MailGuard has intercepted a new phishing email scam that is deceptively simple in appearance but highly sophisticated in execution. Disguised as a legitimate Docusign request, the scam leverages compromised infrastructure and advanced evasion techniques to target users’ email credentials.
Here's a summary of how the scam operates, what makes it particularly dangerous, and how businesses can protect themselves.
What the Attack Looks Like
The email arrives with the subject line:
FW: Re: EFT_Electronic Payment confirmation#369Q47 Processing Completed
It mimics a secure document notification from Docusign, complete with branding and formatting that resembles authentic messages.
Here's an example of what the phishing email looks like 👇
Upon clicking the “View” button, the recipient is redirected through to a Cloudflare CAPTCHA page — a tactic used by cybercriminals to avoid automated detection — and lands on a phishing page designed to harvest credentials.
Here's an example of the Cloudflare CAPTCHA screen 👇
The landing page is styled to match Microsoft Office’s web login, and cleverly pulls the favicon (icon) from the recipient’s own company domain to enhance perceived legitimacy.
And this is what the credential phishing screen looks like 👇
It prompts users to log in using their email address and password, regardless of their mail provider — with generic logos like Gmail, Outlook, and Webmail shown at the bottom to feign universal compatibility.
Scams impersonating Docusign are not uncommon, such as these ones from February and May 2023, and February 2024.
What Makes This Attack So Sophisticated?
🔍 Favicon Spoofing
The phishing site fetches the favicon from the recipient's real domain, making the site appear even more legitimate in the browser tab.
🛡 Evasion Techniques
By using a Cloudflare CAPTCHA, the site prevents automated scanners from detecting the malicious payload. Only a human can pass the challenge — and then unknowingly land on the trap.
🌐 Widespread Compatibility Branding
The use of multiple email platform logos at the bottom of the login page is designed to reassure users that “any email system” is supported, subtly pressuring victims to proceed regardless of what provider they use.
Stay Safe – Know the Signs
MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.
🚫 Avoid emails that:
- Aren’t addressed to you personally.
- Are unexpected and urge immediate action.
- Contain poor grammar or miss crucial identifying details.
- Direct you to a suspicious URL that isn’t associated with the genuine company.
Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late.
Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.
One email is all that it takes
All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.
For a few dollars per staff member per month, you can protect your business with MailGuard's specialist, 'zero zero-day' email security. Special Ops for when speed matters! Our real-time 'zero zero-day', email threat detection amplifies our client’s intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.
Stay up-to-date with MailGuard's latest blog posts by subscribing to free updates. Subscribe to weekly updates by clicking on the button below.
