Phishing: Your Document Has Been Completed

Posted on by Tony Redmond
Phishing message telling user that their document has been completed
The wonky email address is enough to reveal the purpose of this phishing attempt

Luring the Unwary into Clicking an Attachment

The growing popularity of cloud services makes it common to receive documents for eSignatures from services like DocuSign or Adobe Sign. Attackers note trends like this and try to exploit the tendency of humans to accept things on face value, which is the basis of this phishing attempt.

The attack is relatively crude as the signs that the message is false are pretty obvious. First, no respectable eSigning service would send messages from a public email service like bluewin.ch (run by SwissCom in Switzerland). Second, the email address to the left of the domain is obfuscated. (In this case, the address is microsoftexchange3297e09615bc6ab6ce41109eerror329e71ec88ae4615bbc36ab6ce41109eerror329e71ec88ae4615bbc36ab6ce41109eerror329e71ec88ae4615bbc36ab6ce41109eerror329e71ec88ae4615bbc36ab6ce41109e@bluewin.ch).

Seeing an address like this is suspicious because there’s no reason for a legitimate service to disguise their email address in customer communications. For example, DocuSign uses dse@docusign.net for its notifications). Further examination of the message header with the useful Message Header Analyzer (MHA) add-on for Outlook didn’t reveal anything to make me believe that the message was valid.

Examining the Link

The next thing is to look at its payload. The user is asked to click a link to see a PDF document. The reader is conned into believing that the link will take them to OneDrive (using a blurry graphic), but it really leads to digitaloceanspaces.com. There’s no need to go any further to prove that this message is a phishing attempt because no valid communication would signal that it comes from OneDrive and go to a developer site.

Reporting Phishing Messages

If you receive a message like this, you can report it to Microsoft with Outlook or OWA. Microsoft analyzes reported messages to understand the techniques used by attackers to bypass anti-malware checks such as Exchange Online Protection. The intelligence gathered is used to improve the checks.

Given the volume of spam and malware (53.49% of total email volume in September 2018), some phishing messages will always get through. Here are two other examples of recent phishing attempts: “Encrypted file from OneDrive” and “Retrieve pending messages for domain.”

Office 365 includes good out-of-the-box protection, but admins need to understand how to use Exchange Online Protection and users need some help to understand how to detect any bad stuff that arrives in their inboxes.

The array of anti-malware checks and tools available in Exchange Online Protection and Advanced Threat Protection for Office 365 are described in Chapter 17 of the Office 365 for IT Pros eBook. Because I read Chapter 17, I knew what to look for in the bad message.

One Reply to “Phishing: Your Document Has Been Completed”

  1. Pingback: Marking External Email with an Exchange Transport Rule - Office 365 for IT Pros

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.