment, contact the Security Operations Centre.

This new phishing attack demonstrates the increasing sophistication of social engineering techniques. 

By utilizing trusted platforms such as DocuSign and leveraging QR codes, attackers are able to bypass traditional security mechanisms. Organizations must remain vigilant, continue to educate users, and implement comprehensive security measures to mitigate the risks associated with such attacks.
