Security Boulevard

The DocuSign Email That Wasn’t – A Three-Redirect Credential Harvest

A phishing email disguised as a DocuSign notification tricked recipients into clicking a malicious link. This link utilized a redirect chain, starting with Google Maps and leading to an Amazon S3-hosted credential harvesting page. The email convincingly impersonated DocuSign, using familiar branding and a "Review & Sign" button.

The redirect chain bypassed standard URL scanners, making the malicious destination appear safe. The email's authentication checks, including SPF and DMARC, failed to identify the attack. The attackers also included realistic law firm footers to enhance the email's legitimacy and build trust. The ultimate goal was to steal Microsoft 365 login credentials through the convincing phishing page.

IRONSCALES' Adaptive AI detected the attack based on behavioral mismatches between the sender's infrastructure and the claimed DocuSign identity. The AI identified the threat within 90 seconds, quarantining the email before any clicks occurred. The incident highlights the vulnerability of traditional email security that relies solely on first-hop URL reputation.
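The gap between first-hop reputation and full-chain evaluation can be shown in a few lines. This is an added example, not code from the article or from IRONSCALES; the hosts, URLs, brand allowlist and two-signal threshold are all constructed assumptions.

```python
from urllib.parse import urlparse

# Constructed sample data: every host and URL here is a placeholder, not an IoC.
REPUTABLE = {"maps.google.com"}                    # passes a first-hop reputation check
SHARED_STORAGE = (".s3.amazonaws.com",)            # tenant-controlled pages on a trusted provider
BRAND_DOMAINS = {"docusign": ("docusign.com", "docusign.net")}
START = "https://maps.google.com/url?q=hop1"
REDIRECTS = {                                      # Location targets as a sandbox would record them
    START: "https://hop1.example/r",
    "https://hop1.example/r": "https://hop2.example/go",
    "https://hop2.example/go": "https://placeholder-bucket.s3.amazonaws.com/login.html",
}

def host(url):
    return (urlparse(url).hostname or "").lower()

def resolve_chain(url, redirects, max_hops=10):
    """Follow recorded redirects, stopping on loops or after max_hops."""
    chain = [url]
    while url in redirects and len(chain) <= max_hops:
        url = redirects[url]
        if url in chain:
            break
        chain.append(url)
    return chain

def first_hop_verdict(url):
    """What a scanner sees if it only rates the link that is in the email."""
    return "allow" if host(url) in REPUTABLE else "scan"

def chain_verdict(url, claimed_brand, redirects):
    """Rate the final destination against the brand the email claims to be."""
    chain = resolve_chain(url, redirects)
    first, final = host(chain[0]), host(chain[-1])
    reasons = []
    if first in REPUTABLE and final != first:
        reasons.append("reputable first hop redirects off-site")
    if final.endswith(SHARED_STORAGE):
        reasons.append("final page on shared cloud storage")
    owned = BRAND_DOMAINS.get(claimed_brand, ())
    if not any(final == d or final.endswith("." + d) for d in owned):
        reasons.append("final host not owned by claimed brand")
    # Heuristic threshold (an assumption): two independent signals quarantine.
    return ("quarantine" if len(reasons) >= 2 else "allow"), chain, reasons

if __name__ == "__main__":
    print(first_hop_verdict(START))
    print(chain_verdict(START, "docusign", REDIRECTS))
```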
securityboulevard.com