Attack Overview

Step 1: Docusign Document Review Notification

The attacker sends phishing emails that impersonate Docusign document-sharing notifications to lure recipients into clicking through to a credential-harvesting page.

[Image 1]
  • Email subject references "contract.pdf document awaiting review" to create urgency around business documents.
  • Message uses Docusign branding and familiar interface elements including "REVIEW DOCUMENT" call-to-action button.
  • Email includes standard Docusign footer messaging about secure links and Digital Transaction Management to enhance legitimacy.

Step 2: Vercel-Hosted Flask Application Provides Trusted Infrastructure

The phishing site is a Flask-based credential-harvesting application deployed on Vercel's legitimate cloud platform.

[Image 2]
  • Phishing site hosted on the servdata.vercel[.]app domain, borrowing the reputation of Vercel's trusted cloud platform.
  • Flask-based kit packaged for Vercel deployment, with built-in evasion techniques and multiple credential-collection stages.
  • The platform's shared domain is typically not blocked by secure email gateways, so the link passes URL reputation filters.

Step 3: Dynamic Branding and CAPTCHA-Protected Credential Harvesting

The phishing kit dynamically customizes the attack interface while implementing protection against automated analysis.

[Image 3]
  • Kit dynamically pulls organization branding and logos via API calls to create convincing, target-specific phishing interfaces.
  • A CAPTCHA gate in front of the phishing content prevents automated scanning tools from reaching and analyzing the credential form.
  • Final credential harvesting page requests email and password with privacy policy messaging to appear legitimate.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for several reasons, including:

  • Phishing site hosted on Vercel's legitimate cloud platform, which is typically not blocked by security gateways.
  • Dynamic impersonation capabilities pull organization branding and logos via API calls to create convincing, target-specific interfaces.
  • A CAPTCHA gate prevents automated scanning tools from reaching the phishing content, so a crawler sees only a challenge page.
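The detection logic that the three steps above and this bypass list imply, written here as an added example that is neither Abnormal's detection code nor the phishing kit's: it parses a constructed sample of the Step 1 email and checks whether the REVIEW DOCUMENT link resolves to a Docusign domain or to shared hosting, and it classifies constructed landing-page HTML so that a CAPTCHA gate is reported as "gated" rather than silently treated as clean. The brand-domain list, the shared-hosting suffixes, the sender address and the sample pages are assumptions made for the example; the link host reuses the page's reported servdata.vercel[.]app indicator, refanged.

```python
"""Triage checks for the Docusign/Vercel phishing chain described above:
(1) does the email's call-to-action link go where its branding implies, and
(2) is the landing page a CAPTCHA-gated credential form that a crawler would
only ever see as a challenge? All messages and pages here are constructed samples."""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the brand legitimately links to (illustrative, not complete).
BRAND_DOMAINS = {"docusign": ("docusign.com", "docusign.net")}
# Assumption: shared-hosting suffixes whose reputation a kit can borrow.
SHARED_HOSTING = ("vercel.app", "netlify.app", "pages.dev", "web.app", "github.io")
# Script hosts of common CAPTCHA widgets (reCAPTCHA, hCaptcha, Turnstile).
CAPTCHA_HOSTS = ("www.google.com/recaptcha", "js.hcaptcha.com", "challenges.cloudflare.com")
URGENCY = re.compile(r"\b(awaiting|urgent|immediately|expires?|action required)\b", re.I)


class PageFacts(HTMLParser):
    """Collect anchor links, input types, script sources and visible text."""
    def __init__(self):
        super().__init__()
        self.links, self.inputs, self.scripts, self.text = [], [], [], []
        self._href = None  # href of the <a> currently being read

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href = a["href"]
        elif tag == "input":
            self.inputs.append((a.get("type") or "text").lower())
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

    def handle_data(self, data):
        if data := data.strip():
            self.text.append(data)
            if self._href:
                self.links.append((self._href, data))


def _under(host, suffixes):
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)

def on_shared_hosting(host):
    return _under(host, SHARED_HOSTING)

def belongs_to_brand(host, brand):
    return _under(host, BRAND_DOMAINS[brand])

def triage_email(raw):
    """Score a raw RFC 822 message: brand named in the text vs. where its links go."""
    msg = message_from_string(raw, policy=policy.default)
    facts = PageFacts()
    facts.feed(msg.get_body(preferencelist=("html",)).get_content())
    blob = (msg["Subject"] or "") + " " + " ".join(facts.text)
    brand = next((b for b in BRAND_DOMAINS if b in blob.lower()), None)
    findings = []
    for href, label in facts.links:
        host = urlparse(href).hostname or ""
        if brand and not belongs_to_brand(host, brand):
            findings.append(f"'{label}' links to {host}, not a {brand} domain")
        if on_shared_hosting(host):
            findings.append(f"'{label}' links to shared hosting {host}")
    if URGENCY.search(blob):
        findings.append("urgency language in subject or body")
    return {"brand": brand, "findings": findings, "suspicious": len(findings) >= 2}

def triage_landing_page(html):
    """Classify fetched HTML. A CAPTCHA gate with no form is 'gated', never clean:
    the crawler has not seen what a human sees after solving the challenge."""
    facts = PageFacts()
    facts.feed(html)
    gated = any(h in src for src in facts.scripts for h in CAPTCHA_HOSTS)
    types = set(facts.inputs)
    harvests = "password" in types and bool(types & {"email", "text"})
    verdict = "credential-harvest" if harvests else "gated" if gated else "no-indicators"
    return {"captcha_gate": gated, "credential_form": harvests, "verdict": verdict}


# Constructed sample email modelled on Step 1. The sender address is fictitious;
# the link host is the page's reported IOC, refanged so urlparse can read it.
SAMPLE_EMAIL = """\
From: Docusign <no-reply@notify.example.test>
Subject: contract.pdf document awaiting review
Content-Type: text/html; charset="utf-8"

<html><body><p>Docusign</p><p>Your document is awaiting review.</p>
<a href="https://servdata.vercel.app/review">REVIEW DOCUMENT</a>
<p>Do not share this email. This link is secure.</p></body></html>
"""
# Constructed landing pages: what a crawler is shown (gate) vs. what a human sees.
GATED_PAGE = """<html><head><script src="https://challenges.cloudflare.com/turnstile/v0/api.js"></script>
</head><body><div class="cf-turnstile"></div><p>Verify you are human</p></body></html>"""
HARVEST_PAGE = """<html><body><img src="/static/logo/victim.example.png">
<form method="post" action="/login"><input type="email" name="email">
<input type="password" name="password"><button>Sign in</button></form>
<p>We respect your privacy.</p></body></html>"""
```

Running `triage_email(SAMPLE_EMAIL)` yields three findings (non-brand link host, shared hosting, urgency wording), which is the mismatch a reputation-only URL filter misses because `vercel.app` itself is clean. The landing-page check is deliberately asymmetric: a page that shows a CAPTCHA and nothing else is returned as `gated`, not `no-indicators`, so a URL sandbox that cannot solve the challenge does not convert its own blindness into a benign verdict.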

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including:

  • Behavioral AI flags a never-before-seen sender, unusual email content, and an anomalous URL as deviations from the recipient's established baseline, which is what allows a novel attack to be caught without a prior signature.
  • Content analysis and natural language processing recognizing urgency and financial implications as indicators of suspicious activity.
  • Detection of brand impersonation and deceptive link behavior despite legitimate hosting infrastructure.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Type: Credential Phishing
Vector: Link-based
Goal: Credential Theft
Tactic: Legitimate Hosting Infrastructure; CAPTCHA-Protected Phishing Page
Theme: Fake Document
Impersonated Party: Brand
Impersonated Brands: Docusign
