Microsoft 365 business users targeted with new DocuSign phishing scam

A smartphone with the Microsoft 365 logo displayed, held in front of a blurred Microsoft banner

A new business email compromise (BEC) campaign has been targeting Microsoft 365 organizations in a bid to hack corporate executives’ accounts and maliciously divert business payments.

Researchers from cyber security firm Mitiga found that the hackers are leveraging inherent weaknesses in 365’s multi-factor authentication (MFA), Microsoft Authenticator, as well as Microsoft 365 Identity Protection.


Storage's role in addressing the challenges of ensuring cyber resilience

Understanding the role of data storage in cyber resiliency


The attacks combine spear-phishing tactics with man-in-the-middle methods to compromise email accounts. The attackers essentially hijack business transactions by sending an email from the account to its intended recipient with a request to change the receiving bank account, according to Mitiga research.

These emails trick the recipient into believing that the usual payment account has been frozen and convincing them to use alternative accounts belonging the threat actor.

The attacker will also hijack email chains with forged 'typosquatting' domains that appear genuine at first glance due to stealthy character changes.

Mitiga’s researchers discovered the campaign when investigating a failed attack, which indicated that the attacker had access to sensitive information only obtainable by compromising a user’s account.

Spoofed DocuSign login page

As part of its investigation, the firm discovered unauthorized access to an executive’s 365 account from multiple locations, including Singapore, Dubai, and San Jose, California.

The compromise leveraged a man-in-the-middle phishing technique for initial access to the account and mailbox. The initial email was created to mimic a request from DocuSign, accurately imitating the layout of the popular electronic business agreements management platform with a spoofed address.

Although that does not pass DMARC checks, a misconfiguration in the client environment used to minimise spam alerts from DocuSign meant the email was not blocked and appeared as legitimate in the executive’s email inbox, the firm said.

Upon clicking the “Review Document”, the victim would then have been prompted to enter their Microsoft Azure login details into a malicious domain. As part of these tactics, the threat actor uses a phishing framework such as evilginx2 proxy that acts as a middle agent between the spoofed login page and the real one.

As the victim enters their details, the session cookie is snatched by the attacker and used to assume the user’s session, without needing to re-enter a password or approve an MFA request. The victim is then directed to a generic DocuSign error page.

Nullifying multi-factor authentication

Compounding the breach further, however, was the fact that the attacker was then free to set up a second authenticator app for the user without their knowledge, which essentially enables persistent access to the account after the session expires or is revoked.

“This gave the attackers full persistency of the breached account and effectively nullified the value of MFA,” Mitiga said.

In the incident investigated, the security firm said attackers accessed Exchange and SharePoint, but had not yet picked their moment to take action from the inbox.

Concluding its findings, Mitiga said that, although preventing these types of attacks is difficult, containing and limiting them should be relatively straightforward by requiring an MFA challenge for security related activities. However, Microsoft currently does not offer this.

“Given the accelerated growth of [these] attacks (even without the persistency allowed by an attacker adding a new, compromised, authentication method), it is clear that we can no longer rely on multi-factor authentication as our main line of defense against identity attacks,” it said.

“We strongly recommend setting up another layer of defense, in the form of a third factor, tied to a physical device or to the employee’s authorized laptop and phone.”

The firm added: “Microsoft 365 offers this as part of Conditional Access by adding a requirement to authenticate via an enrolled and compliant device only, which would completely prevent [these] attacks.”

Daniel Todd

Dan is a freelance writer and regular contributor to ChannelPro, covering the latest news stories across the IT, technology, and channel landscapes. Topics regularly cover cloud technologies, cyber security, software and operating system guides, and the latest mergers and acquisitions.

A journalism graduate from Leeds Beckett University, he combines a passion for the written word with a keen interest in the latest technology and its influence in an increasingly connected world.

He started writing for ChannelPro back in 2016, focusing on a mixture of news and technology guides, before becoming a regular contributor to ITPro. Elsewhere, he has previously written news and features across a range of other topics, including sport, music, and general news.